Update CNPG to 1.22.2

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-01-31 02:18:59 +00:00 · 2024-03-15 21:07:22 +01:00
29 changed files with 1191 additions and 32286 deletions
--- a/README.md
+++ b/README.md
@@ -44,8 +44,6 @@ If you encounter any difficulties, start with the [troubleshooting guide](https:
 Versioning adheres to the [Semantic Versioning](http://semver.org/) principles.  
 A full list of the available releases is available in the GitHub repository's [Release](https://github.com/aenix-io/cozystack/releases) section.

- [Roadmap](https://github.com/orgs/aenix-io/projects/2)
-
 ## Contributions

 Contributions are highly appreciated and very welcomed!
--- a/packages/apps/http-cache/Makefile
+++ b/packages/apps/http-cache/Makefile
@@ -2,7 +2,7 @@ PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
 NGINX_CACHE_TAG = v0.1.0
-TAG := v0.2.0
+TAG := v0.1.0

 image: image-nginx

--- a/packages/apps/kubernetes/Makefile
+++ b/packages/apps/kubernetes/Makefile
@@ -1,7 +1,7 @@
 PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
-TAG := v0.2.0
+TAG := v0.1.0
 UBUNTU_CONTAINER_DISK_TAG = v1.29.1

 image: image-ubuntu-container-disk
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -3,7 +3,7 @@ NAME=installer
 PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
-TAG := v0.2.0
+TAG := v0.1.0
 TALOS_VERSION=$(shell awk '/^version:/ {print $$2}' images/talos/profiles/installer.yaml)

 show:
--- a/packages/system/dashboard/Makefile
+++ b/packages/system/dashboard/Makefile
@@ -3,7 +3,7 @@ NAMESPACE=cozy-dashboard
 PUSH := 1
 LOAD := 0
 REPOSITORY := ghcr.io/aenix-io/cozystack
-TAG := v0.2.0
+TAG := v0.1.0

 show:
 	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
--- a/packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
@@ -1,19 +1,17 @@
 apiVersion: v2
-appVersion: v0.0.27
+appVersion: v0.0.22
 description: Run and operate MariaDB in a cloud native way
 home: https://github.com/mariadb-operator/mariadb-operator
-icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
+icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb.png
 keywords:
 - mariadb
- mysql
 - operator
 - mariadb-operator
 - database
- maxscale
 kubeVersion: '>= 1.16.0-0'
 maintainers:
 - email: mariadb-operator@proton.me
  name: mmontes11
 name: mariadb-operator
 type: application
-version: 0.27.0
+version: 0.22.0
--- a/packages/system/mariadb-operator/charts/mariadb-operator/README.md
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/README.md
@@ -3,10 +3,10 @@
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)

 <p align="center">
-<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
+<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
 </p>

-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![AppVersion: v0.0.27](https://img.shields.io/badge/AppVersion-v0.0.27-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.22.0](https://img.shields.io/badge/Version-0.22.0-informational?style=flat-square) ![AppVersion: v0.0.22](https://img.shields.io/badge/AppVersion-v0.0.22-informational?style=flat-square)

