Update CNPG to 1.22.2

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

README.md

@@ -44,8 +44,6 @@ If you encounter any difficulties, start with the [troubleshooting guide](https:
 Versioning adheres to the [Semantic Versioning](http://semver.org/) principles.  
 A full list of the available releases is available in the GitHub repository's [Release](https://github.com/aenix-io/cozystack/releases) section.
 
-- [Roadmap](https://github.com/orgs/aenix-io/projects/2)
-
 ## Contributions
 
 Contributions are highly appreciated and very welcomed!

packages/apps/http-cache/Makefile

@@ -2,7 +2,7 @@ PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
 NGINX_CACHE_TAG = v0.1.0
-TAG := v0.2.0
+TAG := v0.1.0
 
 image: image-nginx
 

packages/apps/kubernetes/Makefile

@@ -1,7 +1,7 @@
 PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
-TAG := v0.2.0
+TAG := v0.1.0
 UBUNTU_CONTAINER_DISK_TAG = v1.29.1
 
 image: image-ubuntu-container-disk

packages/core/installer/Makefile

@@ -3,7 +3,7 @@ NAME=installer
 PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
-TAG := v0.2.0
+TAG := v0.1.0
 TALOS_VERSION=$(shell awk '/^version:/ {print $$2}' images/talos/profiles/installer.yaml)
 
 show:

packages/system/dashboard/Makefile

@@ -3,7 +3,7 @@ NAMESPACE=cozy-dashboard
 PUSH := 1
 LOAD := 0
 REPOSITORY := ghcr.io/aenix-io/cozystack
-TAG := v0.2.0
+TAG := v0.1.0
 
 show:
 	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .

packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml

@@ -1,19 +1,17 @@
 apiVersion: v2
-appVersion: v0.0.27
+appVersion: v0.0.22
 description: Run and operate MariaDB in a cloud native way
 home: https://github.com/mariadb-operator/mariadb-operator
-icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
+icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb.png
 keywords:
 - mariadb
-- mysql
 - operator
 - mariadb-operator
 - database
-- maxscale
 kubeVersion: '>= 1.16.0-0'
 maintainers:
 - email: mariadb-operator@proton.me
   name: mmontes11
 name: mariadb-operator
 type: application
-version: 0.27.0
+version: 0.22.0

packages/system/mariadb-operator/charts/mariadb-operator/README.md

@@ -3,10 +3,10 @@
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
 
 <p align="center">
-<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
+<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
 </p>
 
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![AppVersion: v0.0.27](https://img.shields.io/badge/AppVersion-v0.0.27-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.22.0](https://img.shields.io/badge/Version-0.22.0-informational?style=flat-square) ![AppVersion: v0.0.22](https://img.shields.io/badge/AppVersion-v0.0.22-informational?style=flat-square)
 
