Merge branch 'main' into add-kafka-exporter

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

hack/e2e.sh

@@ -36,7 +36,7 @@ mkdir -p srv1 srv2 srv3
 
 # Prepare cloud-init
 for i in 1 2 3; do
-  echo "local-hostname: srv$i" > "srv$i/meta-data"
+  echo "hostname: srv$i" > "srv$i/meta-data"
   echo '#cloud-config' > "srv$i/user-data"
   cat > "srv$i/network-config" <<EOT
 version: 2
@@ -114,7 +114,7 @@ machine:
     - name: zfs
     - name: spl
   install:
-    image: ghcr.io/aenix-io/cozystack/talos:v1.7.1
+    image: ghcr.io/aenix-io/cozystack/talos:v1.8.0
   files:
   - content: |
       [plugins]
@@ -182,7 +182,7 @@ timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 5
 talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11
 
 # Wait for etcd
-timeout 120 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
+timeout 180 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
 
 rm -f kubeconfig
 talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.15.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.16.3"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.15.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.16.3"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.6.2@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.0@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:556bc8d29ee9e90b3d64d0481dcfc66483d055803315bba3d9ece17c0d97f32b
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:cd744b2d1d50191f4908f2db83079b32973d1c009fe9468627be72efbfa0a107

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.3.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/templates/kafka.yaml

@@ -76,3 +76,15 @@ spec:
         metadata:
          labels:
            policy.cozystack.io/allow-to-apiserver: "true"
+      spec:
+        enableServiceLinks: false
+  kafkaExporter:
+    groupRegex: ".*"
+    topicRegex: ".*"
+    resources:
+      requests:
+        cpu: 200m
+        memory: 64Mi
+      limits:
+        cpu: 500m
+        memory: 128Mi

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0
+version: 0.12.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:latest@sha256:7f617de5a24de790a15d9e97c6287ff2b390922e6e74c7a665cbf498f634514d
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.12.0@sha256:7f617de5a24de790a15d9e97c6287ff2b390922e6e74c7a665cbf498f634514d

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:latest@sha256:735aa8092501fc0f2904b685b15bc0137ea294cb08301ca1185d3dec5f467f0f
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.12.0@sha256:b9dc8e5f0296146b37b332b07b8cd74d1b0308786160b161c670c55005d3dbe9

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:latest@sha256:e56b46591cdf9140e97c3220a0c2681aadd4a4b3f7ea8473fb2504dc96e8b53a
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.12.0@sha256:bd9175e1307c0afa828974df40edaa4ab905b869e1260a09675ceb1c1b248f1f

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:5ce80a453073c4f44347409133fc7b15f1d2f37a564d189871a4082fc552ff0f
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:1f249fbe52821a62f706c6038b13401234e1b758ac498e53395b8f9a642b015f

packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml

@@ -16,6 +16,7 @@ spec:
         app: {{ .Release.Name }}-cluster-autoscaler
         policy.cozystack.io/allow-to-apiserver: "true"
     spec:
+      enableServiceLinks: false
       tolerations:
         - key: CriticalAddonsOnly
           operator: Exists

packages/apps/kubernetes/templates/cluster.yaml

@@ -210,6 +210,26 @@ spec:
         name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
         namespace: default
       version: v1.30.1
+---
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: MachineHealthCheck
+metadata:
+  name: {{ $.Release.Name }}-{{ $groupName }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  clusterName: {{ $.Release.Name }}
+  nodeStartupTimeout: 10m
+  selector:
+    matchLabels:
+      cluster.x-k8s.io/cluster-name: {{ $.Release.Name }}
+      cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ $groupName }}
+  unhealthyConditions:
+  - type: Ready
+    status: Unknown
+    timeout: 30s
+  - type: Ready
+    status: "False"
+    timeout: 30s
 {{- end }}
 ---
 {{- /*

packages/apps/kubernetes/templates/csi/deploy.yaml

@@ -15,6 +15,7 @@ spec:
         app: {{ .Release.Name }}-kcsi-driver
         policy.cozystack.io/allow-to-apiserver: "true"
     spec:
+      enableServiceLinks: false
       serviceAccountName: {{ .Release.Name }}-kcsi
       priorityClassName: system-cluster-critical
       tolerations:

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -30,7 +30,6 @@ spec:
       retries: -1
   values:
     cilium:
-      tunnel: disabled
       k8sServiceHost: {{ .Release.Name }}.{{ .Release.Namespace }}.svc
       k8sServicePort: 6443
       routingMode: tunnel

packages/apps/kubernetes/templates/kccm/manager.yaml

@@ -15,6 +15,7 @@ spec:
         k8s-app: {{ .Release.Name }}-kccm
         policy.cozystack.io/allow-to-apiserver: "true"
     spec:
+      enableServiceLinks: false
       tolerations:
         - key: CriticalAddonsOnly
           operator: Exists

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.1@sha256:fa2b3195521cffa55eb6d71a50b875d3c234a45e5dff71b2b9002674175bea93
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.1@sha256:793edb25a29cbc00781e40af883815ca36937e736e2b0d202ea9c9619fb6ca11

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.6.2@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.0@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1

packages/apps/postgres/templates/db.yaml

@@ -10,7 +10,9 @@ spec:
   postgresql:
     parameters:
       max_wal_senders: "30"
-      max_connections: “{{ .Values.postgresql.parameters.max_connections }}”
+      {{- with .Values.postgresql.parameters.max_connections }}
+      max_connections: "{{ . }}"
+      {{- end }}
 
   minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
   maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}

packages/apps/postgres/values.schema.json

@@ -29,9 +29,9 @@
                     "type": "object",
                     "properties": {
                         "max_connections": {
-                            "type": "string",
+                            "type": "number",
                             "description": "Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections",
-                            "default": "100"
+                            "default": 100
                         }
                     }
                 }
@@ -103,4 +103,4 @@
             }
         }
     }
-}
+}

packages/apps/postgres/values.yaml

@@ -14,7 +14,7 @@ storageClass: ""
 ## @param postgresql.parameters.max_connections Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections
 postgresql:
   parameters:
-    max_connections: "100"
+    max_connections: 100
 
 ## Configuration for the quorum-based synchronous replication
 ## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.

packages/apps/rabbitmq/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.1
+version: 0.4.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -16,6 +16,8 @@ spec:
     statefulSet:
       spec:
         template:
+          spec:
+            enableServiceLinks: false
           metadata:
             labels:
               policy.cozystack.io/allow-to-apiserver: "true"
@@ -47,7 +49,7 @@ metadata:
     config: '{{ printf "%s %s" $user $password | sha256sum }}'
 spec:
   importCredentialsSecret:
-    name: {{ $.Release.Name }}-{{ $user }}-credentials
+    name: {{ $.Release.Name }}-{{ kebabcase $user }}-credentials
   rabbitmqClusterReference:
     name: {{ $.Release.Name }}
 ---

packages/apps/versions_map

@@ -31,7 +31,10 @@ kubernetes 0.8.0 ac11056e
 kubernetes 0.8.1 e54608d8
 kubernetes 0.8.2 5ca8823
 kubernetes 0.9.0 9b6dd19
-kubernetes 0.10.0 HEAD
+kubernetes 0.10.0 ac5c38b
+kubernetes 0.11.0 4eaca42
+kubernetes 0.11.1 4f430a90
+kubernetes 0.12.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
@@ -48,12 +51,14 @@ postgres 0.4.0 ec283c33
 postgres 0.4.1 5ca8823
 postgres 0.5.0 c07c4bbd
 postgres 0.6.0 2a4768a
-postgres 0.6.2 HEAD
+postgres 0.6.2 54fd61c
+postgres 0.7.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 5ca8823
 rabbitmq 0.3.0 9e33dc0
 rabbitmq 0.4.0 36d8855
-rabbitmq 0.4.1 HEAD
+rabbitmq 0.4.1 35536bb
+rabbitmq 0.4.2 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 HEAD

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.6
+version: v1.8.0
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.6
+    imageRef: ghcr.io/siderolabs/installer:v1.8.0
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.6
+version: v1.8.0
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.6
+    imageRef: ghcr.io/siderolabs/installer:v1.8.0
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.6
+version: v1.8.0
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.6
+    imageRef: ghcr.io/siderolabs/installer:v1.8.0
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.6
+version: v1.8.0
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.6
+    imageRef: ghcr.io/siderolabs/installer:v1.8.0
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.6
+version: v1.8.0
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.6
+    imageRef: ghcr.io/siderolabs/installer:v1.8.0
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.7.6
+version: v1.8.0
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.6
+    imageRef: ghcr.io/siderolabs/installer:v1.8.0
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240909
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240909
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.0
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.15.0@sha256:aeff26a80f84b4323578e613b3bf03caa842d617ec8d9ca98706867c1e70609f
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.16.3@sha256:7f281a046f648a53e9b957c6297e5e62c53b39a2816240720c142da0d1d79700

packages/core/platform/bundles/distro-full.yaml

@@ -29,6 +29,7 @@ releases:
       enableIdentityMark: true
       ipv4NativeRoutingCIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"
       autoDirectNodeRoutes: true
+      routingMode: native
 
 - name: cert-manager
   releaseName: cert-manager
@@ -139,4 +140,19 @@ releases:
   releaseName: traffic-manager
   chart: cozy-telepresence
   namespace: cozy-telepresence
+  optional: true
   dependsOn: []
+
+- name: external-dns
+  releaseName: external-dns
+  chart: cozy-external-dns
+  namespace: cozy-external-dns
+  optional: true
+  dependsOn: [cilium]
+
+- name: external-secrets-operator
+  releaseName: external-secrets-operator
+  chart: cozy-external-secrets-operator
+  namespace: cozy-external-secrets-operator
+  optional: true
+  dependsOn: [cilium]

packages/core/platform/bundles/distro-hosted.yaml

@@ -91,4 +91,19 @@ releases:
   releaseName: traffic-manager
   chart: cozy-telepresence
   namespace: cozy-telepresence
+  optional: true
+  dependsOn: []
+
+- name: external-dns
+  releaseName: external-dns
+  chart: cozy-external-dns
+  namespace: cozy-external-dns
+  optional: true
+  dependsOn: [] 
+
+- name: external-secrets-operator
+  releaseName: external-secrets-operator
+  chart: cozy-external-secrets-operator
+  namespace: cozy-external-secrets-operator
+  optional: true
   dependsOn: []

packages/core/platform/bundles/paas-full.yaml

@@ -175,6 +175,7 @@ releases:
   releaseName: traffic-manager
   chart: cozy-telepresence
   namespace: cozy-telepresence
+  optional: true
   dependsOn: [cilium,kubeovn]
 
 - name: dashboard
@@ -216,3 +217,17 @@ releases:
   namespace: cozy-cluster-api
   privileged: true
   dependsOn: [cilium,kubeovn,capi-operator]
+
+- name: external-dns
+  releaseName: external-dns
+  chart: cozy-external-dns
+  namespace: cozy-external-dns
+  optional: true
+  dependsOn: [cilium,kubeovn]
+
+- name: external-secrets-operator
+  releaseName: external-secrets-operator
+  chart: cozy-external-secrets-operator
+  namespace: cozy-external-secrets-operator
+  optional: true
+  dependsOn: [cilium,kubeovn]

packages/core/platform/bundles/paas-hosted.yaml

@@ -97,6 +97,21 @@ releases:
   releaseName: traffic-manager
   chart: cozy-telepresence
   namespace: cozy-telepresence
+  optional: true
+  dependsOn: []
+
+- name: external-dns
+  releaseName: external-dns
+  chart: cozy-external-dns
+  namespace: cozy-external-dns
+  optional: true
+  dependsOn: [cilium,kubeovn]
+
+- name: external-secrets-operator
+  releaseName: external-secrets-operator
+  chart: cozy-external-secrets-operator
+  namespace: cozy-external-secrets-operator
+  optional: true
   dependsOn: []
 
 - name: dashboard

packages/core/platform/templates/helmreleases.yaml

@@ -3,6 +3,7 @@
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $dependencyNamespaces := dict }}
 {{- $disabledComponents := splitList "," ((index $cozyConfig.data "bundle-disable") | default "") }}
+{{- $enabledComponents := splitList "," ((index $cozyConfig.data "bundle-enable") | default "") }}
 
 {{/* collect dependency namespaces from releases */}}
 {{- range $x := $bundle.releases }}
@@ -11,6 +12,7 @@
 
 {{- range $x := $bundle.releases }}
 {{- if not (has $x.name $disabledComponents) }}
+{{- if or (not $x.optional) (and ($x.optional) (has $x.name $enabledComponents)) }}
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -65,3 +67,4 @@ spec:
   {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}

packages/core/platform/templates/namespaces.yaml

@@ -1,17 +1,23 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $bundleName := index $cozyConfig.data "bundle-name" }}
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
+{{- $disabledComponents := splitList "," ((index $cozyConfig.data "bundle-disable") | default "") }}
+{{- $enabledComponents := splitList "," ((index $cozyConfig.data "bundle-enable") | default "") }}
 {{- $namespaces := dict }}
 
 {{/* collect namespaces from releases */}}
 {{- range $x := $bundle.releases }}
-{{- if not (hasKey $namespaces $x.namespace) }}
-{{- $_ := set $namespaces $x.namespace false }}
-{{- end }}
-{{/* if at least one release requires a privileged namespace, then it should be privileged */}}
-{{- if or $x.privileged (index $namespaces $x.namespace) }}
-{{- $_ := set $namespaces $x.namespace true }}
-{{- end }}
+  {{- if not (hasKey $namespaces $x.namespace) }}
+    {{- if not (has $x.name $disabledComponents) }}
+      {{- if and ($x.optional) (has $x.name $enabledComponents) }}
+        {{- $_ := set $namespaces $x.namespace false }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  {{/* if at least one release requires a privileged namespace, then it should be privileged */}}
+  {{- if or $x.privileged (index $namespaces $x.namespace) }}
+    {{- $_ := set $namespaces $x.namespace true }}
+  {{- end }}
 {{- end }}
 
 {{/* Add extra namespaces */}}

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.15.0@sha256:20cc84e4a11db31434881355c070113a7823501a28a6114ca02830b18607ad21
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.16.3@sha256:25b298d621ec79431d106184d59849bbae634588742583d111628126ad8615c5

packages/extra/ingress/templates/dashboard.yaml

@@ -1,29 +1,36 @@
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
-{{- if .Values.dashboard }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    acme.cert-manager.io/http01-ingress-class: tenant-root
-  name: dashboard-{{ .Release.Namespace }}
-  namespace: cozy-dashboard
-spec:
-  ingressClassName: {{ .Release.Namespace }}
-  rules:
-  - host: dashboard.{{ $host }}
-    http:
-      paths:
-      - backend:
-          service:
-            name: dashboard
-            port:
-              number: 80
-        path: /
-        pathType: Prefix
-  tls:
-  - hosts:
-    - dashboard.{{ $host }}
-    secretName: dashboard-{{ .Release.Namespace }}-tls
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}  
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}  
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}  
+
+{{- if .Values.dashboard }}  
+apiVersion: networking.k8s.io/v1  
+kind: Ingress  
+metadata:  
+  annotations:  
+    cert-manager.io/cluster-issuer: letsencrypt-prod  
+    {{- if eq $issuerType "cloudflare" }} 
+    {{- else }}  
+    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}  
+    {{- end }}  
+  name: dashboard-{{ .Release.Namespace }}  
+  namespace: cozy-dashboard  
+spec:  
+  ingressClassName: {{ .Release.Namespace }}  
+  rules:  
+  - host: dashboard.{{ $host }}  
+    http:  
+      paths:  
+      - backend:  
+          service:  
+            name: dashboard  
+            port:  
+              number: 80  
+        path: /  
+        pathType: Prefix  
+  tls:  
+  - hosts:  
+    - dashboard.{{ $host }}  
+    secretName: dashboard-{{ .Release.Namespace }}-tls  
 {{- end }}