 Run and operate MariaDB in a cloud native way

@@ -26,50 +26,20 @@ helm uninstall mariadb-operator
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity to add to controller Pod |
-| certController.affinity | object | `{}` | Affinity to add to controller Pod |
-| certController.caValidity | string | `"35064h"` | CA certificate validity. It must be greater than certValidity. |
-| certController.certValidity | string | `"8766h"` | Certificate validity. |
-| certController.enabled | bool | `true` | Specifies whether the cert-controller should be created. |
-| certController.extrArgs | list | `[]` | Extra arguments to be passed to the cert-controller entrypoint |
-| certController.extraVolumeMounts | list | `[]` | Extra volumes to mount to cert-controller container |
-| certController.extraVolumes | list | `[]` | Extra volumes to pass to cert-controller Pod |
-| certController.ha.enabled | bool | `false` | Enable high availability |
-| certController.ha.replicas | int | `3` | Number of replicas |
-| certController.image.pullPolicy | string | `"IfNotPresent"` |  |
-| certController.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
-| certController.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
-| certController.imagePullSecrets | list | `[]` |  |
-| certController.lookaheadValidity | string | `"2160h"` | Duration used to verify whether a certificate is valid or not. |
-| certController.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
-| certController.podAnnotations | object | `{}` | Annotations to add to cert-controller Pod |
-| certController.podSecurityContext | object | `{}` | Security context to add to cert-controller Pod |
-| certController.requeueDuration | string | `"5m"` | Requeue duration to ensure that certificate gets renewed. |
-| certController.resources | object | `{}` | Resources to add to cert-controller container |
-| certController.securityContext | object | `{}` | Security context to add to cert-controller container |
-| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
-| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the Pod |
-| certController.serviceAccount.enabled | bool | `true` | Specifies whether a service account should be created |
-| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account |
-| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and enabled is true, a name is generated using the fullname template |
-| certController.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the cert-controller ServiceMonitor |
-| certController.serviceMonitor.enabled | bool | `true` | Enable cert-controller ServiceMonitor. Metrics must be enabled |
-| certController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
-| certController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
-| certController.tolerations | list | `[]` | Tolerations to add to controller Pod |
 | clusterName | string | `"cluster.local"` | Cluster DNS name |
 | extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |
-| extraEnv | list | `[]` | Extra environment variables to be passed to the controller |
 | extraVolumeMounts | list | `[]` | Extra volumes to mount to the container. |
 | extraVolumes | list | `[]` | Extra volumes to pass to pod. |
 | fullnameOverride | string | `""` |  |
 | ha.enabled | bool | `false` | Enable high availability |
+| ha.leaseId | string | `"mariadb.mmontes.io"` | Lease resource name to be used for leader election |
 | ha.replicas | int | `3` | Number of replicas |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
 | image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
 | imagePullSecrets | list | `[]` |  |
 | logLevel | string | `"INFO"` | Controller log level |
-| metrics.enabled | bool | `false` | Enable operator internal metrics. Prometheus must be installed in the cluster |
+| metrics.enabled | bool | `false` | Enable prometheus metrics. Prometheus must be installed in the cluster |
 | metrics.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the controller ServiceMonitor |
 | metrics.serviceMonitor.enabled | bool | `true` | Enable controller ServiceMonitor |
 | metrics.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
@@ -89,19 +59,16 @@ helm uninstall mariadb-operator
 | tolerations | list | `[]` | Tolerations to add to controller Pod |
 | webhook.affinity | object | `{}` | Affinity to add to controller Pod |
 | webhook.annotations | object | `{}` | Annotations for webhook configurations. |
-| webhook.cert.caPath | string | `"/tmp/k8s-webhook-server/certificate-authority"` | Path where the CA certificate will be mounted. |
-| webhook.cert.certManager.duration | string | `""` | Duration to be used in the Certificate resource, |
-| webhook.cert.certManager.enabled | bool | `false` | Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead. |
-| webhook.cert.certManager.issuerRef | object | `{}` | Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used. |
-| webhook.cert.certManager.renewBefore | string | `""` | Renew before duration to be used in the Certificate resource. |
-| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
-| webhook.cert.secretAnnotations | object | `{}` | Annotatioms to be added to webhook TLS secret. |
-| webhook.cert.secretLabels | object | `{}` | Labels to be added to webhook TLS secret. |
+| webhook.certificate.certManager | bool | `false` | Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used. |
+| webhook.certificate.default | object | `{"annotations":{},"caExpirationDays":365,"certExpirationDays":365,"hook":""}` | Default certificate generated when the chart is installed or upgraded. |
+| webhook.certificate.default.annotations | object | `{}` | Annotations for certificate Secret. |
+| webhook.certificate.default.caExpirationDays | int | `365` | Certificate authority expiration in days. |
+| webhook.certificate.default.certExpirationDays | int | `365` | Certificate expiration in days. |
+| webhook.certificate.default.hook | string | `""` | Helm hook to be added to the default certificate. |
+| webhook.certificate.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
 | webhook.extrArgs | list | `[]` | Extra arguments to be passed to the webhook entrypoint |
 | webhook.extraVolumeMounts | list | `[]` | Extra volumes to mount to webhook container |
 | webhook.extraVolumes | list | `[]` | Extra volumes to pass to webhook Pod |
-| webhook.ha.enabled | bool | `false` | Enable high availability |
-| webhook.ha.replicas | int | `3` | Number of replicas |
 | webhook.hostNetwork | bool | `false` | Expose the webhook server in the host network |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
 | webhook.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
@@ -110,7 +77,7 @@ helm uninstall mariadb-operator
 | webhook.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
 | webhook.podAnnotations | object | `{}` | Annotations to add to webhook Pod |
 | webhook.podSecurityContext | object | `{}` | Security context to add to webhook Pod |
-| webhook.port | int | `9443` | Port to be used by the webhook server |
+| webhook.port | int | `10250` | Port to be used by the webhook server |
 | webhook.resources | object | `{}` | Resources to add to webhook container |
 | webhook.securityContext | object | `{}` | Security context to add to webhook container |
 | webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
--- a/packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl
@@ -4,7 +4,7 @@
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)

 <p align="center">
-<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
+<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
 </p>

 {{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/crds/crds.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/crds/crds.yaml
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/_helpers.tpl
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/_helpers.tpl
@@ -71,23 +71,28 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

 {{/*
-Cert-controller common labels
+Webhook certificate
 */}}
-{{- define "mariadb-operator-cert-controller.labels" -}}
-helm.sh/chart: {{ include "mariadb-operator.chart" . }}
-{{ include "mariadb-operator-cert-controller.selectorLabels" . }}
-{{ if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{ end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- define "mariadb-operator-webhook.certificate" -}}
+{{- if .Values.webhook.certificate.certManager }}
+{{- include "mariadb-operator.fullname" . }}-webhook-cert
+{{- else }}
+{{- include "mariadb-operator.fullname" . }}-webhook-default-cert
+{{- end }}
 {{- end }}

 {{/*
-Cert-controller selector labels
+Webhook certificate subject name
 */}}
-{{- define "mariadb-operator-cert-controller.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "mariadb-operator.name" . }}-cert-controller
-app.kubernetes.io/instance: {{ .Release.Name }}
+{{- define "mariadb-operator-webhook.subjectName" -}}
+{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+{{- end }}
+
+{{/*
+Webhook certificate subject alternative name
+*/}}
+{{- define "mariadb-operator-webhook.altName" -}}
+{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
 {{- end }}

