Prepare release v0.9.1

Fix wrong version for KubeVirt CAPI provider

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

Makefile

@@ -3,6 +3,7 @@
 build:
 	make -C packages/apps/http-cache image
 	make -C packages/apps/kubernetes image
+	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
 	make -C packages/core/installer image

hack/e2e.sh

@@ -0,0 +1,318 @@
+#!/bin/bash
+if [ "$COZYSTACK_INSTALLER_YAML" = "" ]; then
+  echo 'COZYSTACK_INSTALLER_YAML variable is not set!' >&2
+  echo 'please set it with following command:' >&2
+  echo >&2
+  echo 'export COZYSTACK_INSTALLER_YAML=$(helm template -n cozy-system installer packages/core/installer)' >&2
+  echo >&2
+  exit 1
+fi
+
+if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
+  echo "IPv4 forwarding is not enabled!" >&2
+  echo 'please enable forwarding with the following command:' >&2
+  echo >&2
+  echo 'echo 1 > /proc/sys/net/ipv4/ip_forward' >&2
+  echo >&2
+  exit 1
+fi
+
+set -x
+set -e
+
+kill `cat srv1/qemu.pid srv2/qemu.pid srv3/qemu.pid` || true
+
+ip link del cozy-br0 || true
+ip link add cozy-br0 type bridge
+ip link set cozy-br0 up
+ip addr add 192.168.123.1/24 dev cozy-br0
+
+# Enable forward & masquerading
+echo 1 > /proc/sys/net/ipv4/ip_forward
+iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -j MASQUERADE
+
+rm -rf srv1 srv2 srv3
+mkdir -p srv1 srv2 srv3
+
+# Prepare cloud-init
+for i in 1 2 3; do
+  echo "local-hostname: srv$i" > "srv$i/meta-data"
+  echo '#cloud-config' > "srv$i/user-data"
+  cat > "srv$i/network-config" <<EOT
+version: 2
+ethernets:
+  eth0:
+    dhcp4: false
+    addresses:
+      - "192.168.123.1$i/26"
+    gateway4: "192.168.123.1"
+    nameservers:
+      search: [cluster.local]
+      addresses: [8.8.8.8]
+EOT
+
+  ( cd srv$i && genisoimage \
+      -output seed.img \
+      -volid cidata -rational-rock -joliet \
+      user-data meta-data network-config
+  )
+done
+
+# Prepare system drive
+if [ ! -f nocloud-amd64.raw ]; then
+  wget https://github.com/aenix-io/cozystack/releases/latest/download/nocloud-amd64.raw.xz -O nocloud-amd64.raw.xz
+  rm -f nocloud-amd64.raw
+  xz --decompress nocloud-amd64.raw.xz
+fi
+for i in 1 2 3; do
+  cp nocloud-amd64.raw srv$i/system.img
+  qemu-img resize srv$i/system.img 20G
+done
+
+# Prepare data drives
+for i in 1 2 3; do
+  qemu-img create srv$i/data.img 100G
+done
+
+# Prepare networking
+for i in 1 2 3; do
+  ip link del cozy-srv$i || true
+  ip tuntap add dev cozy-srv$i mode tap
+  ip link set cozy-srv$i up
+  ip link set cozy-srv$i master cozy-br0
+done
+
+# Start VMs
+for i in 1 2 3; do
+  qemu-system-x86_64 -machine type=pc,accel=kvm -cpu host -smp 4 -m 8192 \
+    -device virtio-net,netdev=net0,mac=52:54:00:12:34:5$i -netdev tap,id=net0,ifname=cozy-srv$i,script=no,downscript=no \
+    -drive file=srv$i/system.img,if=virtio,format=raw \
+    -drive file=srv$i/seed.img,if=virtio,format=raw \
+    -drive file=srv$i/data.img,if=virtio,format=raw \
+    -display none -daemonize -pidfile srv$i/qemu.pid
+done
+
+sleep 5
+
+# Wait for VM to start up
+timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 50000 && nc -nzv 192.168.123.13 50000; do sleep 1; done'
+
+cat > patch.yaml <<\EOT
+machine:
+  kubelet:
+    nodeIP:
+      validSubnets:
+      - 192.168.123.0/24
+    extraConfig:
+      maxPods: 512
+  kernel:
+    modules:
+    - name: openvswitch
+    - name: drbd
+      parameters:
+        - usermode_helper=disabled
+    - name: zfs
+    - name: spl
+  install:
+    image: ghcr.io/aenix-io/cozystack/talos:v1.7.1
+  files:
+  - content: |
+      [plugins]
+        [plugins."io.containerd.grpc.v1.cri"]
+          device_ownership_from_security_context = true      
+    path: /etc/cri/conf.d/20-customization.part
+    op: create
+
+cluster:
+  network:
+    cni:
+      name: none
+    dnsDomain: cozy.local
+    podSubnets:
+    - 10.244.0.0/16
+    serviceSubnets:
+    - 10.96.0.0/16
+EOT
+
+cat > patch-controlplane.yaml <<\EOT
+machine:
+  network:
+    interfaces:
+    - interface: eth0
+      vip:
+        ip: 192.168.123.10
+cluster:
+  allowSchedulingOnControlPlanes: true
+  controllerManager:
+    extraArgs:
+      bind-address: 0.0.0.0
+  scheduler:
+    extraArgs:
+      bind-address: 0.0.0.0
+  apiServer:
+    certSANs:
+    - 127.0.0.1
+  proxy:
+    disabled: true
+  discovery:
+    enabled: false
+  etcd:
+    advertisedSubnets:
+    - 192.168.123.0/24
+EOT
+
+# Gen configuration
+if [ ! -f secrets.yaml ]; then
+  talosctl gen secrets
+fi
+
+rm -f controlplane.yaml worker.yaml talosconfig kubeconfig
+talosctl gen config --with-secrets secrets.yaml cozystack https://192.168.123.10:6443 --config-patch=@patch.yaml --config-patch-control-plane @patch-controlplane.yaml
+export TALOSCONFIG=$PWD/talosconfig
+
+# Apply configuration
+talosctl apply -f controlplane.yaml -n 192.168.123.11 -e 192.168.123.11 -i
+talosctl apply -f controlplane.yaml -n 192.168.123.12 -e 192.168.123.12 -i
+talosctl apply -f controlplane.yaml -n 192.168.123.13 -e 192.168.123.13 -i
+
+# Wait for VM to be configured
+timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 50000 && nc -nzv 192.168.123.13 50000; do sleep 1; done'
+
+# Bootstrap
+talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11
+
+# Wait for etcd
+timeout 120 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
+
+rm -f kubeconfig
+talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10
+export KUBECONFIG=$PWD/kubeconfig
+
+# Wait for kubernetes nodes appear
+timeout 60 sh -c 'until [ $(kubectl get node -o name | wc -l) = 3 ]; do sleep 1; done'
+kubectl create ns cozy-system
+kubectl create -f - <<\EOT
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cozystack
+  namespace: cozy-system
+data:
+  bundle-name: "paas-full"
+  ipv4-pod-cidr: "10.244.0.0/16"
+  ipv4-pod-gateway: "10.244.0.1"
+  ipv4-svc-cidr: "10.96.0.0/16"
+  ipv4-join-cidr: "100.64.0.0/16"
+EOT
+
+#
+echo "$COZYSTACK_INSTALLER_YAML" | kubectl apply -f -
+
+# wait for cozystack pod to start
+kubectl wait deploy  --timeout=1m --for=condition=available -n cozy-system cozystack
+
+# wait for helmreleases appear
+timeout 60 sh -c 'until kubectl get hr -A | grep cozy; do sleep 1; done'
+
+sleep 5
+
+kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n " $1 " hr/" $2 " &"} END{print "wait"}' | sh -x
+# Wait for linstor controller
+kubectl wait deploy --timeout=5m --for=condition=available -n cozy-linstor linstor-controller
+
+# Wait for all linstor nodes become Online
+timeout 60 sh -c 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) = 3 ]; do sleep 1; done'
+
+kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv1 /dev/vdc --pool-name data --storage-pool data
+kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv2 /dev/vdc --pool-name data --storage-pool data
+kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv3 /dev/vdc --pool-name data --storage-pool data
+
+kubectl create -f- <<EOT
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: local
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: linstor.csi.linbit.com
+parameters:
+  linstor.csi.linbit.com/storagePool: "data"
+  linstor.csi.linbit.com/layerList: "storage"
+  linstor.csi.linbit.com/allowRemoteVolumeAccess: "false"
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: replicated
+provisioner: linstor.csi.linbit.com
+parameters:
+  linstor.csi.linbit.com/storagePool: "data"
+  linstor.csi.linbit.com/autoPlace: "3"
+  linstor.csi.linbit.com/layerList: "drbd storage"
+  linstor.csi.linbit.com/allowRemoteVolumeAccess: "true"
+  property.linstor.csi.linbit.com/DrbdOptions/auto-quorum: suspend-io
+  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-no-data-accessible: suspend-io
+  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-suspended-primary-outdated: force-secondary
+  property.linstor.csi.linbit.com/DrbdOptions/Net/rr-conflict: retry-connect
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+EOT
+kubectl create -f- <<EOT
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: cozystack
+  namespace: cozy-metallb
+spec:
+  ipAddressPools:
+  - cozystack
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: cozystack
+  namespace: cozy-metallb
+spec:
+  addresses:
+  - 192.168.123.200-192.168.123.250
+  autoAssign: true
+  avoidBuggyIPs: false
+EOT
+
+kubectl patch -n tenant-root hr/tenant-root --type=merge -p '{"spec":{ "values":{
+  "host": "example.org",
+  "ingress": true,
+  "monitoring": true,
+  "etcd": true
+}}}'
+
+# Wait for HelmRelease be created
+timeout 60 sh -c 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root; do sleep 1; done'
+
+# Wait for HelmReleases be installed
+kubectl wait --timeout=2m --for=condition=ready -n tenant-root hr etcd ingress monitoring tenant-root
+
+# Wait for nginx-ingress-controller
+timeout 60 sh -c 'until kubectl get deploy -n tenant-root root-ingress-controller; do sleep 1; done'
+kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-ingress-controller
+
+# Wait for etcd
+kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
+
+# Wait for Victoria metrics
+kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert vminsert-longterm vminsert-shortterm
+kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=2 -n tenant-root sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm
+
+# Wait for grafana
+kubectl wait --timeout=5m --for=condition=ready -n tenant-root clusters.postgresql.cnpg.io grafana-db
+kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy grafana-deployment 
+
+# Get IP of nginx-ingress
+ip=$(kubectl get svc -n tenant-root root-ingress-controller -o jsonpath='{.status.loadBalancer.ingress..ip}')
+
+# Check Grafana
+curl -sS -k "https://$ip" -H 'Host: grafana.example.org' | grep Found

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.1"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.1"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -14,6 +14,7 @@ spec:
       {{- range $name, $u := . }}
       {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
       {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
+      {{ $name }}/networks/ip: ["::/0"]
       {{- end }}
     {{- end }}
     profiles:

packages/apps/http-cache/images/nginx-cache.json

@@ -1,4 +1,48 @@
 {
-  "containerimage.config.digest": "sha256:aa7a9874c35d7fac8668a623744acbf376b48aed2ef1dc4b3a19054fdcff99cf",
-  "containerimage.digest": "sha256:d825427d433dda95db40264c6559b44c7bbb726e69279e90fe73fe8fc9265abb"
+  "buildx.build.provenance": {
+    "buildType": "https://mobyproject.org/buildkit@v1",
+    "materials": [
+      {
+        "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64",
+        "digest": {
+          "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221"
+        }
+      }
+    ],
+    "invocation": {
+      "configSource": {
+        "entryPoint": "Dockerfile"
+      },
+      "parameters": {
+        "frontend": "dockerfile.v0",
+        "args": {
+          "build-arg:ARCH": "amd64"
+        },
+        "locals": [
+          {
+            "name": "context"
+          },
+          {
+            "name": "dockerfile"
+          }
+        ]
+      },
+      "environment": {
+        "platform": "linux/amd64"
+      }
+    }
+  },
+  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/q6c6lcwah1m8gj7fxrdn94eaz",
+  "containerimage.config.digest": "sha256:304f57018d29e52d00cfc8c35e1d5112eeb3d85f0056de5112baab79748528ab",
+  "containerimage.descriptor": {
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "digest": "sha256:7d2554ce0a988672ceab3d3a7a504a06ca30d5ccb1de0b677871169147b3130e",
+    "size": 1094,
+    "platform": {
+      "architecture": "amd64",
+      "os": "linux"
+    }
+  },
+  "containerimage.digest": "sha256:7d2554ce0a988672ceab3d3a7a504a06ca30d5ccb1de0b677871169147b3130e",
+  "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.9.1"
 }