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.4.0
+version: 1.5.0

packages/extra/monitoring/templates/alerta/alerta.yaml

@@ -1,3 +1,6 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
@@ -145,16 +148,18 @@ metadata:
   labels:
     app: alerta
   annotations:
+    {{- if ne $issuerType "cloudflare" }} 
     acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
+    {{- end }} 
     cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   ingressClassName: {{ $ingress }}
   tls:
     - hosts:
-        - "{{ .Values.host | default (printf "alerta.%s" $host) }}"
+        - "{{ printf "alerta.%s" (.Values.host | default $host) }}"
       secretName: alerta-tls
   rules:
-    - host: "{{ .Values.host | default (printf "alerta.%s" $host) }}"
+    - host: "{{ printf "alerta.%s" (.Values.host | default $host) }}"
       http:
         paths:
           - path: /

packages/extra/monitoring/templates/grafana/grafana.yaml

@@ -1,3 +1,6 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }} 
+
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
@@ -22,7 +25,7 @@ spec:
       password: ${GF_DATABASE_PASSWORD}
       #ssl_mode: require
     server:
-      root_url: "https://{{ .Values.host | default (printf "grafana.%s" $host) }}"
+      root_url: "https://{{ printf "grafana.%s" (.Values.host | default $host) }}"
     security:
       admin_user: user
       admin_password: ${GF_PASSWORD}
@@ -90,12 +93,14 @@ spec:
   ingress:
     metadata:
       annotations:
-        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"
+        {{- if ne $issuerType "cloudflare" }}
+        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"  
+        {{- end }}
         cert-manager.io/cluster-issuer: letsencrypt-prod
     spec:
       ingressClassName: "{{ $ingress }}"
       rules:
-        - host: "{{ .Values.host | default (printf "grafana.%s" $host) }}"
+        - host: "{{ printf "grafana.%s" (.Values.host | default $host) }}"
           http:
             paths:
               - backend:
@@ -107,5 +112,5 @@ spec:
                 pathType: Prefix
       tls:
       - hosts:
-        - "{{ .Values.host | default (printf "grafana.%s" $host) }}"
+        - "{{ printf "grafana.%s" (.Values.host | default $host) }}"
         secretName: grafana-ingress-tls

packages/extra/seaweedfs/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -38,6 +38,10 @@ spec:
           storageClass: {{ . }}
           {{- end }}
           maxVolumes: 0
+
+      filer:
+        s3:
+          domainName: {{ .Values.host | default (printf "s3.%s" $host) }}
       
       s3:
         ingress:

packages/extra/versions_map

@@ -12,6 +12,8 @@ monitoring 1.1.0 15478a88
 monitoring 1.2.0 c9e0d63b
 monitoring 1.2.1 4471b4ba
 monitoring 1.3.0 6c5cf5b
-monitoring 1.4.0 HEAD
+monitoring 1.4.0 adaf603b
+monitoring 1.5.0 HEAD
 seaweedfs 0.1.0 5ca8823
-seaweedfs 0.2.0 HEAD
+seaweedfs 0.2.0 9e33dc0
+seaweedfs 0.2.1 HEAD

packages/system/capi-operator/values.yaml

@@ -0,0 +1,8 @@
+cluster-api-operator:
+  resources:
+    limits:
+      cpu: 200m
+      memory: 512Mi
+    requests:
+      cpu: 100m
+      memory: 100Mi

packages/system/cert-manager-issuers/templates/cluster-issuers.yaml

@@ -1,35 +1,57 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  annotations:
-  name: letsencrypt-prod
-spec:
-  acme:
-    privateKeySecretRef:
-      name: letsencrypt-prod
-    server: https://acme-v02.api.letsencrypt.org/directory
-    solvers:
-    - http01:
-        ingress:
-          class: nginx
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-stage
-spec:
-  acme:
-    privateKeySecretRef:
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}  
+
+apiVersion: cert-manager.io/v1 
+kind: ClusterIssuer  
+metadata:  
+  name: letsencrypt-prod  
+spec:  
+  acme:  
+    privateKeySecretRef:  
+      name: letsencrypt-prod  
+    server: https://acme-v02.api.letsencrypt.org/directory  
+    solvers:  
+    - {{- if eq $issuerType "cloudflare" }}  
+        dns01:  
+          cloudflare:  
+            apiTokenSecretRef:  
+              name: cloudflare-api-token-secret  
+              key: api-token  
+      {{- else }}  
+        http01:  
+          ingress:  
+            class: nginx  
+      {{- end }}  
+
+---  
+
+apiVersion: cert-manager.io/v1  
+kind: ClusterIssuer  
+metadata:  
+  name: letsencrypt-stage  
+spec:  
+  acme:  
+    privateKeySecretRef:  
       name: letsencrypt-stage
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    solvers:
-    - http01:
-        ingress:
-          class: nginx
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: selfsigned-cluster-issuer
-spec:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory  
+    solvers:  
+    - {{- if eq $issuerType "cloudflare" }}  
+        dns01:  
+          cloudflare:  
+            apiTokenSecretRef:  
+              name: cloudflare-api-token-secret  
+              key: api-token  
+      {{- else }}  
+        http01:  
+          ingress:  
+            class: nginx  
+      {{- end }}  
+
+---  
+
+apiVersion: cert-manager.io/v1  
+kind: ClusterIssuer  
+metadata:  
+  name: selfsigned-cluster-issuer  
+spec:  
   selfSigned: {}

packages/system/cilium/charts/cilium/Chart.yaml

@@ -79,7 +79,7 @@ annotations:
     Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
     be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.16.1
+appVersion: 1.16.2
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.16.1
+version: 1.16.2

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.16.1](https://img.shields.io/badge/Version-1.16.1-informational?style=flat-square) ![AppVersion: 1.16.1](https://img.shields.io/badge/AppVersion-1.16.1-informational?style=flat-square)
+![Version: 1.16.2](https://img.shields.io/badge/Version-1.16.2-informational?style=flat-square) ![AppVersion: 1.16.2](https://img.shields.io/badge/AppVersion-1.16.2-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
 | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. |
-| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
+| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
 | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
@@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
 | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.1","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.2","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -353,7 +353,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:9762041c3760de226a8b00cc12f27dacc28b7691ea926748f9b5c18862db503f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.9-1726784081-a90146d13b4cd7d168d573396ccf2b3db5a3b047","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -484,7 +484,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.1","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.2","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -590,7 +590,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.1","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.2","useDigest":true}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -717,7 +717,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804","awsDigest":"sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4","azureDigest":"sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22","genericDigest":"sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.1","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716","awsDigest":"sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd","azureDigest":"sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727","genericDigest":"sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.2","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -767,7 +767,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.1","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.2","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml

@@ -26,10 +26,6 @@ spec:
   template:
     metadata:
       annotations:
-        {{- if and .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }}
-        prometheus.io/port: "{{ .Values.envoy.prometheus.port }}"
-        prometheus.io/scrape: "true"
-        {{- end }}
         {{- if .Values.envoy.rollOutPods }}
         # ensure pods roll when configmap updates
         cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }}

packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml

@@ -0,0 +1,33 @@
+{{- $envoyDS := eq (include "envoyDaemonSetEnabled" .) "true" -}}
+{{- if and $envoyDS (not .Values.preflight.enabled) .Values.envoy.prometheus.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: cilium-envoy
+  namespace: {{ .Release.Namespace }}
+  {{- if or (not .Values.envoy.prometheus.serviceMonitor.enabled) .Values.envoy.annotations }}
+  annotations:
+  {{- if not .Values.envoy.prometheus.serviceMonitor.enabled }}
+    prometheus.io/scrape: "true"
+    prometheus.io/port: {{ .Values.envoy.prometheus.port | quote }}
+  {{- end }}
+  {{- with .Values.envoy.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+  labels:
+    k8s-app: cilium-envoy
+    app.kubernetes.io/name: cilium-envoy
+    app.kubernetes.io/part-of: cilium
+    io.cilium/app: proxy
+spec:
+  clusterIP: None
+  type: ClusterIP
+  selector:
+    k8s-app: cilium-envoy
+  ports:
+  - name: envoy-metrics
+    port: {{ .Values.envoy.prometheus.port }}
+    protocol: TCP
+    targetPort: envoy-metrics
+{{- end }}

packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml

@@ -362,7 +362,7 @@ spec:
               name: cilium-clustermesh
               optional: true
               # note: items are not explicitly listed here, since the entries of this secret
-              # depend on the peers configured, and that would cause a restart of all agents
+              # depend on the peers configured, and that would cause a restart of all operators
               # at every addition/removal. Leaving the field empty makes each secret entry
               # to be automatically projected into the volume as a file whose name is the key.
           - secret:
@@ -384,5 +384,28 @@ spec:
               - key: {{ .Values.tls.caBundle.key }}
                 path: common-etcd-client-ca.crt
           {{- end }}
+          # note: we configure the volume for the kvstoremesh-specific certificate
+          # regardless of whether KVStoreMesh is enabled or not, so that it can be
+          # automatically mounted in case KVStoreMesh gets subsequently enabled,
+          # without requiring an operator restart.
+          - secret:
+              name: clustermesh-apiserver-local-cert
+              optional: true
+              items:
+              - key: tls.key
+                path: local-etcd-client.key
+              - key: tls.crt
+                path: local-etcd-client.crt
+          {{- if not .Values.tls.caBundle.enabled }}
+              - key: ca.crt
+                path: local-etcd-client-ca.crt
+          {{- else }}
+          - {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
+              name: {{ .Values.tls.caBundle.name }}
+              optional: true
+              items:
+              - key: {{ .Values.tls.caBundle.key }}
+                path: local-etcd-client-ca.crt
+          {{- end }}
       {{- end }}
 {{- end }}

packages/system/cilium/charts/cilium/templates/validate.yaml

@@ -1,3 +1,47 @@
+{{/* validate deprecated options are not being used */}}
+
+{{/* Options deprecated in v1.15 and removed in v1.16 */}}
+{{- if or
+  (dig "encryption" "keyFile" "" .Values.AsMap)
+  (dig "encryption" "mountPath" "" .Values.AsMap)
+  (dig "encryption" "secretName" "" .Values.AsMap)
+  (dig "encryption" "interface" "" .Values.AsMap)
+}}
+  {{ fail "encryption.{keyFile,mountPath,secretName,interface} were deprecated in v1.14 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if or
+  ((dig "proxy" "prometheus" "enabled" "" .Values.AsMap) | toString)
+  (dig "proxy" "prometheus" "port" "" .Values.AsMap)
+}}
+  {{ fail "proxy.prometheus.enabled and proxy.prometheus.port were deprecated in v1.14 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if (dig "endpointStatus" "" .Values.AsMap) }}
+  {{ fail "endpointStatus has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if (dig "remoteNodeIdentity" "" .Values.AsMap) }}
+  {{ fail "remoteNodeIdentity was deprecated in v1.15 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if (dig "containerRuntime" "integration" "" .Values.AsMap) }}
+  {{ fail "containerRuntime.integration was deprecated in v1.14 and has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if (dig "etcd" "managed" "" .Values.AsMap) }}
+  {{ fail "etcd.managed was deprecated in v1.10 has been removed in v1.16. For details please refer to https://docs.cilium.io/en/v1.16/operations/upgrade/#helm-options" }}
+{{- end }}
+
+{{/* Options deprecated in v1.14 and removed in v1.15 */}}
+{{- if .Values.tunnel }}
+  {{ fail "tunnel was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if or (dig "clustermesh" "apiserver" "tls" "ca" "cert" "" .Values.AsMap) (dig "clustermesh" "apiserver" "tls" "ca" "key" "" .Values.AsMap) }}
+  {{ fail "clustermesh.apiserver.tls.ca.cert and clustermesh.apiserver.tls.ca.key were deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if .Values.enableK8sEventHandover }}
+  {{ fail "enableK8sEventHandover was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
+{{- end }}
+{{- if .Values.enableCnpStatusUpdates }}
+  {{ fail "enableCnpStatusUpdates was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
+{{- end }}
+
 {{/* validate hubble config */}}
 {{- if and .Values.hubble.ui.enabled (not .Values.hubble.ui.standalone.enabled) }}
   {{- if not .Values.hubble.relay.enabled }}

packages/system/cilium/charts/cilium/values.yaml

@@ -153,10 +153,10 @@ image:
   # @schema
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.16.1"
+  tag: "v1.16.2"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
+  digest: "sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea"
   useDigest: true
 # -- Affinity for cilium-agent.
 affinity:
@@ -1309,9 +1309,9 @@ hubble:
       # @schema
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.16.1"
+      tag: "v1.16.2"
       # hubble-relay-digest
-      digest: "sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35"
+      digest: "sha256:4b559907b378ac18af82541dafab430a857d94f1057f2598645624e6e7ea286c"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- Specifies the resources for the hubble-relay pods
@@ -2158,9 +2158,9 @@ envoy:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51"
+    tag: "v1.29.9-1726784081-a90146d13b4cd7d168d573396ccf2b3db5a3b047"
     pullPolicy: "IfNotPresent"
-    digest: "sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b"
+    digest: "sha256:9762041c3760de226a8b00cc12f27dacc28b7691ea926748f9b5c18862db503f"
     useDigest: true
   # -- Additional containers added to the cilium Envoy DaemonSet.
   extraContainers: []
@@ -2474,15 +2474,15 @@ operator:
     # @schema
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.16.1"
+    tag: "v1.16.2"
     # operator-generic-digest
-    genericDigest: "sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4"
+    genericDigest: "sha256:cccfd3b886d52cb132c06acca8ca559f0fce91a6bd99016219b1a81fdbc4813a"
     # operator-azure-digest
-    azureDigest: "sha256:e55c222654a44ceb52db7ade3a7b9e8ef05681ff84c14ad1d46fea34869a7a22"
+    azureDigest: "sha256:fde7cf8bb887e106cd388bb5c3327e92682b2ec3ab4f03bb57b87f495b99f727"
     # operator-aws-digest
-    awsDigest: "sha256:e3876fcaf2d6ccc8d5b4aaaded7b1efa971f3f4175eaa2c8a499878d58c39df4"
+    awsDigest: "sha256:b6a73ec94407a56cccc8a395225e2aecc3ca3611e7acfeec86201c19fc0727dd"
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:4381adf48d76ec482551183947e537d44bcac9b6c31a635a9ac63f696d978804"
+    alibabacloudDigest: "sha256:16e33abb6b8381e2f66388b6d7141399f06c9b51b9ffa08fd159b8d321929716"
     useDigest: true
     pullPolicy: "IfNotPresent"
     suffix: ""
@@ -2756,9 +2756,9 @@ preflight:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.16.1"
+    tag: "v1.16.2"
     # cilium-digest
-    digest: "sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
+    digest: "sha256:4386a8580d8d86934908eea022b0523f812e6a542f30a86a47edd8bed90d51ea"
     useDigest: true
     pullPolicy: "IfNotPresent"
   # -- The priority class to use for the preflight pod.
@@ -2905,9 +2905,9 @@ clustermesh:
       # @schema
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.16.1"
+      tag: "v1.16.2"
       # clustermesh-apiserver-digest
-      digest: "sha256:e9c77417cd474cc943b2303a76c5cf584ac7024dd513ebb8d608cb62fe28896f"
+      digest: "sha256:cc84190fed92e03a2b3a33bc670b2447b521ee258ad9b076baaad13be312ea73"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- TCP port for the clustermesh-apiserver health API.
@@ -3406,7 +3406,7 @@ authentication:
           override: ~
           repository: "docker.io/library/busybox"
           tag: "1.36.1"
-          digest: "sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"
+          digest: "sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140"
           useDigest: true
           pullPolicy: "IfNotPresent"
         # SPIRE agent configuration

packages/system/cilium/images/cilium/Dockerfile

@@ -1,2 +1,2 @@
-ARG VERSION=v1.16.1
+ARG VERSION=v1.16.2
 FROM quay.io/cilium/cilium:${VERSION}

packages/system/cilium/values-kubeovn.yaml

@@ -15,4 +15,4 @@ cilium:
   enableIdentityMark: false
   enableRuntimeDeviceDetection: true
   forceDeviceDetection: true
-  devices: ovn0
+  devices: "ovn0 genev_sys_6081"

packages/system/cilium/values.yaml

@@ -12,7 +12,7 @@ cilium:
     mode: "kubernetes"
   image:
     repository: ghcr.io/aenix-io/cozystack/cilium
-    tag: 1.16.1
-    digest: "sha256:9593dbc3bd25487b52d8f43330d4a308e450605479a8384a32117e9613289892"
+    tag: 1.16.2
+    digest: "sha256:534c5b04fef356a6be59234243c23c0c09702fe1e2c8872012afb391ce2965c4"
   envoy:
     enabled: false

packages/system/dashboard/values.yaml

@@ -33,11 +33,11 @@ kubeapps:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.15.0
+      tag: v0.16.3
       digest: "sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.15.0
-      digest: "sha256:70c095c8f7e3ecfa11433a3a2c8f57f6ff5a0053f006939a2c171c180cc50baf"
+      tag: v0.16.3
+      digest: "sha256:55bc8e2495933112c7cb4bb9e3b1fcb8df46aa14e27fa007f78388a9757e3238"

packages/system/external-dns/.helmignore

@@ -0,0 +1,3 @@
+images
+hack
+.gitkeep

packages/system/external-dns/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-external-dns
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/external-dns/Makefile

@@ -0,0 +1,10 @@
+export NAME=external-dns
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
+	helm repo update external-dns
+	helm pull external-dns/external-dns --untar --untardir charts

packages/system/external-dns/charts/external-dns/.helmignore

@@ -21,6 +21,3 @@
 .idea/
 *.tmproj
 .vscode/
-
-# Ignore img folder used for documentation
-img/