 {{/*
@@ -111,14 +116,3 @@ Create the name of the webhook service account to use
 {{- default "default" .Values.webhook.serviceAccount.name }}
 {{- end }}
 {{- end }}
-
-{{/*
-Create the name of the cert-controller service account to use
-*/}}
-{{- define "mariadb-operator-cert-controller.serviceAccountName" -}}
-{{- if .Values.certController.serviceAccount.enabled }}
-{{- default (printf "%s-cert-controller" (include "mariadb-operator.fullname" .))  .Values.certController.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.certController.serviceAccount.name }}
-{{- end }}
-{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-deployment.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-deployment.yaml
@@ -1,103 +0,0 @@
-{{- if and .Values.certController.enabled  (not .Values.webhook.cert.certManager.enabled) -}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-cert-controller
-  labels:
-    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
-spec:
-  {{ if .Values.certController.ha.enabled }}
-  replicas: {{ .Values.certController.ha.replicas}}
-  {{ end }}
-  selector:
-    matchLabels:
-      {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{ with .Values.certController.podAnnotations }}
-      annotations:
-        {{ toYaml . | nindent 8 }}
-      {{ end }}
-      labels:
-        {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.certController.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
-      automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
-      {{ with .Values.certController.nodeSelector }}
-      nodeSelector:
-        {{ toYaml . | nindent 8 }}
-      {{ end }}
-      {{ with .Values.certController.tolerations }}
-      tolerations:
-        {{ toYaml . | nindent 8 }}
-      {{ end }}
-      {{ with .Values.certController.affinity }}
-      affinity:
-        {{ toYaml . | nindent 8 }}
-      {{ end }}
-      {{ with .Values.certController.podSecurityContext }}
-      securityContext:
-        {{ toYaml . | nindent 8 }}
-      {{ end }}
-      containers:
-        - image: "{{ .Values.certController.image.repository }}:{{ .Values.certController.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
-          name: cert-controller
-          args:
-            - cert-controller
-            - --ca-secret-name={{ include "mariadb-operator.fullname" . }}-webhook-ca
-            - --ca-secret-namespace={{ .Release.Namespace }}
-            - --ca-validity={{ .Values.certController.caValidity }}
-            - --cert-secret-name={{ include "mariadb-operator.fullname" . }}-webhook-cert
-            - --cert-secret-namespace={{ .Release.Namespace }}
-            - --cert-validity={{ .Values.certController.certValidity }}
-            - --lookahead-validity={{ .Values.certController.lookaheadValidity }}
-            - --service-name={{ include "mariadb-operator.fullname" . }}-webhook
-            - --service-namespace={{ .Release.Namespace }}
-            - --requeue-duration={{ .Values.certController.requeueDuration }}
-            - --metrics-addr=:8080
-            - --health-addr=:8081
-            - --log-level={{ .Values.logLevel }}
-            {{- if .Values.certController.ha.enabled }}
-            - --leader-elect
-            {{- end }}
-            {{- range .Values.certController.extrArgs }}
-            - {{ . }}
-            {{- end }}
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-            - containerPort: 8081
-              protocol: TCP
-              name: health
-          env: 
-            - name: CLUSTER_NAME
-              value: {{ .Values.clusterName }}
-          {{- with .Values.certController.extraVolumeMounts }}
-          volumeMounts:
-          {{- toYaml . | nindent 12 }}
-          {{- end }}
-          readinessProbe:
-            httpGet:
-              path: /readyz
-              port: 8081
-            initialDelaySeconds: 20
-            periodSeconds: 5
-          {{ with .Values.certController.resources }}
-          resources:
-            {{ toYaml . | nindent 12 }}
-          {{ end }}
-          {{ with .Values.certController.securityContext}}
-          securityContext:
-            {{ toYaml . | nindent 12 }}
-          {{ end }}
-      {{- with .Values.certController.extraVolumes }}
-      volumes:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-rbac.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-rbac.yaml
@@ -1,88 +0,0 @@
-{{- if and .Values.rbac.enabled .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
-{{ $fullName := include "mariadb-operator.fullname" . }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ $fullName }}-cert-controller
-rules:
- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ $fullName }}-cert-controller
-rules:
- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  - mutatingwebhookconfigurations
-  verbs:
-  - get
-  - list
-  - update
-  - patch
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - list
-  - patch
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  - endpoints/restricted
-  verbs:
-  - get
-  - list
-  - watch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ $fullName }}-cert-controller
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ $fullName }}-cert-controller
-subjects:
- kind: ServiceAccount
-  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
-  namespace: {{ .Release.Namespace }}
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ $fullName }}-cert-controller
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ $fullName }}-cert-controller
-subjects:
- kind: ServiceAccount
-  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
-  namespace: {{ .Release.Namespace }}
-{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-serviceaccount.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-serviceaccount.yaml
@@ -1,15 +0,0 @@
-{{- if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
-  labels:
-    {{- include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
-    {{- with .Values.certController.serviceAccount.extraLabels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  {{- with .Values.certController.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-servicemonitor.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-servicemonitor.yaml
@@ -1,36 +0,0 @@
-{{ if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) .Values.metrics.enabled  .Values.certController.serviceMonitor.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-cert-controller-metrics
-  labels:
-    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
-spec:
-  ports:
-    - port: 8080
-      protocol: TCP
-      name: metrics
-  selector:
-    {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 4 }}
---
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-cert-controller
-  labels:
-    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
-    {{ with .Values.certController.serviceMonitor.additionalLabels }}
-    {{ toYaml . | nindent 4 }}
-    {{ end }}
-spec:
-  selector:
-    matchLabels:
-      {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 6 }}
-  namespaceSelector:
-    matchNames:
-    - {{ .Release.Namespace | quote }}
-  endpoints:
-  - port: metrics
-    interval: {{ .Values.certController.serviceMonitor.interval }}
-    scrapeTimeout: {{ .Values.certController.serviceMonitor.scrapeTimeout }}
-{{ end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml
@@ -1,13 +0,0 @@
-apiVersion: v1
-data:
-  MARIADB_GALERA_AGENT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
-  MARIADB_GALERA_INIT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
-  MARIADB_GALERA_LIB_PATH: /usr/lib/galera/libgalera_smm.so
-  MARIADB_OPERATOR_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
-  RELATED_IMAGE_EXPORTER: prom/mysqld-exporter:v0.15.1
-  RELATED_IMAGE_MARIADB: mariadb:11.2.2
-  RELATED_IMAGE_MAXSCALE: mariadb/maxscale:23.08
-kind: ConfigMap
-metadata:
-  creationTimestamp: null
-  name: mariadb-operator-env
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/deployment.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/deployment.yaml
@@ -53,17 +53,17 @@ spec:
            {{- if .Values.ha.enabled }}
            - --leader-elect
            {{- end }}
-            {{- range .Values.extraArgs }}
+            {{- if .Values.metrics.enabled }}
+            - --service-monitor-reconciler
+            {{- end }}
+            {{- range .Values.extrArgs }}
            - {{ . }}
            {{- end }}
          ports:
            - containerPort: 8080
              protocol: TCP
              name: metrics
-          envFrom:
-            - configMapRef:
-                name: mariadb-operator-env
-          env:
+          env: 
            - name: CLUSTER_NAME
              value: {{ .Values.clusterName }}
            - name: MARIADB_OPERATOR_NAME
@@ -76,9 +76,6 @@ spec:
                  fieldPath: metadata.namespace
            - name: MARIADB_OPERATOR_SA_PATH
              value: /var/run/secrets/kubernetes.io/serviceaccount/token
-            {{- with .Values.extraEnv }}
-            {{- toYaml . | nindent 12 }}
-            {{- end }}
          {{- if .Values.extraVolumeMounts }}
          volumeMounts:
          {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
@@ -91,6 +88,21 @@ spec:
          securityContext:
            {{ toYaml . | nindent 12 }}
          {{ end }}
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 20
+            periodSeconds: 10
      {{- if .Values.extraVolumes }}
      volumes:
      {{- toYaml .Values.extraVolumes | nindent 8 }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml
@@ -56,15 +56,6 @@ rules:
  - ""
  resources:
  - endpoints
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - watch
- apiGroups:
-  - ""
-  resources:
  - endpoints/restricted
  verbs:
  - create
@@ -99,12 +90,6 @@ rules:
  - get
  - list
  - watch
- apiGroups:
-  - ""
-  resources:
-  - pvcs
-  verbs:
-  - list
 - apiGroups:
  - ""
  resources:
@@ -132,38 +117,16 @@ rules:
  - list
  - patch
  - watch
- apiGroups:
-  - apps
-  resources:
-  - deployments
-  verbs:
-  - create
-  - list
-  - patch
-  - watch
 - apiGroups:
  - apps
  resources:
  - statefulsets
  verbs:
  - create
-  - delete
  - get
  - list
  - patch
  - watch
- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
 - apiGroups:
  - batch
  resources:
@@ -179,12 +142,11 @@ rules:
  - jobs
  verbs:
  - create
-  - delete
  - list
  - patch
  - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - backups
  verbs:
@@ -196,13 +158,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - backups/finalizers
  verbs:
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - backups/status
  verbs:
@@ -210,7 +172,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - connections
  verbs:
@@ -222,37 +184,23 @@ rules:
  - update
  - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - connections
-  - grants
-  - maxscale
  - restores
-  - users
  verbs:
  - create
  - list
  - patch
  - watch
 - apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - connections
-  - grants
-  - users
-  verbs:
-  - create
-  - list
-  - patch
-  - watch
- apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - connections/finalizers
  verbs:
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - connections/status
  verbs:
@@ -260,7 +208,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - databases
  verbs:
@@ -272,13 +220,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - databases/finalizers
  verbs:
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - databases/status
  verbs:
@@ -286,7 +234,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - grants
  verbs:
@@ -298,13 +246,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - grants/finalizers
  verbs:
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - grants/status
  verbs:
@@ -312,7 +260,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - mariadbs
  verbs:
@@ -324,13 +272,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - mariadbs/finalizers
  verbs:
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - mariadbs/status
  verbs:
@@ -338,33 +286,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - maxscales
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - maxscales/finalizers
-  verbs:
-  - update
- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - maxscales/status
-  verbs:
-  - get
-  - patch
-  - update
- apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - restores
  verbs:
@@ -376,13 +298,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - restores/finalizers
  verbs:
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - restores/status
  verbs:
@@ -390,7 +312,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - sqljobs
  verbs:
@@ -402,13 +324,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - sqljobs/finalizers
  verbs:
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - sqljobs/status
  verbs:
@@ -416,7 +338,7 @@ rules:
  - patch
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - users