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/templates/topics.yaml

@@ -8,8 +8,12 @@ metadata:
     strimzi.io/cluster: "{{ $.Release.Name }}"
 spec:
   topicName: "{{ $topic.name }}"
-  partitions: 10
-  replicas: 3
+  {{- with $topic.partitions }}
+  partitions: "{{ . }}"
+  {{- end }}
+  {{- with $topic.replicas }}
+  replicas: "{{ . }}"
+  {{- end }}
   {{- with $topic.config }}
   config:
     {{- toYaml . | nindent 4 }}

packages/apps/kafka/values.yaml

@@ -32,6 +32,6 @@ zookeeper:
 ##       max.compaction.lag.ms: 5400000
 ##       min.insync.replicas: 2
 ##     partitions: 1
-##     replicationFactor: 3
+##     replicas: 3
 ##
 topics: []

packages/apps/kubernetes/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.19.4"
+appVersion: "1.30.1"

packages/apps/kubernetes/Makefile

@@ -1,4 +1,4 @@
-UBUNTU_CONTAINER_DISK_TAG = v1.29.1
+UBUNTU_CONTAINER_DISK_TAG = v1.30.1
 
 include ../../../scripts/common-envs.mk
 

packages/apps/kubernetes/README.md

@@ -36,3 +36,13 @@ kubectl get secret -n <namespace> kubernetes-<clusterName>-admin-kubeconfig -o g
 | `host`                  | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""`  |
 | `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components                                                                             | `2`   |
 | `nodeGroups`            | nodeGroups configuration                                                                                                               | `{}`  |
+
+### Cluster Addons
+
+| Name                          | Description                                                                        | Value   |
+| ----------------------------- | ---------------------------------------------------------------------------------- | ------- |
+| `addons.certManager.enabled`  | Enables the cert-manager                                                           | `false` |
+| `addons.ingressNginx.enabled` | Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)           | `false` |
+| `addons.ingressNginx.hosts`   | List of domain names that should be passed through to the cluster by upper cluster | `[]`    |
+| `addons.fluxcd.enabled`       | Enables Flux CD                                                                    | `false` |
+

packages/apps/kubernetes/images/ubuntu-container-disk.json

@@ -1,4 +1,48 @@
 {
-  "containerimage.config.digest": "sha256:24cee18d0bc9ed40e741412da86820dd99bdb9ffa4c794c81856725a4a10d86e",
-  "containerimage.digest": "sha256:6a43369905e0630bb401e1cf73084bbef3060e960756f261676cd3bea4195e9a"
+  "buildx.build.provenance": {
+    "buildType": "https://mobyproject.org/buildkit@v1",
+    "materials": [
+      {
+        "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64",
+        "digest": {
+          "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221"
+        }
+      }
+    ],
+    "invocation": {
+      "configSource": {
+        "entryPoint": "Dockerfile"
+      },
+      "parameters": {
+        "frontend": "dockerfile.v0",
+        "args": {
+          "build-arg:ARCH": "amd64"
+        },
+        "locals": [
+          {
+            "name": "context"
+          },
+          {
+            "name": "dockerfile"
+          }
+        ]
+      },
+      "environment": {
+        "platform": "linux/amd64"
+      }
+    }
+  },
+  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/px2lfxfyhlqfufdvuvk6z8aek",
+  "containerimage.config.digest": "sha256:c144c5f12a47af7880ee5f056b14177c07b585b8ab1e68b7e7900e1c923083cf",
+  "containerimage.descriptor": {
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805",
+    "size": 506,
+    "platform": {
+      "architecture": "amd64",
+      "os": "linux"
+    }
+  },
+  "containerimage.digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805",
+  "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1-v0.9.1"
 }

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1

packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile

@@ -26,8 +26,8 @@ RUN qemu-img resize image.img 5G \
  && guestfish --remote sh "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" \
  && guestfish --remote sh 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list' \
 # kubernetes repo
- && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
- && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
+ && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
+ && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
 # install containerd
  && guestfish --remote command "apt-get update -y" \
  && guestfish --remote command "apt-get install -y containerd.io" \

packages/apps/kubernetes/templates/cluster.yaml

@@ -2,6 +2,58 @@
 {{- $etcd := index $myNS.metadata.annotations "namespace.cozystack.io/etcd" }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+{{- $kubevirtmachinetemplateNames := list }}
+{{- define "kubevirtmachinetemplate" -}}
+spec:
+  virtualMachineBootstrapCheck:
+    checkStrategy: ssh
+  virtualMachineTemplate:
+    metadata:
+      namespace: {{ $.Release.Namespace }}
+      labels:
+        {{- range .group.roles }}
+        node-role.kubernetes.io/{{ . }}: ""
+        {{- end }}
+    spec:
+      runStrategy: Always
+      template:
+        spec:
+          domain:
+            cpu:
+              threads: 1
+              cores: {{ .group.resources.cpu }}
+              sockets: 1
+            devices:
+              disks:
+              - name: system
+                disk:
+                  bus: virtio
+                  pciAddress: 0000:07:00.0
+              - name: containerd
+                disk:
+                  bus: virtio
+                  pciAddress: 0000:08:00.0
+              - name: kubelet
+                disk:
+                  bus: virtio
+                  pciAddress: 0000:09:00.0
+              networkInterfaceMultiqueue: true
+            memory:
+              guest: {{ .group.resources.memory }}
+          evictionStrategy: External
+          volumes:
+          - name: system
+            containerDisk:
+              image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
+          - name: containerd
+            emptyDisk:
+              capacity: 20Gi
+          - name: kubelet
+            emptyDisk:
+              capacity: 20Gi
+{{- end }}
+
+
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: Cluster
@@ -57,7 +109,7 @@ spec:
       className: "{{ $ingress }}"
   deployment:
   replicas: 2
-  version: 1.29.4
+  version: 1.30.1
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtCluster
@@ -101,56 +153,20 @@ spec:
         skipPhases:
         - addon/kube-proxy
 ---
+{{- $context := deepCopy $ }}
+{{- $_ := set $context "group" $group }}
+{{- $kubevirtmachinetemplate := include "kubevirtmachinetemplate" $context }}
+{{- $kubevirtmachinetemplateHash := $kubevirtmachinetemplate | sha256sum | trunc 6 }}
+{{- $kubevirtmachinetemplateName := printf "%s-%s-%s" $.Release.Name $groupName $kubevirtmachinetemplateHash }}
+{{- $kubevirtmachinetemplateNames = append $kubevirtmachinetemplateNames $kubevirtmachinetemplateName }}
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtMachineTemplate
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
+  name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
   namespace: {{ $.Release.Namespace }}
 spec:
   template:
-    spec:
-      virtualMachineBootstrapCheck:
-        checkStrategy: ssh
-      virtualMachineTemplate:
-        metadata:
-          namespace: {{ $.Release.Namespace }}
-        spec:
-          runStrategy: Always
-          template:
-            spec:
-              domain:
-                cpu:
-                  threads: 1
-                  cores: {{ $group.resources.cpu }}
-                  sockets: 1
-                devices:
-                  disks:
-                  - name: system
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:07:00.0
-                  - name: containerd
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:08:00.0
-                  - name: kubelet
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:09:00.0
-                  networkInterfaceMultiqueue: true
-                memory:
-                  guest: {{ $group.resources.memory }}
-              evictionStrategy: External
-              volumes:
-              - name: system
-                containerDisk:
-                  image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
-              - name: containerd
-                emptyDisk:
-                  capacity: 20Gi
-              - name: kubelet
-                emptyDisk:
-                  capacity: 20Gi
+    {{- $kubevirtmachinetemplate | nindent 4 }}
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
@@ -165,18 +181,55 @@ metadata:
 spec:
   clusterName: {{ $.Release.Name }}
   template:
+    metadata:
+      labels:
+        cluster.x-k8s.io/cluster-name: {{ $.Release.Name }}
+        cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ $groupName }}
+        {{- range $group.roles }}
+        node-role.kubernetes.io/{{ . }}: ""
+        {{- end }}
     spec:
       bootstrap:
         configRef:
           apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
           kind: KubeadmConfigTemplate
           name: {{ $.Release.Name }}-{{ $groupName }}
-          namespace: default
+          namespace: {{ $.Release.Namespace }}
       clusterName: {{ $.Release.Name }}
       infrastructureRef:
         apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
         kind: KubevirtMachineTemplate
-        name: {{ $.Release.Name }}-{{ $groupName }}
+        name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
         namespace: default
-      version: v1.29.4
+      version: v1.30.1
+{{- end }}
+---
+{{- /*
+We must preserve all previous KubevirtMachineTemplates until a MachineSet references them.
+*/ -}}
+{{- $mss := (lookup "cluster.x-k8s.io/v1beta1" "MachineSet" $.Release.Namespace "").items }}
+{{- $oldKubevirtmachinetemplates := dict }}
+{{- range $kmt := (lookup "infrastructure.cluster.x-k8s.io/v1alpha1" "KubevirtMachineTemplate" .Release.Namespace "").items }}
+{{- range $or := $kmt.metadata.ownerReferences }}
+{{- if and (eq $or.kind "Cluster") (eq $or.name $.Release.Name) }}
+{{- range $ms := $mss }}
+{{- if and (eq $ms.spec.template.spec.infrastructureRef.kind "KubevirtMachineTemplate") (eq $ms.spec.template.spec.infrastructureRef.name $kmt.metadata.name) }}
+{{- if not (has $kmt.metadata.name $kubevirtmachinetemplateNames) }}
+{{- $oldKubevirtmachinetemplates = merge $oldKubevirtmachinetemplates (dict $kmt.metadata.name $kmt) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- range $oldKubevirtmachinetemplates }}
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
+kind: KubevirtMachineTemplate
+metadata:
+  name: {{ .metadata.name }}
+  namespace: {{ .metadata.Namespace }}
+spec:
+  {{- .spec | toYaml | nindent 2 }}
 {{- end }}

packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.addons.certManager.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-cert-manager
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: cert-manager
+  chart:
+    spec:
+      chart: cozy-cert-manager
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-cert-manager
+  storageNamespace: cozy-cert-manager
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: {{ .Release.Name }}-cilium
@@ -6,7 +6,7 @@ metadata:
     cozystack.io/repository: system
     coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
-  interval: 1m
+  interval: 5m
   releaseName: cilium
   chart:
     spec:
@@ -23,6 +23,11 @@ spec:
   storageNamespace: cozy-cilium
   install:
     createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
   values:
     cilium:
       tunnel: disabled
@@ -44,5 +49,7 @@ spec:
       enableIPv4Masquerade: true
       ipv4NativeRoutingCIDR: ""
   dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
+  {{- end }}

packages/apps/kubernetes/templates/helmreleases/csi.yaml

@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: {{ .Release.Name }}-csi
@@ -6,7 +6,7 @@ metadata:
     cozystack.io/repository: system
     coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
-  interval: 1m
+  interval: 5m
   releaseName: csi
   chart:
     spec:
@@ -23,6 +23,13 @@ spec:
   storageNamespace: cozy-csi
   install:
     createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
   dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
+  {{- end }}

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -20,17 +20,23 @@ spec:
           effect: "NoSchedule"
       containers:
         - name: kubectl
-          image: docker.io/clastix/kubectl:v1.29.1
+          image: docker.io/clastix/kubectl:v1.30.1
           command:
-            - kubectl
-            - --namespace={{ .Release.Namespace }}
-            - patch
-            - helmrelease
-            - {{ .Release.Name }}-cilium
-            - {{ .Release.Name }}-csi
-            - -p
-            - '{"spec": {"suspend": true}}'
-            - --type=merge
+            - /bin/sh
+            - -c
+            - |
+                kubectl
+                --namespace={{ .Release.Namespace }}
+                patch
+                helmrelease
+                {{ .Release.Name }}-cilium
+                {{ .Release.Name }}-csi
+                {{ .Release.Name }}-cert-manager
+                {{ .Release.Name }}-ingress-nginx
+                {{ .Release.Name }}-fluxcd-operator
+                {{ .Release.Name }}-fluxcd
+                -p '{"spec": {"suspend": true}}'
+                --type=merge --field-manager=flux-client-side-apply || true
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -60,6 +66,10 @@ rules:
     resourceNames:
       - {{ .Release.Name }}-cilium
       - {{ .Release.Name }}-csi
+      - {{ .Release.Name }}-cert-manager
+      - {{ .Release.Name }}-ingress-nginx
+      - {{ .Release.Name }}-fluxcd-operator
+      - {{ .Release.Name }}-fluxcd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml

@@ -0,0 +1,84 @@
+{{- if .Values.addons.fluxcd.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-fluxcd-operator
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: fluxcd-operator
+  chart:
+    spec:
+      chart: cozy-fluxcd-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-fluxcd
+  storageNamespace: cozy-fluxcd
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  values:
+    flux-operator:
+      fullnameOverride: flux-operator
+      tolerations: []
+      hostNetwork: false
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-fluxcd
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: fluxcd
+  chart:
+    spec:
+      chart: cozy-fluxcd
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-fluxcd
+  storageNamespace: cozy-fluxcd
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-fluxcd-operator
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml

@@ -0,0 +1,49 @@
+{{- if .Values.addons.ingressNginx.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-ingress-nginx
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: ingress-nginx
+  chart:
+    spec:
+      chart: cozy-ingress-nginx
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-ingress-nginx
+  storageNamespace: cozy-ingress-nginx
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  values:
+    ingress-nginx:
+      fullnameOverride: ingress-nginx
+      controller:
+        kind: DaemonSet
+        hostNetwork: true
+        service:
+          enabled: false
+      nodeSelector:
+        node-role.kubernetes.io/ingress-nginx: ""
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/apps/kubernetes/templates/ingress.yaml