packages/system/external-dns/charts/external-dns/CHANGELOG.md

@@ -0,0 +1,219 @@
+# ExternalDNS Helm Chart Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+<!--
+### Added - For new features.
+### Changed - For changes in existing functionality.
+### Deprecated - For soon-to-be removed features.
+### Removed - For now removed features.
+### Fixed - For any bug fixes.
+### Security - In case of vulnerabilities.
+-->
+
+## [UNRELEASED]
+
+## [v1.15.0] - 2023-09-10
+
+### Changed
+
+- Updated _ExternalDNS_ OCI image version to [v0.15.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.15.0). ([#xxxx](https://github.com/kubernetes-sigs/external-dns/pull/xxxx)) _@stevehipwell_
+
+### Fixed
+
+- Fixed `provider.webhook.resources` behavior to correctly leverage resource limits. ([#4560](https://github.com/kubernetes-sigs/external-dns/pull/4560)) _@crutonjohn_
+- Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
+- Fixed to add correct webhook metric port to `Service` and `ServiceMonitor`. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
+- Fixed to no longer require the unauthenticated webhook provider port to be exposed for health probes. ([#4691](https://github.com/kubernetes-sigs/external-dns/pull/4691)) _@kimsondrup_ & _@hatrx_
+
+## [v1.14.5] - 2023-06-10
+
+### Added
+
+- Added support for `extraContainers` argument. ([#4432](https://github.com/kubernetes-sigs/external-dns/pull/4432)) _@omerap12_
+- Added support for setting `excludeDomains` argument.  ([#4380](https://github.com/kubernetes-sigs/external-dns/pull/4380)) _@bford-evs_
+
+### Changed
+
+- Updated _ExternalDNS_ OCI image version to [v0.14.2](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.14.2). ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
+- Updated `DNSEndpoint` CRD. ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
+- Changed the implementation for `revisionHistoryLimit` to be more generic. ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
+
+### Fixed
+
+- Fixed the `ServiceMonitor` job name to correctly use the instance label. ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
+
+## [v1.14.4] - 2023-04-03
+
+### Added
+
+- Added support for setting `dnsConfig`. ([#4265](https://github.com/kubernetes-sigs/external-dns/pull/4265)) _@davhdavh_
+- Added support for `DNSEndpoint` CRD. ([#4322](https://github.com/kubernetes-sigs/external-dns/pull/4322)) _@onedr0p_
+
+### Changed
+
+- Updated _ExternalDNS_ OCI image version to [v0.14.1](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.14.1). ([#4357](https://github.com/kubernetes-sigs/external-dns/pull/4357)) _@stevehipwell_
+
+## [v1.14.3] - 2023-01-26
+
+### Fixed
+
+- Fixed args for webhook deployment. ([#4202](https://github.com/kubernetes-sigs/external-dns/pull/4202)) [@webwurst](https://github.com/webwurst)
+- Fixed support for `gateway-grpcroute`, `gateway-tlsroute`, `gateway-tcproute` & `gateway-udproute`. ([#4205](https://github.com/kubernetes-sigs/external-dns/pull/4205)) [@orenlevi111](https://github.com/orenlevi111)
+- Fixed incorrect implementation for setting the `automountServiceAccountToken`. ([#4208](https://github.com/kubernetes-sigs/external-dns/pull/4208)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.14.2] - 2024-01-22
+
+### Fixed
+
+- Restore template support in `.Values.provider` and `.Values.provider.name`
+
+## [v1.14.1] - 2024-01-11
+
+### Fixed
+
+- Fixed webhook install failure: `"http-webhook-metrics": must be no more than 15 characters`. ([#4173](https://github.com/kubernetes-sigs/external-dns/pull/4173)) [@gabe565](https://github.com/gabe565)
+
+## [v1.14.0] - 2024-01-10
+
+### Added
+
+- Added the option to explicitly enable or disable service account token automounting. ([#3983](https://github.com/kubernetes-sigs/external-dns/pull/3983)) [@gilles-gosuin](https://github.com/gilles-gosuin)
+- Added the option to configure revisionHistoryLimit on the K8s Deployment resource. ([#4008](https://github.com/kubernetes-sigs/external-dns/pull/4008)) [@arnisoph](https://github.com/arnisoph)
+- Added support for webhook providers, as a sidecar. ([#4032](https://github.com/kubernetes-sigs/external-dns/pull/4032) [@mloiseleur](https://github.com/mloiseleur)
+- Added the option to configure ipFamilyPolicy and ipFamilies of external-dns Service.  ([#4153](https://github.com/kubernetes-sigs/external-dns/pull/4153)) [@dongjiang1989](https://github.com/dongjiang1989)
+
+### Changed
+
+- Avoid unnecessary pod restart on each helm chart version. ([#4103](https://github.com/kubernetes-sigs/external-dns/pull/4103)) [@jkroepke](https://github.com/jkroepke)
+- Updated _ExternalDNS_ OCI image version to [v0.14.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.14.0). ([#4073](https://github.com/kubernetes-sigs/external-dns/pull/4073)) [@appkins](https://github.com/appkins)
+
+### Deprecated
+
+- The `secretConfiguration` value has been deprecated in favour of creating secrets external to the Helm chart and configuring their use via the `extraVolumes` & `extraVolumeMounts` values. ([#4161](https://github.com/kubernetes-sigs/external-dns/pull/4161)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.13.1] - 2023-09-07
+
+### Added
+
+- Added RBAC for Traefik to ClusterRole. ([#3325](https://github.com/kubernetes-sigs/external-dns/pull/3325)) [@ThomasK33](https://github.com/thomask33)
+- Added support for init containers. ([#3325](https://github.com/kubernetes-sigs/external-dns/pull/3838)) [@calvinbui](https://github.com/calvinbui)
+
+### Changed
+
+- Disallowed privilege escalation in container security context and set the seccomp profile type to `RuntimeDefault`. ([#3689](https://github.com/kubernetes-sigs/external-dns/pull/3689)) [@nrvnrvn](https://github.com/nrvnrvn)
+- Updated _ExternalDNS_ OCI image version to [v0.13.6](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.6). ([#3917](https://github.com/kubernetes-sigs/external-dns/pull/3917)) [@stevehipwell](https://github.com/stevehipwell)
+
+### Removed
+
+- Removed RBAC rule for already removed `contour-ingressroute` source. ([#3764](https://github.com/kubernetes-sigs/external-dns/pull/3764)) [@johngmyers](https://github.com/johngmyers)
+
+## [v1.13.0] - 2023-03-30
+
+### All Changes
+
+- Updated _ExternalDNS_ version to [v0.13.5](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.5). ([#3661](https://github.com/kubernetes-sigs/external-dns/pull/3661)) [@GMartinez-Sisti](https://github.com/GMartinez-Sisti)
+- Adding missing gateway-httproute cluster role permission. ([#3541](https://github.com/kubernetes-sigs/external-dns/pull/3541)) [@nicon89](https://github.com/nicon89)
+
+## [v1.12.2] - 2023-03-30
+
+### All Changes
+
+- Added support for ServiceMonitor relabelling. ([#3366](https://github.com/kubernetes-sigs/external-dns/pull/3366)) [@jkroepke](https://github.com/jkroepke)
+- Updated chart icon path. ([#3492](https://github.com/kubernetes-sigs/external-dns/pull/3494)) [kundan2707](https://github.com/kundan2707)
+- Added RBAC for Gateway-API resources to ClusterRole. ([#3499](https://github.com/kubernetes-sigs/external-dns/pull/3499)) [@michaelvl](https://github.com/MichaelVL)
+- Added RBAC for F5 VirtualServer to ClusterRole. ([#3503](https://github.com/kubernetes-sigs/external-dns/pull/3503)) [@mikejoh](https://github.com/mikejoh)
+- Added support for running ExternalDNS with namespaced scope. ([#3403](https://github.com/kubernetes-sigs/external-dns/pull/3403)) [@jkroepke](https://github.com/jkroepke)
+- Updated _ExternalDNS_ version to [v0.13.4](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.4). ([#3516](https://github.com/kubernetes-sigs/external-dns/pull/3516)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.12.1] - 2023-02-06
+
+### All Changes
+
+- Updated _ExternalDNS_ version to [v0.13.2](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.2). ([#3371](https://github.com/kubernetes-sigs/external-dns/pull/3371)) [@stevehipwell](https://github.com/stevehipwell)
+- Added `secretConfiguration.subPath` to mount specific files from secret as a sub-path. ([#3227](https://github.com/kubernetes-sigs/external-dns/pull/3227)) [@jkroepke](https://github.com/jkroepke)
+- Changed to use `registry.k8s.io` instead of `k8s.gcr.io`. ([#3261](https://github.com/kubernetes-sigs/external-dns/pull/3261)) [@johngmyers](https://github.com/johngmyers)
+
+## [v1.12.0] - 2022-11-29
+
+### All Changes
+
+- Added ability to provide ExternalDNS with secret configuration via `secretConfiguration`. ([#3144](https://github.com/kubernetes-sigs/external-dns/pull/3144)) [@jkroepke](https://github.com/jkroepke)
+- Added the ability to template `provider` & `extraArgs`. ([#3144](https://github.com/kubernetes-sigs/external-dns/pull/3144)) [@jkroepke](https://github.com/jkroepke)
+- Added the ability to customise the service account labels. ([#3145](https://github.com/kubernetes-sigs/external-dns/pull/3145)) [@jkroepke](https://github.com/jkroepke)
+- Updated _ExternalDNS_ version to [v0.13.1](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.1). ([#3197](https://github.com/kubernetes-sigs/external-dns/pull/3197)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.11.0] - 2022-08-10
+
+### Added
+
+- Added support to configure `dnsPolicy` on the Helm chart deployment. [@michelzanini](https://github.com/michelzanini)
+- Added ability to customise the deployment strategy. [mac-chaffee](https://github.com/mac-chaffee)
+
+### Changed
+
+- Updated _ExternalDNS_ version to [v0.12.2](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.12.2). [@stevehipwell](https://github.com/stevehipwell)
+- Changed default deployment strategy to `Recreate`. [mac-chaffee](https://github.com/mac-chaffee)
+
+## [v1.10.1] - 2022-07-11
+
+### Fixed
+
+- Fixed incorrect addition of `namespace` to `ClusterRole` & `ClusterRoleBinding`. [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.10.0] - 2022-07-08
+
+### Added
+
+- Added `commonLabels` value to allow the addition of labels to all resources. [@stevehipwell](https://github.com/stevehipwell)
+- Added support for [Process Namespace Sharing](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) via the `shareProcessNamespace`
+ value. ([#2715](https://github.com/kubernetes-sigs/external-dns/pull/2715)) [@wolffberg](https://github.com/wolffberg)
+
+### Changed
+
+- Update _ExternalDNS_ version to [v0.12.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.12.0). [@vojtechmares](https://github.com/vojtechmares)
+- Set resource namespaces to `{{ .Release.Namespace }}` in the templates instead of waiting until apply time for inference. [@stevehipwell](https://github.com/stevehipwell)
+- Fixed `rbac.additionalPermissions` default value.([#2796](https://github.com/kubernetes-sigs/external-dns/pull/2796)) [@tamalsaha](https://github.com/tamalsaha)
+
+## [v1.9.0] - 2022-04-19
+
+### Changed
+
+- Update _ExternalDNS_ version to [v0.11.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.11.0). ([#2690](https://github.com/kubernetes-sigs/external-dns/pull/2690)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.8.0] - 2022-04-13
+
+### Added
+
+- Add annotations to Deployment. ([#2477](https://github.com/kubernetes-sigs/external-dns/pull/2477)) [@beastob](https://github.com/beastob)
+
+### Changed
+
+- Fix RBAC for `istio-virtualservice` source when `istio-gateway` isn't also added. ([#2564](https://github.com/kubernetes-sigs/external-dns/pull/2564)) [@mcwarman](https://github.com/mcwarman)
+
+<!--
+RELEASE LINKS
+-->
+[UNRELEASED]: https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns
+[v1.15.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.15.0
+[v1.14.5]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.5
+[v1.14.4]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.4
+[v1.14.3]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.3
+[v1.14.2]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.2
+[v1.14.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.1
+[v1.14.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.0
+[v1.13.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.13.1
+[v1.13.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.13.0
+[v1.12.2]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.12.2
+[v1.12.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.12.1
+[v1.12.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.12.0
+[v1.11.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.11.0
+[v1.10.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.10.1
+[v1.10.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.10.0
+[v1.9.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.9.0
+[v1.8.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.8.0

packages/system/external-dns/charts/external-dns/Chart.yaml

@@ -0,0 +1,33 @@
+annotations:
+  artifacthub.io/changes: |
+    - kind: changed
+      description: "Updated _ExternalDNS_ OCI image version to [v0.15.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.15.0)."
+    - kind: fixed
+      description: "Fixed `provider.webhook.resources` behavior to correctly leverage resource limits."
+    - kind: fixed
+      description: "Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy."
+    - kind: fixed
+      description: "Fixed to add correct webhook metric port to `Service` and `ServiceMonitor`."
+    - kind: fixed
+      description: "Fixed to no longer require the unauthenticated webhook provider port to be exposed for health probes."
+apiVersion: v2
+appVersion: 0.15.0
+description: ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with
+  DNS providers.
+home: https://github.com/kubernetes-sigs/external-dns/
+icon: https://github.com/kubernetes-sigs/external-dns/raw/master/docs/img/external-dns.png
+keywords:
+- kubernetes
+- externaldns
+- external-dns
+- dns
+- service
+- ingress
+maintainers:
+- email: steve.hipwell@gmail.com
+  name: stevehipwell
+name: external-dns
+sources:
+- https://github.com/kubernetes-sigs/external-dns/
+type: application
+version: 1.15.0

packages/system/external-dns/charts/external-dns/README.md

@@ -0,0 +1,182 @@
+# external-dns
+
+![Version: 1.15.0](https://img.shields.io/badge/Version-1.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+
+ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with DNS providers.
+
+**Homepage:** <https://github.com/kubernetes-sigs/external-dns/>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| stevehipwell | <steve.hipwell@gmail.com> |  |
+
+## Source Code
+
+* <https://github.com/kubernetes-sigs/external-dns/>
+
+## Installing the Chart
+
+Before you can install the chart you will need to add the `external-dns` repo to [Helm](https://helm.sh/).
+
+```shell
+helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
+```
+
+After you've installed the repo you can install the chart.
+
+```shell
+helm upgrade --install external-dns external-dns/external-dns --version 1.15.0
+```
+
+## Providers
+
+Configuring the _ExternalDNS_ provider should be done via the `provider.name` value with provider specific configuration being set via the `provider.<name>.<key>` values, where supported, and the `extraArgs` value. For legacy support `provider` can be set to the name of the provider with all additional configuration being set via the `extraArgs` value.
+See [documentation](https://kubernetes-sigs.github.io/external-dns/#new-providers) for more info on available providers and tutorials.
+
+### Providers with Specific Configuration Support
+
+| Provider               | Supported  |
+|------------------------|------------|
+| `webhook`              | ✅         |
+
+### Other Providers
+
+For set up for a specific provider using the Helm chart, see the following links:
+
+- [AWS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#using-helm-with-oidc)
+- [akamai-edgedns](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/akamai-edgedns.md#using-helm)
+- [cloudflare](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/cloudflare.md#using-helm)
+- [digitalocean](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/digitalocean.md#using-helm)
+- [godaddy](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/godaddy.md#using-helm)
+- [ns1](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ns1.md#using-helm)
+- [plural](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/plural.md#using-helm)
+
+## Namespaced Scoped Installation
+
+external-dns supports running on a namespaced only scope, too.
+If `namespaced=true` is defined, the helm chart will setup `Roles` and `RoleBindings` instead `ClusterRoles` and `ClusterRoleBindings`.
+
+### Limited Supported
+
+Not all sources are supported in namespaced scope, since some sources depends on cluster-wide resources.
+For example: Source `node` isn't supported, since `kind: Node` has scope `Cluster`.
+Sources like `istio-virtualservice` only work, if all resources like `Gateway` and `VirtualService` are present in the same
+namespaces as `external-dns`.
+
+The annotation `external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP` is not supported.
+
+If `namespaced` is set to `true`, please ensure that `sources` my only contains supported sources (Default: `service,ingress`).
+
+### Support Matrix
+
+| Source                 | Supported  | Infos                  |
+|------------------------|------------|------------------------|
+| `ingress`              | ✅         |                        |
+| `istio-gateway`        | ✅         |                        |
+| `istio-virtualservice` | ✅         |                        |
+| `crd`                  | ✅         |                        |
+| `kong-tcpingress`      | ✅         |                        |
+| `openshift-route`      | ✅         |                        |
+| `skipper-routegroup`   | ✅         |                        |
+| `gloo-proxy`           | ✅         |                        |
+| `contour-httpproxy`    | ✅         |                        |
+| `service`              | ⚠️️         | NodePort not supported |
+| `node`                 | ❌         |                        |
+| `pod`                  | ❌         |                        |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Affinity settings for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. |
+| automountServiceAccountToken | bool | `nil` | Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `Pod`. |
+| commonLabels | object | `{}` | Labels to add to all chart resources. |
+| deploymentAnnotations | object | `{}` | Annotations to add to the `Deployment`. |
+| deploymentStrategy | object | `{"type":"Recreate"}` | [Deployment Strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy). |
+| dnsConfig | object | `nil` | [DNS config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) for the pod, if not set the default will be used. |
+| dnsPolicy | string | `nil` | [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for the pod, if not set the default will be used. |
+| domainFilters | list | `[]` |  |
+| env | list | `[]` | [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `external-dns` container. |
+| excludeDomains | list | `[]` |  |
+| extraArgs | list | `[]` | Extra arguments to provide to _ExternalDNS_. |
+| extraContainers | object | `{}` | Extra containers to add to the `Deployment`. |
+| extraVolumeMounts | list | `[]` | Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `external-dns` container. |
+| extraVolumes | list | `[]` | Extra [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the `Pod`. |
+| fullnameOverride | string | `nil` | Override the full name of the chart. |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the `external-dns` container. |
+| image.repository | string | `"registry.k8s.io/external-dns/external-dns"` | Image repository for the `external-dns` container. |
+| image.tag | string | `nil` | Image tag for the `external-dns` container, this will default to `.Chart.AppVersion` if not set. |
+| imagePullSecrets | list | `[]` | Image pull secrets. |
+| initContainers | list | `[]` | [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) to add to the `Pod` definition. |
+| interval | string | `"1m"` | Interval for DNS updates. |
+| livenessProbe | object | See _values.yaml_ | [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
+| logFormat | string | `"text"` | Log format. |
+| logLevel | string | `"info"` | Log level. |
+| nameOverride | string | `nil` | Override the name of the chart. |
+| namespaced | bool | `false` | if `true`, _ExternalDNS_ will run in a namespaced scope (`Role`` and `Rolebinding`` will be namespaced too). |
+| nodeSelector | object | `{}` | Node labels to match for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). |
+| podAnnotations | object | `{}` | Annotations to add to the `Pod`. |
+| podLabels | object | `{}` | Labels to add to the `Pod`. |
+| podSecurityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core), this supports full customisation. |
+| policy | string | `"upsert-only"` | How DNS records are synchronized between sources and providers; available values are `sync` & `upsert-only`. |
+| priorityClassName | string | `nil` | Priority class name for the `Pod`. |
+| provider.name | string | `"aws"` | _ExternalDNS_ provider name; for the available providers and how to configure them see [README](https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/README.md#providers). |
+| provider.webhook.args | list | `[]` | Extra arguments to provide for the `webhook` container. |
+| provider.webhook.env | list | `[]` | [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `webhook` container. |
+| provider.webhook.extraVolumeMounts | list | `[]` | Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `webhook` container. |
+| provider.webhook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the `webhook` container. |
+| provider.webhook.image.repository | string | `nil` | Image repository for the `webhook` container. |
+| provider.webhook.image.tag | string | `nil` | Image tag for the `webhook` container. |
+| provider.webhook.livenessProbe | object | See _values.yaml_ | [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
+| provider.webhook.readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container. |
+| provider.webhook.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container. |
+| provider.webhook.securityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container. |
+| provider.webhook.service.port | int | `8080` | Webhook exposed HTTP port for the service. |
+| provider.webhook.serviceMonitor | object | See _values.yaml_ | Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container. |
+| rbac.additionalPermissions | list | `[]` | Additional rules to add to the `ClusterRole`. |
+| rbac.create | bool | `true` | If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API. |
+| readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
+| registry | string | `"txt"` | Specify the registry for storing ownership and labels. Valid values are `txt`, `aws-sd`, `dynamodb` & `noop`. |
+| resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `external-dns` container. |
+| revisionHistoryLimit | int | `nil` | Specify the number of old `ReplicaSets` to retain to allow rollback of the `Deployment``. |
+| secretConfiguration.data | object | `{}` | `Secret` data. |
+| secretConfiguration.enabled | bool | `false` | If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**). |
+| secretConfiguration.mountPath | string | `nil` | Mount path for the `Secret`, this can be templated. |
+| secretConfiguration.subPath | string | `nil` | Sub-path for mounting the `Secret`, this can be templated. |
+| securityContext | object | See _values.yaml_ | [Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `external-dns` container. |
+| service.annotations | object | `{}` | Service annotations. |
+| service.ipFamilies | list | `[]` | Service IP families. |
+| service.ipFamilyPolicy | string | `nil` | Service IP family policy. |
+| service.port | int | `7979` | Service HTTP port. |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| serviceAccount.automountServiceAccountToken | string | `nil` | Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `ServiceAccount`. |
+| serviceAccount.create | bool | `true` | If `true`, create a new `ServiceAccount`. |
+| serviceAccount.labels | object | `{}` | Labels to add to the service account. |
+| serviceAccount.name | string | `nil` | If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use. |
+| serviceMonitor.additionalLabels | object | `{}` | Additional labels for the `ServiceMonitor`. |
+| serviceMonitor.annotations | object | `{}` | Annotations to add to the `ServiceMonitor`. |
+| serviceMonitor.bearerTokenFile | string | `nil` | Provide a bearer token file for the `ServiceMonitor`. |
+| serviceMonitor.enabled | bool | `false` | If `true`, create a `ServiceMonitor` resource to support the _Prometheus Operator_. |
+| serviceMonitor.interval | string | `nil` | If set override the _Prometheus_ default interval. |
+| serviceMonitor.metricRelabelings | list | `[]` | [Metric relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) to apply to samples before ingestion. |
+| serviceMonitor.namespace | string | `nil` | If set create the `ServiceMonitor` in an alternate namespace. |
+| serviceMonitor.relabelings | list | `[]` | [Relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) to apply to samples before ingestion. |
+| serviceMonitor.scheme | string | `nil` | If set overrides the _Prometheus_ default scheme. |
+| serviceMonitor.scrapeTimeout | string | `nil` | If set override the _Prometheus_ default scrape timeout. |
+| serviceMonitor.targetLabels | list | `[]` | Provide target labels for the `ServiceMonitor`. |
+| serviceMonitor.tlsConfig | object | `{}` | Configure the `ServiceMonitor` [TLS config](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig). |
+| shareProcessNamespace | bool | `false` | If `true`, the `Pod` will have [process namespace sharing](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) enabled. |
+| sources | list | `["service","ingress"]` | _Kubernetes_ resources to monitor for DNS entries. |
+| terminationGracePeriodSeconds | int | `nil` | Termination grace period for the `Pod` in seconds. |
+| tolerations | list | `[]` | Node taints which will be tolerated for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). |
+| topologySpreadConstraints | list | `[]` | Topology spread constraints for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided one will be created from the pod selector labels. |
+| triggerLoopOnEvent | bool | `false` | If `true`, triggers run loop on create/update/delete events in addition of regular interval. |
+| txtOwnerId | string | `nil` | Specify an identifier for this instance of _ExternalDNS_ wWhen using a registry other than `noop`. |
+| txtPrefix | string | `nil` | Specify a prefix for the domain names of TXT records created for the `txt` registry. Mutually exclusive with `txtSuffix`. |
+| txtSuffix | string | `nil` | Specify a suffix for the domain names of TXT records created for the `txt` registry. Mutually exclusive with `txtPrefix`. |
+
+----------------------------------------------
+
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/).