 Run and operate MariaDB in a cloud native way
 
@@ -26,50 +26,20 @@ helm uninstall mariadb-operator
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity to add to controller Pod |
-| certController.affinity | object | `{}` | Affinity to add to controller Pod |
-| certController.caValidity | string | `"35064h"` | CA certificate validity. It must be greater than certValidity. |
-| certController.certValidity | string | `"8766h"` | Certificate validity. |
-| certController.enabled | bool | `true` | Specifies whether the cert-controller should be created. |
-| certController.extrArgs | list | `[]` | Extra arguments to be passed to the cert-controller entrypoint |
-| certController.extraVolumeMounts | list | `[]` | Extra volumes to mount to cert-controller container |
-| certController.extraVolumes | list | `[]` | Extra volumes to pass to cert-controller Pod |
-| certController.ha.enabled | bool | `false` | Enable high availability |
-| certController.ha.replicas | int | `3` | Number of replicas |
-| certController.image.pullPolicy | string | `"IfNotPresent"` |  |
-| certController.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
-| certController.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
-| certController.imagePullSecrets | list | `[]` |  |
-| certController.lookaheadValidity | string | `"2160h"` | Duration used to verify whether a certificate is valid or not. |
-| certController.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
-| certController.podAnnotations | object | `{}` | Annotations to add to cert-controller Pod |
-| certController.podSecurityContext | object | `{}` | Security context to add to cert-controller Pod |
-| certController.requeueDuration | string | `"5m"` | Requeue duration to ensure that certificate gets renewed. |
-| certController.resources | object | `{}` | Resources to add to cert-controller container |
-| certController.securityContext | object | `{}` | Security context to add to cert-controller container |
-| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
-| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the Pod |
-| certController.serviceAccount.enabled | bool | `true` | Specifies whether a service account should be created |
-| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account |
-| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and enabled is true, a name is generated using the fullname template |
-| certController.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the cert-controller ServiceMonitor |
-| certController.serviceMonitor.enabled | bool | `true` | Enable cert-controller ServiceMonitor. Metrics must be enabled |
-| certController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
-| certController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
-| certController.tolerations | list | `[]` | Tolerations to add to controller Pod |
 | clusterName | string | `"cluster.local"` | Cluster DNS name |
 | extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |
-| extraEnv | list | `[]` | Extra environment variables to be passed to the controller |
 | extraVolumeMounts | list | `[]` | Extra volumes to mount to the container. |
 | extraVolumes | list | `[]` | Extra volumes to pass to pod. |
 | fullnameOverride | string | `""` |  |
 | ha.enabled | bool | `false` | Enable high availability |
+| ha.leaseId | string | `"mariadb.mmontes.io"` | Lease resource name to be used for leader election |
 | ha.replicas | int | `3` | Number of replicas |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
 | image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
 | imagePullSecrets | list | `[]` |  |
 | logLevel | string | `"INFO"` | Controller log level |
-| metrics.enabled | bool | `false` | Enable operator internal metrics. Prometheus must be installed in the cluster |
+| metrics.enabled | bool | `false` | Enable prometheus metrics. Prometheus must be installed in the cluster |
 | metrics.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the controller ServiceMonitor |
 | metrics.serviceMonitor.enabled | bool | `true` | Enable controller ServiceMonitor |
 | metrics.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
@@ -89,19 +59,16 @@ helm uninstall mariadb-operator
 | tolerations | list | `[]` | Tolerations to add to controller Pod |
 | webhook.affinity | object | `{}` | Affinity to add to controller Pod |
 | webhook.annotations | object | `{}` | Annotations for webhook configurations. |
-| webhook.cert.caPath | string | `"/tmp/k8s-webhook-server/certificate-authority"` | Path where the CA certificate will be mounted. |
+| webhook.certificate.certManager | bool | `false` | Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used. |
-| webhook.cert.certManager.duration | string | `""` | Duration to be used in the Certificate resource, |
+| webhook.certificate.default | object | `{"annotations":{},"caExpirationDays":365,"certExpirationDays":365,"hook":""}` | Default certificate generated when the chart is installed or upgraded. |
-| webhook.cert.certManager.enabled | bool | `false` | Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead. |
+| webhook.certificate.default.annotations | object | `{}` | Annotations for certificate Secret. |
-| webhook.cert.certManager.issuerRef | object | `{}` | Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used. |
+| webhook.certificate.default.caExpirationDays | int | `365` | Certificate authority expiration in days. |
-| webhook.cert.certManager.renewBefore | string | `""` | Renew before duration to be used in the Certificate resource. |
+| webhook.certificate.default.certExpirationDays | int | `365` | Certificate expiration in days. |
-| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
+| webhook.certificate.default.hook | string | `""` | Helm hook to be added to the default certificate. |
-| webhook.cert.secretAnnotations | object | `{}` | Annotatioms to be added to webhook TLS secret. |
+| webhook.certificate.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
-| webhook.cert.secretLabels | object | `{}` | Labels to be added to webhook TLS secret. |
 | webhook.extrArgs | list | `[]` | Extra arguments to be passed to the webhook entrypoint |
 | webhook.extraVolumeMounts | list | `[]` | Extra volumes to mount to webhook container |
 | webhook.extraVolumes | list | `[]` | Extra volumes to pass to webhook Pod |
-| webhook.ha.enabled | bool | `false` | Enable high availability |
-| webhook.ha.replicas | int | `3` | Number of replicas |
 | webhook.hostNetwork | bool | `false` | Expose the webhook server in the host network |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
 | webhook.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
@@ -110,7 +77,7 @@ helm uninstall mariadb-operator
 | webhook.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
 | webhook.podAnnotations | object | `{}` | Annotations to add to webhook Pod |
 | webhook.podSecurityContext | object | `{}` | Security context to add to webhook Pod |
-| webhook.port | int | `9443` | Port to be used by the webhook server |
+| webhook.port | int | `10250` | Port to be used by the webhook server |
 | webhook.resources | object | `{}` | Resources to add to webhook container |
 | webhook.securityContext | object | `{}` | Security context to add to webhook container |
 | webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |

packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl

@@ -4,7 +4,7 @@
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
 
 <p align="center">
-<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
+<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
 </p>
 