  verbs:
@@ -428,13 +350,13 @@ rules:
  - update
  - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - users/finalizers
  verbs:
  - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
  resources:
  - users/status
  verbs:
@@ -509,4 +431,4 @@ subjects:
 - kind: ServiceAccount
  name: {{ include "mariadb-operator.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
-{{- end }}
+{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/metrics-servicemonitor.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/metrics-servicemonitor.yaml
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-certificate.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-certificate.yaml
@@ -1,5 +1,4 @@
-{{ if .Values.webhook.cert.certManager.enabled }}
-{{ if not .Values.webhook.cert.certManager.issuerRef }}
+{{ if .Values.webhook.certificate.certManager }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -8,7 +7,6 @@ metadata:
    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
  selfSigned: {}
-{{ end }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -17,33 +15,11 @@ metadata:
  labels:
    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
-  commonName: {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
  dnsNames:
-    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
-    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
-    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}
-    - {{ include "mariadb-operator.fullname" . }}-webhook
+    - {{ include "mariadb-operator-webhook.subjectName" . }}
+    - {{ include "mariadb-operator-webhook.altName" . }}
  issuerRef:
-  {{- if .Values.webhook.cert.certManager.issuerRef -}}
-    {{ toYaml .Values.webhook.cert.certManager.issuerRef | nindent 4 }}
-  {{- else }}
    kind: Issuer
    name: {{ include "mariadb-operator.fullname" . }}-selfsigned-issuer
-  {{- end }}
-  {{- with .Values.webhook.cert.certManager.duration }}
-  duration: {{ . | quote }}
-  {{- end }}
-  {{- with .Values.webhook.cert.certManager.renewBefore }}
-  renewBefore: {{ . | quote }}
-  {{- end }}
  secretName: {{ include "mariadb-operator.fullname" . }}-webhook-cert
-  secretTemplate:
-    {{- with .Values.webhook.cert.secretLabels }}
-    labels:
-      {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.webhook.cert.secretAnnotations }}
-    annotations:
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
-{{ end }}
+{{ end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-config.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-config.yaml
@@ -1,4 +1,30 @@
 {{ $fullName := include "mariadb-operator.fullname" . }}
+{{ $subjectName := include "mariadb-operator-webhook.subjectName" . }}
+{{ $altNames := list }}
+{{ $altNames := append $altNames $subjectName }}
+{{ $altNames := append $altNames (include "mariadb-operator-webhook.altName" . ) }}
+{{ $ca := genCA $fullName (.Values.webhook.certificate.default.caExpirationDays | int) }}
+{{ $cert := genSignedCert $subjectName nil $altNames (.Values.webhook.certificate.default.certExpirationDays | int) $ca }}
+{{ if not .Values.webhook.certificate.certManager }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: {{ $fullName }}-webhook-default-cert
+  labels:
+    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
+  annotations:
+    {{ with .Values.webhook.certificate.default.hook }}
+    helm.sh/hook: {{ . }}
+    {{ end }}
+    {{ with .Values.webhook.certificate.default.annotations }}
+    {{ toYaml . | nindent 4 }}
+    {{ end }}
+data:
+  tls.crt: {{ $cert.Cert | b64enc }}
+  tls.key: {{ $cert.Key | b64enc }} 
+{{ end }}
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -6,11 +32,12 @@ metadata:
  labels:
    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
  annotations:
-    {{- if .Values.webhook.cert.certManager.enabled }}
+    {{ if .Values.webhook.certificate.certManager }}
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
-    {{- else }}
-    k8s.mariadb.com/webhook: ""
-    {{- end }}
+    {{ end }}
+    {{ with .Values.webhook.certificate.default.hook }}
+    helm.sh/hook: {{ . }}
+    {{ end }}
    {{ with .Values.webhook.annotations }}
    {{ toYaml . | indent 4 }}
    {{ end }}
@@ -21,12 +48,15 @@ webhooks:
    service:
      name: {{ $fullName }}-webhook
      namespace: {{ .Release.Namespace }}
-      path: /mutate-k8s-mariadb-com-v1alpha1-mariadb
+      path: /mutate-mariadb-mmontes-io-v1alpha1-mariadb
+    {{ if not .Values.webhook.certificate.certManager }}
+    caBundle: {{ $ca.Cert | b64enc }}
+    {{ end }}
  failurePolicy: Fail
  name: mmariadb.kb.io
  rules:
  - apiGroups:
-    - k8s.mariadb.com
+    - mariadb.mmontes.io
    apiVersions:
    - v1alpha1
    operations:
@@ -43,11 +73,12 @@ metadata:
  labels:
    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
  annotations:
-    {{- if .Values.webhook.cert.certManager.enabled }}
+    {{ if .Values.webhook.certificate.certManager }}
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
-    {{- else }}
-    k8s.mariadb.com/webhook: ""
-    {{- end }}
+    {{ end }}
+    {{ with .Values.webhook.certificate.default.hook }}
+    helm.sh/hook: {{ . }}
+    {{ end }}
    {{ with .Values.webhook.annotations }}
    {{ toYaml . | indent 4 }}
    {{ end }}
@@ -58,12 +89,15 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-backup
+        path: /validate-mariadb-mmontes-io-v1alpha1-backup
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
    failurePolicy: Fail
    name: vbackup.kb.io
    rules:
      - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
        apiVersions:
          - v1alpha1
        operations:
@@ -78,12 +112,15 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-connection
+        path: /validate-mariadb-mmontes-io-v1alpha1-connection
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
    failurePolicy: Fail
    name: vconnection.kb.io
    rules:
      - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
        apiVersions:
          - v1alpha1
        operations:
@@ -98,12 +135,15 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-database
+        path: /validate-mariadb-mmontes-io-v1alpha1-database
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
    failurePolicy: Fail
    name: vdatabase.kb.io
    rules:
      - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
        apiVersions:
          - v1alpha1
        operations:
@@ -118,12 +158,15 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-grant