packages/system/external-dns/charts/external-dns/README.md.gotmpl

@@ -0,0 +1,91 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+## Installing the Chart
+
+Before you can install the chart you will need to add the `external-dns` repo to [Helm](https://helm.sh/).
+
+```shell
+helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
+```
+
+After you've installed the repo you can install the chart.
+
+```shell
+helm upgrade --install {{ template "chart.name" . }} external-dns/{{ template "chart.name" . }} --version {{ template "chart.version" . }}
+```
+
+## Providers
+
+Configuring the _ExternalDNS_ provider should be done via the `provider.name` value with provider specific configuration being set via the `provider.<name>.<key>` values, where supported, and the `extraArgs` value. For legacy support `provider` can be set to the name of the provider with all additional configuration being set via the `extraArgs` value.
+See [documentation](https://kubernetes-sigs.github.io/external-dns/#new-providers) for more info on available providers and tutorials.
+
+### Providers with Specific Configuration Support
+
+| Provider               | Supported  |
+|------------------------|------------|
+| `webhook`              | ✅         |
+
+### Other Providers
+
+For set up for a specific provider using the Helm chart, see the following links:
+
+- [AWS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#using-helm-with-oidc)
+- [akamai-edgedns](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/akamai-edgedns.md#using-helm)
+- [cloudflare](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/cloudflare.md#using-helm)
+- [digitalocean](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/digitalocean.md#using-helm)
+- [godaddy](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/godaddy.md#using-helm)
+- [ns1](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ns1.md#using-helm)
+- [plural](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/plural.md#using-helm)
+
+## Namespaced Scoped Installation
+
+external-dns supports running on a namespaced only scope, too.
+If `namespaced=true` is defined, the helm chart will setup `Roles` and `RoleBindings` instead `ClusterRoles` and `ClusterRoleBindings`.
+
+### Limited Supported
+
+Not all sources are supported in namespaced scope, since some sources depends on cluster-wide resources.
+For example: Source `node` isn't supported, since `kind: Node` has scope `Cluster`.
+Sources like `istio-virtualservice` only work, if all resources like `Gateway` and `VirtualService` are present in the same
+namespaces as `external-dns`.
+
+The annotation `external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP` is not supported.
+
+If `namespaced` is set to `true`, please ensure that `sources` my only contains supported sources (Default: `service,ingress`).
+
+### Support Matrix
+
+| Source                 | Supported  | Infos                  |
+|------------------------|------------|------------------------|
+| `ingress`              | ✅         |                        |
+| `istio-gateway`        | ✅         |                        |
+| `istio-virtualservice` | ✅         |                        |
+| `crd`                  | ✅         |                        |
+| `kong-tcpingress`      | ✅         |                        |
+| `openshift-route`      | ✅         |                        |
+| `skipper-routegroup`   | ✅         |                        |
+| `gloo-proxy`           | ✅         |                        |
+| `contour-httpproxy`    | ✅         |                        |
+| `service`              | ⚠️️         | NodePort not supported |
+| `node`                 | ❌         |                        |
+| `pod`                  | ❌         |                        |
+
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+----------------------------------------------
+
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/).

packages/system/external-dns/charts/external-dns/RELEASE.md

@@ -0,0 +1,10 @@
+### Changed
+
+- Updated _ExternalDNS_ OCI image version to [v0.15.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.15.0). ([#xxxx](https://github.com/kubernetes-sigs/external-dns/pull/xxxx)) _@stevehipwell_
+
+### Fixed
+
+- Fixed `provider.webhook.resources` behavior to correctly leverage resource limits. ([#4560](https://github.com/kubernetes-sigs/external-dns/pull/4560)) _@crutonjohn_
+- Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
+- Fixed to add correct webhook metric port to `Service` and `ServiceMonitor`. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
+- Fixed to no longer require the unauthenticated webhook provider port to be exposed for health probes. ([#4691](https://github.com/kubernetes-sigs/external-dns/pull/4691)) _@kimsondrup_ & _@hatrx_

packages/system/external-dns/charts/external-dns/ci/ci-values.yaml

@@ -0,0 +1,2 @@
+provider:
+  name: inmemory

packages/system/external-dns/charts/external-dns/crds/dnsendpoint.yaml

@@ -0,0 +1,102 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: dnsendpoints.externaldns.k8s.io
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/external-dns/pull/2007
+spec:
+  group: externaldns.k8s.io
+  names:
+    kind: DNSEndpoint
+    listKind: DNSEndpointList
+    plural: dnsendpoints
+    singular: dnsendpoint
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: DNSEndpointSpec defines the desired state of DNSEndpoint
+              properties:
+                endpoints:
+                  items:
+                    description:
+                      Endpoint is a high-level way of a connection between
+                      a service and an IP
+                    properties:
+                      dnsName:
+                        description: The hostname of the DNS record
+                        type: string
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: Labels stores labels defined for the Endpoint
+                        type: object
+                      providerSpecific:
+                        description: ProviderSpecific stores provider specific config
+                        items:
+                          description:
+                            ProviderSpecificProperty holds the name and value
+                            of a configuration which is specific to individual DNS providers
+                          properties:
+                            name:
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      recordTTL:
+                        description: TTL for the record
+                        format: int64
+                        type: integer
+                      recordType:
+                        description:
+                          RecordType type of record, e.g. CNAME, A, AAAA,
+                          SRV, TXT etc
+                        type: string
+                      setIdentifier:
+                        description:
+                          Identifier to distinguish multiple records with
+                          the same name and type (e.g. Route53 records with routing
+                          policies other than 'simple')
+                        type: string
+                      targets:
+                        description: The targets the DNS record points to
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  type: array
+              type: object
+            status:
+              description: DNSEndpointStatus defines the observed state of DNSEndpoint
+              properties:
+                observedGeneration:
+                  description: The generation observed by the external-dns controller.
+                  format: int64
+                  type: integer
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

packages/system/external-dns/charts/external-dns/templates/NOTES.txt

@@ -0,0 +1,7 @@
+***********************************************************************
+* External DNS                                                        *
+***********************************************************************
+  Chart version: {{ .Chart.Version }}
+  App version:   {{ .Chart.AppVersion }}
+  Image tag:     {{ include "external-dns.image" . }}
+***********************************************************************

packages/system/external-dns/charts/external-dns/templates/_helpers.tpl

@@ -0,0 +1,95 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "external-dns.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "external-dns.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "external-dns.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "external-dns.labels" -}}
+helm.sh/chart: {{ include "external-dns.chart" . }}
+{{ include "external-dns.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "external-dns.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-dns.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-dns.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "external-dns.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+The image to use
+*/}}
+{{- define "external-dns.image" -}}
+{{- printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }}
+{{- end }}
+
+{{/*
+Provider name, Keeps backward compatibility on provider
+*/}}
+{{- define "external-dns.providerName" -}}
+{{- if eq (typeOf .Values.provider) "string" }}
+{{- .Values.provider }}
+{{- else }}
+{{- .Values.provider.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+The image to use for optional webhook sidecar
+*/}}
+{{- define "external-dns.webhookImage" -}}
+{{- with .image }}
+{{- if or (empty .repository) (empty .tag) }}
+{{- fail "ERROR: webhook provider needs an image repository and a tag" }}
+{{- end }}
+{{- printf "%s:%s" .repository .tag }}
+{{- end }}
+{{- end }}

packages/system/external-dns/charts/external-dns/templates/clusterrole.yaml

@@ -0,0 +1,127 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .Values.namespaced | ternary "Role" "ClusterRole" }}
+metadata:
+  name: {{ template "external-dns.fullname" . }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+rules:
+{{- if and (not .Values.namespaced) (or (has "node" .Values.sources) (has "pod" .Values.sources) (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources)) }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["list","watch"]
+{{- end }}
+{{- if or (has "pod" .Values.sources) (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if or (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "istio-gateway" .Values.sources) (has "istio-virtualservice" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
+  - apiGroups: [""]
+    resources: ["services","endpoints"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if or (has "ingress" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
+  - apiGroups: ["extensions","networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if or (has "istio-gateway" .Values.sources) (has "istio-virtualservice" .Values.sources) }}
+  - apiGroups: ["networking.istio.io"]
+    resources: ["gateways"]
+    verbs: ["get","watch","list"]
+{{- end }}
+
+{{- if has "istio-virtualservice" .Values.sources }}
+  - apiGroups: ["networking.istio.io"]
+    resources: ["virtualservices"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "ambassador-host" .Values.sources }}
+  - apiGroups: ["getambassador.io"]
+    resources: ["hosts","ingresses"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "contour-httpproxy" .Values.sources }}
+  - apiGroups: ["projectcontour.io"]
+    resources: ["httpproxies"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "crd" .Values.sources }}
+  - apiGroups: ["externaldns.k8s.io"]
+    resources: ["dnsendpoints"]
+    verbs: ["get","watch","list"]
+  - apiGroups: ["externaldns.k8s.io"]
+    resources: ["dnsendpoints/status"]
+    verbs: ["*"]
+{{- end }}
+{{- if or (has "gateway-httproute" .Values.sources) (has "gateway-grpcroute" .Values.sources) (has "gateway-tlsroute" .Values.sources) (has "gateway-tcproute" .Values.sources) (has "gateway-udproute" .Values.sources) }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get","watch","list"]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get","watch","list"]    
+{{- end }}
+{{- if has "gateway-httproute" .Values.sources }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["httproutes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "gateway-grpcroute" .Values.sources }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["grpcroutes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "gateway-tlsroute" .Values.sources }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["tlsroutes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "gateway-tcproute" .Values.sources }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["tcproutes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "gateway-udproute" .Values.sources }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["udproutes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "gloo-proxy" .Values.sources }}
+  - apiGroups: ["gloo.solo.io","gateway.solo.io"]
+    resources: ["proxies","virtualservices"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "kong-tcpingress" .Values.sources }}
+  - apiGroups: ["configuration.konghq.com"]
+    resources: ["tcpingresses"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "traefik-proxy" .Values.sources }}
+  - apiGroups: ["traefik.containo.us", "traefik.io"]
+    resources: ["ingressroutes", "ingressroutetcps", "ingressrouteudps"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "openshift-route" .Values.sources }}
+  - apiGroups: ["route.openshift.io"]
+    resources: ["routes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "skipper-routegroup" .Values.sources }}
+  - apiGroups: ["zalando.org"]
+    resources: ["routegroups"]
+    verbs: ["get","watch","list"]
+  - apiGroups: ["zalando.org"]
+    resources: ["routegroups/status"]
+    verbs: ["patch","update"]
+{{- end }}
+{{- if has "f5-virtualserver" .Values.sources }}
+  - apiGroups: ["cis.f5.com"]
+    resources: ["virtualservers"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- with .Values.rbac.additionalPermissions }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}

packages/system/external-dns/charts/external-dns/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .Values.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+metadata:
+  name: {{ printf "%s-viewer" (include "external-dns.fullname" .) }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ .Values.namespaced | ternary "Role" "ClusterRole" }}
+  name: {{ template "external-dns.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "external-dns.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/system/external-dns/charts/external-dns/templates/deployment.yaml

@@ -0,0 +1,209 @@
+{{- $providerName := tpl (include "external-dns.providerName" .) $ }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "external-dns.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+  {{- with .Values.deploymentAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "external-dns.selectorLabels" . | nindent 6 }}
+  strategy:
+    {{- toYaml .Values.deploymentStrategy | nindent 4 }}
+  {{- if not (has (quote .Values.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit | int64 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        {{- include "external-dns.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.secretConfiguration.enabled .Values.podAnnotations }}
+      annotations:
+        {{- if .Values.secretConfiguration.enabled }}
+        checksum/secret: {{ tpl (toYaml .Values.secretConfiguration.data) . | sha256sum }}
+        {{- end }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+    spec:
+    {{- if not (quote .Values.automountServiceAccountToken | empty) }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
+    {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "external-dns.serviceAccountName" . }}
+      {{- with .Values.shareProcessNamespace }}
+      shareProcessNamespace: {{ . }}
+      {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . | quote }}
+      {{- end }}
+      {{- with .Values.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ . }}
+      {{- end }}
+      {{- with .Values.dnsPolicy }}
+      dnsPolicy: {{ . }}
+      {{- end }}
+      {{- with .Values.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      {{- with .Values.extraContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+        - name: external-dns
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: {{ include "external-dns.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.env }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          args:
+            - --log-level={{ .Values.logLevel }}
+            - --log-format={{ .Values.logFormat }}
+            - --interval={{ .Values.interval }}
+            {{- if .Values.triggerLoopOnEvent }}
+            - --events
+            {{- end }}
+            {{- range .Values.sources }}
+            - --source={{ . }}
+            {{- end }}
+            - --policy={{ .Values.policy }}
+            - --registry={{ .Values.registry }}
+            {{- if .Values.txtOwnerId }}
+            - --txt-owner-id={{ .Values.txtOwnerId }}
+            {{- end }}
+            {{- if .Values.txtPrefix }}
+            - --txt-prefix={{ .Values.txtPrefix }}
+            {{- end }}
+            {{- if and (eq .Values.txtPrefix "") (ne .Values.txtSuffix "") }}
+            - --txt-suffix={{ .Values.txtSuffix }}
+            {{- end }}
+            {{- if .Values.namespaced }}
+            - --namespace={{ .Release.Namespace }}
+            {{- end }}
+            {{- range .Values.domainFilters }}
+            - --domain-filter={{ . }}
+            {{- end }}
+            {{- range .Values.excludeDomains }}
+            - --exclude-domains={{ . }}
+            {{- end }}
+            - --provider={{ $providerName }}
+          {{- range .Values.extraArgs }}
+            - {{ tpl . $ }}
+          {{- end }}
+          ports:
+            - name: http
+              protocol: TCP
+              containerPort: 7979
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          {{- if or .Values.secretConfiguration.enabled .Values.extraVolumeMounts }}
+          volumeMounts:
+            {{- if .Values.secretConfiguration.enabled }}
+            - name: secrets
+              mountPath: {{ tpl .Values.secretConfiguration.mountPath $ }}
+            {{- with .Values.secretConfiguration.subPath }}
+              subPath: {{ tpl . $ }}
+            {{- end }}
+            {{- end }}
+            {{- with .Values.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- end }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- if eq $providerName "webhook" }}
+        {{- with .Values.provider.webhook }}
+        - name: webhook
+          image: {{ include "external-dns.webhookImage" . }}
+          imagePullPolicy: {{ .image.pullPolicy }}
+          {{- with .env }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .args }}
+          args:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          ports:
+            - name: http-webhook
+              protocol: TCP
+              containerPort: 8080
+          livenessProbe:
+            {{- toYaml .livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .readinessProbe | nindent 12 }}
+          {{- if .extraVolumeMounts }}
+          volumeMounts:
+            {{- with .extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- end }}
+          {{- with .resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- end }}
+      {{- if or .Values.secretConfiguration.enabled .Values.extraVolumes }}
+      volumes:
+        {{- if .Values.secretConfiguration.enabled }}
+        - name: secrets
+          secret:
+            secretName: {{ include "external-dns.fullname" . }}
+        {{- end }}
+        {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

packages/system/external-dns/charts/external-dns/templates/secret.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.secretConfiguration.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "external-dns.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+data:
+{{- range $key, $value := .Values.secretConfiguration.data }}
+  {{ $key }}: {{ tpl $value $ | b64enc | quote }}
+{{- end }}
+{{- end }}