 {{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/_helpers.tpl

@@ -71,23 +71,28 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
-Cert-controller common labels
+Webhook certificate
 */}}
-{{- define "mariadb-operator-cert-controller.labels" -}}
+{{- define "mariadb-operator-webhook.certificate" -}}
-helm.sh/chart: {{ include "mariadb-operator.chart" . }}
+{{- if .Values.webhook.certificate.certManager }}
-{{ include "mariadb-operator-cert-controller.selectorLabels" . }}
+{{- include "mariadb-operator.fullname" . }}-webhook-cert
-{{ if .Chart.AppVersion }}
+{{- else }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- include "mariadb-operator.fullname" . }}-webhook-default-cert
-{{ end }}
+{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
 {{/*
-Cert-controller selector labels
+Webhook certificate subject name
 */}}
-{{- define "mariadb-operator-cert-controller.selectorLabels" -}}
+{{- define "mariadb-operator-webhook.subjectName" -}}
-app.kubernetes.io/name: {{ include "mariadb-operator.name" . }}-cert-controller
+{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
-app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Webhook certificate subject alternative name
+*/}}
+{{- define "mariadb-operator-webhook.altName" -}}
+{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
 {{- end }}
 
 {{/*
@@ -111,14 +116,3 @@ Create the name of the webhook service account to use
 {{- default "default" .Values.webhook.serviceAccount.name }}
 {{- end }}
 {{- end }}
-
-{{/*
-Create the name of the cert-controller service account to use
-*/}}
-{{- define "mariadb-operator-cert-controller.serviceAccountName" -}}
-{{- if .Values.certController.serviceAccount.enabled }}
-{{- default (printf "%s-cert-controller" (include "mariadb-operator.fullname" .))  .Values.certController.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.certController.serviceAccount.name }}
-{{- end }}
-{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-deployment.yaml

@@ -1,103 +0,0 @@
-{{- if and .Values.certController.enabled  (not .Values.webhook.cert.certManager.enabled) -}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-cert-controller
-  labels:
-    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
-spec:
-  {{ if .Values.certController.ha.enabled }}
-  replicas: {{ .Values.certController.ha.replicas}}
-  {{ end }}
-  selector:
-    matchLabels:
-      {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{ with .Values.certController.podAnnotations }}
-      annotations:
-        {{ toYaml . | nindent 8 }}
-      {{ end }}
-      labels:
-        {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.certController.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
-      automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
-      {{ with .Values.certController.nodeSelector }}
-      nodeSelector:
-        {{ toYaml . | nindent 8 }}
-      {{ end }}
-      {{ with .Values.certController.tolerations }}
-      tolerations:
-        {{ toYaml . | nindent 8 }}
-      {{ end }}
-      {{ with .Values.certController.affinity }}
-      affinity:
-        {{ toYaml . | nindent 8 }}
-      {{ end }}
-      {{ with .Values.certController.podSecurityContext }}
-      securityContext:
-        {{ toYaml . | nindent 8 }}
-      {{ end }}
-      containers:
-        - image: "{{ .Values.certController.image.repository }}:{{ .Values.certController.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
-          name: cert-controller
-          args:
-            - cert-controller
-            - --ca-secret-name={{ include "mariadb-operator.fullname" . }}-webhook-ca
-            - --ca-secret-namespace={{ .Release.Namespace }}
-            - --ca-validity={{ .Values.certController.caValidity }}
-            - --cert-secret-name={{ include "mariadb-operator.fullname" . }}-webhook-cert
-            - --cert-secret-namespace={{ .Release.Namespace }}
-            - --cert-validity={{ .Values.certController.certValidity }}
-            - --lookahead-validity={{ .Values.certController.lookaheadValidity }}
-            - --service-name={{ include "mariadb-operator.fullname" . }}-webhook
-            - --service-namespace={{ .Release.Namespace }}
-            - --requeue-duration={{ .Values.certController.requeueDuration }}
-            - --metrics-addr=:8080
-            - --health-addr=:8081
-            - --log-level={{ .Values.logLevel }}
-            {{- if .Values.certController.ha.enabled }}
-            - --leader-elect
-            {{- end }}
-            {{- range .Values.certController.extrArgs }}
-            - {{ . }}
-            {{- end }}
-          ports:
-            - containerPort: 8080
-              protocol: TCP
-              name: metrics
-            - containerPort: 8081
-              protocol: TCP
-              name: health
-          env: 
-            - name: CLUSTER_NAME
-              value: {{ .Values.clusterName }}
-          {{- with .Values.certController.extraVolumeMounts }}
-          volumeMounts:
-          {{- toYaml . | nindent 12 }}
-          {{- end }}
-          readinessProbe:
-            httpGet:
-              path: /readyz
-              port: 8081
-            initialDelaySeconds: 20
-            periodSeconds: 5
-          {{ with .Values.certController.resources }}
-          resources:
-            {{ toYaml . | nindent 12 }}
-          {{ end }}
-          {{ with .Values.certController.securityContext}}
-          securityContext:
-            {{ toYaml . | nindent 12 }}
-          {{ end }}
-      {{- with .Values.certController.extraVolumes }}
-      volumes:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-rbac.yaml