+        path: /validate-mariadb-mmontes-io-v1alpha1-grant
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
    failurePolicy: Fail
    name: vgrant.kb.io
    rules:
      - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
        apiVersions:
          - v1alpha1
        operations:
@@ -138,12 +181,15 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-mariadb
+        path: /validate-mariadb-mmontes-io-v1alpha1-mariadb
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
    failurePolicy: Fail
    name: vmariadb.kb.io
    rules:
      - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
        apiVersions:
          - v1alpha1
        operations:
@@ -152,38 +198,21 @@ webhooks:
        resources:
          - mariadbs
    sideEffects: None
-  - admissionReviewVersions:
-    - v1
-    clientConfig:
-      service:
-        name: {{ $fullName }}-webhook
-        namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-maxscale
-    failurePolicy: Fail
-    name: vmaxscale.kb.io
-    rules:
-    - apiGroups:
-      - k8s.mariadb.com
-      apiVersions:
-      - v1alpha1
-      operations:
-      - CREATE
-      - UPDATE
-      resources:
-      - maxscales
-    sideEffects: None
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-restore
+        path: /validate-mariadb-mmontes-io-v1alpha1-restore
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
    failurePolicy: Fail
    name: vrestore.kb.io
    rules:
      - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
        apiVersions:
          - v1alpha1
        operations:
@@ -198,12 +227,15 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-sqljob
+        path: /validate-mariadb-mmontes-io-v1alpha1-sqljob
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
    failurePolicy: Fail
    name: vsqljob.kb.io
    rules:
      - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
        apiVersions:
          - v1alpha1
        operations:
@@ -218,12 +250,15 @@ webhooks:
      service:
        name: {{ $fullName }}-webhook
        namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-user
+        path: /validate-mariadb-mmontes-io-v1alpha1-user
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
    failurePolicy: Fail
    name: vuser.kb.io
    rules:
      - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
        apiVersions:
          - v1alpha1
        operations:
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-deployment.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-deployment.yaml
@@ -1,14 +1,10 @@
-{{ $fullName := include "mariadb-operator.fullname" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ $fullName }}-webhook
+  name: {{ include "mariadb-operator.fullname" . }}-webhook
  labels:
    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
-  {{ if .Values.webhook.ha.enabled }}
-  replicas: {{ .Values.webhook.ha.replicas}}
-  {{ end }}
  selector:
    matchLabels:
      {{ include "mariadb-operator-webhook.selectorLabels" . | nindent 6 }}
@@ -50,18 +46,12 @@ spec:
          name: webhook
          args:
            - webhook
-            {{- if .Values.webhook.cert.certManager.enabled }}
-            - --ca-cert-path={{ .Values.webhook.cert.path }}/ca.crt
-            {{- else }}
-            - --ca-cert-path={{ .Values.webhook.cert.caPath }}/tls.crt
-            {{- end }}
-            - --cert-dir={{ .Values.webhook.cert.path }}
-            - --dns-name={{ $fullName }}-webhook.{{ .Release.Namespace }}.svc
+            - --cert-dir={{ .Values.webhook.certificate.path }}
            - --port={{ .Values.webhook.port }}
            - --metrics-addr=:8080
            - --health-addr=:8081
            - --log-level={{ .Values.logLevel }}
-            {{- range .Values.webhook.extrArgs }}
+            {{- range .Values.extrArgs }}
            - {{ . }}
            {{- end }}
          ports:
@@ -75,12 +65,7 @@ spec:
              protocol: TCP
              name: health
          volumeMounts:
-            {{- if not .Values.webhook.cert.certManager.enabled }}
-            - mountPath: {{ .Values.webhook.cert.caPath }}
-              name: ca
-              readOnly: true
-            {{- end }}
-            - mountPath: {{ .Values.webhook.cert.path }}
+            - mountPath: {{ .Values.webhook.certificate.path }}
              name: cert
              readOnly: true
          {{- if .Values.webhook.extraVolumeMounts }}
@@ -88,10 +73,22 @@ spec:
          {{- end }}
          readinessProbe:
            httpGet:
-              path: /readyz
+              path: /healthz
              port: 8081
-            initialDelaySeconds: 20
-            periodSeconds: 5
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          startupProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
          {{ with .Values.webhook.resources }}
          resources:
            {{ toYaml . | nindent 12 }}
@@ -101,16 +98,10 @@ spec:
            {{ toYaml . | nindent 12 }}
          {{ end }}
      volumes:
-        {{- if not .Values.webhook.cert.certManager.enabled }}
-        - name: ca
-          secret:
-            defaultMode: 420
-            secretName: {{ $fullName }}-webhook-ca
-        {{- end }}
        - name: cert
          secret:
            defaultMode: 420
-            secretName: {{ $fullName }}-webhook-cert
+            secretName: {{ include "mariadb-operator-webhook.certificate" . }}
      {{- if .Values.webhook.extraVolumes }}
      {{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
      {{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-secret.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-secret.yaml
@@ -1,25 +0,0 @@
-{{- if not .Values.webhook.cert.certManager.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-webhook-ca
-  labels:
-    {{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
-    mariadb-operator.io/component: webhook
-  {{- with .Values.webhook.cert.secretAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-webhook-cert
-  labels:
-    {{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
-    mariadb-operator.io/component: webhook
-  {{- with .Values.webhook.cert.secretAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}
--- a/packages/system/mariadb-operator/charts/mariadb-operator/values.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/values.yaml
@@ -19,9 +19,11 @@ ha:
  enabled: false
  # -- Number of replicas
  replicas: 3
+  # -- Lease resource name to be used for leader election
+  leaseId: mariadb.mmontes.io