packages/system/external-dns/charts/external-dns/templates/service.yaml

@@ -0,0 +1,36 @@
+{{- $providerName := include "external-dns.providerName" . }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "external-dns.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+{{- with .Values.service.ipFamilies }}
+  ipFamilies:
+    {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ . }}
+{{- end }}
+  type: ClusterIP
+  selector:
+    {{- include "external-dns.selectorLabels" . | nindent 4 }}
+  ports:
+    - name: http
+      port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+    {{- if eq $providerName "webhook" }}
+    {{- with .Values.provider.webhook.service }}
+    - name: http-webhook
+      port: {{ .port }}
+      targetPort: http-webhook
+      protocol: TCP
+    {{- end }}
+    {{- end }}

packages/system/external-dns/charts/external-dns/templates/serviceaccount.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "external-dns.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}

packages/system/external-dns/charts/external-dns/templates/servicemonitor.yaml

@@ -0,0 +1,86 @@
+{{- if .Values.serviceMonitor.enabled -}}
+{{- $providerName := include "external-dns.providerName" . }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "external-dns.fullname" . }}
+  namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }}
+  {{- with .Values.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+  {{- with .Values.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  jobLabel: app.kubernetes.io/instance
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "external-dns.selectorLabels" . | nindent 6 }}
+  endpoints:
+    - port: http
+      path: /metrics
+      {{- with .Values.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.scheme }}
+      scheme: {{ . }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.bearerTokenFile }}
+      bearerTokenFile: {{ . }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.tlsConfig }}
+      tlsConfig:
+        {{- toYaml .| nindent 8 }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- if eq $providerName "webhook" }}
+    {{- with .Values.provider.webhook.serviceMonitor }}
+    - port: http-webhook
+      path: /metrics
+      {{- with .interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .scheme }}
+      scheme: {{ . }}
+      {{- end }}
+      {{- with .bearerTokenFile }}
+      bearerTokenFile: {{ . }}
+      {{- end }}
+      {{- with .tlsConfig }}
+      tlsConfig:
+        {{- toYaml .| nindent 8 }}
+      {{- end }}
+      {{- with .scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      {{- with .metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    {{- end }}
+  {{- with .Values.serviceMonitor.targetLabels }}
+  targetLabels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

packages/system/external-dns/charts/external-dns/values.schema.json

@@ -0,0 +1,91 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema",
+  "type": "object",
+  "properties": {
+    "provider": {
+      "anyOf": [
+        {
+          "type": "string"
+        },
+        {
+          "type": "object",
+          "properties": {
+            "name": {
+              "type": "string"
+            }
+          }
+        }
+      ]
+    },
+    "extraArgs": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
+    "secretConfiguration": {
+      "$comment": "This value is DEPRECATED as secrets should be configured external to the chart and exposed to the container via extraVolumes & extraVolumeMounts.",
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        },
+        "mountPath": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "subPath": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "data": {
+          "type": "object",
+          "patternProperties": {
+            ".+": {
+              "type": "string"
+            }
+          }
+        }
+      }
+    },
+    "service": {
+      "type": "object",
+      "properties": {
+        "annotations": {
+          "type": "object"
+        },
+        "ipFamilies": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": [
+              "IPv6",
+              "IPv4"
+            ]
+          }
+        },
+        "ipFamilyPolicy": {
+          "type": [
+            "string",
+            "null"
+          ],
+          "items": {
+            "type": "string",
+            "enum": [
+              "SingleStack",
+              "PreferDualStack",
+              "RequireDualStack"
+            ]
+          }
+        },
+        "port": {
+          "type": "integer"
+        }
+      }
+    }
+  }
+}

packages/system/external-dns/charts/external-dns/values.yaml

@@ -0,0 +1,297 @@
+# Default values for external-dns.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  # -- Image repository for the `external-dns` container.
+  repository: registry.k8s.io/external-dns/external-dns
+  # -- (string) Image tag for the `external-dns` container, this will default to `.Chart.AppVersion` if not set.
+  tag:
+  # -- Image pull policy for the `external-dns` container.
+  pullPolicy: IfNotPresent
+
+# -- Image pull secrets.
+imagePullSecrets: []
+
+# -- (string) Override the name of the chart.
+nameOverride:
+
+# -- (string) Override the full name of the chart.
+fullnameOverride:
+
+# -- Labels to add to all chart resources.
+commonLabels: {}
+
+serviceAccount:
+  # -- If `true`, create a new `ServiceAccount`.
+  create: true
+  # -- Labels to add to the service account.
+  labels: {}
+  # -- Annotations to add to the service account.
+  annotations: {}
+  # -- (string) If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use.
+  name:
+  # -- Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `ServiceAccount`.
+  automountServiceAccountToken:
+
+service:
+  # -- Service annotations.
+  annotations: {}
+  # -- Service HTTP port.
+  port: 7979
+  # -- Service IP families.
+  ipFamilies: []
+  # -- (string) Service IP family policy.
+  ipFamilyPolicy:
+
+rbac:
+  # -- If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API.
+  create: true
+  # -- Additional rules to add to the `ClusterRole`.
+  additionalPermissions: []
+
+# -- Annotations to add to the `Deployment`.
+deploymentAnnotations: {}
+
+# -- Extra containers to add to the `Deployment`.
+extraContainers: {}
+
+# -- [Deployment Strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
+deploymentStrategy:
+  type: Recreate
+
+# -- (int) Specify the number of old `ReplicaSets` to retain to allow rollback of the `Deployment``.
+revisionHistoryLimit:
+
+# -- Labels to add to the `Pod`.
+podLabels: {}
+
+# -- Annotations to add to the `Pod`.
+podAnnotations: {}
+
+# -- (bool) Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `Pod`.
+automountServiceAccountToken:
+
+# -- If `true`, the `Pod` will have [process namespace sharing](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) enabled.
+shareProcessNamespace: false
+
+# -- [Pod security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core), this supports full customisation.
+# @default -- See _values.yaml_
+podSecurityContext:
+  runAsNonRoot: true
+  fsGroup: 65534
+  seccompProfile:
+    type: RuntimeDefault
+
+# -- (string) Priority class name for the `Pod`.
+priorityClassName:
+
+# -- (int) Termination grace period for the `Pod` in seconds.
+terminationGracePeriodSeconds:
+
+# -- (string) [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for the pod, if not set the default will be used.
+dnsPolicy:
+
+# -- (object) [DNS config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) for the pod, if not set the default will be used.
+dnsConfig:
+
+# -- [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) to add to the `Pod` definition.
+initContainers: []
+
+# -- [Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `external-dns` container.
+# @default -- See _values.yaml_
+securityContext:
+  privileged: false
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 65532
+  runAsGroup: 65532
+  capabilities:
+    drop: ["ALL"]
+
+# -- [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `external-dns` container.
+env: []
+
+# -- [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
+# @default -- See _values.yaml_
+livenessProbe:
+  httpGet:
+    path: /healthz
+    port: http
+  initialDelaySeconds: 10
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 2
+  successThreshold: 1
+
+# -- [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
+# @default -- See _values.yaml_
+readinessProbe:
+  httpGet:
+    path: /healthz
+    port: http
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+# -- Extra [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the `Pod`.
+extraVolumes: []
+
+# -- Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `external-dns` container.
+extraVolumeMounts: []
+
+# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `external-dns` container.
+resources: {}
+
+# -- Node labels to match for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
+nodeSelector: {}
+
+# -- Affinity settings for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels.
+affinity: {}
+
+# -- Topology spread constraints for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided one will be created from the pod selector labels.
+topologySpreadConstraints: []
+
+# -- Node taints which will be tolerated for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
+tolerations: []
+
+serviceMonitor:
+  # -- If `true`, create a `ServiceMonitor` resource to support the _Prometheus Operator_.
+  enabled: false
+  # -- Additional labels for the `ServiceMonitor`.
+  additionalLabels: {}
+  # -- Annotations to add to the `ServiceMonitor`.
+  annotations: {}
+  # -- (string) If set create the `ServiceMonitor` in an alternate namespace.
+  namespace:
+  # -- (string) If set override the _Prometheus_ default interval.
+  interval:
+  # -- (string) If set override the _Prometheus_ default scrape timeout.
+  scrapeTimeout:
+  # -- (string) If set overrides the _Prometheus_ default scheme.
+  scheme:
+  # -- Configure the `ServiceMonitor` [TLS config](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig).
+  tlsConfig: {}
+  # -- (string) Provide a bearer token file for the `ServiceMonitor`.
+  bearerTokenFile:
+  # -- [Relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) to apply to samples before ingestion.
+  relabelings: []
+  # -- [Metric relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) to apply to samples before ingestion.
+  metricRelabelings: []
+  # -- Provide target labels for the `ServiceMonitor`.
+  targetLabels: []
+
+# -- Log level.
+logLevel: info
+
+# -- Log format.
+logFormat: text
+
+# -- Interval for DNS updates.
+interval: 1m
+
+# -- If `true`, triggers run loop on create/update/delete events in addition of regular interval.
+triggerLoopOnEvent: false
+
+# -- if `true`, _ExternalDNS_ will run in a namespaced scope (`Role`` and `Rolebinding`` will be namespaced too).
+namespaced: false
+
+# -- _Kubernetes_ resources to monitor for DNS entries.
+sources:
+  - service
+  - ingress
+
+# -- How DNS records are synchronized between sources and providers; available values are `sync` & `upsert-only`.
+policy: upsert-only
+
+# -- Specify the registry for storing ownership and labels.
+# Valid values are `txt`, `aws-sd`, `dynamodb` & `noop`.
+registry: txt
+# -- (string) Specify an identifier for this instance of _ExternalDNS_ wWhen using a registry other than `noop`.
+txtOwnerId:
+# -- (string) Specify a prefix for the domain names of TXT records created for the `txt` registry.
+# Mutually exclusive with `txtSuffix`.
+txtPrefix:
+# -- (string) Specify a suffix for the domain names of TXT records created for the `txt` registry.
+# Mutually exclusive with `txtPrefix`.
+txtSuffix:
+
+## - Limit possible target zones by domain suffixes.
+domainFilters: []
+
+## -- Intentionally exclude domains from being managed.
+excludeDomains: []
+
+provider:
+  # -- _ExternalDNS_ provider name; for the available providers and how to configure them see [README](https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/README.md#providers).
+  name: aws
+  webhook:
+    image:
+      # -- (string) Image repository for the `webhook` container.
+      repository:
+      # -- (string) Image tag for the `webhook` container.
+      tag:
+      # -- Image pull policy for the `webhook` container.
+      pullPolicy: IfNotPresent
+    # -- [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `webhook` container.
+    env: []
+    # -- Extra arguments to provide for the `webhook` container.
+    args: []
+    # -- Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `webhook` container.
+    extraVolumeMounts: []
+    # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container.
+    resources: {}
+    # -- [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container.
+    # @default -- See _values.yaml_
+    securityContext: {}
+    # -- [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
+    # @default -- See _values.yaml_
+    livenessProbe:
+      httpGet:
+        path: /healthz
+        port: http-webhook
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 2
+      successThreshold: 1
+    # -- [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container.
+    # @default -- See _values.yaml_
+    readinessProbe:
+      httpGet:
+        path: /healthz
+        port: http-webhook
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 6
+      successThreshold: 1
+    service:
+      # -- Webhook exposed HTTP port for the service.
+      port: 8080
+    # -- Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container.
+    # @default -- See _values.yaml_
+    serviceMonitor:
+      interval:
+      scheme:
+      tlsConfig: {}
+      bearerTokenFile:
+      scrapeTimeout:
+      metricRelabelings: []
+      relabelings: []
+
+# -- Extra arguments to provide to _ExternalDNS_.
+extraArgs: []
+
+secretConfiguration:
+  # -- If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**).
+  enabled: false
+  # -- Mount path for the `Secret`, this can be templated.
+  mountPath:
+  # -- Sub-path for mounting the `Secret`, this can be templated.
+  subPath:
+  # -- `Secret` data.
+  data: {}

packages/system/external-dns/values.yaml

@@ -0,0 +1,23 @@
+external-dns:
+    # -- How DNS records are synchronized between sources and providers; available values are `sync` & `upsert-only`.
+  policy: upsert-only
+  # -- Specify the registry for storing ownership and labels.
+  # Valid values are `txt`, `aws-sd`, `dynamodb` & `noop`.
+  registry: txt
+  # -- (string) Specify an identifier for this instance of _ExternalDNS_ wWhen using a registry other than `noop`.
+  txtOwnerId:
+  # -- (string) Specify a prefix for the domain names of TXT records created for the `txt` registry.
+  # Mutually exclusive with `txtSuffix`.
+  txtPrefix:
+  # -- (string) Specify a suffix for the domain names of TXT records created for the `txt` registry.
+  # Mutually exclusive with `txtPrefix`.
+  txtSuffix:
+
+    ## - Limit possible target zones by domain suffixes.
+  domainFilters: []
+  ## -- Intentionally exclude domains from being managed.
+  excludeDomains: []
+
+  # -- Specify the DNS provider (e.g., "aws", "google", "azure", etc.)
+  provider:
+    name: ""

packages/system/external-secrets-operator/.helmignore

@@ -0,0 +1,3 @@
+images
+hack
+.gitkeep

packages/system/external-secrets-operator/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-external-secrets-operator
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/external-secrets-operator/Makefile

@@ -0,0 +1,11 @@
+export NAME=external-secrets-operator
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	helm repo add external-secrets https://charts.external-secrets.io
+	helm repo update external-secrets
+	helm pull external-secrets/external-secrets --untar --untardir charts
+	rm -rf charts/external-secrets/charts

packages/system/external-secrets-operator/charts/external-secrets/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: bitwarden-sdk-server
+  repository: oci://ghcr.io/external-secrets/charts
+  version: v0.3.1
+digest: sha256:2d01e9083fc32c18dca4f9614625e0172e338a663138c2670e5b911645b6b8ee
+generated: "2024-09-20T12:57:07.63511+02:00"

packages/system/external-secrets-operator/charts/external-secrets/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: v0.10.4
+dependencies:
+- condition: bitwarden-sdk-server.enabled
+  name: bitwarden-sdk-server
+  repository: oci://ghcr.io/external-secrets/charts
+  version: v0.3.1
+description: External secret management for Kubernetes
+home: https://github.com/external-secrets/external-secrets
+icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
+keywords:
+- kubernetes-external-secrets
+- secrets
+kubeVersion: '>= 1.19.0-0'
+maintainers:
+- email: kellinmcavoy@gmail.com
+  name: mcavoyk
+name: external-secrets
+type: application
+version: 0.10.4