@@ -0,0 +1,45 @@
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- if .Values.addons.ingressNginx.hosts }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}-ingress-nginx
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+spec:
+  ingressClassName: "{{ $ingress }}"
+  rules:
+  {{- range .Values.addons.ingressNginx.hosts }}
+  - host: {{ . | quote }}
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ $.Release.Name }}-ingress-nginx
+            port:
+              number: 443
+  {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-ingress-nginx
+spec:
+  ports:
+  - appProtocol: http
+    name: http
+    port: 80
+    targetPort: 80
+  - appProtocol: https
+    name: https
+    port: 443
+    targetPort: 443
+  selector:
+    cluster.x-k8s.io/cluster-name: {{ .Release.Name }}
+    node-role.kubernetes.io/ingress-nginx: ""
+{{- end }}

packages/apps/kubernetes/values.schema.json

@@ -16,6 +16,47 @@
                     "default": 2
                 }
             }
+        },
+        "addons": {
+            "type": "object",
+            "properties": {
+                "certManager": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Enables the cert-manager",
+                            "default": false
+                        }
+                    }
+                },
+                "ingressNginx": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)",
+                            "default": false
+                        },
+                        "hosts": {
+                            "type": "array",
+                            "description": "List of domain names that should be passed through to the cluster by upper cluster",
+                            "default": [],
+                            "items": {}
+                        }
+                    }
+                },
+                "fluxcd": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Enables Flux CD",
+                            "default": false
+                        }
+                    }
+                }
+            }
         }
     }
 }

packages/apps/kubernetes/values.yaml

@@ -16,3 +16,36 @@ nodeGroups:
     resources:
       cpu: 2
       memory: 1024Mi
+    roles:
+    - ingress-nginx
+
+## @section Cluster Addons
+##
+addons:
+
+  ## Cert-manager: automatically creates and manages SSL/TLS certificate
+  ##
+  certManager:
+    ## @param addons.certManager.enabled Enables the cert-manager
+    enabled: false
+
+  ## Ingress-NGINX Controller
+  ##
+  ingressNginx:
+    ## @param addons.ingressNginx.enabled Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)
+    ##
+    enabled: false
+    ## @param addons.ingressNginx.hosts List of domain names that should be passed through to the cluster by upper cluster
+    ## e.g:
+    ## hosts:
+    ## - example.org
+    ## - foo.example.net
+    ##
+    hosts: []
+
+  ## Flux CD
+  ##
+  fluxcd:
+    ## @param addons.fluxcd.enabled Enables Flux CD
+    ##
+    enabled: false

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.1
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/README.md

@@ -35,11 +35,13 @@ more details:
 
 ### Common parameters
 
-| Name       | Description                                     | Value   |
-| ---------- | ----------------------------------------------- | ------- |
-| `external` | Enable external access from outside the cluster | `false` |
-| `size`     | Persistent Volume size                          | `10Gi`  |
-| `replicas` | Number of MariaDB replicas                      | `2`     |
+| Name                     | Description                                                                                                             | Value   |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- |
+| `external`               | Enable external access from outside the cluster                                                                         | `false` |
+| `size`                   | Persistent Volume size                                                                                                  | `10Gi`  |
+| `replicas`               | Number of Postgres replicas                                                                                             | `2`     |
+| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.           | `0`     |
+| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0`     |
 
 ### Configuration parameters
 

packages/apps/postgres/templates/db.yaml

@@ -11,6 +11,9 @@ spec:
     parameters:
       max_wal_senders: "30"
 
+  minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
+  maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}
+
   monitoring:
     enablePodMonitor: true
 

packages/apps/postgres/values.schema.json

@@ -14,9 +14,24 @@
         },
         "replicas": {
             "type": "number",
-            "description": "Number of MariaDB replicas",
+            "description": "Number of Postgres replicas",
             "default": 2
         },
+        "quorum": {
+            "type": "object",
+            "properties": {
+                "minSyncReplicas": {
+                    "type": "number",
+                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
+                    "default": 0
+                },
+                "maxSyncReplicas": {
+                    "type": "number",
+                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
+                    "default": 0
+                }
+            }
+        },
         "databases": {
             "type": "object",
             "description": "Databases configuration",

packages/apps/postgres/values.yaml

@@ -2,12 +2,19 @@
 
 ## @param external Enable external access from outside the cluster
 ## @param size Persistent Volume size
-## @param replicas Number of MariaDB replicas
+## @param replicas Number of Postgres replicas
 ##
 external: false
 size: 10Gi
 replicas: 2
 
+## Configuration for the quorum-based synchronous replication
+## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
+## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
+quorum:
+  minSyncReplicas: 0
+  maxSyncReplicas: 0
+
 ## @section Configuration parameters
 
 ## @param users [object] Users configuration

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: https://upload.wikimedia.org/wikipedia/commons/0/04/User_icon_1.svg
 
 type: application
-version: 1.1.0
+version: 1.2.0

packages/apps/tenant/README.md

@@ -25,7 +25,7 @@ tenant-root (example.org)
 
 Thus, you can create `tenant-u1` with a set of services like `etcd`, `ingress`, `monitoring`. And create another tenant namespace `tenant-u2` inside of `tenant-u1`.
 
-Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namesapce.
+Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namespace.
 
 Since `tenant-u2` does not have its own cluster services like `etcd`, `ingress`, and `monitoring`, the applications will use the cluster services of the parent tenant.  
 This in turn means:

packages/apps/tenant/templates/etcd.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.etcd }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: etcd

packages/apps/tenant/templates/ingress.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.ingress }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: ingress

packages/apps/tenant/templates/monitoring.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.monitoring }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: monitoring

packages/apps/versions_map

@@ -1,19 +1,24 @@
 clickhouse 0.1.0 ca79f72
-clickhouse 0.2.0 HEAD
+clickhouse 0.2.0 7cd7de73
+clickhouse 0.2.1 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
-kafka 0.2.0 HEAD
+kafka 0.2.0 a2cc83d
+kafka 0.2.1 HEAD
 kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
-kubernetes 0.4.0 HEAD
+kubernetes 0.4.0 6cae6ce8
+kubernetes 0.5.0 6bd2d455
+kubernetes 0.6.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
 postgres 0.1.0 f642698
 postgres 0.2.0 7cd7de73
-postgres 0.2.1 HEAD
+postgres 0.2.1 4a97e297
+postgres 0.3.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698
@@ -24,7 +29,8 @@ tenant 0.1.3 3d1b86c
 tenant 0.1.4 d200480
 tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
-tenant 1.1.0 HEAD
+tenant 1.1.0 4da8ac3b
+tenant 1.2.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD

packages/core/fluxcd/Makefile

@@ -1,20 +0,0 @@
-NAME=fluxcd
-NAMESPACE=cozy-$(NAME)
-
-API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions))
-
-show:
-	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS)
-
-apply:
-	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f-
-
-diff:
-	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-
-
-update:
-	rm -rf charts
-	helm repo add fluxcd-community https://fluxcd-community.github.io/helm-charts
-	helm repo update fluxcd-community
-	helm pull fluxcd-community/flux2 --untar --untardir charts
-	sed -i 's/\.{{ \.Values\.clusterDomain | default "cluster\.local" }}\.//g' `grep -rl '.{{ .Values.clusterDomain | default "cluster.local" }}.' charts`

packages/core/fluxcd/charts/flux2/Chart.yaml

@@ -1,11 +0,0 @@
-annotations:
-  artifacthub.io/changes: |
-    - "[Chore]: Update App Version to upstream 2.2.3"
-apiVersion: v2
-appVersion: 2.2.3
-description: A Helm chart for flux2
-name: flux2
-sources:
-- https://github.com/fluxcd-community/helm-charts
-type: application
-version: 2.12.4

packages/core/fluxcd/charts/flux2/README.md

@@ -1,174 +0,0 @@
-# flux2
-
-![Version: 2.12.4](https://img.shields.io/badge/Version-2.12.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.3](https://img.shields.io/badge/AppVersion-2.2.3-informational?style=flat-square)
-
-A Helm chart for flux2
-
-This helm chart is maintained and released by the fluxcd-community on a best effort basis.
-
-## Source Code
-
-* <https://github.com/fluxcd-community/helm-charts>
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| cli.affinity | object | `{}` |  |
-| cli.annotations | object | `{}` |  |
-| cli.image | string | `"ghcr.io/fluxcd/flux-cli"` |  |
-| cli.nodeSelector | object | `{}` |  |
-| cli.serviceAccount.automount | bool | `true` |  |
-| cli.tag | string | `"v2.2.3"` |  |
-| cli.tolerations | list | `[]` |  |
-| clusterDomain | string | `"cluster.local"` |  |
-| crds.annotations | object | `{}` | Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep |
-| extraObjects | list | `[]` | Array of extra K8s manifests to deploy |
-| helmController.affinity | object | `{}` |  |
-| helmController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| helmController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| helmController.container.additionalArgs | list | `[]` |  |
-| helmController.create | bool | `true` |  |
-| helmController.extraEnv | list | `[]` |  |
-| helmController.image | string | `"ghcr.io/fluxcd/helm-controller"` |  |
-| helmController.imagePullPolicy | string | `""` |  |
-| helmController.labels | object | `{}` |  |
-| helmController.nodeSelector | object | `{}` |  |
-| helmController.priorityClassName | string | `""` |  |
-| helmController.resources.limits | object | `{}` |  |
-| helmController.resources.requests.cpu | string | `"100m"` |  |
-| helmController.resources.requests.memory | string | `"64Mi"` |  |
-| helmController.serviceAccount.annotations | object | `{}` |  |
-| helmController.serviceAccount.automount | bool | `true` |  |
-| helmController.serviceAccount.create | bool | `true` |  |
-| helmController.tag | string | `"v0.37.4"` |  |
-| helmController.tolerations | list | `[]` |  |
-| imageAutomationController.affinity | object | `{}` |  |
-| imageAutomationController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| imageAutomationController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| imageAutomationController.container.additionalArgs | list | `[]` |  |
-| imageAutomationController.create | bool | `true` |  |
-| imageAutomationController.extraEnv | list | `[]` |  |
-| imageAutomationController.image | string | `"ghcr.io/fluxcd/image-automation-controller"` |  |
-| imageAutomationController.imagePullPolicy | string | `""` |  |
-| imageAutomationController.labels | object | `{}` |  |
-| imageAutomationController.nodeSelector | object | `{}` |  |
-| imageAutomationController.priorityClassName | string | `""` |  |
-| imageAutomationController.resources.limits | object | `{}` |  |
-| imageAutomationController.resources.requests.cpu | string | `"100m"` |  |
-| imageAutomationController.resources.requests.memory | string | `"64Mi"` |  |
-| imageAutomationController.serviceAccount.annotations | object | `{}` |  |
-| imageAutomationController.serviceAccount.automount | bool | `true` |  |
-| imageAutomationController.serviceAccount.create | bool | `true` |  |
-| imageAutomationController.tag | string | `"v0.37.1"` |  |
-| imageAutomationController.tolerations | list | `[]` |  |
-| imagePullSecrets | list | `[]` | contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers |
-| imageReflectionController.affinity | object | `{}` |  |
-| imageReflectionController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| imageReflectionController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| imageReflectionController.container.additionalArgs | list | `[]` |  |
-| imageReflectionController.create | bool | `true` |  |
-| imageReflectionController.extraEnv | list | `[]` |  |
-| imageReflectionController.image | string | `"ghcr.io/fluxcd/image-reflector-controller"` |  |
-| imageReflectionController.imagePullPolicy | string | `""` |  |
-| imageReflectionController.labels | object | `{}` |  |
-| imageReflectionController.nodeSelector | object | `{}` |  |
-| imageReflectionController.priorityClassName | string | `""` |  |
-| imageReflectionController.resources.limits | object | `{}` |  |
-| imageReflectionController.resources.requests.cpu | string | `"100m"` |  |
-| imageReflectionController.resources.requests.memory | string | `"64Mi"` |  |
-| imageReflectionController.serviceAccount.annotations | object | `{}` |  |
-| imageReflectionController.serviceAccount.automount | bool | `true` |  |
-| imageReflectionController.serviceAccount.create | bool | `true` |  |
-| imageReflectionController.tag | string | `"v0.31.2"` |  |
-| imageReflectionController.tolerations | list | `[]` |  |
-| installCRDs | bool | `true` |  |
-| kustomizeController.affinity | object | `{}` |  |
-| kustomizeController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| kustomizeController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| kustomizeController.container.additionalArgs | list | `[]` |  |
-| kustomizeController.create | bool | `true` |  |
-| kustomizeController.envFrom | object | `{"map":{"name":""},"secret":{"name":""}}` | Defines envFrom using a configmap and/or secret. |
-| kustomizeController.extraEnv | list | `[]` |  |
-| kustomizeController.extraSecretMounts | list | `[]` | Defines additional mounts with secrets. Secrets must be manually created in the namespace or with kustomizeController.secret |
-| kustomizeController.image | string | `"ghcr.io/fluxcd/kustomize-controller"` |  |
-| kustomizeController.imagePullPolicy | string | `""` |  |
-| kustomizeController.labels | object | `{}` |  |
-| kustomizeController.nodeSelector | object | `{}` |  |
-| kustomizeController.priorityClassName | string | `""` |  |
-| kustomizeController.resources.limits | object | `{}` |  |
-| kustomizeController.resources.requests.cpu | string | `"100m"` |  |
-| kustomizeController.resources.requests.memory | string | `"64Mi"` |  |
-| kustomizeController.secret.create | bool | `false` | Create a secret to use it with extraSecretMounts. Defaults to false. |
-| kustomizeController.secret.data | object | `{}` |  |
-| kustomizeController.secret.name | string | `""` |  |
-| kustomizeController.serviceAccount.annotations | object | `{}` |  |
-| kustomizeController.serviceAccount.automount | bool | `true` |  |
-| kustomizeController.serviceAccount.create | bool | `true` |  |
-| kustomizeController.tag | string | `"v1.2.2"` |  |
-| kustomizeController.tolerations | list | `[]` |  |
-| logLevel | string | `"info"` |  |
-| multitenancy.defaultServiceAccount | string | `"default"` | All Kustomizations and HelmReleases which don’t have spec.serviceAccountName specified, will use the default account from the tenant’s namespace. Tenants have to specify a service account in their Flux resources to be able to deploy workloads in their namespaces as the default account has no permissions. |
-| multitenancy.enabled | bool | `false` | Implement the patches for Multi-tenancy lockdown. See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown |
-| multitenancy.privileged | bool | `true` | Both kustomize-controller and helm-controller service accounts run privileged with cluster-admin ClusterRoleBinding. Disable if you want to run them with a minimum set of permissions. |
-| notificationController.affinity | object | `{}` |  |
-| notificationController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| notificationController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| notificationController.container.additionalArgs | list | `[]` |  |
-| notificationController.create | bool | `true` |  |
-| notificationController.extraEnv | list | `[]` |  |
-| notificationController.image | string | `"ghcr.io/fluxcd/notification-controller"` |  |
-| notificationController.imagePullPolicy | string | `""` |  |
-| notificationController.labels | object | `{}` |  |
-| notificationController.nodeSelector | object | `{}` |  |
-| notificationController.priorityClassName | string | `""` |  |
-| notificationController.resources.limits | object | `{}` |  |
-| notificationController.resources.requests.cpu | string | `"100m"` |  |
-| notificationController.resources.requests.memory | string | `"64Mi"` |  |
-| notificationController.service.annotations | object | `{}` |  |
-| notificationController.service.labels | object | `{}` |  |
-| notificationController.serviceAccount.annotations | object | `{}` |  |
-| notificationController.serviceAccount.automount | bool | `true` |  |
-| notificationController.serviceAccount.create | bool | `true` |  |
-| notificationController.tag | string | `"v1.2.4"` |  |
-| notificationController.tolerations | list | `[]` |  |
-| notificationController.webhookReceiver.ingress.annotations | object | `{}` |  |
-| notificationController.webhookReceiver.ingress.create | bool | `false` |  |
-| notificationController.webhookReceiver.ingress.hosts[0].host | string | `"flux-webhook.example.com"` |  |
-| notificationController.webhookReceiver.ingress.hosts[0].paths[0].path | string | `"/"` |  |
-| notificationController.webhookReceiver.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
-| notificationController.webhookReceiver.ingress.labels | object | `{}` |  |
-| notificationController.webhookReceiver.ingress.tls | list | `[]` |  |
-| notificationController.webhookReceiver.service.annotations | object | `{}` |  |
-| notificationController.webhookReceiver.service.labels | object | `{}` |  |
-| policies.create | bool | `true` |  |
-| prometheus.podMonitor.create | bool | `false` | Enables podMonitor endpoint |
-| prometheus.podMonitor.podMetricsEndpoints[0].port | string | `"http-prom"` |  |
-| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].action | string | `"keep"` |  |
-| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].regex | string | `"Running"` |  |
-| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_phase"` |  |
-| rbac.annotations | object | `{}` | Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep |
-| rbac.create | bool | `true` |  |
-| rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to Flux custom resources |
-| sourceController.affinity | object | `{}` |  |
-| sourceController.annotations."prometheus.io/port" | string | `"8080"` |  |
-| sourceController.annotations."prometheus.io/scrape" | string | `"true"` |  |
-| sourceController.container.additionalArgs | list | `[]` |  |
-| sourceController.create | bool | `true` |  |
-| sourceController.extraEnv | list | `[]` |  |
-| sourceController.image | string | `"ghcr.io/fluxcd/source-controller"` |  |
-| sourceController.imagePullPolicy | string | `""` |  |
-| sourceController.labels | object | `{}` |  |
-| sourceController.nodeSelector | object | `{}` |  |
-| sourceController.priorityClassName | string | `""` |  |
-| sourceController.resources.limits | object | `{}` |  |
-| sourceController.resources.requests.cpu | string | `"100m"` |  |
-| sourceController.resources.requests.memory | string | `"64Mi"` |  |
-| sourceController.service.annotations | object | `{}` |  |
-| sourceController.service.labels | object | `{}` |  |
-| sourceController.serviceAccount.annotations | object | `{}` |  |
-| sourceController.serviceAccount.automount | bool | `true` |  |
-| sourceController.serviceAccount.create | bool | `true` |  |
-| sourceController.tag | string | `"v1.2.4"` |  |
-| sourceController.tolerations | list | `[]` |  |
-| watchAllNamespaces | bool | `true` |  |