 metrics:
-  # -- Enable operator internal metrics. Prometheus must be installed in the cluster
+  # -- Enable prometheus metrics. Prometheus must be installed in the cluster
  enabled: false
  serviceMonitor:
    # -- Enable controller ServiceMonitor
@@ -54,9 +56,6 @@ rbac:
 # -- Extra arguments to be passed to the controller entrypoint
 extrArgs: []

-# -- Extra environment variables to be passed to the controller
-extraEnv: []
-
 # -- Extra volumes to pass to pod.
 extraVolumes: []

@@ -88,37 +87,31 @@ tolerations: []
 affinity: {}

 webhook:
+  # -- Annotations for webhook configurations.
+  annotations: {}
  image:
    repository: ghcr.io/mariadb-operator/mariadb-operator
    pullPolicy: IfNotPresent
    # -- Image tag to use. By default the chart appVersion is used
    tag: ""
  imagePullSecrets: []
-  ha:
-    # -- Enable high availability
-    enabled: false
-    # -- Number of replicas
-    replicas: 3
-  cert:
-    certManager:
-      # -- Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead.
-      enabled: false
-      # -- Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used.
-      issuerRef: {}
-       # -- Duration to be used in the Certificate resource,
-      duration: ""
-       # -- Renew before duration to be used in the Certificate resource.
-      renewBefore: ""
-    # -- Annotatioms to be added to webhook TLS secret.
-    secretAnnotations: {}
-    # -- Labels to be added to webhook TLS secret.
-    secretLabels: {}
-    # -- Path where the CA certificate will be mounted.
-    caPath: /tmp/k8s-webhook-server/certificate-authority
+  certificate:
+    # -- Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used.
+    certManager: false
+    # -- Default certificate generated when the chart is installed or upgraded.
+    default:
+      # -- Certificate authority expiration in days.
+      caExpirationDays: 365
+      # -- Certificate expiration in days.
+      certExpirationDays: 365
+      # -- Annotations for certificate Secret.
+      annotations: {}
+      # -- Helm hook to be added to the default certificate.
+      hook: ""
    # -- Path where the certificate will be mounted.
    path: /tmp/k8s-webhook-server/serving-certs
  # -- Port to be used by the webhook server
-  port: 9443
+  port: 10250
  # -- Expose the webhook server in the host network
  hostNetwork: false
  serviceMonitor:
@@ -143,8 +136,6 @@ webhook:
    # -- The name of the service account to use.
    # If not set and enabled is true, a name is generated using the fullname template
    name: ""
-  # -- Annotations for webhook configurations.
-  annotations: {}
  # -- Extra arguments to be passed to the webhook entrypoint
  extrArgs: []
  # -- Extra volumes to pass to webhook Pod
@@ -168,71 +159,3 @@ webhook:
  tolerations: []
  # -- Affinity to add to controller Pod
  affinity: {}
-
-certController:
-  # -- Specifies whether the cert-controller should be created.
-  enabled: true
-  image:
-    repository: ghcr.io/mariadb-operator/mariadb-operator
-    pullPolicy: IfNotPresent
-    # -- Image tag to use. By default the chart appVersion is used
-    tag: ""
-  imagePullSecrets: []
-  ha:
-    # -- Enable high availability
-    enabled: false
-    # -- Number of replicas
-    replicas: 3
-  # -- CA certificate validity. It must be greater than certValidity.
-  caValidity: 35064h
-  # -- Certificate validity.
-  certValidity: 8766h
-  # -- Duration used to verify whether a certificate is valid or not.
-  lookaheadValidity: 2160h
-  # -- Requeue duration to ensure that certificate gets renewed.
-  requeueDuration: 5m
-  serviceMonitor:
-    # -- Enable cert-controller ServiceMonitor. Metrics must be enabled
-    enabled: true
-    # -- Labels to be added to the cert-controller ServiceMonitor
-    additionalLabels: {}
-    # release: kube-prometheus-stack
-    # --  Interval to scrape metrics
-    interval: 30s
-    # -- Timeout if metrics can't be retrieved in given time interval
-    scrapeTimeout: 25s
-  serviceAccount:
-    # -- Specifies whether a service account should be created
-    enabled: true
-    # -- Automounts the service account token in all containers of the Pod
-    automount: true
-    # -- Annotations to add to the service account
-    annotations: {}
-    # -- Extra Labels to add to the service account
-    extraLabels: {}
-    # -- The name of the service account to use.
-    # If not set and enabled is true, a name is generated using the fullname template
-    name: ""
-  # -- Extra arguments to be passed to the cert-controller entrypoint
-  extrArgs: []
-  # -- Extra volumes to pass to cert-controller Pod
-  extraVolumes: []
-  # -- Extra volumes to mount to cert-controller container
-  extraVolumeMounts: []
-  # -- Annotations to add to cert-controller Pod
-  podAnnotations: {}
-  # -- Security context to add to cert-controller Pod
-  podSecurityContext: {}
-  # -- Security context to add to cert-controller container
-  securityContext: {}
-  # -- Resources to add to cert-controller container
-  resources: {}
-  # requests:
-  #   cpu: 10m
-  #   memory: 32Mi
-  # -- Node selectors to add to controller Pod
-  nodeSelector: {}
-  # -- Tolerations to add to controller Pod
-  tolerations: []
-  # -- Affinity to add to controller Pod
-  affinity: {}
--- a/packages/system/piraeus-operator/charts/piraeus/Chart.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/Chart.yaml
@@ -3,8 +3,8 @@ name: piraeus
 description: |
  The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
 type: application
-version: 2.4.1
-appVersion: "v2.4.1"
+version: 2.3.0
+appVersion: "v2.3.0"
 maintainers:
  - name: Piraeus Datastore
    url: https://piraeus.io
--- a/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml
@@ -17,19 +17,19 @@ data:
    #   quay.io/piraeusdatastore/piraeus-server:v1.24.2
    components:
      linstor-controller:
-        tag: v1.26.2
+        tag: v1.25.1
        image: piraeus-server
      linstor-satellite:
-        tag: v1.26.2
+        tag: v1.25.1
        image: piraeus-server
      linstor-csi:
-        tag: v1.4.0
+        tag: v1.3.0
        image: piraeus-csi
      drbd-reactor:
        tag: v1.4.0
        image: drbd-reactor
      ha-controller:
-        tag: v1.2.0
+        tag: v1.1.4
        image: piraeus-ha-controller
      drbd-shutdown-guard:
        tag: v1.0.0
@@ -38,7 +38,7 @@ data:
        tag: v0.10
        image: ktls-utils
      drbd-module-loader:
-        tag: v9.2.8
+        tag: v9.2.6
        # The special "match" attribute is used to select an image based on the node's reported OS.
        # The operator will first check the k8s node's ".status.nodeInfo.osImage" field, and compare it against the list
        # here. If one matches, that specific image name will be used instead of the fallback image.
@@ -54,18 +54,12 @@ data:
            image: drbd9-almalinux8
          - osImage: AlmaLinux 9
            image: drbd9-almalinux9
-          - osImage: Rocky Linux 8
-            image: drbd9-almalinux8
-          - osImage: Rocky Linux 9
-            image: drbd9-almalinux9
          - osImage: Ubuntu 18\.04
            image: drbd9-bionic
          - osImage: Ubuntu 20\.04
            image: drbd9-focal
          - osImage: Ubuntu 22\.04
            image: drbd9-jammy
-          - osImage: Debian GNU/Linux 12
-            image: drbd9-bookworm
          - osImage: Debian GNU/Linux 11
            image: drbd9-bullseye
          - osImage: Debian GNU/Linux 10
@@ -75,25 +69,25 @@ data:
    base: registry.k8s.io/sig-storage
    components:
      csi-attacher:
-        tag: v4.5.0
+        tag: v4.4.2
        image: csi-attacher
      csi-livenessprobe:
-        tag: v2.12.0
+        tag: v2.11.0
        image: livenessprobe
      csi-provisioner:
-        tag: v4.0.0
+        tag: v3.6.2
        image: csi-provisioner
      csi-snapshotter:
-        tag: v7.0.1
+        tag: v6.3.2
        image: csi-snapshotter
      csi-resizer:
-        tag: v1.10.0
+        tag: v1.9.2
        image: csi-resizer
      csi-external-health-monitor-controller:
-        tag: v0.11.0
+        tag: v0.10.0
        image: csi-external-health-monitor-controller
      csi-node-driver-registrar:
-        tag: v2.10.0
+        tag: v2.9.1
        image: csi-node-driver-registrar
  {{- range $idx, $value := .Values.imageConfigOverride }}
  {{ add $idx 1 }}_helm_override.yaml: |
--- a/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml
--- a/packages/system/piraeus-operator/charts/piraeus/templates/validating-webhook-configuration.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/validating-webhook-configuration.yaml
@@ -152,27 +152,3 @@ webhooks:
    resources:
    - linstorsatelliteconfigurations
  sideEffects: None
- admissionReviewVersions:
-    - v1
-  clientConfig:
-    service:
-      name: '{{ include "piraeus-operator.fullname" . }}-webhook-service'
-      namespace: '{{ .Release.Namespace }}'
-      path: /validate-storage-k8s-io-v1-storageclass
-    {{- if not .Values.tls.certManagerIssuerRef }}
-    caBundle: {{ $ca }}
-    {{- end }}
-  failurePolicy: {{ .Values.webhook.failurePolicy }}
-  timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
-  name: vstorageclass.kb.io
-  rules:
-    - apiGroups:
-        - storage.k8s.io
-      apiVersions:
-        - v1
-      operations:
-        - CREATE
-        - UPDATE
-      resources:
-        - storageclasses
-  sideEffects: None
--- a/scripts/installer.sh
+++ b/scripts/installer.sh
@@ -1,18 +1,9 @@
 #!/bin/sh
-VERSION=2
 set -o pipefail
 set -e