packages/system/external-secrets-operator/charts/external-secrets/README.md

@@ -0,0 +1,225 @@
+# External Secrets
+
+<p><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x"  alt="external-secrets"></p>
+
+[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
+
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.10.4](https://img.shields.io/badge/Version-0.10.4-informational?style=flat-square)
+
+External secret management for Kubernetes
+
+## TL;DR
+```bash
+helm repo add external-secrets https://charts.external-secrets.io
+helm install external-secrets external-secrets/external-secrets
+```
+
+## Installing the Chart
+To install the chart with the release name `external-secrets`:
+```bash
+helm install external-secrets external-secrets/external-secrets
+```
+
+### Custom Resources
+By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
+
+## Uninstalling the Chart
+To uninstall the `external-secrets` deployment:
+```bash
+helm uninstall external-secrets
+```
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| bitwarden-sdk-server.enabled | bool | `false` |  |
+| certController.affinity | object | `{}` |  |
+| certController.create | bool | `true` | Specifies whether a certificate controller deployment be created. |
+| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| certController.extraArgs | object | `{}` |  |
+| certController.extraEnv | list | `[]` |  |
+| certController.extraVolumeMounts | list | `[]` |  |
+| certController.extraVolumes | list | `[]` |  |
+| certController.fullnameOverride | string | `""` |  |
+| certController.hostNetwork | bool | `false` | Run the certController on the host network |
+| certController.image.flavour | string | `""` |  |
+| certController.image.pullPolicy | string | `"IfNotPresent"` |  |
+| certController.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` |  |
+| certController.image.tag | string | `""` |  |
+| certController.imagePullSecrets | list | `[]` |  |
+| certController.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
+| certController.metrics.listen.port | int | `8080` |  |
+| certController.metrics.service.annotations | object | `{}` | Additional service annotations |
+| certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
+| certController.metrics.service.port | int | `8080` | Metrics service port to scrape |
+| certController.nameOverride | string | `""` |  |
+| certController.nodeSelector | object | `{}` |  |
+| certController.podAnnotations | object | `{}` | Annotations to add to Pod |
+| certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
+| certController.podLabels | object | `{}` |  |
+| certController.podSecurityContext.enabled | bool | `true` |  |
+| certController.priorityClassName | string | `""` | Pod priority class name. |
+| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| certController.readinessProbe.address | string | `""` | Address for readiness probe |
+| certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
+| certController.replicaCount | int | `1` |  |
+| certController.requeueInterval | string | `"5m"` |  |
+| certController.resources | object | `{}` |  |
+| certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
+| certController.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| certController.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| certController.securityContext.enabled | bool | `true` |  |
+| certController.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| certController.securityContext.runAsNonRoot | bool | `true` |  |
+| certController.securityContext.runAsUser | int | `1000` |  |
+| certController.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
+| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
+| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| certController.tolerations | list | `[]` |  |
+| certController.topologySpreadConstraints | list | `[]` |  |
+| commonLabels | object | `{}` | Additional labels added to all helm chart resources. |
+| concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
+| controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
+| crds.annotations | object | `{}` |  |
+| crds.conversion.enabled | bool | `true` |  |
+| crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
+| crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
+| crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |
+| createOperator | bool | `true` | Specifies whether an external secret operator deployment be created. |
+| deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| dnsConfig | object | `{}` | Specifies `dnsOptions` to deployment |
+| dnsPolicy | string | `"ClusterFirst"` | Specifies `dnsPolicy` to deployment |
+| extendedMetricLabels | bool | `false` | If true external secrets will use recommended kubernetes annotations as prometheus metric labels. |
+| extraArgs | object | `{}` |  |
+| extraContainers | list | `[]` |  |
+| extraEnv | list | `[]` |  |
+| extraObjects | list | `[]` |  |
+| extraVolumeMounts | list | `[]` |  |
+| extraVolumes | list | `[]` |  |
+| fullnameOverride | string | `""` |  |
+| global.affinity | object | `{}` |  |
+| global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied. |
+| global.nodeSelector | object | `{}` |  |
+| global.tolerations | list | `[]` |  |
+| global.topologySpreadConstraints | list | `[]` |  |
+| hostNetwork | bool | `false` | Run the controller on the host network |
+| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default, the distroless image is used. |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` |  |
+| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
+| imagePullSecrets | list | `[]` |  |
+| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
+| leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
+| log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
+| metrics.listen.port | int | `8080` |  |
+| metrics.service.annotations | object | `{}` | Additional service annotations |
+| metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
+| metrics.service.port | int | `8080` | Metrics service port to scrape |
+| nameOverride | string | `""` |  |
+| namespaceOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` | Annotations to add to Pod |
+| podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
+| podLabels | object | `{}` |  |
+| podSecurityContext.enabled | bool | `true` |  |
+| podSpecExtra | object | `{}` | Any extra pod spec on the deployment |
+| priorityClassName | string | `""` | Pod priority class name. |
+| processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
+| processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
+| processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
+| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. |
+| replicaCount | int | `1` |  |
+| resources | object | `{}` |  |
+| revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
+| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
+| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
+| securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.enabled | bool | `true` |  |
+| securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| securityContext.runAsNonRoot | bool | `true` |  |
+| securityContext.runAsUser | int | `1000` |  |
+| securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| service.ipFamilies | list | `[]` | Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
+| service.ipFamilyPolicy | string | `""` | Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
+| serviceMonitor.honorLabels | bool | `false` | Let prometheus add an exported_ prefix to conflicting labels |
+| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| serviceMonitor.metricRelabelings | list | `[]` | Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) |
+| serviceMonitor.namespace | string | `""` | namespace where you want to install ServiceMonitors |
+| serviceMonitor.relabelings | list | `[]` | Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) |
+| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
+| tolerations | list | `[]` |  |
+| topologySpreadConstraints | list | `[]` |  |
+| webhook.affinity | object | `{}` |  |
+| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
+| webhook.certDir | string | `"/tmp/certs"` |  |
+| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
+| webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
+| webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
+| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
+| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
+| webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
+| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
+| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
+| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| webhook.extraArgs | object | `{}` |  |
+| webhook.extraEnv | list | `[]` |  |
+| webhook.extraVolumeMounts | list | `[]` |  |
+| webhook.extraVolumes | list | `[]` |  |
+| webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
+| webhook.fullnameOverride | string | `""` |  |
+| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
+| webhook.image.flavour | string | `""` | The flavour of tag you want to use |
+| webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
+| webhook.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` |  |
+| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
+| webhook.imagePullSecrets | list | `[]` |  |
+| webhook.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
+| webhook.lookaheadInterval | string | `""` | Specifices the lookaheadInterval for certificate validity |
+| webhook.metrics.listen.port | int | `8080` |  |
+| webhook.metrics.service.annotations | object | `{}` | Additional service annotations |
+| webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
+| webhook.metrics.service.port | int | `8080` | Metrics service port to scrape |
+| webhook.nameOverride | string | `""` |  |
+| webhook.nodeSelector | object | `{}` |  |
+| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
+| webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
+| webhook.podLabels | object | `{}` |  |
+| webhook.podSecurityContext.enabled | bool | `true` |  |
+| webhook.port | int | `10250` | The port the webhook will listen to |
+| webhook.priorityClassName | string | `""` | Pod priority class name. |
+| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| webhook.readinessProbe.address | string | `""` | Address for readiness probe |
+| webhook.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
+| webhook.replicaCount | int | `1` |  |
+| webhook.resources | object | `{}` |  |
+| webhook.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
+| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
+| webhook.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| webhook.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| webhook.securityContext.enabled | bool | `true` |  |
+| webhook.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| webhook.securityContext.runAsNonRoot | bool | `true` |  |
+| webhook.securityContext.runAsUser | int | `1000` |  |
+| webhook.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
+| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| webhook.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
+| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| webhook.tolerations | list | `[]` |  |
+| webhook.topologySpreadConstraints | list | `[]` |  |

packages/system/external-secrets-operator/charts/external-secrets/templates/NOTES.txt

@@ -0,0 +1,7 @@
+external-secrets has been deployed successfully in namespace {{ template "external-secrets.namespace" . }}!
+
+In order to begin using ExternalSecrets, you will need to set up a SecretStore
+or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
+
+More information on the different types of SecretStores and how to configure them
+can be found in our Github: {{ .Chart.Home }}

packages/system/external-secrets-operator/charts/external-secrets/templates/_helpers.tpl

@@ -0,0 +1,198 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "external-secrets.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "external-secrets.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define namespace of chart, useful for multi-namespace deployments
+*/}}
+{{- define "external-secrets.namespace" -}}
+{{- if .Values.namespaceOverride }}
+{{- .Values.namespaceOverride }}
+{{- else }}
+{{- .Release.Namespace }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "external-secrets.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "external-secrets.labels" -}}
+helm.sh/chart: {{ include "external-secrets.chart" . }}
+{{ include "external-secrets.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{- define "external-secrets-webhook.labels" -}}
+helm.sh/chart: {{ include "external-secrets.chart" . }}
+{{ include "external-secrets-webhook.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{- define "external-secrets-webhook-metrics.labels" -}}
+{{ include "external-secrets-webhook.selectorLabels" . }}
+app.kubernetes.io/metrics: "webhook"
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{- define "external-secrets-cert-controller.labels" -}}
+helm.sh/chart: {{ include "external-secrets.chart" . }}
+{{ include "external-secrets-cert-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{- define "external-secrets-cert-controller-metrics.labels" -}}
+{{ include "external-secrets-cert-controller.selectorLabels" . }}
+app.kubernetes.io/metrics: "cert-controller"
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "external-secrets.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-secrets.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{- define "external-secrets-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-secrets.name" . }}-webhook
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{- define "external-secrets-cert-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-secrets.name" . }}-cert-controller
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-secrets.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "external-secrets.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-secrets-webhook.serviceAccountName" -}}
+{{- if .Values.webhook.serviceAccount.create }}
+{{- default "external-secrets-webhook" .Values.webhook.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.webhook.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-secrets-cert-controller.serviceAccountName" -}}
+{{- if .Values.certController.serviceAccount.create }}
+{{- default "external-secrets-cert-controller" .Values.certController.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.certController.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Determine the image to use, including if using a flavour.
+*/}}
+{{- define "external-secrets.image" -}}
+{{- if .image.flavour -}}
+{{ printf "%s:%s-%s" .image.repository (.image.tag | default .chartAppVersion) .image.flavour }}
+{{- else }}
+{{ printf "%s:%s" .image.repository (.image.tag | default .chartAppVersion) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Renders a complete tree, even values that contains template.
+*/}}
+{{- define "external-secrets.render" -}}
+  {{- if typeIs "string" .value }}
+    {{- tpl .value .context }}
+  {{ else }}
+    {{- tpl (.value | toYaml) .context }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Return true if the OpenShift is the detected platform
+Usage:
+{{- include "external-secrets.isOpenShift" . -}}
+*/}}
+{{- define "external-secrets.isOpenShift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render the securityContext based on the provided securityContext
+  {{- include "external-secrets.renderSecurityContext" (dict "securityContext" .Values.securityContext "context" $) -}}
+*/}}
+{{- define "external-secrets.renderSecurityContext" -}}
+{{- $adaptedContext := .securityContext -}}
+{{- if .context.Values.global.compatibility -}}
+  {{- if .context.Values.global.compatibility.openshift -}}
+    {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "external-secrets.isOpenShift" .context)) -}}
+      {{/* Remove OpenShift managed fields */}}
+      {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+      {{- if not .securityContext.seLinuxOptions -}}
+        {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}

packages/system/external-secrets-operator/charts/external-secrets/templates/cert-controller-deployment.yaml

@@ -0,0 +1,124 @@
+{{- if and .Values.certController.create (not .Values.webhook.certManager.enabled) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-cert-controller
+  namespace: {{ template "external-secrets.namespace" . }}
+  labels:
+    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+  {{- with .Values.certController.deploymentAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.certController.replicaCount }}
+  revisionHistoryLimit: {{ .Values.certController.revisionHistoryLimit }}
+  selector:
+    matchLabels:
+      {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.certController.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "external-secrets-cert-controller.labels" . | nindent 8 }}
+        {{- with .Values.certController.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.certController.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
+      {{- with .Values.certController.podSecurityContext }}
+       {{- if and (.enabled) (gt (keys . | len) 1) }}
+      securityContext:
+        {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
+      {{- end }}
+      {{- end }}
+      hostNetwork: {{ .Values.certController.hostNetwork }}
+      containers:
+        - name: cert-controller
+          {{- with .Values.certController.securityContext }}
+          {{- if and (.enabled) (gt (keys . | len) 1) }}
+          securityContext:
+            {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+          {{- end }}
+          {{- end }}
+          image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.certController.image) | trim }}
+          imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
+          args:
+          - certcontroller
+          - --crd-requeue-interval={{ .Values.certController.requeueInterval }}
+          - --service-name={{ include "external-secrets.fullname" . }}-webhook
+          - --service-namespace={{ template "external-secrets.namespace" . }}
+          - --secret-name={{ include "external-secrets.fullname" . }}-webhook
+          - --secret-namespace={{ template "external-secrets.namespace" . }}
+          - --metrics-addr=:{{ .Values.certController.metrics.listen.port }}
+          - --healthz-addr={{ .Values.certController.readinessProbe.address }}:{{ .Values.certController.readinessProbe.port }}
+          - --loglevel={{ .Values.certController.log.level }}
+          - --zap-time-encoding={{ .Values.certController.log.timeEncoding }}
+          {{- if not .Values.crds.createClusterSecretStore }}
+          - --crd-names=externalsecrets.external-secrets.io
+          - --crd-names=secretstores.external-secrets.io
+          {{- end }}
+          {{- if .Values.installCRDs }}
+          - --enable-partial-cache=true
+          {{- end }}
+          {{- range $key, $value := .Values.certController.extraArgs }}
+            {{- if $value }}
+          - --{{ $key }}={{ $value }}
+            {{- else }}
+          - --{{ $key }}
+            {{- end }}
+          {{- end }}
+          ports:
+            - containerPort: {{ .Values.certController.metrics.listen.port }}
+              protocol: TCP
+              name: metrics
+          readinessProbe:
+            httpGet:
+              port: {{ .Values.certController.readinessProbe.port }}
+              path: /readyz
+            initialDelaySeconds: 20
+            periodSeconds: 5
+          {{- with .Values.certController.extraEnv }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.certController.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.certController.extraVolumeMounts }}
+          volumeMounts:
+          {{- toYaml .Values.certController.extraVolumeMounts | nindent 12 }}
+          {{- end }}
+      {{- if .Values.certController.extraVolumes }}
+      volumes:
+      {{- toYaml .Values.certController.extraVolumes | nindent 8 }}
+      {{- end }}
+      {{- with .Values.certController.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.certController.affinity | default .Values.global.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.certController.tolerations | default .Values.global.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.certController.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.certController.priorityClassName }}
+      priorityClassName: {{ .Values.certController.priorityClassName }}
+      {{- end }}
+{{- end }}

packages/system/external-secrets-operator/charts/external-secrets/templates/cert-controller-poddisruptionbudget.yaml

@@ -0,0 +1,19 @@
+{{- if and .Values.certController.create .Values.certController.podDisruptionBudget.enabled (not .Values.webhook.certManager.enabled) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-cert-controller-pdb
+  namespace: {{ template "external-secrets.namespace" . }}
+  labels:
+    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+spec:
+  {{- if .Values.certController.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.certController.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.certController.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.certController.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
+{{- end }}

packages/system/external-secrets-operator/charts/external-secrets/templates/cert-controller-rbac.yaml

@@ -0,0 +1,86 @@
+{{- if and .Values.certController.create .Values.certController.rbac.create (not .Values.webhook.certManager.enabled) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-cert-controller
+  labels:
+    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+    - "apiextensions.k8s.io"
+    resources:
+    - "customresourcedefinitions"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "update"
+    - "patch"
+  - apiGroups:
+    - "admissionregistration.k8s.io"
+    resources:
+    - "validatingwebhookconfigurations"
+    verbs:
+    - "list"
+    - "watch"
+    - "get"
+  - apiGroups:
+    - "admissionregistration.k8s.io"
+    resources:
+    - "validatingwebhookconfigurations"
+    resourceNames:
+    - "secretstore-validate"
+    - "externalsecret-validate"
+    verbs:
+    - "update"
+    - "patch"
+  - apiGroups:
+    - ""
+    resources:
+    - "endpoints"
+    verbs:
+    - "list"
+    - "get"
+    - "watch"
+  - apiGroups:
+    - ""
+    resources:
+    - "events"
+    verbs:
+    - "create"
+    - "patch"
+  - apiGroups:
+    - ""
+    resources:
+    - "secrets"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "update"
+    - "patch"
+  - apiGroups:
+    - "coordination.k8s.io"
+    resources:
+    - "leases"
+    verbs:
+    - "get"
+    - "create"
+    - "update"
+    - "patch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-cert-controller
+  labels:
+    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "external-secrets.fullname" . }}-cert-controller
+subjects:
+  - name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
+    namespace: {{ template "external-secrets.namespace" . }}
+    kind: ServiceAccount
+{{- end }}

packages/system/external-secrets-operator/charts/external-secrets/templates/cert-controller-service.yaml

@@ -0,0 +1,28 @@
+{{- if and .Values.certController.create .Values.certController.metrics.service.enabled (not .Values.webhook.certManager.enabled) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
+  namespace: {{ template "external-secrets.namespace" . }}
+  labels:
+    {{- include "external-secrets.labels" . | nindent 4 }}
+  {{- with .Values.metrics.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: ClusterIP
+  {{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.service.ipFamilies }}
+  ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+  {{- end }}
+  ports:
+  - port: {{ .Values.certController.metrics.service.port }}
+    protocol: TCP
+    targetPort: metrics
+    name: metrics
+  selector:
+    {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
+{{- end }}

packages/system/external-secrets-operator/charts/external-secrets/templates/cert-controller-serviceaccount.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.certController.create .Values.certController.serviceAccount.create (not .Values.webhook.certManager.enabled) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
+  namespace: {{ template "external-secrets.namespace" . }}
+  labels:
+    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+    {{- with .Values.certController.serviceAccount.extraLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.certController.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

packages/system/external-secrets-operator/charts/external-secrets/templates/crds/acraccesstoken.yaml

@@ -0,0 +1,204 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    {{- with .Values.crds.annotations }}
+    {{- toYaml . | nindent 4}}
+    {{- end }}
+    {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+    {{- end }}
+    controller-gen.kubebuilder.io/version: v0.16.3
+  labels:
+    external-secrets.io/component: controller
+  name: acraccesstokens.generators.external-secrets.io
+spec:
+  group: generators.external-secrets.io
+  names:
+    categories:
+      - external-secrets
+      - external-secrets-generators
+    kind: ACRAccessToken
+    listKind: ACRAccessTokenList
+    plural: acraccesstokens
+    shortNames:
+      - acraccesstoken
+    singular: acraccesstoken
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: |-
+            ACRAccessToken returns a Azure Container Registry token
+            that can be used for pushing/pulling images.
+            Note: by default it will return an ACR Refresh Token with full access
+            (depending on the identity).
+            This can be scoped down to the repository level using .spec.scope.
+            In case scope is defined it will return an ACR Access Token.
+
+            See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: |-
+                ACRAccessTokenSpec defines how to generate the access token
+                e.g. how to authenticate and which registry to use.
+                see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+              properties:
+                auth:
+                  properties:
+                    managedIdentity:
+                      description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
+                      properties:
+                        identityId:
+                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+                          type: string
+                      type: object
+                    servicePrincipal:
+                      description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
+                      properties:
+                        secretRef:
+                          description: |-
+                            Configuration used to authenticate with Azure using static
+                            credentials stored in a Kind=Secret.
+                          properties:
+                            clientId:
+                              description: The Azure clientId of the service principle used for authentication.
+                              properties:
+                                key:
+                                  description: |-
+                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+                                    defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: |-
+                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+                                    to the namespace of the referent.
+                                  type: string
+                              type: object
+                            clientSecret:
+                              description: The Azure ClientSecret of the service principle used for authentication.
+                              properties:
+                                key:
+                                  description: |-
+                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+                                    defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: |-
+                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+                                    to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                      required:
+                        - secretRef
+                      type: object
+                    workloadIdentity:
+                      description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
+                      properties:
+                        serviceAccountRef:
+                          description: |-
+                            ServiceAccountRef specified the service account
+                            that should be used when authenticating with WorkloadIdentity.
+                          properties:
+                            audiences:
+                              description: |-
+                                Audience specifies the `aud` claim for the service account token
+                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+                                then this audiences will be appended to the list
+                              items:
+                                type: string
+                              type: array
+                            name:
+                              description: The name of the ServiceAccount resource being referred to.
+                              type: string
+                            namespace:
+                              description: |-
+                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+                                to the namespace of the referent.
+                              type: string
+                          required:
+                            - name
+                          type: object
+                      type: object
+                  type: object
+                environmentType:
+                  default: PublicCloud
+                  description: |-
+                    EnvironmentType specifies the Azure cloud environment endpoints to use for
+                    connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
+                    The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+                    PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+                  enum:
+                    - PublicCloud
+                    - USGovernmentCloud
+                    - ChinaCloud
+                    - GermanCloud
+                  type: string
+                registry:
+                  description: |-
+                    the domain name of the ACR registry
+                    e.g. foobarexample.azurecr.io
+                  type: string
+                scope:
+                  description: |-
+                    Define the scope for the access token, e.g. pull/push access for a repository.
+                    if not provided it will return a refresh token that has full scope.
+                    Note: you need to pin it down to the repository level, there is no wildcard available.
+
+                    examples:
+                    repository:my-repository:pull,push
+                    repository:my-repository:pull
+
+                    see docs for details: https://docs.docker.com/registry/spec/auth/scope/
+                  type: string
+                tenantId:
+                  description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+                  type: string
+              required:
+                - auth
+                - registry
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+{{- if .Values.crds.conversion.enabled }}
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions:
+        - v1
+      clientConfig:
+        service:
+          name: {{ include "external-secrets.fullname" . }}-webhook
+          namespace: {{ .Release.Namespace | quote }}
+          path: /convert
+{{- end }}
+{{- end }}

packages/system/external-secrets-operator/charts/external-secrets/templates/crds/clusterexternalsecret.yaml