packages/core/fluxcd/charts/flux2/templates/_helper.tpl

@@ -1,7 +0,0 @@
-{{- define "template.image" -}}
-{{- if eq (substr 0 7 .tag) "sha256:" -}}
-{{- printf "%s@%s" .image .tag -}}
-{{- else -}}
-{{- printf "%s:%s" .image .tag -}}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml

@@ -1,47 +0,0 @@
-{{- if .Values.rbac.createAggregation }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  name: flux-edit
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups:
-      - notification.toolkit.fluxcd.io
-      - source.toolkit.fluxcd.io
-      - helm.toolkit.fluxcd.io
-      - image.toolkit.fluxcd.io
-      - kustomize.toolkit.fluxcd.io
-    resources: ["*"]
-    verbs:
-      - create
-      - delete
-      - deletecollection
-      - patch
-      - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: flux-view
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-rules:
-  - apiGroups:
-      - notification.toolkit.fluxcd.io
-      - source.toolkit.fluxcd.io
-      - helm.toolkit.fluxcd.io
-      - image.toolkit.fluxcd.io
-      - kustomize.toolkit.fluxcd.io
-    resources: ["*"]
-    verbs:
-      - get
-      - list
-      - watch
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml

@@ -1,26 +0,0 @@
-{{- if and .Values.rbac.create (or (not .Values.multitenancy.enabled) .Values.multitenancy.privileged) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: cluster-reconciler
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ .Values.rbac.roleRef.name }}
-subjects:
-- kind: ServiceAccount
-  name: kustomize-controller
-  namespace: {{ .Release.Namespace }}
-- kind: ServiceAccount
-  name: helm-controller
-  namespace: {{ .Release.Namespace }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml

@@ -1,19 +0,0 @@
-{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  name: cluster-reconciler-impersonator
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-rules:
-- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["impersonate"]
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml

@@ -1,26 +0,0 @@
-{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: cluster-reconciler-impersonator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-reconciler-impersonator
-subjects:
-- kind: ServiceAccount
-  name: kustomize-controller
-  namespace: {{ .Release.Namespace }}
-- kind: ServiceAccount
-  name: helm-controller
-  namespace: {{ .Release.Namespace }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml

@@ -1,82 +0,0 @@
-{{- if and .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  name: crd-controller
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-rules:
-- apiGroups: ['source.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
-- apiGroups: ['kustomize.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
-- apiGroups: ['helm.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
-- apiGroups: ['notification.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
-- apiGroups: ['image.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  - secrets
-  - configmaps
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-# required by leader election
-- apiGroups:
-    - ""
-  resources:
-    - configmaps
-  verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - patch
-    - delete
-- apiGroups:
-    - ""
-  resources:
-    - configmaps/status
-  verbs:
-    - get
-    - update
-    - patch
-- apiGroups:
-  - "coordination.k8s.io"
-  resources:
-  - leases
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml

@@ -1,38 +0,0 @@
-{{- if and .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  {{- with .Values.rbac.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-  name: crd-controller
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: crd-controller
-subjects:
-  - kind: ServiceAccount
-    name: kustomize-controller
-    namespace: {{ .Release.Namespace }}
-  - kind: ServiceAccount
-    name: helm-controller
-    namespace: {{ .Release.Namespace }}
-  - kind: ServiceAccount
-    name: source-controller
-    namespace: {{ .Release.Namespace }}
-  - kind: ServiceAccount
-    name: notification-controller
-    namespace: {{ .Release.Namespace }}
-  - kind: ServiceAccount
-    name: image-reflector-controller
-    namespace: {{ .Release.Namespace }}
-  - kind: ServiceAccount
-    name: image-automation-controller
-    namespace: {{ .Release.Namespace }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml

@@ -1,4 +0,0 @@
-{{ range .Values.extraObjects }}
----
-{{ tpl (toYaml .) $ }}
-{{ end }}

packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.helmController.create}}
-{{- if .Values.helmController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: helm-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: helm-controller
-  {{- with .Values.helmController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml

@@ -1,133 +0,0 @@
-{{- if and .Values.helmController.create}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: helm-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.helmController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: helm-controller
-spec:
-  {{- if kindIs "invalid" .Values.helmController.replicas }}
-  replicas: 1
-  {{- else }}
-  replicas: {{ .Values.helmController.replicas  }}
-  {{- end}}
-  selector:
-    matchLabels:
-      app: helm-controller
-  template:
-    metadata:
-      {{- with .Values.helmController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: helm-controller
-{{ with .Values.helmController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.helmController.serviceAccount.automount }}
-    {{- if .Values.helmController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.helmController.initContainers | nindent 8}}
-    {{- end}}
-      containers:
-      - args:
-        {{- if .Values.multitenancy.enabled }}
-        - --no-cross-namespace-refs=true
-        - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
-        {{- end}}
-        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        {{- range .Values.helmController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.helmController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        image: {{ template "template.image" .Values.helmController }}
-        {{- if .Values.helmController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.helmController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 8080
-          name: http-prom
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        {{- with .Values.helmController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.helmController.securityContext }}
-        securityContext: {{ toYaml .Values.helmController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /tmp
-          name: temp
-        {{- if .Values.helmController.volumeMounts }}
-        {{- toYaml .Values.helmController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.helmController.priorityClassName }}
-      priorityClassName: {{ .Values.helmController.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.helmController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.helmController.podSecurityContext | nindent 8 }}
-      {{- end }}
-      serviceAccountName: helm-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 600
-      volumes:
-      - emptyDir: {}
-        name: temp
-      {{- if .Values.helmController.volumes }}
-      {{- toYaml .Values.helmController.volumes | nindent 6 }}
-      {{- end}}
-      {{- with .Values.helmController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.helmController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.helmController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.imageAutomationController.create }}
-{{- if .Values.imageAutomationController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: image-automation-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: image-automation-controller
-  {{- with .Values.imageAutomationController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml

@@ -1,326 +0,0 @@
-{{- if and .Values.installCRDs .Values.imageAutomationController.create }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
-    {{- with .Values.crds.annotations }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  labels:
-    app.kubernetes.io/component: image-automation-controller
-    app.kubernetes.io/instance: '{{ .Release.Namespace }}'
-    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
-    app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
-    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-  name: imageupdateautomations.image.toolkit.fluxcd.io
-spec:
-  group: image.toolkit.fluxcd.io
-  names:
-    kind: ImageUpdateAutomation
-    listKind: ImageUpdateAutomationList
-    plural: imageupdateautomations
-    singular: imageupdateautomation
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.lastAutomationRunTime
-      name: Last run
-      type: string
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: ImageUpdateAutomation is the Schema for the imageupdateautomations
-          API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ImageUpdateAutomationSpec defines the desired state of ImageUpdateAutomation
-            properties:
-              git:
-                description: GitSpec contains all the git-specific definitions. This
-                  is technically optional, but in practice mandatory until there are
-                  other kinds of source allowed.
-                properties:
-                  checkout:
-                    description: Checkout gives the parameters for cloning the git
-                      repository, ready to make changes. If not present, the `spec.ref`
-                      field from the referenced `GitRepository` or its default will
-                      be used.
-                    properties:
-                      ref:
-                        description: Reference gives a branch, tag or commit to clone
-                          from the Git repository.
-                        properties:
-                          branch:
-                            description: Branch to check out, defaults to 'master'
-                              if no other field is defined.
-                            type: string
-                          commit:
-                            description: "Commit SHA to check out, takes precedence
-                              over all reference fields. \n This can be combined with
-                              Branch to shallow clone the branch, in which the commit
-                              is expected to exist."
-                            type: string
-                          name:
-                            description: "Name of the reference to check out; takes
-                              precedence over Branch, Tag and SemVer. \n It must be
-                              a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description
-                              Examples: \"refs/heads/main\", \"refs/tags/v0.1.0\",
-                              \"refs/pull/420/head\", \"refs/merge-requests/1/head\""
-                            type: string
-                          semver:
-                            description: SemVer tag expression to check out, takes
-                              precedence over Tag.
-                            type: string
-                          tag:
-                            description: Tag to check out, takes precedence over Branch.
-                            type: string
-                        type: object
-                    required:
-                    - ref
-                    type: object
-                  commit:
-                    description: Commit specifies how to commit to the git repository.
-                    properties:
-                      author:
-                        description: Author gives the email and optionally the name
-                          to use as the author of commits.
-                        properties:
-                          email:
-                            description: Email gives the email to provide when making
-                              a commit.
-                            type: string
-                          name:
-                            description: Name gives the name to provide when making
-                              a commit.
-                            type: string
-                        required:
-                        - email
-                        type: object
-                      messageTemplate:
-                        description: MessageTemplate provides a template for the commit
-                          message, into which will be interpolated the details of
-                          the change made.
-                        type: string
-                      signingKey:
-                        description: SigningKey provides the option to sign commits
-                          with a GPG key
-                        properties:
-                          secretRef:
-                            description: SecretRef holds the name to a secret that
-                              contains a 'git.asc' key corresponding to the ASCII
-                              Armored file containing the GPG signing keypair as the
-                              value. It must be in the same namespace as the ImageUpdateAutomation.
-                            properties:
-                              name:
-                                description: Name of the referent.
-                                type: string
-                            required:
-                            - name
-                            type: object
-                        type: object
-                    required:
-                    - author
-                    type: object
-                  push:
-                    description: Push specifies how and where to push commits made
-                      by the automation. If missing, commits are pushed (back) to
-                      `.spec.checkout.branch` or its default.
-                    properties:
-                      branch:
-                        description: Branch specifies that commits should be pushed
-                          to the branch named. The branch is created using `.spec.checkout.branch`
-                          as the starting point, if it doesn't already exist.
-                        type: string
-                      options:
-                        additionalProperties:
-                          type: string
-                        description: 'Options specifies the push options that are
-                          sent to the Git server when performing a push operation.
-                          For details, see: https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt'
-                        type: object
-                      refspec:
-                        description: 'Refspec specifies the Git Refspec to use for
-                          a push operation. If both Branch and Refspec are provided,
-                          then the commit is pushed to the branch and also using the
-                          specified refspec. For more details about Git Refspecs,
-                          see: https://git-scm.com/book/en/v2/Git-Internals-The-Refspec'
-                        type: string
-                    type: object
-                required:
-                - commit
-                type: object
-              interval:
-                description: Interval gives an lower bound for how often the automation
-                  run should be attempted.
-                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
-                type: string
-              sourceRef:
-                description: SourceRef refers to the resource giving access details
-                  to a git repository.
-                properties:
-                  apiVersion:
-                    description: API version of the referent.
-                    type: string
-                  kind:
-                    default: GitRepository
-                    description: Kind of the referent.
-                    enum:
-                    - GitRepository
-                    type: string
-                  name:
-                    description: Name of the referent.
-                    type: string
-                  namespace:
-                    description: Namespace of the referent, defaults to the namespace
-                      of the Kubernetes resource object that contains the reference.
-                    type: string
-                required:
-                - kind
-                - name
-                type: object
-              suspend:
-                description: Suspend tells the controller to not run this automation,
-                  until it is unset (or set to false). Defaults to false.
-                type: boolean
-              update:
-                default:
-                  strategy: Setters
-                description: Update gives the specification for how to update the
-                  files in the repository. This can be left empty, to use the default
-                  value.
-                properties:
-                  path:
-                    description: Path to the directory containing the manifests to
-                      be updated. Defaults to 'None', which translates to the root
-                      path of the GitRepositoryRef.
-                    type: string
-                  strategy:
-                    default: Setters
-                    description: Strategy names the strategy to be used.
-                    enum:
-                    - Setters
-                    type: string
-                required:
-                - strategy
-                type: object
-            required:
-            - interval
-            - sourceRef
-            type: object
-          status:
-            default:
-              observedGeneration: -1
-            description: ImageUpdateAutomationStatus defines the observed state of
-              ImageUpdateAutomation
-            properties:
-              conditions:
-                items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              lastAutomationRunTime:
-                description: LastAutomationRunTime records the last time the controller
-                  ran this automation through to completion (even if no updates were
-                  made).
-                format: date-time
-                type: string
-              lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
-                type: string
-              lastPushCommit:
-                description: LastPushCommit records the SHA1 of the last commit made
-                  by the controller, for this automation object
-                type: string
-              lastPushTime:
-                description: LastPushTime records the time of the last pushed change.
-                format: date-time
-                type: string
-              observedGeneration:
-                format: int64
-                type: integer
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml

@@ -1,135 +0,0 @@
-{{- if and .Values.imageAutomationController.create}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: image-automation-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.imageAutomationController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: image-automation-controller
-spec:
-  {{- if kindIs "invalid" .Values.imageAutomationController.replicas }}
-  replicas: 1
-  {{- else }}
-  replicas: {{ .Values.imageAutomationController.replicas  }}
-  {{- end}}
-  selector:
-    matchLabels:
-      app: image-automation-controller
-  template:
-    metadata:
-      {{- with .Values.imageAutomationController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: image-automation-controller
-{{ with .Values.imageAutomationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.imageAutomationController.serviceAccount.automount }}
-      {{- if .Values.imageAutomationController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.imageAutomationController.initContainers | nindent 8}}
-      {{- end}}
-      containers:
-      - args:
-        {{- if .Values.multitenancy.enabled }}
-        - --no-cross-namespace-refs=true
-        {{- end}}
-        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        {{- range .Values.imageAutomationController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.imageAutomationController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        image: {{ template "template.image" .Values.imageAutomationController }}
-        {{- if .Values.imageAutomationController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.imageAutomationController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 8080
-          name: http-prom
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        {{- with .Values.imageAutomationController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.imageAutomationController.securityContext }}
-        securityContext: {{ toYaml .Values.imageAutomationController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /tmp
-          name: temp
-        {{- if .Values.imageAutomationController.volumeMounts }}
-        {{- toYaml .Values.imageAutomationController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.imageAutomationController.priorityClassName }}
-      priorityClassName: {{ .Values.imageAutomationController.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.imageAutomationController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.imageAutomationController.podSecurityContext | nindent 8 }}
-      {{- else }}
-      securityContext:
-        fsGroup: 1337
-      {{- end}}
-      serviceAccountName: image-automation-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 10
-      volumes:
-      - emptyDir: {}
-        name: temp
-      {{- if .Values.imageAutomationController.volumes }}
-      {{- toYaml .Values.imageAutomationController.volumes | nindent 6 }}
-      {{- end}}
-      {{- with .Values.imageAutomationController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.imageAutomationController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.imageAutomationController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.imageReflectionController.create }}
-{{- if .Values.imageReflectionController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: image-reflector-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: image-reflector-controller
-  {{- with .Values.imageReflectionController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml

@@ -1,901 +0,0 @@
-{{- if and .Values.installCRDs .Values.imageReflectionController.create }}
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
-    {{- with .Values.crds.annotations }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  labels:
-    app.kubernetes.io/component: image-reflector-controller
-    app.kubernetes.io/instance: '{{ .Release.Namespace }}'
-    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
-    app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
-    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-  name: imagepolicies.image.toolkit.fluxcd.io
-spec:
-  group: image.toolkit.fluxcd.io
-  names:
-    kind: ImagePolicy
-    listKind: ImagePolicyList
-    plural: imagepolicies
-    singular: imagepolicy
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.latestImage
-      name: LatestImage
-      type: string
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: ImagePolicy is the Schema for the imagepolicies API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ImagePolicySpec defines the parameters for calculating the
-              ImagePolicy
-            properties:
-              filterTags:
-                description: FilterTags enables filtering for only a subset of tags
-                  based on a set of rules. If no rules are provided, all the tags
-                  from the repository will be ordered and compared.
-                properties:
-                  extract:
-                    description: Extract allows a capture group to be extracted from
-                      the specified regular expression pattern, useful before tag
-                      evaluation.
-                    type: string
-                  pattern:
-                    description: Pattern specifies a regular expression pattern used
-                      to filter for image tags.
-                    type: string
-                type: object
-              imageRepositoryRef:
-                description: ImageRepositoryRef points at the object specifying the
-                  image being scanned
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                  namespace:
-                    description: Namespace of the referent, when not specified it
-                      acts as LocalObjectReference.
-                    type: string
-                required:
-                - name
-                type: object
-              policy:
-                description: Policy gives the particulars of the policy to be followed
-                  in selecting the most recent image
-                properties:
-                  alphabetical:
-                    description: Alphabetical set of rules to use for alphabetical
-                      ordering of the tags.
-                    properties:
-                      order:
-                        default: asc
-                        description: Order specifies the sorting order of the tags.
-                          Given the letters of the alphabet as tags, ascending order
-                          would select Z, and descending order would select A.
-                        enum:
-                        - asc
-                        - desc
-                        type: string
-                    type: object
-                  numerical:
-                    description: Numerical set of rules to use for numerical ordering
-                      of the tags.
-                    properties:
-                      order:
-                        default: asc
-                        description: Order specifies the sorting order of the tags.
-                          Given the integer values from 0 to 9 as tags, ascending
-                          order would select 9, and descending order would select
-                          0.
-                        enum:
-                        - asc
-                        - desc
-                        type: string
-                    type: object
-                  semver:
-                    description: SemVer gives a semantic version range to check against
-                      the tags available.
-                    properties:
-                      range:
-                        description: Range gives a semver range for the image tag;
-                          the highest version within the range that's a tag yields
-                          the latest image.
-                        type: string
-                    required:
-                    - range
-                    type: object
-                type: object
-            required:
-            - imageRepositoryRef
-            - policy
-            type: object
-          status:
-            default:
-              observedGeneration: -1
-            description: ImagePolicyStatus defines the observed state of ImagePolicy
-            properties:
-              conditions:
-                items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              latestImage:
-                description: LatestImage gives the first in the list of images scanned
-                  by the image repository, when filtered and ordered according to
-                  the policy.
-                type: string
-              observedGeneration:
-                format: int64
-                type: integer
-            type: object
-        type: object
-    served: true
-    storage: false
-    subresources:
-      status: {}
-  - additionalPrinterColumns:
-    - jsonPath: .status.latestImage
-      name: LatestImage
-      type: string
-    name: v1beta2
-    schema:
-      openAPIV3Schema:
-        description: ImagePolicy is the Schema for the imagepolicies API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ImagePolicySpec defines the parameters for calculating the
-              ImagePolicy.
-            properties:
-              filterTags:
-                description: FilterTags enables filtering for only a subset of tags
-                  based on a set of rules. If no rules are provided, all the tags
-                  from the repository will be ordered and compared.
-                properties:
-                  extract:
-                    description: Extract allows a capture group to be extracted from
-                      the specified regular expression pattern, useful before tag
-                      evaluation.
-                    type: string
-                  pattern:
-                    description: Pattern specifies a regular expression pattern used
-                      to filter for image tags.
-                    type: string
-                type: object
-              imageRepositoryRef:
-                description: ImageRepositoryRef points at the object specifying the
-                  image being scanned
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                  namespace:
-                    description: Namespace of the referent, when not specified it
-                      acts as LocalObjectReference.
-                    type: string
-                required:
-                - name
-                type: object
-              policy:
-                description: Policy gives the particulars of the policy to be followed
-                  in selecting the most recent image
-                properties:
-                  alphabetical:
-                    description: Alphabetical set of rules to use for alphabetical
-                      ordering of the tags.
-                    properties:
-                      order:
-                        default: asc
-                        description: Order specifies the sorting order of the tags.
-                          Given the letters of the alphabet as tags, ascending order
-                          would select Z, and descending order would select A.
-                        enum:
-                        - asc
-                        - desc
-                        type: string
-                    type: object
-                  numerical:
-                    description: Numerical set of rules to use for numerical ordering
-                      of the tags.
-                    properties:
-                      order:
-                        default: asc
-                        description: Order specifies the sorting order of the tags.
-                          Given the integer values from 0 to 9 as tags, ascending
-                          order would select 9, and descending order would select
-                          0.
-                        enum:
-                        - asc
-                        - desc
-                        type: string
-                    type: object
-                  semver:
-                    description: SemVer gives a semantic version range to check against
-                      the tags available.
-                    properties:
-                      range:
-                        description: Range gives a semver range for the image tag;
-                          the highest version within the range that's a tag yields
-                          the latest image.
-                        type: string
-                    required:
-                    - range
-                    type: object
-                type: object
-            required:
-            - imageRepositoryRef
-            - policy
-            type: object
-          status:
-            default:
-              observedGeneration: -1
-            description: ImagePolicyStatus defines the observed state of ImagePolicy
-            properties:
-              conditions:
-                items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              latestImage:
-                description: LatestImage gives the first in the list of images scanned
-                  by the image repository, when filtered and ordered according to
-                  the policy.
-                type: string
-              observedGeneration:
-                format: int64
-                type: integer
-              observedPreviousImage:
-                description: ObservedPreviousImage is the observed previous LatestImage.
-                  It is used to keep track of the previous and current images.
-                type: string
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
-    {{- with .Values.crds.annotations }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  labels:
-    app.kubernetes.io/component: image-reflector-controller
-    app.kubernetes.io/instance: '{{ .Release.Namespace }}'
-    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
-    app.kubernetes.io/part-of: flux
-    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
-    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
-  name: imagerepositories.image.toolkit.fluxcd.io
-spec:
-  group: image.toolkit.fluxcd.io
-  names:
-    kind: ImageRepository
-    listKind: ImageRepositoryList
-    plural: imagerepositories
-    singular: imagerepository
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .status.lastScanResult.scanTime
-      name: Last scan
-      type: string
-    - jsonPath: .status.lastScanResult.tagCount
-      name: Tags
-      type: string
-    name: v1beta1
-    schema:
-      openAPIV3Schema:
-        description: ImageRepository is the Schema for the imagerepositories API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ImageRepositorySpec defines the parameters for scanning an
-              image repository, e.g., `fluxcd/flux`.
-            properties:
-              accessFrom:
-                description: AccessFrom defines an ACL for allowing cross-namespace
-                  references to the ImageRepository object based on the caller's namespace
-                  labels.
-                properties:
-                  namespaceSelectors:
-                    description: NamespaceSelectors is the list of namespace selectors
-                      to which this ACL applies. Items in this list are evaluated
-                      using a logical OR operation.
-                    items:
-                      description: NamespaceSelector selects the namespaces to which
-                        this ACL applies. An empty map of MatchLabels matches all
-                        namespaces in a cluster.
-                      properties:
-                        matchLabels:
-                          additionalProperties:
-                            type: string
-                          description: MatchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
-                          type: object
-                      type: object
-                    type: array
-                required:
-                - namespaceSelectors
-                type: object
-              certSecretRef:
-                description: "CertSecretRef can be given the name of a secret containing
-                  either or both of \n - a PEM-encoded client certificate (`certFile`)
-                  and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`)
-                  \n and whichever are supplied, will be used for connecting to the
-                  registry. The client cert and key are useful if you are authenticating
-                  with a certificate; the CA cert is useful if you are using a self-signed
-                  server certificate."
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                required:
-                - name
-                type: object
-              exclusionList:
-                description: ExclusionList is a list of regex strings used to exclude
-                  certain tags from being stored in the database.
-                items:
-                  type: string
-                type: array
-              image:
-                description: Image is the name of the image repository
-                type: string
-              interval:
-                description: Interval is the length of time to wait between scans
-                  of the image repository.
-                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
-                type: string
-              secretRef:
-                description: SecretRef can be given the name of a secret containing
-                  credentials to use for the image registry. The secret should be
-                  created with `kubectl create secret docker-registry`, or the equivalent.
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                required:
-                - name
-                type: object
-              serviceAccountName:
-                description: ServiceAccountName is the name of the Kubernetes ServiceAccount
-                  used to authenticate the image pull if the service account has attached
-                  pull secrets.
-                maxLength: 253
-                type: string
-              suspend:
-                description: This flag tells the controller to suspend subsequent
-                  image scans. It does not apply to already started scans. Defaults
-                  to false.
-                type: boolean
-              timeout:
-                description: Timeout for image scanning. Defaults to 'Interval' duration.
-                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
-                type: string
-            type: object
-          status:
-            default:
-              observedGeneration: -1
-            description: ImageRepositoryStatus defines the observed state of ImageRepository
-            properties:
-              canonicalImageName:
-                description: CanonicalName is the name of the image repository with
-                  all the implied bits made explicit; e.g., `docker.io/library/alpine`
-                  rather than `alpine`.
-                type: string
-              conditions:
-                items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
-                type: string
-              lastScanResult:
-                description: LastScanResult contains the number of fetched tags.
-                properties:
-                  scanTime:
-                    format: date-time
-                    type: string
-                  tagCount:
-                    type: integer
-                required:
-                - tagCount
-                type: object
-              observedGeneration:
-                description: ObservedGeneration is the last reconciled generation.
-                format: int64
-                type: integer
-            type: object
-        type: object
-    served: true
-    storage: false
-    subresources:
-      status: {}
-  - additionalPrinterColumns:
-    - jsonPath: .status.lastScanResult.scanTime
-      name: Last scan
-      type: string
-    - jsonPath: .status.lastScanResult.tagCount
-      name: Tags
-      type: string
-    name: v1beta2
-    schema:
-      openAPIV3Schema:
-        description: ImageRepository is the Schema for the imagerepositories API
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ImageRepositorySpec defines the parameters for scanning an
-              image repository, e.g., `fluxcd/flux`.
-            properties:
-              accessFrom:
-                description: AccessFrom defines an ACL for allowing cross-namespace
-                  references to the ImageRepository object based on the caller's namespace
-                  labels.
-                properties:
-                  namespaceSelectors:
-                    description: NamespaceSelectors is the list of namespace selectors
-                      to which this ACL applies. Items in this list are evaluated
-                      using a logical OR operation.
-                    items:
-                      description: NamespaceSelector selects the namespaces to which
-                        this ACL applies. An empty map of MatchLabels matches all
-                        namespaces in a cluster.
-                      properties:
-                        matchLabels:
-                          additionalProperties:
-                            type: string
-                          description: MatchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
-                          type: object
-                      type: object
-                    type: array
-                required:
-                - namespaceSelectors
-                type: object
-              certSecretRef:
-                description: "CertSecretRef can be given the name of a Secret containing
-                  either or both of \n - a PEM-encoded client certificate (`tls.crt`)
-                  and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`)
-                  \n and whichever are supplied, will be used for connecting to the
-                  registry. The client cert and key are useful if you are authenticating
-                  with a certificate; the CA cert is useful if you are using a self-signed
-                  server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.
-                  \n Note: Support for the `caFile`, `certFile` and `keyFile` keys
-                  has been deprecated."
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                required:
-                - name
-                type: object
-              exclusionList:
-                default:
-                - ^.*\.sig$
-                description: ExclusionList is a list of regex strings used to exclude
-                  certain tags from being stored in the database.
-                items:
-                  type: string
-                maxItems: 25
-                type: array
-              image:
-                description: Image is the name of the image repository
-                type: string
-              insecure:
-                description: Insecure allows connecting to a non-TLS HTTP container
-                  registry.
-                type: boolean
-              interval:
-                description: Interval is the length of time to wait between scans
-                  of the image repository.
-                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
-                type: string
-              provider:
-                default: generic
-                description: The provider used for authentication, can be 'aws', 'azure',
-                  'gcp' or 'generic'. When not specified, defaults to 'generic'.
-                enum:
-                - generic
-                - aws
-                - azure
-                - gcp
-                type: string
-              secretRef:
-                description: SecretRef can be given the name of a secret containing
-                  credentials to use for the image registry. The secret should be
-                  created with `kubectl create secret docker-registry`, or the equivalent.
-                properties:
-                  name:
-                    description: Name of the referent.
-                    type: string
-                required:
-                - name
-                type: object
-              serviceAccountName:
-                description: ServiceAccountName is the name of the Kubernetes ServiceAccount
-                  used to authenticate the image pull if the service account has attached
-                  pull secrets.
-                maxLength: 253
-                type: string
-              suspend:
-                description: This flag tells the controller to suspend subsequent
-                  image scans. It does not apply to already started scans. Defaults
-                  to false.
-                type: boolean
-              timeout:
-                description: Timeout for image scanning. Defaults to 'Interval' duration.
-                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
-                type: string
-            type: object
-          status:
-            default:
-              observedGeneration: -1
-            description: ImageRepositoryStatus defines the observed state of ImageRepository
-            properties:
-              canonicalImageName:
-                description: CanonicalName is the name of the image repository with
-                  all the implied bits made explicit; e.g., `docker.io/library/alpine`
-                  rather than `alpine`.
-                type: string
-              conditions:
-                items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
-                  properties:
-                    lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
-                      format: date-time
-                      type: string
-                    message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
-                      maxLength: 32768
-                      type: string
-                    observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
-                      format: int64
-                      minimum: 0
-                      type: integer
-                    reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
-                        This field may not be empty.
-                      maxLength: 1024
-                      minLength: 1
-                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      type: string
-                    status:
-                      description: status of the condition, one of True, False, Unknown.
-                      enum:
-                      - "True"
-                      - "False"
-                      - Unknown
-                      type: string
-                    type:
-                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-                      maxLength: 316
-                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                      type: string
-                  required:
-                  - lastTransitionTime
-                  - message
-                  - reason
-                  - status
-                  - type
-                  type: object
-                type: array
-              lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
-                type: string
-              lastScanResult:
-                description: LastScanResult contains the number of fetched tags.
-                properties:
-                  latestTags:
-                    items:
-                      type: string
-                    type: array
-                  scanTime:
-                    format: date-time
-                    type: string
-                  tagCount:
-                    type: integer
-                required:
-                - tagCount
-                type: object
-              observedExclusionList:
-                description: ObservedExclusionList is a list of observed exclusion
-                  list. It reflects the exclusion rules used for the observed scan
-                  result in spec.lastScanResult.
-                items:
-                  type: string
-                type: array
-              observedGeneration:
-                description: ObservedGeneration is the last reconciled generation.
-                format: int64
-                type: integer
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml

@@ -1,139 +0,0 @@
-{{- if and .Values.imageReflectionController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: image-reflector-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.imageReflectionController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: image-reflector-controller
-spec:
-  {{- if kindIs "invalid" .Values.imageReflectionController.replicas }}
-  replicas: 1
-  {{- else }}
-  replicas: {{ .Values.imageReflectionController.replicas  }}
-  {{- end}}
-  selector:
-    matchLabels:
-      app: image-reflector-controller
-  template:
-    metadata:
-      {{- with .Values.imageReflectionController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: image-reflector-controller
-{{ with .Values.imageReflectionController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.imageReflectionController.serviceAccount.automount }}
-      {{- if .Values.imageReflectionController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.imageReflectionController.initContainers | nindent 8}}
-      {{- end}}
-      containers:
-      - args:
-        {{- if .Values.multitenancy.enabled }}
-        - --no-cross-namespace-refs=true
-        {{- end}}
-        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        {{- range .Values.imageReflectionController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.imageReflectionController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        image: {{ template "template.image" .Values.imageReflectionController }}
-        {{- if .Values.imageReflectionController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.imageReflectionController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 8080
-          name: http-prom
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        {{- with .Values.imageReflectionController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.imageReflectionController.securityContext }}
-        securityContext: {{ toYaml .Values.imageReflectionController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /tmp
-          name: temp
-        - mountPath: /data
-          name: data
-        {{- if .Values.imageReflectionController.volumeMounts }}
-        {{- toYaml .Values.imageReflectionController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.imageReflectionController.priorityClassName }}
-      priorityClassName: {{ .Values.imageReflectionController.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.imageReflectionController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.imageReflectionController.podSecurityContext | nindent 8 }}
-      {{- else }}
-      securityContext:
-        fsGroup: 1337
-      {{- end}}
-      serviceAccountName: image-reflector-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 10
-      volumes:
-      - emptyDir: {}
-        name: temp
-      - emptyDir: {}
-        name: data
-      {{- if .Values.imageReflectionController.volumes }}
-      {{- toYaml .Values.imageReflectionController.volumes | nindent 6 }}
-      {{- end}}
-      {{- with .Values.imageReflectionController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.imageReflectionController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.imageReflectionController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.kustomizeController.create }}
-{{- if .Values.kustomizeController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: kustomize-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: kustomize-controller
-  {{- with .Values.kustomizeController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.kustomizeController.secret.create }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.kustomizeController.secret.name }}
-  namespace:  {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-type: Opaque
-data:
-  {{- range $key, $value := .Values.kustomizeController.secret.data }}
-  {{ $key }}: {{ $value | toString | b64enc | quote }}
-  {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml

@@ -1,158 +0,0 @@
-{{- if and .Values.kustomizeController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: kustomize-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.kustomizeController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: kustomize-controller
-spec:
-  {{- if kindIs "invalid" .Values.kustomizeController.replicas }}
-  replicas: 1
-  {{- else }}
-  replicas: {{ .Values.kustomizeController.replicas  }}
-  {{- end}}
-  selector:
-    matchLabels:
-      app: kustomize-controller
-  template:
-    metadata:
-      {{- with .Values.kustomizeController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: kustomize-controller
-{{ with .Values.kustomizeController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.kustomizeController.serviceAccount.automount }}
-      {{- if .Values.kustomizeController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.kustomizeController.initContainers | nindent 8}}
-      {{- end}}
-      containers:
-      - args:
-        {{- if .Values.multitenancy.enabled }}
-        - --no-cross-namespace-refs=true
-        - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
-        {{- end}}
-        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        {{- range .Values.kustomizeController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.kustomizeController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        {{- if or (.Values.kustomizeController.envFrom.map.name) (.Values.kustomizeController.envFrom.secret.name) }}
-        envFrom:
-          {{- if .Values.kustomizeController.envFrom.map.name }}
-          - configMapRef:
-              name: {{ .Values.kustomizeController.envFrom.map.name }}
-          {{- end }}
-          {{- if .Values.kustomizeController.envFrom.secret.name }}
-          - secretRef:
-              name: {{ .Values.kustomizeController.envFrom.secret.name }}
-          {{- end }}
-        {{- end }}
-        image: {{ template "template.image" .Values.kustomizeController }}
-        {{- if .Values.kustomizeController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.kustomizeController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 8080
-          name: http-prom
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        {{- with .Values.kustomizeController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.kustomizeController.securityContext }}
-        securityContext: {{ toYaml .Values.kustomizeController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /tmp
-          name: temp
-        {{- if .Values.kustomizeController.volumeMounts }}
-        {{- toYaml .Values.kustomizeController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.kustomizeController.priorityClassName }}
-      priorityClassName: {{ .Values.kustomizeController.priorityClassName | quote }}
-      {{- end }}
-      {{- range .Values.kustomizeController.extraSecretMounts }}
-        - name: {{ .name }}
-          mountPath: {{ .mountPath }}
-          subPath: {{ .subPath }}
-          readOnly: {{ .readOnly }}
-      {{- end }}
-      {{- if .Values.kustomizeController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.kustomizeController.podSecurityContext | nindent 8 }}
-      {{- else }}
-      securityContext:
-        fsGroup: 1337
-      {{- end}}
-      serviceAccountName: kustomize-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 60
-      volumes:
-      - emptyDir: {}
-        name: temp
-      {{- if .Values.kustomizeController.volumes }}
-      {{- toYaml .Values.kustomizeController.volumes | nindent 6 }}
-      {{- end}}
-      {{- range .Values.kustomizeController.extraSecretMounts }}
-      - name: {{ .name }}
-        secret:
-          secretName: {{ .secretName }}
-      {{- end }}
-      {{- with .Values.kustomizeController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.kustomizeController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.kustomizeController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml

@@ -1,49 +0,0 @@
-{{- if and .Values.notificationController.create .Values.notificationController.webhookReceiver.ingress.create }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.notificationController.webhookReceiver.ingress.labels }}{{ toYaml . | nindent 4 }}{{ end }}
-  {{- with .Values.notificationController.webhookReceiver.ingress.annotations }}
-  annotations:
-    {{- range $key, $value := . }}
-    {{ $key }}: {{ tpl $value $ | quote }}
-    {{- end }}
-  {{- end }}
-  name: webhook-receiver
-spec:
-  {{- if .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
-  ingressClassName: {{ .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
-  {{- end -}}
-  {{- if .Values.notificationController.webhookReceiver.ingress.tls }}
-  tls:
-    {{- range .Values.notificationController.webhookReceiver.ingress.tls }}
-    - hosts:
-        {{- range .hosts }}
-        - {{ . | quote }}
-        {{- end }}
-      secretName: {{ .secretName }}
-    {{- end }}
-  {{- end }}
-  rules:
-    {{- range .Values.notificationController.webhookReceiver.ingress.hosts }}
-    - host: {{ .host | quote }}
-      http:
-        paths:
-          {{- range .paths }}
-          - path: {{ .path }}
-            pathType: {{ .pathType }}
-            backend:
-              service:
-                name: webhook-receiver
-                port:
-                  number: 80
-          {{- end }}
-    {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml

@@ -1,18 +0,0 @@
-{{- if and .Values.notificationController.create -}}
-{{- if .Values.notificationController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: notification-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: notification-controller
-  {{- with .Values.notificationController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml

@@ -1,29 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.notificationController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
-  name: notification-controller
-  {{- with .Values.notificationController.service.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: http
-  {{- if .Values.notificationController.service.ports }}
-  {{- toYaml .Values.notificationController.service.ports | nindent 2 }}
-  {{- end}}
-  selector:
-    app: notification-controller
-  type: ClusterIP
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml

@@ -1,26 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.notificationController.webhookReceiver.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
-  name: webhook-receiver
-  {{- with .Values.notificationController.webhookReceiver.service.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 9292
-  selector:
-    app: notification-controller
-  type: ClusterIP
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml

@@ -1,136 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: notification-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.notificationController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: notification-controller
-spec:
-  {{- if kindIs "invalid" .Values.notificationController.replicas }}
-  replicas: 1
-  {{- else }}
-  replicas: {{ .Values.notificationController.replicas  }}
-  {{- end}}
-  selector:
-    matchLabels:
-      app: notification-controller
-  template:
-    metadata:
-      {{- with .Values.notificationController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: notification-controller
-{{ with .Values.notificationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.notificationController.serviceAccount.automount }}
-      {{- if .Values.notificationController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.notificationController.initContainers | nindent 8}}
-      {{- end}}
-      containers:
-      - args:
-        {{- if .Values.multitenancy.enabled }}
-        - --no-cross-namespace-refs=true
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        {{- range .Values.notificationController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.notificationController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        image: {{ template "template.image" .Values.notificationController }}
-        {{- if .Values.notificationController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.notificationController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 9090
-          name: http
-          protocol: TCP
-        - containerPort: 9292
-          name: http-webhook
-          protocol: TCP
-        - containerPort: 8080
-          name: http-prom
-          protocol: TCP
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        {{- with .Values.notificationController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.notificationController.securityContext }}
-        securityContext: {{ toYaml .Values.notificationController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /tmp
-          name: temp
-        {{- if .Values.notificationController.volumeMounts }}
-        {{- toYaml .Values.notificationController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.notificationController.priorityClassName }}
-      priorityClassName: {{ .Values.notificationController.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.notificationController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.notificationController.podSecurityContext | nindent 8 }}
-      {{- end }}
-      serviceAccountName: notification-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 10
-      volumes:
-      - emptyDir: {}
-        name: temp
-      {{- if .Values.notificationController.volumes }}
-      {{- toYaml .Values.notificationController.volumes | nindent 6 }}
-      {{- end}}
-      {{- with .Values.notificationController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.notificationController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.notificationController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml

@@ -1,32 +0,0 @@
-{{ if .Values.prometheus.podMonitor.create }}
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  name: {{ .Release.Name }}
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    {{- range $key, $value := .Values.prometheus.podMonitor.additionalLabels }}
-    {{ $key }}: {{ $value | quote }}
-    {{- end }}
-spec:
-  namespaceSelector:
-    matchNames:
-      - {{ .Release.Namespace }}
-  selector:
-    matchExpressions:
-      - key: app
-        operator: In
-        values:
-          - helm-controller
-          - source-controller
-          - kustomize-controller
-          - notification-controller
-          - image-automation-controller
-          - image-reflector-controller
-  podMetricsEndpoints:
-{{ toYaml .Values.prometheus.podMonitor.podMetricsEndpoints | indent 4 }}
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/policies.yaml

@@ -1,63 +0,0 @@
-{{- if and .Values.policies.create}}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: allow-egress
-spec:
-  egress:
-  - {}
-  ingress:
-  - from:
-    - podSelector: {}
-  podSelector: {}
-  policyTypes:
-  - Ingress
-  - Egress
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: allow-scraping
-spec:
-  ingress:
-  - from:
-    - namespaceSelector: {}
-    ports:
-    - port: 8080
-      protocol: TCP
-  podSelector: {}
-  policyTypes:
-  - Ingress
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: allow-webhooks
-spec:
-  ingress:
-  - from:
-    - namespaceSelector: {}
-  podSelector:
-    matchLabels:
-      app: notification-controller
-  policyTypes:
-  - Ingress
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: "{{ .Release.Name }}-flux-check"
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-10"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml

@@ -1,72 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "{{ .Release.Name }}-flux-check"
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
-  backoffLimit: 1
-  template:
-    metadata:
-      name: "{{ .Release.Name }}"
-      {{- with .Values.cli.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-        app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-        app.kubernetes.io/part-of: flux
-        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
-    spec:
-      restartPolicy: Never
-      serviceAccountName: "{{ .Release.Name }}-flux-check"
-      automountServiceAccountToken: {{ .Values.cli.serviceAccount.automount }}
-      containers:
-      - name: flux-cli
-        image: {{ template "template.image" .Values.cli }}
-        command: ["/usr/local/bin/flux", "check",  "--pre", "--namespace", {{ .Release.Namespace }}]
-        {{- with .Values.cli.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.cli.securityContext }}
-        securityContext: {{ toYaml .Values.cli.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        {{- if .Values.cli.volumeMounts }}
-        volumeMounts:
-        {{- toYaml .Values.cli.volumeMounts | nindent 10 }}
-        {{- end}}
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      {{- with .Values.cli.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- if .Values.cli.volumes }}
-      volumes:
-      {{- toYaml .Values.cli.volumes | nindent 8 }}
-      {{- end}}
-      {{- with .Values.cli.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.cli.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}

packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml

@@ -1,29 +0,0 @@
-{{- if .Values.sourceController.create }}
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.sourceController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
-  name: source-controller
-  {{- with .Values.sourceController.service.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: http
-  {{- if .Values.sourceController.service.ports }}
-  {{- toYaml .Values.sourceController.service.ports | nindent 2 }}
-  {{- end}}
-  selector:
-    app: source-controller
-  type: ClusterIP
-{{- end }}

packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml

@@ -1,18 +0,0 @@
-{{- if .Values.sourceController.create -}}
-{{- if .Values.sourceController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: source-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-  name: source-controller
-  {{- with .Values.sourceController.serviceAccount.annotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-{{- end -}}
-{{- end -}}

packages/core/fluxcd/charts/flux2/templates/source-controller.yaml

@@ -1,140 +0,0 @@
-{{- if .Values.sourceController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/component: source-controller
-    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
-    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
-    app.kubernetes.io/part-of: flux
-    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    control-plane: controller
-    {{- with .Values.sourceController.labels }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
-  name: source-controller
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: source-controller
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      {{- with .Values.sourceController.annotations }}
-      annotations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        app: source-controller
-{{ with .Values.sourceController.labels }}{{ toYaml . | indent 8 }}{{ end }}
-    spec:
-      automountServiceAccountToken: {{ .Values.sourceController.serviceAccount.automount }}
-      {{- if .Values.sourceController.initContainers}}
-      initContainers:
-        {{- toYaml .Values.sourceController.initContainers | nindent 8}}
-      {{- end}}
-      containers:
-      - args:
-        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
-        {{- end}}
-        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
-        - --log-level={{ .Values.logLevel | default "info" }}
-        - --log-encoding=json
-        - --enable-leader-election
-        - --storage-path=/data
-        - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc
-        {{- range .Values.sourceController.container.additionalArgs }}
-        - {{ . }}
-        {{- end}}
-        env:
-        - name: RUNTIME_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- with .Values.sourceController.extraEnv }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-        image: {{ template "template.image" .Values.sourceController }}
-        {{- if .Values.sourceController.imagePullPolicy }}
-        imagePullPolicy: {{ .Values.sourceController.imagePullPolicy }}
-        {{- else }}
-        imagePullPolicy: IfNotPresent
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 9090
-          name: http
-          protocol: TCP
-        - containerPort: 8080
-          name: http-prom
-          protocol: TCP
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /
-            port: http
-        {{- with .Values.sourceController.resources }}
-        resources: {{ toYaml . | nindent 10 }}
-        {{- end }}
-        {{- if .Values.sourceController.securityContext }}
-        securityContext: {{ toYaml .Values.sourceController.securityContext | nindent 10 }}
-        {{- else }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-        {{- end}}
-        volumeMounts:
-        - mountPath: /data
-          name: data
-        - mountPath: /tmp
-          name: tmp
-        {{- if .Values.sourceController.volumeMounts }}
-        {{- toYaml .Values.sourceController.volumeMounts | nindent 8 }}
-        {{- end}}
-      {{- if .Values.sourceController.priorityClassName }}
-      priorityClassName: {{ .Values.sourceController.priorityClassName | quote }}
-      {{- end }}
-      {{- if .Values.sourceController.podSecurityContext }}
-      securityContext: {{ toYaml .Values.sourceController.podSecurityContext | nindent 8 }}
-      {{- else }}
-      securityContext:
-        fsGroup: 1337
-      {{- end}}
-      serviceAccountName: source-controller
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
-      {{- end }}
-      terminationGracePeriodSeconds: 10
-      volumes:
-      - emptyDir: {}
-        name: data
-      - emptyDir: {}
-        name: tmp
-      {{- if .Values.sourceController.volumes }}
-      {{- toYaml .Values.sourceController.volumes | nindent 6 }}
-      {{- end}}
-      {{- with .Values.sourceController.nodeSelector }}
-      nodeSelector: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.sourceController.affinity }}
-      affinity: {{ toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.sourceController.tolerations }}
-      tolerations: {{ toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/core/fluxcd/charts/flux2/values.yaml

@@ -1,327 +0,0 @@
-# global
-
-installCRDs: true
-crds:
-  # -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep
-  annotations: {}
-
-multitenancy:
-  # -- Implement the patches for Multi-tenancy lockdown.
-  # See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown
-  enabled: false
-  # -- All Kustomizations and HelmReleases which don’t have spec.serviceAccountName
-  # specified, will use the default account from the tenant’s namespace.
-  # Tenants have to specify a service account in their Flux resources to be able
-  # to deploy workloads in their namespaces as the default account has no permissions.
-  defaultServiceAccount: "default"
-  # -- Both kustomize-controller and helm-controller service accounts run privileged
-  # with cluster-admin ClusterRoleBinding. Disable if you want to run them with a
-  # minimum set of permissions.
-  privileged: true
-
-clusterDomain: cluster.local
-
-cli:
-  image: ghcr.io/fluxcd/flux-cli
-  tag: v2.2.3
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-  annotations: {}
-  serviceAccount:
-    automount: true
-
-# controllers
-
-helmController:
-  create: true
-  image: ghcr.io/fluxcd/helm-controller
-  tag: v0.37.4
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  extraEnv: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  nodeSelector: {}
-  # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
-  # for example:
-  #   affinity:
-  #     nodeAffinity:
-  #      requiredDuringSchedulingIgnoredDuringExecution:
-  #        nodeSelectorTerms:
-  #        - matchExpressions:
-  #          - key: foo.bar.com/role
-  #            operator: In
-  #            values:
-  #            - master
-
-  affinity: {}
-  # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
-  # for example:
-  #   tolerations:
-  #   - key: foo.bar.com/role
-  #     operator: Equal
-  #     value: master
-  #     effect: NoSchedule
-
-  tolerations: []
-
-imageAutomationController:
-  create: true
-  image: ghcr.io/fluxcd/image-automation-controller
-  tag: v0.37.1
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  extraEnv: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-
-imageReflectionController:
-  create: true
-  image: ghcr.io/fluxcd/image-reflector-controller
-  tag: v0.31.2
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  extraEnv: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-
-kustomizeController:
-  create: true
-  image: ghcr.io/fluxcd/kustomize-controller
-  tag: v1.2.2
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  extraEnv: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  secret:
-    # -- Create a secret to use it with extraSecretMounts. Defaults to false.
-    create: false
-    name: ""
-    data: {}
-  # -- Defines envFrom using a configmap and/or secret.
-  envFrom:
-    map:
-      name: ""
-    secret:
-      name: ""
-  # -- Defines additional mounts with secrets.
-  # Secrets must be manually created in the namespace or with kustomizeController.secret
-  extraSecretMounts: []
-  # - name: secret-files
-  #   mountPath: /etc/secrets
-  #   subPath: ""
-  #   secretName: secret-files
-  #   readOnly: true
-
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-
-notificationController:
-  create: true
-  image: ghcr.io/fluxcd/notification-controller
-  tag: v1.2.4
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  extraEnv: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  service:
-    labels: {}
-    annotations: {}
-  webhookReceiver:
-    service:
-      labels: {}
-      annotations: {}
-    ingress:
-      create: false
-      # ingressClassName: nginx
-      annotations: {}
-      # kubernetes.io/ingress.class: nginx
-      # kubernetes.io/tls-acme: "true"
-      labels: {}
-      hosts:
-        - host: flux-webhook.example.com
-          paths:
-            - path: /
-              pathType: ImplementationSpecific
-      tls: []
-      #  - secretName: flux-webhook-tls
-      #    hosts:
-      #      - flux-webhook.example.com
-
-
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-
-sourceController:
-  create: true
-  image: ghcr.io/fluxcd/source-controller
-  tag: v1.2.4
-  resources:
-    limits: {}
-    # cpu: 1000m
-    # memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 64Mi
-  priorityClassName: ""
-  annotations:
-    prometheus.io/port: "8080"
-    prometheus.io/scrape: "true"
-  labels: {}
-  container:
-    additionalArgs: []
-  serviceAccount:
-    create: true
-    automount: true
-    annotations: {}
-  imagePullPolicy: ""
-  service:
-    labels: {}
-    annotations: {}
-  nodeSelector: {}
-  affinity: {}
-  tolerations: []
-  extraEnv: []
-
-policies:
-  create: true
-
-rbac:
-  create: true
-  # -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources
-  createAggregation: true
-  # -- Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep
-  annotations: {}
-  roleRef:
-    name: cluster-admin
-
-logLevel: info
-watchAllNamespaces: true
-
-# -- contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers
-imagePullSecrets: []
-
-# -- Array of extra K8s manifests to deploy
-extraObjects: []
-# Example usage from https://fluxcd.io/docs/components/source/buckets/#static-authentication
-# - apiVersion: source.toolkit.fluxcd.io/v1beta2
-#   kind: Bucket
-#   metadata:
-#     name: podinfo
-#     namespace: default
-#   spec:
-#     interval: 1m
-#     provider: generic
-#     bucketName: podinfo
-#     endpoint: minio.minio.svc.cluster.local:9000
-#     insecure: true
-#     secretRef:
-#       name: minio-credentials
-# - apiVersion: v1
-#   kind: Secret
-#   metadata:
-#     name: minio-credentials
-#     namespace: default
-#   type: Opaque
-#   data:
-#     accesskey: <BASE64>
-#     secretkey: <BASE64>
-
-# Enables podMonitor creation for the Prometheus Operator
-prometheus:
-  podMonitor:
-    # -- Enables podMonitor endpoint
-    create: false
-    podMetricsEndpoints:
-      - port: http-prom
-        relabelings:
-          # https://github.com/prometheus-operator/prometheus-operator/issues/4816
-          - sourceLabels: [__meta_kubernetes_pod_phase]
-            action: keep
-            regex: Running

packages/core/installer/Makefile

@@ -25,6 +25,7 @@ image-cozystack:
 		--provenance false \
 		--tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \
+		--platform linux/amd64,linux/arm64 \
 		--cache-to type=inline \
 		--metadata-file images/cozystack.json \
 		--push=$(PUSH) \

packages/core/installer/images/cozystack.json

@@ -1,4 +1,10 @@
 {
-  "containerimage.config.digest": "sha256:8726af130b534d259ae28a92d84fb866df045765739a59146974d85554e5f188",
-  "containerimage.digest": "sha256:bc9109b0ed072ecbb143ea74edb9bf8a801b4903e0b849aeaa79488c4a9fb7f2"
+  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/extxoj9ofu1pnz4jjx5x5813k",
+  "containerimage.descriptor": {
+    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+    "digest": "sha256:1309102e4c59935e0d9fbdb439f11b62f01e858a1569b5168ba5eb6b338197ee",
+    "size": 685
+  },
+  "containerimage.digest": "sha256:1309102e4c59935e0d9fbdb439f11b62f01e858a1569b5168ba5eb6b338197ee",
+  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.9.1"
 }

packages/core/installer/images/cozystack.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.6.0
+ghcr.io/aenix-io/cozystack/cozystack:v0.9.1

packages/core/installer/images/cozystack/Dockerfile

@@ -3,12 +3,15 @@ FROM golang:alpine3.19 as k8s-await-election-builder
 ARG K8S_AWAIT_ELECTION_GITREPO=https://github.com/LINBIT/k8s-await-election
 ARG K8S_AWAIT_ELECTION_VERSION=0.4.1
 