@@ -1,88 +0,0 @@
-{{- if and .Values.rbac.enabled .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
-{{ $fullName := include "mariadb-operator.fullname" . }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ $fullName }}-cert-controller
-rules:
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ $fullName }}-cert-controller
-rules:
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  - mutatingwebhookconfigurations
-  verbs:
-  - get
-  - list
-  - update
-  - patch
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  - endpoints/restricted
-  verbs:
-  - get
-  - list
-  - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ $fullName }}-cert-controller
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ $fullName }}-cert-controller
-subjects:
-- kind: ServiceAccount
-  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
-  namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ $fullName }}-cert-controller
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ $fullName }}-cert-controller
-subjects:
-- kind: ServiceAccount
-  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
-  namespace: {{ .Release.Namespace }}
-{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-serviceaccount.yaml

@@ -1,15 +0,0 @@
-{{- if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "mariadb-operator-cert-controller.serviceAccountName" . }}-cert-controller
-  labels:
-    {{- include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
-    {{- with .Values.certController.serviceAccount.extraLabels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  {{- with .Values.certController.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/cert-controller-servicemonitor.yaml

@@ -1,36 +0,0 @@
-{{ if and .Values.certController.enabled (not .Values.webhook.cert.certManager.enabled) .Values.metrics.enabled  .Values.certController.serviceMonitor.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-cert-controller-metrics
-  labels:
-    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
-spec:
-  ports:
-    - port: 8080
-      protocol: TCP
-      name: metrics
-  selector:
-    {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 4 }}
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-cert-controller
-  labels:
-    {{ include "mariadb-operator-cert-controller.labels" . | nindent 4 }}
-    {{ with .Values.certController.serviceMonitor.additionalLabels }}
-    {{ toYaml . | nindent 4 }}
-    {{ end }}
-spec:
-  selector:
-    matchLabels:
-      {{ include "mariadb-operator-cert-controller.selectorLabels" . | nindent 6 }}
-  namespaceSelector:
-    matchNames:
-    - {{ .Release.Namespace | quote }}
-  endpoints:
-  - port: metrics
-    interval: {{ .Values.certController.serviceMonitor.interval }}
-    scrapeTimeout: {{ .Values.certController.serviceMonitor.scrapeTimeout }}
-{{ end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-data:
-  MARIADB_GALERA_AGENT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
-  MARIADB_GALERA_INIT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
-  MARIADB_GALERA_LIB_PATH: /usr/lib/galera/libgalera_smm.so
-  MARIADB_OPERATOR_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
-  RELATED_IMAGE_EXPORTER: prom/mysqld-exporter:v0.15.1
-  RELATED_IMAGE_MARIADB: mariadb:11.2.2
-  RELATED_IMAGE_MAXSCALE: mariadb/maxscale:23.08
-kind: ConfigMap
-metadata:
-  creationTimestamp: null
-  name: mariadb-operator-env

packages/system/mariadb-operator/charts/mariadb-operator/templates/deployment.yaml

@@ -53,17 +53,17 @@ spec:
             {{- if .Values.ha.enabled }}
             - --leader-elect
             {{- end }}
-            {{- range .Values.extraArgs }}
+            {{- if .Values.metrics.enabled }}
+            - --service-monitor-reconciler
+            {{- end }}
+            {{- range .Values.extrArgs }}
             - {{ . }}
             {{- end }}
           ports:
             - containerPort: 8080
               protocol: TCP
               name: metrics
-          envFrom:
+          env: 
-            - configMapRef:
-                name: mariadb-operator-env
-          env:
             - name: CLUSTER_NAME
               value: {{ .Values.clusterName }}
             - name: MARIADB_OPERATOR_NAME
@@ -76,9 +76,6 @@ spec:
                   fieldPath: metadata.namespace
             - name: MARIADB_OPERATOR_SA_PATH
               value: /var/run/secrets/kubernetes.io/serviceaccount/token
-            {{- with .Values.extraEnv }}
-            {{- toYaml . | nindent 12 }}
-            {{- end }}
           {{- if .Values.extraVolumeMounts }}
           volumeMounts:
           {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
@@ -91,6 +88,21 @@ spec:
           securityContext:
             {{ toYaml . | nindent 12 }}
           {{ end }}
+          readinessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: 8080
+            initialDelaySeconds: 20
+            periodSeconds: 10
       {{- if .Values.extraVolumes }}
       volumes:
       {{- toYaml .Values.extraVolumes | nindent 8 }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml

@@ -56,15 +56,6 @@ rules:
   - ""
   resources:
   - endpoints
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - ""
-  resources:
   - endpoints/restricted
   verbs:
   - create
@@ -99,12 +90,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - pvcs
-  verbs:
-  - list
 - apiGroups:
   - ""
   resources:
@@ -132,38 +117,16 @@ rules:
   - list
   - patch
   - watch
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  verbs:
-  - create
-  - list
-  - patch
-  - watch
 - apiGroups:
   - apps
   resources:
   - statefulsets
   verbs:
   - create
-  - delete
   - get
   - list
   - patch
   - watch
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
 - apiGroups:
   - batch
   resources:
@@ -179,12 +142,11 @@ rules:
   - jobs
   verbs:
   - create
-  - delete
   - list
   - patch
   - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - backups
   verbs:
@@ -196,13 +158,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - backups/finalizers
   verbs:
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - backups/status
   verbs:
@@ -210,7 +172,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - connections
   verbs:
@@ -222,37 +184,23 @@ rules:
   - update
   - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - connections
-  - grants
-  - maxscale
   - restores
-  - users
   verbs:
   - create
   - list
   - patch
   - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
-  resources:
-  - connections
-  - grants
-  - users
-  verbs:
-  - create
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
   resources:
   - connections/finalizers
   verbs:
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - connections/status
   verbs:
@@ -260,7 +208,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - databases
   verbs:
@@ -272,13 +220,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - databases/finalizers
   verbs:
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - databases/status
   verbs:
@@ -286,7 +234,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - grants
   verbs:
@@ -298,13 +246,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - grants/finalizers
   verbs:
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - grants/status
   verbs:
@@ -312,7 +260,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - mariadbs
   verbs:
@@ -324,13 +272,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - mariadbs/finalizers
   verbs:
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - mariadbs/status
   verbs:
@@ -338,33 +286,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
-  resources:
-  - maxscales
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - maxscales/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - maxscales/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - k8s.mariadb.com
   resources:
   - restores
   verbs:
@@ -376,13 +298,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - restores/finalizers
   verbs:
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - restores/status
   verbs:
@@ -390,7 +312,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - sqljobs
   verbs:
@@ -402,13 +324,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - sqljobs/finalizers
   verbs:
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - sqljobs/status
   verbs:
@@ -416,7 +338,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - users
   verbs:
@@ -428,13 +350,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - users/finalizers
   verbs:
   - update
 - apiGroups:
-  - k8s.mariadb.com
+  - mariadb.mmontes.io
   resources:
   - users/status
   verbs:
@@ -509,4 +431,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "mariadb-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{- end }}
+{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-certificate.yaml

@@ -1,5 +1,4 @@
-{{ if .Values.webhook.cert.certManager.enabled }}
+{{ if .Values.webhook.certificate.certManager }}
-{{ if not .Values.webhook.cert.certManager.issuerRef }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -8,7 +7,6 @@ metadata:
     {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
   selfSigned: {}
-{{ end }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -17,33 +15,11 @@ metadata:
   labels:
     {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
-  commonName: {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
   dnsNames:
-    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
+    - {{ include "mariadb-operator-webhook.subjectName" . }}
-    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+    - {{ include "mariadb-operator-webhook.altName" . }}
-    - {{ include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}
-    - {{ include "mariadb-operator.fullname" . }}-webhook
   issuerRef:
-  {{- if .Values.webhook.cert.certManager.issuerRef -}}
-    {{ toYaml .Values.webhook.cert.certManager.issuerRef | nindent 4 }}
-  {{- else }}
     kind: Issuer
     name: {{ include "mariadb-operator.fullname" . }}-selfsigned-issuer
-  {{- end }}
-  {{- with .Values.webhook.cert.certManager.duration }}
-  duration: {{ . | quote }}
-  {{- end }}
-  {{- with .Values.webhook.cert.certManager.renewBefore }}
-  renewBefore: {{ . | quote }}
-  {{- end }}
   secretName: {{ include "mariadb-operator.fullname" . }}-webhook-cert
-  secretTemplate:
+{{ end }}
-    {{- with .Values.webhook.cert.secretLabels }}
-    labels:
-      {{- toYaml . | nindent 6 }}
-    {{- end }}
-    {{- with .Values.webhook.cert.secretAnnotations }}
-    annotations:
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
-{{ end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-config.yaml