@@ -0,0 +1,666 @@
+{{- if and (.Values.installCRDs) (.Values.crds.createClusterExternalSecret) }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    {{- with .Values.crds.annotations }}
+    {{- toYaml . | nindent 4}}
+    {{- end }}
+    {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+    {{- end }}
+    controller-gen.kubebuilder.io/version: v0.16.3
+  labels:
+    external-secrets.io/component: controller
+  name: clusterexternalsecrets.external-secrets.io
+spec:
+  group: external-secrets.io
+  names:
+    categories:
+      - external-secrets
+    kind: ClusterExternalSecret
+    listKind: ClusterExternalSecretList
+    plural: clusterexternalsecrets
+    shortNames:
+      - ces
+    singular: clusterexternalsecret
+  scope: Cluster
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
+          name: Store
+          type: string
+        - jsonPath: .spec.refreshTime
+          name: Refresh Interval
+          type: string
+        - jsonPath: .status.conditions[?(@.type=="Ready")].status
+          name: Ready
+          type: string
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
+              properties:
+                externalSecretMetadata:
+                  description: The metadata of the external secrets to be created
+                  properties:
+                    annotations:
+                      additionalProperties:
+                        type: string
+                      type: object
+                    labels:
+                      additionalProperties:
+                        type: string
+                      type: object
+                  type: object
+                externalSecretName:
+                  description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
+                  type: string
+                externalSecretSpec:
+                  description: The spec for the ExternalSecrets to be created
+                  properties:
+                    data:
+                      description: Data defines the connection between the Kubernetes Secret keys and the Provider data
+                      items:
+                        description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
+                        properties:
+                          remoteRef:
+                            description: |-
+                              RemoteRef points to the remote secret and defines
+                              which secret (version/property/..) to fetch.
+                            properties:
+                              conversionStrategy:
+                                default: Default
+                                description: Used to define a conversion Strategy
+                                enum:
+                                  - Default
+                                  - Unicode
+                                type: string
+                              decodingStrategy:
+                                default: None
+                                description: Used to define a decoding Strategy
+                                enum:
+                                  - Auto
+                                  - Base64
+                                  - Base64URL
+                                  - None
+                                type: string
+                              key:
+                                description: Key is the key used in the Provider, mandatory
+                                type: string
+                              metadataPolicy:
+                                default: None
+                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+                                enum:
+                                  - None
+                                  - Fetch
+                                type: string
+                              property:
+                                description: Used to select a specific property of the Provider value (if a map), if supported
+                                type: string
+                              version:
+                                description: Used to select a specific version of the Provider value, if supported
+                                type: string
+                            required:
+                              - key
+                            type: object
+                          secretKey:
+                            description: |-
+                              SecretKey defines the key in which the controller stores
+                              the value. This is the key in the Kind=Secret
+                            type: string
+                          sourceRef:
+                            description: |-
+                              SourceRef allows you to override the source
+                              from which the value will pulled from.
+                            maxProperties: 1
+                            properties:
+                              generatorRef:
+                                description: |-
+                                  GeneratorRef points to a generator custom resource.
+
+                                  Deprecated: The generatorRef is not implemented in .data[].
+                                  this will be removed with v1.
+                                properties:
+                                  apiVersion:
+                                    default: generators.external-secrets.io/v1alpha1
+                                    description: Specify the apiVersion of the generator resource
+                                    type: string
+                                  kind:
+                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
+                                    type: string
+                                  name:
+                                    description: Specify the name of the generator resource
+                                    type: string
+                                required:
+                                  - kind
+                                  - name
+                                type: object
+                              storeRef:
+                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+                                properties:
+                                  kind:
+                                    description: |-
+                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                                      Defaults to `SecretStore`
+                                    type: string
+                                  name:
+                                    description: Name of the SecretStore resource
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                            type: object
+                        required:
+                          - remoteRef
+                          - secretKey
+                        type: object
+                      type: array
+                    dataFrom:
+                      description: |-
+                        DataFrom is used to fetch all properties from a specific Provider data
+                        If multiple entries are specified, the Secret keys are merged in the specified order
+                      items:
+                        properties:
+                          extract:
+                            description: |-
+                              Used to extract multiple key/value pairs from one secret
+                              Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
+                            properties:
+                              conversionStrategy:
+                                default: Default
+                                description: Used to define a conversion Strategy
+                                enum:
+                                  - Default
+                                  - Unicode
+                                type: string
+                              decodingStrategy:
+                                default: None
+                                description: Used to define a decoding Strategy
+                                enum:
+                                  - Auto
+                                  - Base64
+                                  - Base64URL
+                                  - None
+                                type: string
+                              key:
+                                description: Key is the key used in the Provider, mandatory
+                                type: string
+                              metadataPolicy:
+                                default: None
+                                description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+                                enum:
+                                  - None
+                                  - Fetch
+                                type: string
+                              property:
+                                description: Used to select a specific property of the Provider value (if a map), if supported
+                                type: string
+                              version:
+                                description: Used to select a specific version of the Provider value, if supported
+                                type: string
+                            required:
+                              - key
+                            type: object
+                          find:
+                            description: |-
+                              Used to find secrets based on tags or regular expressions
+                              Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
+                            properties:
+                              conversionStrategy:
+                                default: Default
+                                description: Used to define a conversion Strategy
+                                enum:
+                                  - Default
+                                  - Unicode
+                                type: string
+                              decodingStrategy:
+                                default: None
+                                description: Used to define a decoding Strategy
+                                enum:
+                                  - Auto
+                                  - Base64
+                                  - Base64URL
+                                  - None
+                                type: string
+                              name:
+                                description: Finds secrets based on the name.
+                                properties:
+                                  regexp:
+                                    description: Finds secrets base
+                                    type: string
+                                type: object
+                              path:
+                                description: A root path to start the find operations.
+                                type: string
+                              tags:
+                                additionalProperties:
+                                  type: string
+                                description: Find secrets based on tags.
+                                type: object
+                            type: object
+                          rewrite:
+                            description: |-
+                              Used to rewrite secret Keys after getting them from the secret Provider
+                              Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
+                            items:
+                              properties:
+                                regexp:
+                                  description: |-
+                                    Used to rewrite with regular expressions.
+                                    The resulting key will be the output of a regexp.ReplaceAll operation.
+                                  properties:
+                                    source:
+                                      description: Used to define the regular expression of a re.Compiler.
+                                      type: string
+                                    target:
+                                      description: Used to define the target pattern of a ReplaceAll operation.
+                                      type: string
+                                  required:
+                                    - source
+                                    - target
+                                  type: object
+                                transform:
+                                  description: |-
+                                    Used to apply string transformation on the secrets.
+                                    The resulting key will be the output of the template applied by the operation.
+                                  properties:
+                                    template:
+                                      description: |-
+                                        Used to define the template to apply on the secret name.
+                                        `.value ` will specify the secret name in the template.
+                                      type: string
+                                  required:
+                                    - template
+                                  type: object
+                              type: object
+                            type: array
+                          sourceRef:
+                            description: |-
+                              SourceRef points to a store or generator
+                              which contains secret values ready to use.
+                              Use this in combination with Extract or Find pull values out of
+                              a specific SecretStore.
+                              When sourceRef points to a generator Extract or Find is not supported.
+                              The generator returns a static map of values
+                            maxProperties: 1
+                            properties:
+                              generatorRef:
+                                description: GeneratorRef points to a generator custom resource.
+                                properties:
+                                  apiVersion:
+                                    default: generators.external-secrets.io/v1alpha1
+                                    description: Specify the apiVersion of the generator resource
+                                    type: string
+                                  kind:
+                                    description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
+                                    type: string
+                                  name:
+                                    description: Specify the name of the generator resource
+                                    type: string
+                                required:
+                                  - kind
+                                  - name
+                                type: object
+                              storeRef:
+                                description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+                                properties:
+                                  kind:
+                                    description: |-
+                                      Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                                      Defaults to `SecretStore`
+                                    type: string
+                                  name:
+                                    description: Name of the SecretStore resource
+                                    type: string
+                                required:
+                                  - name
+                                type: object
+                            type: object
+                        type: object
+                      type: array
+                    refreshInterval:
+                      default: 1h
+                      description: |-
+                        RefreshInterval is the amount of time before the values are read again from the SecretStore provider
+                        Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+                        May be set to zero to fetch and create it once. Defaults to 1h.
+                      type: string
+                    secretStoreRef:
+                      description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+                      properties:
+                        kind:
+                          description: |-
+                            Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                            Defaults to `SecretStore`
+                          type: string
+                        name:
+                          description: Name of the SecretStore resource
+                          type: string
+                      required:
+                        - name
+                      type: object
+                    target:
+                      default:
+                        creationPolicy: Owner
+                        deletionPolicy: Retain
+                      description: |-
+                        ExternalSecretTarget defines the Kubernetes Secret to be created
+                        There can be only one target per ExternalSecret.
+                      properties:
+                        creationPolicy:
+                          default: Owner
+                          description: |-
+                            CreationPolicy defines rules on how to create the resulting Secret
+                            Defaults to 'Owner'
+                          enum:
+                            - Owner
+                            - Orphan
+                            - Merge
+                            - None
+                          type: string
+                        deletionPolicy:
+                          default: Retain
+                          description: |-
+                            DeletionPolicy defines rules on how to delete the resulting Secret
+                            Defaults to 'Retain'
+                          enum:
+                            - Delete
+                            - Merge
+                            - Retain
+                          type: string
+                        immutable:
+                          description: Immutable defines if the final secret will be immutable
+                          type: boolean
+                        name:
+                          description: |-
+                            Name defines the name of the Secret resource to be managed
+                            This field is immutable
+                            Defaults to the .metadata.name of the ExternalSecret resource
+                          type: string
+                        template:
+                          description: Template defines a blueprint for the created Secret resource.
+                          properties:
+                            data:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            engineVersion:
+                              default: v2
+                              description: |-
+                                EngineVersion specifies the template engine version
+                                that should be used to compile/execute the
+                                template specified in .data and .templateFrom[].
+                              enum:
+                                - v1
+                                - v2
+                              type: string
+                            mergePolicy:
+                              default: Replace
+                              enum:
+                                - Replace
+                                - Merge
+                              type: string
+                            metadata:
+                              description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+                              properties:
+                                annotations:
+                                  additionalProperties:
+                                    type: string
+                                  type: object
+                                labels:
+                                  additionalProperties:
+                                    type: string
+                                  type: object
+                              type: object
+                            templateFrom:
+                              items:
+                                properties:
+                                  configMap:
+                                    properties:
+                                      items:
+                                        items:
+                                          properties:
+                                            key:
+                                              type: string
+                                            templateAs:
+                                              default: Values
+                                              enum:
+                                                - Values
+                                                - KeysAndValues
+                                              type: string
+                                          required:
+                                            - key
+                                          type: object
+                                        type: array
+                                      name:
+                                        type: string
+                                    required:
+                                      - items
+                                      - name
+                                    type: object
+                                  literal:
+                                    type: string
+                                  secret:
+                                    properties:
+                                      items:
+                                        items:
+                                          properties:
+                                            key:
+                                              type: string
+                                            templateAs:
+                                              default: Values
+                                              enum:
+                                                - Values
+                                                - KeysAndValues
+                                              type: string
+                                          required:
+                                            - key
+                                          type: object
+                                        type: array
+                                      name:
+                                        type: string
+                                    required:
+                                      - items
+                                      - name
+                                    type: object
+                                  target:
+                                    default: Data
+                                    enum:
+                                      - Data
+                                      - Annotations
+                                      - Labels
+                                    type: string
+                                type: object
+                              type: array
+                            type:
+                              type: string
+                          type: object
+                      type: object
+                  type: object
+                namespaceSelector:
+                  description: |-
+                    The labels to select by to find the Namespaces to create the ExternalSecrets in.
+                    Deprecated: Use NamespaceSelectors instead.
+                  properties:
+                    matchExpressions:
+                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                      items:
+                        description: |-
+                          A label selector requirement is a selector that contains values, a key, and an operator that
+                          relates the key and values.
+                        properties:
+                          key:
+                            description: key is the label key that the selector applies to.
+                            type: string
+                          operator:
+                            description: |-
+                              operator represents a key's relationship to a set of values.
+                              Valid operators are In, NotIn, Exists and DoesNotExist.
+                            type: string
+                          values:
+                            description: |-
+                              values is an array of string values. If the operator is In or NotIn,
+                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                              the values array must be empty. This array is replaced during a strategic
+                              merge patch.
+                            items:
+                              type: string
+                            type: array
+                            x-kubernetes-list-type: atomic
+                        required:
+                          - key
+                          - operator
+                        type: object
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: |-
+                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                        map is equivalent to an element of matchExpressions, whose key field is "key", the
+                        operator is "In", and the values array contains only "value". The requirements are ANDed.
+                      type: object
+                  type: object
+                  x-kubernetes-map-type: atomic
+                namespaceSelectors:
+                  description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
+                  items:
+                    description: |-
+                      A label selector is a label query over a set of resources. The result of matchLabels and
+                      matchExpressions are ANDed. An empty label selector matches all objects. A null
+                      label selector matches no objects.
+                    properties:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                        items:
+                          description: |-
+                            A label selector requirement is a selector that contains values, a key, and an operator that
+                            relates the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector applies to.
+                              type: string
+                            operator:
+                              description: |-
+                                operator represents a key's relationship to a set of values.
+                                Valid operators are In, NotIn, Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: |-
+                                values is an array of string values. If the operator is In or NotIn,
+                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty. This array is replaced during a strategic
+                                merge patch.
+                              items:
+                                type: string
+                              type: array
+                              x-kubernetes-list-type: atomic
+                          required:
+                            - key
+                            - operator
+                          type: object
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                          map is equivalent to an element of matchExpressions, whose key field is "key", the
+                          operator is "In", and the values array contains only "value". The requirements are ANDed.
+                        type: object
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  type: array
+                namespaces:
+                  description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
+                  items:
+                    type: string
+                  type: array
+                refreshTime:
+                  description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
+                  type: string
+              required:
+                - externalSecretSpec
+              type: object
+            status:
+              description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
+              properties:
+                conditions:
+                  items:
+                    properties:
+                      message:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+                externalSecretName:
+                  description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
+                  type: string
+                failedNamespaces:
+                  description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
+                  items:
+                    description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
+                    properties:
+                      namespace:
+                        description: Namespace is the namespace that failed when trying to apply an ExternalSecret
+                        type: string
+                      reason:
+                        description: Reason is why the ExternalSecret failed to apply to the namespace
+                        type: string
+                    required:
+                      - namespace
+                    type: object
+                  type: array
+                provisionedNamespaces:
+                  description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
+                  items:
+                    type: string
+                  type: array
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+{{- if .Values.crds.conversion.enabled }}
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions:
+        - v1
+      clientConfig:
+        service:
+          name: {{ include "external-secrets.fullname" . }}-webhook
+          namespace: {{ .Release.Namespace | quote }}
+          path: /convert
+{{- end }}
+{{- end }}

packages/system/external-secrets-operator/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml

@@ -0,0 +1,178 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    {{- with .Values.crds.annotations }}
+    {{- toYaml . | nindent 4}}
+    {{- end }}
+    {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+    {{- end }}
+    controller-gen.kubebuilder.io/version: v0.16.3
+  labels:
+    external-secrets.io/component: controller
+  name: ecrauthorizationtokens.generators.external-secrets.io
+spec:
+  group: generators.external-secrets.io
+  names:
+    categories:
+      - external-secrets
+      - external-secrets-generators
+    kind: ECRAuthorizationToken
+    listKind: ECRAuthorizationTokenList
+    plural: ecrauthorizationtokens
+    shortNames:
+      - ecrauthorizationtoken
+    singular: ecrauthorizationtoken
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: |-
+            ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
+            authorization token.
+            The authorization token is valid for 12 hours.
+            The authorizationToken returned is a base64 encoded string that can be decoded
+            and used in a docker login command to authenticate to a registry.
+            For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              properties:
+                auth:
+                  description: Auth defines how to authenticate with AWS
+                  properties:
+                    jwt:
+                      description: Authenticate against AWS using service account tokens.
+                      properties:
+                        serviceAccountRef:
+                          description: A reference to a ServiceAccount resource.
+                          properties:
+                            audiences:
+                              description: |-
+                                Audience specifies the `aud` claim for the service account token
+                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+                                then this audiences will be appended to the list
+                              items:
+                                type: string
+                              type: array
+                            name:
+                              description: The name of the ServiceAccount resource being referred to.
+                              type: string
+                            namespace:
+                              description: |-
+                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+                                to the namespace of the referent.
+                              type: string
+                          required:
+                            - name
+                          type: object
+                      type: object
+                    secretRef:
+                      description: |-
+                        AWSAuthSecretRef holds secret references for AWS credentials
+                        both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+                      properties:
+                        accessKeyIDSecretRef:
+                          description: The AccessKeyID is used for authentication
+                          properties:
+                            key:
+                              description: |-
+                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+                                defaulted, in others it may be required.
+                              type: string
+                            name:
+                              description: The name of the Secret resource being referred to.
+                              type: string
+                            namespace:
+                              description: |-
+                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+                                to the namespace of the referent.
+                              type: string
+                          type: object
+                        secretAccessKeySecretRef:
+                          description: The SecretAccessKey is used for authentication
+                          properties:
+                            key:
+                              description: |-
+                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+                                defaulted, in others it may be required.
+                              type: string
+                            name:
+                              description: The name of the Secret resource being referred to.
+                              type: string
+                            namespace:
+                              description: |-
+                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+                                to the namespace of the referent.
+                              type: string
+                          type: object
+                        sessionTokenSecretRef:
+                          description: |-
+                            The SessionToken used for authentication
+                            This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
+                            see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+                          properties:
+                            key:
+                              description: |-
+                                The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+                                defaulted, in others it may be required.
+                              type: string
+                            name:
+                              description: The name of the Secret resource being referred to.
+                              type: string
+                            namespace:
+                              description: |-
+                                Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+                                to the namespace of the referent.
+                              type: string
+                          type: object
+                      type: object
+                  type: object
+                region:
+                  description: Region specifies the region to operate in.
+                  type: string
+                role:
+                  description: |-
+                    You can assume a role before making calls to the
+                    desired AWS service.
+                  type: string
+              required:
+                - region
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+{{- if .Values.crds.conversion.enabled }}
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions:
+        - v1
+      clientConfig:
+        service:
+          name: {{ include "external-secrets.fullname" . }}-webhook
+          namespace: {{ .Release.Namespace | quote }}
+          path: /convert
+{{- end }}
+{{- end }}

packages/system/external-secrets-operator/charts/external-secrets/templates/crds/externalsecret.yaml