+# TARGETARCH is a docker special variable: https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
+ARG TARGETARCH
+
 RUN apk add --no-cache git make
 RUN git clone ${K8S_AWAIT_ELECTION_GITREPO} /usr/local/go/k8s-await-election/ \
  && cd /usr/local/go/k8s-await-election \
  && git reset --hard v${K8S_AWAIT_ELECTION_VERSION} \
  && make \
- && mv ./out/k8s-await-election-amd64 /k8s-await-election
+ && mv ./out/k8s-await-election-${TARGETARCH} /k8s-await-election
 
 FROM alpine:3.19 AS builder
 

packages/core/installer/images/matchbox.json

@@ -1,4 +1,45 @@
 {
-  "containerimage.config.digest": "sha256:05f6f9ed2e662dde64ace18dbbd69001b39778841bda812d7b6b86e064270e64",
-  "containerimage.digest": "sha256:56ef77367394c4b073c862974726d882036c9b95d27a56a774987fe3244c35f6"
+  "buildx.build.provenance": {
+    "buildType": "https://mobyproject.org/buildkit@v1",
+    "materials": [
+      {
+        "uri": "pkg:docker/quay.io/poseidon/matchbox@v0.10.0?platform=linux%2Famd64",
+        "digest": {
+          "sha256": "e14cc4a8f6e8f1182fce74d04fe949b6bfc91b04132b3944297661e2c38c9790"
+        }
+      }
+    ],
+    "invocation": {
+      "configSource": {
+        "entryPoint": "Dockerfile"
+      },
+      "parameters": {
+        "frontend": "dockerfile.v0",
+        "locals": [
+          {
+            "name": "context"
+          },
+          {
+            "name": "dockerfile"
+          }
+        ]
+      },
+      "environment": {
+        "platform": "linux/amd64"
+      }
+    }
+  },
+  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/zcwi0hxjd3o0u3a9vd855h1ss",
+  "containerimage.config.digest": "sha256:e504821d142164128080de70a3723da8d444a433c06304ed85696e3881278761",
+  "containerimage.descriptor": {
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "digest": "sha256:1db6c0e94c2cfaa787a6a2f9c10f5da2644fdb7add06182fb763541316c63edd",
+    "size": 1488,
+    "platform": {
+      "architecture": "amd64",
+      "os": "linux"
+    }
+  },
+  "containerimage.digest": "sha256:1db6c0e94c2cfaa787a6a2f9c10f5da2644fdb7add06182fb763541316c63edd",
+  "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.9.1,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.9.1"
 }

packages/core/platform/bundles/distro-full.yaml

@@ -1,6 +1,19 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
+- name: fluxcd-operator
+  releaseName: fluxcd-operator
+  chart: cozy-fluxcd-operator
+  namespace: cozy-fluxcd
+  privileged: true
+  dependsOn: []
+
+- name: fluxcd
+  releaseName: fluxcd
+  chart: cozy-fluxcd
+  namespace: cozy-fluxcd
+  dependsOn: [fluxcd-operator,cilium]
+
 - name: cilium
   releaseName: cilium
   chart: cozy-cilium

packages/core/platform/bundles/distro-hosted.yaml

@@ -1,6 +1,19 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
+- name: fluxcd-operator
+  releaseName: fluxcd-operator
+  chart: cozy-fluxcd-operator
+  namespace: cozy-fluxcd
+  privileged: true
+  dependsOn: []
+
+- name: fluxcd
+  releaseName: fluxcd
+  chart: cozy-fluxcd
+  namespace: cozy-fluxcd
+  dependsOn: [fluxcd-operator]
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -54,13 +67,13 @@ releases:
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator

packages/core/platform/bundles/paas-full.yaml

@@ -1,6 +1,19 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
+- name: fluxcd-operator
+  releaseName: fluxcd-operator
+  chart: cozy-fluxcd-operator
+  namespace: cozy-fluxcd
+  privileged: true
+  dependsOn: []
+
+- name: fluxcd
+  releaseName: fluxcd
+  chart: cozy-fluxcd
+  namespace: cozy-fluxcd
+  dependsOn: [fluxcd-operator,cilium,kubeovn]
+
 - name: cilium
   releaseName: cilium
   chart: cozy-cilium
@@ -153,8 +166,8 @@ releases:
   chart: cozy-dashboard
   namespace: cozy-dashboard
   dependsOn: [cilium,kubeovn]
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
+  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
   values:
     kubeapps:
       redis:

packages/core/platform/bundles/paas-hosted.yaml

@@ -1,6 +1,19 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
+- name: fluxcd-operator
+  releaseName: fluxcd-operator
+  chart: cozy-fluxcd-operator
+  namespace: cozy-fluxcd
+  privileged: true
+  dependsOn: []
+
+- name: fluxcd
+  releaseName: fluxcd
+  chart: cozy-fluxcd
+  namespace: cozy-fluxcd
+  dependsOn: [fluxcd-operator]
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -54,13 +67,13 @@ releases:
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: []
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator
@@ -91,8 +104,8 @@ releases:
   chart: cozy-dashboard
   namespace: cozy-dashboard
   dependsOn: []
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
+  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
   values:
     kubeapps:
       redis:

packages/core/platform/templates/apps.yaml

@@ -3,8 +3,8 @@
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $host := "example.org" }}
 {{- $tenantRoot := list }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta2" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta2" "HelmRelease" "tenant-root" "tenant-root" }}
+{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
+{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "tenant-root" "tenant-root" }}
 {{- end }}
 {{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
 {{- $host = $tenantRoot.spec.values.host }}
@@ -22,7 +22,7 @@ metadata:
     namespace.cozystack.io/host: "{{ $host }}"
   name: tenant-root
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: tenant-root

packages/core/platform/templates/helmreleases.yaml

@@ -12,7 +12,7 @@
 {{- range $x := $bundle.releases }}
 {{- if not (has $x.name $disabledComponents) }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: {{ $x.name }}
@@ -20,7 +20,7 @@ metadata:
   labels:
     cozystack.io/repository: system
 spec:
-  interval: 1m
+  interval: 5m
   releaseName: {{ $x.releaseName | default $x.name }}
   install:
     crds: CreateReplace

packages/core/platform/templates/helmrepos.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: cozystack-system
@@ -10,7 +10,7 @@ spec:
   interval: 5m0s
   url: http://cozystack.cozy-system.svc/repos/system
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: cozystack-apps
@@ -22,7 +22,7 @@ spec:
   interval: 5m0s
   url: http://cozystack.cozy-system.svc/repos/apps
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: cozystack-extra

packages/core/platform/templates/namespaces.yaml

@@ -16,7 +16,6 @@
 
 {{/* Add extra namespaces */}}
 {{- $_ := set $namespaces "cozy-public" false }}
-{{- $_ := set $namespaces "cozy-fluxcd" false }}
 
 {{- range $namespace, $privileged := $namespaces }}
 ---

packages/extra/ingress/Chart.yaml

@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg
 type: application
-version: 1.0.0
+version: 1.2.0

packages/extra/ingress/README.md

@@ -4,6 +4,7 @@
 
 ### Common parameters
 
-| Name       | Description                      | Value |
-| ---------- | -------------------------------- | ----- |
-| `replicas` | Number of ingress-nginx replicas | `2`   |
+| Name          | Description                      | Value |
+| ------------- | -------------------------------- | ----- |
+| `replicas`    | Number of ingress-nginx replicas | `2`   |
+| `externalIPs` | List of externalIPs for service. | `[]`  |

packages/extra/ingress/config.json

@@ -0,0 +1,23 @@
+{
+  "comments": {
+    "format": "##"
+  },
+  "tags": {
+    "param": "@param",
+    "section": "@section",
+    "descriptionStart": "@descriptionStart",
+    "descriptionEnd": "@descriptionEnd",
+    "skip": "@skip",
+    "extra": "@extra"
+  },
+  "modifiers": {
+    "array": "array",
+    "object": "object",
+    "string": "string",
+    "nullable": "nullable",
+    "default": "default"
+  },
+  "regexp": {
+    "paramsSectionTitle": "Parameters"
+  }
+}

packages/extra/ingress/templates/nginx-ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: ingress-nginx
@@ -27,3 +27,13 @@ spec:
         admissionWebhooks:
           enabled: false
         {{- end }}
+        service:
+          {{- if .Values.externalIPs }}
+          externalIPs:
+            {{- toYaml .Values.externalIPs | nindent 12 }}
+          type: ClusterIP
+          externalTrafficPolicy: Cluster
+          {{- else }}
+          type: LoadBalancer
+          externalTrafficPolicy: Local
+          {{- end }}

packages/extra/ingress/templates/nginx-scrape.yaml

@@ -3,12 +3,11 @@ apiVersion: operator.victoriametrics.com/v1beta1
 kind: VMPodScrape
 metadata:
   name: nginx-ingress-controller
-  namespace: cozy-monitoring
 spec:
   jobLabel: jobLabel
   namespaceSelector:
     matchNames:
-    - cozy-ingress-nginx
+    - {{ .Release.Namespace }}
   podMetricsEndpoints:
   - port: metrics
     honorLabels: true
@@ -29,12 +28,11 @@ apiVersion: operator.victoriametrics.com/v1beta1
 kind: VMPodScrape
 metadata:
   name: nginx-ingress-controller-detailed
-  namespace: cozy-monitoring
 spec:
   jobLabel: jobLabel
   namespaceSelector:
     matchNames:
-    - cozy-ingress-nginx
+    - {{ .Release.Namespace }}
   podMetricsEndpoints:
   - port: metrics2
     honorLabels: true

packages/extra/ingress/values.schema.json

@@ -6,6 +6,14 @@
             "type": "number",
             "description": "Number of ingress-nginx replicas",
             "default": 2
+        },
+        "externalIPs": {
+            "type": "array",
+            "description": "List of externalIPs for service.",
+            "default": "[]",
+            "items": {
+                "type": "string"
+            }
         }
     }
 }

packages/extra/ingress/values.yaml

@@ -3,3 +3,14 @@
 ## @param replicas Number of ingress-nginx replicas
 ##
 replicas: 2
+
+## @param externalIPs [array] List of externalIPs for service.
+## Optional. If not specified will use LoadBalancer service by default.
+## 
+## e.g:
+## externalIPs:
+##   - "11.22.33.44"
+##   - "11.22.33.45"
+##   - "11.22.33.46"
+##
+externalIPs: []

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: https://www.svgrepo.com/download/184787/analytics-laptop.svg
 type: application
-version: 1.0.0
+version: 1.1.0

packages/extra/monitoring/templates/oncall/oncall-release.yaml

@@ -1,7 +1,7 @@
 {{- if .Values.oncall.enabled }}
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: grafana-oncall

packages/extra/versions_map

@@ -2,5 +2,8 @@ etcd 1.0.0 f7eaab0
 etcd 2.0.0 a6d0f7cf
 etcd 2.0.1 6fc1cc7d
 etcd 2.1.0 HEAD
-ingress 1.0.0 HEAD
-monitoring 1.0.0 HEAD
+ingress 1.0.0 f642698
+ingress 1.1.0 838bee5d
+ingress 1.2.0 HEAD
+monitoring 1.0.0 f642698
+monitoring 1.1.0 HEAD

packages/system/capi-operator/Makefile

@@ -1,5 +1,5 @@
-NAME=capi-operator
-NAMESPACE=cozy-cluster-api
+export NAME=capi-operator
+export NAMESPACE=cozy-cluster-api
 
 include ../../../scripts/package-system.mk
 

packages/system/capi-operator/charts/cluster-api-operator/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: cert-manager
-  repository: https://charts.jetstack.io
-  version: v1.13.2
-digest: sha256:b92a86c20cdd8a5e44995e71addefd379fdf302410a7dde388623f0e06187406
-generated: "2024-01-16T12:59:42.630842426Z"