@@ -1,4 +1,30 @@
 {{ $fullName := include "mariadb-operator.fullname" . }}
+{{ $subjectName := include "mariadb-operator-webhook.subjectName" . }}
+{{ $altNames := list }}
+{{ $altNames := append $altNames $subjectName }}
+{{ $altNames := append $altNames (include "mariadb-operator-webhook.altName" . ) }}
+{{ $ca := genCA $fullName (.Values.webhook.certificate.default.caExpirationDays | int) }}
+{{ $cert := genSignedCert $subjectName nil $altNames (.Values.webhook.certificate.default.certExpirationDays | int) $ca }}
+{{ if not .Values.webhook.certificate.certManager }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: {{ $fullName }}-webhook-default-cert
+  labels:
+    {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
+  annotations:
+    {{ with .Values.webhook.certificate.default.hook }}
+    helm.sh/hook: {{ . }}
+    {{ end }}
+    {{ with .Values.webhook.certificate.default.annotations }}
+    {{ toYaml . | nindent 4 }}
+    {{ end }}
+data:
+  tls.crt: {{ $cert.Cert | b64enc }}
+  tls.key: {{ $cert.Key | b64enc }} 
+{{ end }}
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -6,11 +32,12 @@ metadata:
   labels:
     {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
   annotations:
-    {{- if .Values.webhook.cert.certManager.enabled }}
+    {{ if .Values.webhook.certificate.certManager }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
-    {{- else }}
+    {{ end }}
-    k8s.mariadb.com/webhook: ""
+    {{ with .Values.webhook.certificate.default.hook }}
-    {{- end }}
+    helm.sh/hook: {{ . }}
+    {{ end }}
     {{ with .Values.webhook.annotations }}
     {{ toYaml . | indent 4 }}
     {{ end }}
@@ -21,12 +48,15 @@ webhooks:
     service:
       name: {{ $fullName }}-webhook
       namespace: {{ .Release.Namespace }}
-      path: /mutate-k8s-mariadb-com-v1alpha1-mariadb
+      path: /mutate-mariadb-mmontes-io-v1alpha1-mariadb
+    {{ if not .Values.webhook.certificate.certManager }}
+    caBundle: {{ $ca.Cert | b64enc }}
+    {{ end }}
   failurePolicy: Fail
   name: mmariadb.kb.io
   rules:
   - apiGroups:
-    - k8s.mariadb.com
+    - mariadb.mmontes.io
     apiVersions:
     - v1alpha1
     operations:
@@ -43,11 +73,12 @@ metadata:
   labels:
     {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
   annotations:
-    {{- if .Values.webhook.cert.certManager.enabled }}
+    {{ if .Values.webhook.certificate.certManager }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
-    {{- else }}
+    {{ end }}
-    k8s.mariadb.com/webhook: ""
+    {{ with .Values.webhook.certificate.default.hook }}
-    {{- end }}
+    helm.sh/hook: {{ . }}
+    {{ end }}
     {{ with .Values.webhook.annotations }}
     {{ toYaml . | indent 4 }}
     {{ end }}
@@ -58,12 +89,15 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-backup
+        path: /validate-mariadb-mmontes-io-v1alpha1-backup
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
     failurePolicy: Fail
     name: vbackup.kb.io
     rules:
       - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
         apiVersions:
           - v1alpha1
         operations:
@@ -78,12 +112,15 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-connection
+        path: /validate-mariadb-mmontes-io-v1alpha1-connection
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
     failurePolicy: Fail
     name: vconnection.kb.io
     rules:
       - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
         apiVersions:
           - v1alpha1
         operations:
@@ -98,12 +135,15 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-database
+        path: /validate-mariadb-mmontes-io-v1alpha1-database
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
     failurePolicy: Fail
     name: vdatabase.kb.io
     rules:
       - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
         apiVersions:
           - v1alpha1
         operations:
@@ -118,12 +158,15 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-grant
+        path: /validate-mariadb-mmontes-io-v1alpha1-grant
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
     failurePolicy: Fail
     name: vgrant.kb.io
     rules:
       - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
         apiVersions:
           - v1alpha1
         operations:
@@ -138,12 +181,15 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-mariadb
+        path: /validate-mariadb-mmontes-io-v1alpha1-mariadb
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
     failurePolicy: Fail
     name: vmariadb.kb.io
     rules:
       - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
         apiVersions:
           - v1alpha1
         operations:
@@ -152,38 +198,21 @@ webhooks:
         resources:
           - mariadbs
     sideEffects: None
-  - admissionReviewVersions:
-    - v1
-    clientConfig:
-      service:
-        name: {{ $fullName }}-webhook
-        namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-maxscale
-    failurePolicy: Fail
-    name: vmaxscale.kb.io
-    rules:
-    - apiGroups:
-      - k8s.mariadb.com
-      apiVersions:
-      - v1alpha1
-      operations:
-      - CREATE
-      - UPDATE
-      resources:
-      - maxscales
-    sideEffects: None
   - admissionReviewVersions:
       - v1
     clientConfig:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-restore
+        path: /validate-mariadb-mmontes-io-v1alpha1-restore
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
     failurePolicy: Fail
     name: vrestore.kb.io
     rules:
       - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
         apiVersions:
           - v1alpha1
         operations:
@@ -198,12 +227,15 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-sqljob
+        path: /validate-mariadb-mmontes-io-v1alpha1-sqljob
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
     failurePolicy: Fail
     name: vsqljob.kb.io
     rules:
       - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
         apiVersions:
           - v1alpha1
         operations:
@@ -218,12 +250,15 @@ webhooks:
       service:
         name: {{ $fullName }}-webhook
         namespace: {{ .Release.Namespace }}
-        path: /validate-k8s-mariadb-com-v1alpha1-user
+        path: /validate-mariadb-mmontes-io-v1alpha1-user
+      {{ if not .Values.webhook.certificate.certManager }}
+      caBundle: {{ $ca.Cert | b64enc }}
+      {{ end }}
     failurePolicy: Fail
     name: vuser.kb.io
     rules:
       - apiGroups:
-          - k8s.mariadb.com
+          - mariadb.mmontes.io
         apiVersions:
           - v1alpha1
         operations:

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-deployment.yaml

@@ -1,14 +1,10 @@
-{{ $fullName := include "mariadb-operator.fullname" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ $fullName }}-webhook
+  name: {{ include "mariadb-operator.fullname" . }}-webhook
   labels:
     {{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
 spec:
-  {{ if .Values.webhook.ha.enabled }}
-  replicas: {{ .Values.webhook.ha.replicas}}
-  {{ end }}
   selector:
     matchLabels:
       {{ include "mariadb-operator-webhook.selectorLabels" . | nindent 6 }}
@@ -50,18 +46,12 @@ spec:
           name: webhook
           args:
             - webhook
-            {{- if .Values.webhook.cert.certManager.enabled }}
+            - --cert-dir={{ .Values.webhook.certificate.path }}
-            - --ca-cert-path={{ .Values.webhook.cert.path }}/ca.crt
-            {{- else }}
-            - --ca-cert-path={{ .Values.webhook.cert.caPath }}/tls.crt
-            {{- end }}
-            - --cert-dir={{ .Values.webhook.cert.path }}
-            - --dns-name={{ $fullName }}-webhook.{{ .Release.Namespace }}.svc
             - --port={{ .Values.webhook.port }}
             - --metrics-addr=:8080
             - --health-addr=:8081
             - --log-level={{ .Values.logLevel }}
-            {{- range .Values.webhook.extrArgs }}
+            {{- range .Values.extrArgs }}
             - {{ . }}
             {{- end }}
           ports:
@@ -75,12 +65,7 @@ spec:
               protocol: TCP
               name: health
           volumeMounts:
-            {{- if not .Values.webhook.cert.certManager.enabled }}
+            - mountPath: {{ .Values.webhook.certificate.path }}
-            - mountPath: {{ .Values.webhook.cert.caPath }}
-              name: ca
-              readOnly: true
-            {{- end }}
-            - mountPath: {{ .Values.webhook.cert.path }}
               name: cert
               readOnly: true
           {{- if .Values.webhook.extraVolumeMounts }}
@@ -88,10 +73,22 @@ spec:
           {{- end }}
           readinessProbe:
             httpGet:
-              path: /readyz
+              path: /healthz
               port: 8081
-            initialDelaySeconds: 20
+            initialDelaySeconds: 5
-            periodSeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          startupProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
           {{ with .Values.webhook.resources }}
           resources:
             {{ toYaml . | nindent 12 }}
@@ -101,16 +98,10 @@ spec:
             {{ toYaml . | nindent 12 }}
           {{ end }}
       volumes:
-        {{- if not .Values.webhook.cert.certManager.enabled }}
-        - name: ca
-          secret:
-            defaultMode: 420
-            secretName: {{ $fullName }}-webhook-ca
-        {{- end }}
         - name: cert
           secret:
             defaultMode: 420
-            secretName: {{ $fullName }}-webhook-cert
+            secretName: {{ include "mariadb-operator-webhook.certificate" . }}
       {{- if .Values.webhook.extraVolumes }}
       {{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
       {{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-secret.yaml

@@ -1,25 +0,0 @@
-{{- if not .Values.webhook.cert.certManager.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-webhook-ca
-  labels:
-    {{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
-    mariadb-operator.io/component: webhook
-  {{- with .Values.webhook.cert.secretAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "mariadb-operator.fullname" . }}-webhook-cert
-  labels:
-    {{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
-    mariadb-operator.io/component: webhook
-  {{- with .Values.webhook.cert.secretAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/values.yaml

@@ -19,9 +19,11 @@ ha:
   enabled: false
   # -- Number of replicas
   replicas: 3
+  # -- Lease resource name to be used for leader election
+  leaseId: mariadb.mmontes.io
 
 metrics:
-  # -- Enable operator internal metrics. Prometheus must be installed in the cluster
+  # -- Enable prometheus metrics. Prometheus must be installed in the cluster
   enabled: false
   serviceMonitor:
     # -- Enable controller ServiceMonitor
@@ -54,9 +56,6 @@ rbac:
 # -- Extra arguments to be passed to the controller entrypoint
 extrArgs: []
 
-# -- Extra environment variables to be passed to the controller
-extraEnv: []
-
 # -- Extra volumes to pass to pod.
 extraVolumes: []
 