@@ -0,0 +1,820 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    {{- with .Values.crds.annotations }}
+    {{- toYaml . | nindent 4}}
+    {{- end }}
+    {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+    {{- end }}
+    controller-gen.kubebuilder.io/version: v0.16.3
+  labels:
+    external-secrets.io/component: controller
+  name: externalsecrets.external-secrets.io
+spec:
+  group: external-secrets.io
+  names:
+    categories:
+      - external-secrets
+    kind: ExternalSecret
+    listKind: ExternalSecretList
+    plural: externalsecrets
+    shortNames:
+      - es
+    singular: externalsecret
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .spec.secretStoreRef.name
+          name: Store
+          type: string
+        - jsonPath: .spec.refreshInterval
+          name: Refresh Interval
+          type: string
+        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+          name: Status
+          type: string
+      deprecated: true
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: ExternalSecret is the Schema for the external-secrets API.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ExternalSecretSpec defines the desired state of ExternalSecret.
+              properties:
+                data:
+                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
+                  items:
+                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
+                    properties:
+                      remoteRef:
+                        description: ExternalSecretDataRemoteRef defines Provider data location.
+                        properties:
+                          conversionStrategy:
+                            default: Default
+                            description: Used to define a conversion Strategy
+                            enum:
+                              - Default
+                              - Unicode
+                            type: string
+                          key:
+                            description: Key is the key used in the Provider, mandatory
+                            type: string
+                          property:
+                            description: Used to select a specific property of the Provider value (if a map), if supported
+                            type: string
+                          version:
+                            description: Used to select a specific version of the Provider value, if supported
+                            type: string
+                        required:
+                          - key
+                        type: object
+                      secretKey:
+                        type: string
+                    required:
+                      - remoteRef
+                      - secretKey
+                    type: object
+                  type: array
+                dataFrom:
+                  description: |-
+                    DataFrom is used to fetch all properties from a specific Provider data
+                    If multiple entries are specified, the Secret keys are merged in the specified order
+                  items:
+                    description: ExternalSecretDataRemoteRef defines Provider data location.
+                    properties:
+                      conversionStrategy:
+                        default: Default
+                        description: Used to define a conversion Strategy
+                        enum:
+                          - Default
+                          - Unicode
+                        type: string
+                      key:
+                        description: Key is the key used in the Provider, mandatory
+                        type: string
+                      property:
+                        description: Used to select a specific property of the Provider value (if a map), if supported
+                        type: string
+                      version:
+                        description: Used to select a specific version of the Provider value, if supported
+                        type: string
+                    required:
+                      - key
+                    type: object
+                  type: array
+                refreshInterval:
+                  default: 1h
+                  description: |-
+                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
+                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+                    May be set to zero to fetch and create it once. Defaults to 1h.
+                  type: string
+                secretStoreRef:
+                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+                  properties:
+                    kind:
+                      description: |-
+                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                        Defaults to `SecretStore`
+                      type: string
+                    name:
+                      description: Name of the SecretStore resource
+                      type: string
+                  required:
+                    - name
+                  type: object
+                target:
+                  description: |-
+                    ExternalSecretTarget defines the Kubernetes Secret to be created
+                    There can be only one target per ExternalSecret.
+                  properties:
+                    creationPolicy:
+                      default: Owner
+                      description: |-
+                        CreationPolicy defines rules on how to create the resulting Secret
+                        Defaults to 'Owner'
+                      enum:
+                        - Owner
+                        - Merge
+                        - None
+                      type: string
+                    immutable:
+                      description: Immutable defines if the final secret will be immutable
+                      type: boolean
+                    name:
+                      description: |-
+                        Name defines the name of the Secret resource to be managed
+                        This field is immutable
+                        Defaults to the .metadata.name of the ExternalSecret resource
+                      type: string
+                    template:
+                      description: Template defines a blueprint for the created Secret resource.
+                      properties:
+                        data:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        engineVersion:
+                          default: v1
+                          description: |-
+                            EngineVersion specifies the template engine version
+                            that should be used to compile/execute the
+                            template specified in .data and .templateFrom[].
+                          enum:
+                            - v1
+                            - v2
+                          type: string
+                        metadata:
+                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+                          properties:
+                            annotations:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            labels:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        templateFrom:
+                          items:
+                            maxProperties: 1
+                            minProperties: 1
+                            properties:
+                              configMap:
+                                properties:
+                                  items:
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                      required:
+                                        - key
+                                      type: object
+                                    type: array
+                                  name:
+                                    type: string
+                                required:
+                                  - items
+                                  - name
+                                type: object
+                              secret:
+                                properties:
+                                  items:
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                      required:
+                                        - key
+                                      type: object
+                                    type: array
+                                  name:
+                                    type: string
+                                required:
+                                  - items
+                                  - name
+                                type: object
+                            type: object
+                          type: array
+                        type:
+                          type: string
+                      type: object
+                  type: object
+              required:
+                - secretStoreRef
+                - target
+              type: object
+            status:
+              properties:
+                binding:
+                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                conditions:
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      message:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+                refreshTime:
+                  description: |-
+                    refreshTime is the time and date the external secret was fetched and
+                    the target secret updated
+                  format: date-time
+                  nullable: true
+                  type: string
+                syncedResourceVersion:
+                  description: SyncedResourceVersion keeps track of the last synced version
+                  type: string
+              type: object
+          type: object
+      served: true
+      storage: false
+      subresources:
+        status: {}
+    - additionalPrinterColumns:
+        - jsonPath: .spec.secretStoreRef.name
+          name: Store
+          type: string
+        - jsonPath: .spec.refreshInterval
+          name: Refresh Interval
+          type: string
+        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+          name: Status
+          type: string
+        - jsonPath: .status.conditions[?(@.type=="Ready")].status
+          name: Ready
+          type: string
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description: ExternalSecret is the Schema for the external-secrets API.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ExternalSecretSpec defines the desired state of ExternalSecret.
+              properties:
+                data:
+                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
+                  items:
+                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
+                    properties:
+                      remoteRef:
+                        description: |-
+                          RemoteRef points to the remote secret and defines
+                          which secret (version/property/..) to fetch.
+                        properties:
+                          conversionStrategy:
+                            default: Default
+                            description: Used to define a conversion Strategy
+                            enum:
+                              - Default
+                              - Unicode
+                            type: string
+                          decodingStrategy:
+                            default: None
+                            description: Used to define a decoding Strategy
+                            enum:
+                              - Auto
+                              - Base64
+                              - Base64URL
+                              - None
+                            type: string
+                          key:
+                            description: Key is the key used in the Provider, mandatory
+                            type: string
+                          metadataPolicy:
+                            default: None
+                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+                            enum:
+                              - None
+                              - Fetch
+                            type: string
+                          property:
+                            description: Used to select a specific property of the Provider value (if a map), if supported
+                            type: string
+                          version:
+                            description: Used to select a specific version of the Provider value, if supported
+                            type: string
+                        required:
+                          - key
+                        type: object
+                      secretKey:
+                        description: |-
+                          SecretKey defines the key in which the controller stores
+                          the value. This is the key in the Kind=Secret
+                        type: string
+                      sourceRef:
+                        description: |-
+                          SourceRef allows you to override the source
+                          from which the value will pulled from.
+                        maxProperties: 1
+                        properties:
+                          generatorRef:
+                            description: |-
+                              GeneratorRef points to a generator custom resource.
+
+                              Deprecated: The generatorRef is not implemented in .data[].
+                              this will be removed with v1.
+                            properties:
+                              apiVersion:
+                                default: generators.external-secrets.io/v1alpha1
+                                description: Specify the apiVersion of the generator resource
+                                type: string
+                              kind:
+                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
+                                type: string
+                              name:
+                                description: Specify the name of the generator resource
+                                type: string
+                            required:
+                              - kind
+                              - name
+                            type: object
+                          storeRef:
+                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+                            properties:
+                              kind:
+                                description: |-
+                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                                  Defaults to `SecretStore`
+                                type: string
+                              name:
+                                description: Name of the SecretStore resource
+                                type: string
+                            required:
+                              - name
+                            type: object
+                        type: object
+                    required:
+                      - remoteRef
+                      - secretKey
+                    type: object
+                  type: array
+                dataFrom:
+                  description: |-
+                    DataFrom is used to fetch all properties from a specific Provider data
+                    If multiple entries are specified, the Secret keys are merged in the specified order
+                  items:
+                    properties:
+                      extract:
+                        description: |-
+                          Used to extract multiple key/value pairs from one secret
+                          Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
+                        properties:
+                          conversionStrategy:
+                            default: Default
+                            description: Used to define a conversion Strategy
+                            enum:
+                              - Default
+                              - Unicode
+                            type: string
+                          decodingStrategy:
+                            default: None
+                            description: Used to define a decoding Strategy
+                            enum:
+                              - Auto
+                              - Base64
+                              - Base64URL
+                              - None
+                            type: string
+                          key:
+                            description: Key is the key used in the Provider, mandatory
+                            type: string
+                          metadataPolicy:
+                            default: None
+                            description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+                            enum:
+                              - None
+                              - Fetch
+                            type: string
+                          property:
+                            description: Used to select a specific property of the Provider value (if a map), if supported
+                            type: string
+                          version:
+                            description: Used to select a specific version of the Provider value, if supported
+                            type: string
+                        required:
+                          - key
+                        type: object
+                      find:
+                        description: |-
+                          Used to find secrets based on tags or regular expressions
+                          Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
+                        properties:
+                          conversionStrategy:
+                            default: Default
+                            description: Used to define a conversion Strategy
+                            enum:
+                              - Default
+                              - Unicode
+                            type: string
+                          decodingStrategy:
+                            default: None
+                            description: Used to define a decoding Strategy
+                            enum:
+                              - Auto
+                              - Base64
+                              - Base64URL
+                              - None
+                            type: string
+                          name:
+                            description: Finds secrets based on the name.
+                            properties:
+                              regexp:
+                                description: Finds secrets base
+                                type: string
+                            type: object
+                          path:
+                            description: A root path to start the find operations.
+                            type: string
+                          tags:
+                            additionalProperties:
+                              type: string
+                            description: Find secrets based on tags.
+                            type: object
+                        type: object
+                      rewrite:
+                        description: |-
+                          Used to rewrite secret Keys after getting them from the secret Provider
+                          Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
+                        items:
+                          properties:
+                            regexp:
+                              description: |-
+                                Used to rewrite with regular expressions.
+                                The resulting key will be the output of a regexp.ReplaceAll operation.
+                              properties:
+                                source:
+                                  description: Used to define the regular expression of a re.Compiler.
+                                  type: string
+                                target:
+                                  description: Used to define the target pattern of a ReplaceAll operation.
+                                  type: string
+                              required:
+                                - source
+                                - target
+                              type: object
+                            transform:
+                              description: |-
+                                Used to apply string transformation on the secrets.
+                                The resulting key will be the output of the template applied by the operation.
+                              properties:
+                                template:
+                                  description: |-
+                                    Used to define the template to apply on the secret name.
+                                    `.value ` will specify the secret name in the template.
+                                  type: string
+                              required:
+                                - template
+                              type: object
+                          type: object
+                        type: array
+                      sourceRef:
+                        description: |-
+                          SourceRef points to a store or generator
+                          which contains secret values ready to use.
+                          Use this in combination with Extract or Find pull values out of
+                          a specific SecretStore.
+                          When sourceRef points to a generator Extract or Find is not supported.
+                          The generator returns a static map of values
+                        maxProperties: 1
+                        properties:
+                          generatorRef:
+                            description: GeneratorRef points to a generator custom resource.
+                            properties:
+                              apiVersion:
+                                default: generators.external-secrets.io/v1alpha1
+                                description: Specify the apiVersion of the generator resource
+                                type: string
+                              kind:
+                                description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
+                                type: string
+                              name:
+                                description: Specify the name of the generator resource
+                                type: string
+                            required:
+                              - kind
+                              - name
+                            type: object
+                          storeRef:
+                            description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+                            properties:
+                              kind:
+                                description: |-
+                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                                  Defaults to `SecretStore`
+                                type: string
+                              name:
+                                description: Name of the SecretStore resource
+                                type: string
+                            required:
+                              - name
+                            type: object
+                        type: object
+                    type: object
+                  type: array
+                refreshInterval:
+                  default: 1h
+                  description: |-
+                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider
+                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+                    May be set to zero to fetch and create it once. Defaults to 1h.
+                  type: string
+                secretStoreRef:
+                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+                  properties:
+                    kind:
+                      description: |-
+                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                        Defaults to `SecretStore`
+                      type: string
+                    name:
+                      description: Name of the SecretStore resource
+                      type: string
+                  required:
+                    - name
+                  type: object
+                target:
+                  default:
+                    creationPolicy: Owner
+                    deletionPolicy: Retain
+                  description: |-
+                    ExternalSecretTarget defines the Kubernetes Secret to be created
+                    There can be only one target per ExternalSecret.
+                  properties:
+                    creationPolicy:
+                      default: Owner
+                      description: |-
+                        CreationPolicy defines rules on how to create the resulting Secret
+                        Defaults to 'Owner'
+                      enum:
+                        - Owner
+                        - Orphan
+                        - Merge
+                        - None
+                      type: string
+                    deletionPolicy:
+                      default: Retain
+                      description: |-
+                        DeletionPolicy defines rules on how to delete the resulting Secret
+                        Defaults to 'Retain'
+                      enum:
+                        - Delete
+                        - Merge
+                        - Retain
+                      type: string
+                    immutable:
+                      description: Immutable defines if the final secret will be immutable
+                      type: boolean
+                    name:
+                      description: |-
+                        Name defines the name of the Secret resource to be managed
+                        This field is immutable
+                        Defaults to the .metadata.name of the ExternalSecret resource
+                      type: string
+                    template:
+                      description: Template defines a blueprint for the created Secret resource.
+                      properties:
+                        data:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        engineVersion:
+                          default: v2
+                          description: |-
+                            EngineVersion specifies the template engine version
+                            that should be used to compile/execute the
+                            template specified in .data and .templateFrom[].
+                          enum:
+                            - v1
+                            - v2
+                          type: string
+                        mergePolicy:
+                          default: Replace
+                          enum:
+                            - Replace
+                            - Merge
+                          type: string
+                        metadata:
+                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+                          properties:
+                            annotations:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            labels:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        templateFrom:
+                          items:
+                            properties:
+                              configMap:
+                                properties:
+                                  items:
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                        templateAs:
+                                          default: Values
+                                          enum:
+                                            - Values
+                                            - KeysAndValues
+                                          type: string
+                                      required:
+                                        - key
+                                      type: object
+                                    type: array
+                                  name:
+                                    type: string
+                                required:
+                                  - items
+                                  - name
+                                type: object
+                              literal:
+                                type: string
+                              secret:
+                                properties:
+                                  items:
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                        templateAs:
+                                          default: Values
+                                          enum:
+                                            - Values
+                                            - KeysAndValues
+                                          type: string
+                                      required:
+                                        - key
+                                      type: object
+                                    type: array
+                                  name:
+                                    type: string
+                                required:
+                                  - items
+                                  - name
+                                type: object
+                              target:
+                                default: Data
+                                enum:
+                                  - Data
+                                  - Annotations
+                                  - Labels
+                                type: string
+                            type: object
+                          type: array
+                        type:
+                          type: string
+                      type: object
+                  type: object
+              type: object
+            status:
+              properties:
+                binding:
+                  description: Binding represents a servicebinding.io Provisioned Service reference to the secret
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                conditions:
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      message:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+                refreshTime:
+                  description: |-
+                    refreshTime is the time and date the external secret was fetched and
+                    the target secret updated
+                  format: date-time
+                  nullable: true
+                  type: string
+                syncedResourceVersion:
+                  description: SyncedResourceVersion keeps track of the last synced version
+                  type: string
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+{{- if .Values.crds.conversion.enabled }}
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions:
+        - v1
+      clientConfig:
+        service:
+          name: {{ include "external-secrets.fullname" . }}-webhook
+          namespace: {{ .Release.Namespace | quote }}
+          path: /convert
+{{- end }}
+{{- end }}

packages/system/external-secrets-operator/charts/external-secrets/templates/crds/fake.yaml

@@ -0,0 +1,87 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    {{- with .Values.crds.annotations }}
+    {{- toYaml . | nindent 4}}
+    {{- end }}
+    {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+    {{- end }}
+    controller-gen.kubebuilder.io/version: v0.16.3
+  labels:
+    external-secrets.io/component: controller
+  name: fakes.generators.external-secrets.io
+spec:
+  group: generators.external-secrets.io
+  names:
+    categories:
+      - external-secrets
+      - external-secrets-generators
+    kind: Fake
+    listKind: FakeList
+    plural: fakes
+    shortNames:
+      - fake
+    singular: fake
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: |-
+            Fake generator is used for testing. It lets you define
+            a static set of credentials that is always returned.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: FakeSpec contains the static data.
+              properties:
+                controller:
+                  description: |-
+                    Used to select the correct ESO controller (think: ingress.ingressClassName)
+                    The ESO controller is instantiated with a specific controller name and filters VDS based on this property
+                  type: string
+                data:
+                  additionalProperties:
+                    type: string
+                  description: |-
+                    Data defines the static data returned
+                    by this generator.
+                  type: object
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+{{- if .Values.crds.conversion.enabled }}
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions:
+        - v1
+      clientConfig:
+        service:
+          name: {{ include "external-secrets.fullname" . }}-webhook
+          namespace: {{ .Release.Namespace | quote }}
+          path: /convert
+{{- end }}
+{{- end }}