 run_migrations() {
-  if ! kubectl get configmap -n cozy-system cozystack-version; then
-    kubectl create configmap -n cozy-system cozystack-version --from-literal=version="$VERSION" --dry-run=client -o yaml | kubectl create -f-
-  fi
-  current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}') || true
-  until [ "$current_version" = "$VERSION" ]; do
-    echo "run migration: $current_version --> $VERSION"
-    scripts/migrations/$current_version
-    current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}')
-  done
+  return 0
 }

 flux_is_ok() {
@@ -27,9 +18,6 @@ install_basic_charts() {

 cd "$(dirname "$0")/.."

-# Run migrations
-run_migrations
-
 # Install namespaces
 make -C packages/core/platform namespaces-apply

@@ -38,6 +26,9 @@ if ! flux_is_ok; then
  install_basic_charts
 fi

+# Run migrations
+run_migrations
+
 # Reconcile Helm repositories
 kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite

--- a/scripts/migrations/1
+++ b/scripts/migrations/1
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-if kubectl get -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert; then
-  kubectl annotate -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert meta.helm.sh/release-namespace=cozy-mariadb-operator meta.helm.sh/release-name=mariadb-operator
-  kubectl label -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert app.kubernetes.io/managed-by=Helm
-fi
-
-kubectl create configmap -n cozy-system cozystack-version --from-literal=version=2 --dry-run=client -o yaml | kubectl apply -f-