@@ -88,37 +87,31 @@ tolerations: []
 affinity: {}
 
 webhook:
+  # -- Annotations for webhook configurations.
+  annotations: {}
   image:
     repository: ghcr.io/mariadb-operator/mariadb-operator
     pullPolicy: IfNotPresent
     # -- Image tag to use. By default the chart appVersion is used
     tag: ""
   imagePullSecrets: []
-  ha:
+  certificate:
-    # -- Enable high availability
+    # -- Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used.
-    enabled: false
+    certManager: false
-    # -- Number of replicas
+    # -- Default certificate generated when the chart is installed or upgraded.
-    replicas: 3
+    default:
-  cert:
+      # -- Certificate authority expiration in days.
-    certManager:
+      caExpirationDays: 365
-      # -- Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead.
+      # -- Certificate expiration in days.
-      enabled: false
+      certExpirationDays: 365
-      # -- Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used.
+      # -- Annotations for certificate Secret.
-      issuerRef: {}
+      annotations: {}
-       # -- Duration to be used in the Certificate resource,
+      # -- Helm hook to be added to the default certificate.
-      duration: ""
+      hook: ""
-       # -- Renew before duration to be used in the Certificate resource.
-      renewBefore: ""
-    # -- Annotatioms to be added to webhook TLS secret.
-    secretAnnotations: {}
-    # -- Labels to be added to webhook TLS secret.
-    secretLabels: {}
-    # -- Path where the CA certificate will be mounted.
-    caPath: /tmp/k8s-webhook-server/certificate-authority
     # -- Path where the certificate will be mounted.
     path: /tmp/k8s-webhook-server/serving-certs
   # -- Port to be used by the webhook server
-  port: 9443
+  port: 10250
   # -- Expose the webhook server in the host network
   hostNetwork: false
   serviceMonitor:
@@ -143,8 +136,6 @@ webhook:
     # -- The name of the service account to use.
     # If not set and enabled is true, a name is generated using the fullname template
     name: ""
-  # -- Annotations for webhook configurations.
-  annotations: {}
   # -- Extra arguments to be passed to the webhook entrypoint
   extrArgs: []
   # -- Extra volumes to pass to webhook Pod
@@ -168,71 +159,3 @@ webhook:
   tolerations: []
   # -- Affinity to add to controller Pod
   affinity: {}
-
-certController:
-  # -- Specifies whether the cert-controller should be created.
-  enabled: true
-  image:
-    repository: ghcr.io/mariadb-operator/mariadb-operator
-    pullPolicy: IfNotPresent
-    # -- Image tag to use. By default the chart appVersion is used
-    tag: ""
-  imagePullSecrets: []
-  ha:
-    # -- Enable high availability
-    enabled: false
-    # -- Number of replicas
-    replicas: 3
-  # -- CA certificate validity. It must be greater than certValidity.
-  caValidity: 35064h
-  # -- Certificate validity.
-  certValidity: 8766h
-  # -- Duration used to verify whether a certificate is valid or not.
-  lookaheadValidity: 2160h
-  # -- Requeue duration to ensure that certificate gets renewed.
-  requeueDuration: 5m
-  serviceMonitor:
-    # -- Enable cert-controller ServiceMonitor. Metrics must be enabled
-    enabled: true
-    # -- Labels to be added to the cert-controller ServiceMonitor
-    additionalLabels: {}
-    # release: kube-prometheus-stack
-    # --  Interval to scrape metrics
-    interval: 30s
-    # -- Timeout if metrics can't be retrieved in given time interval
-    scrapeTimeout: 25s
-  serviceAccount:
-    # -- Specifies whether a service account should be created
-    enabled: true
-    # -- Automounts the service account token in all containers of the Pod
-    automount: true
-    # -- Annotations to add to the service account
-    annotations: {}
-    # -- Extra Labels to add to the service account
-    extraLabels: {}
-    # -- The name of the service account to use.
-    # If not set and enabled is true, a name is generated using the fullname template
-    name: ""
-  # -- Extra arguments to be passed to the cert-controller entrypoint
-  extrArgs: []
-  # -- Extra volumes to pass to cert-controller Pod
-  extraVolumes: []
-  # -- Extra volumes to mount to cert-controller container
-  extraVolumeMounts: []
-  # -- Annotations to add to cert-controller Pod
-  podAnnotations: {}
-  # -- Security context to add to cert-controller Pod
-  podSecurityContext: {}
-  # -- Security context to add to cert-controller container
-  securityContext: {}
-  # -- Resources to add to cert-controller container
-  resources: {}
-  # requests:
-  #   cpu: 10m
-  #   memory: 32Mi
-  # -- Node selectors to add to controller Pod
-  nodeSelector: {}
-  # -- Tolerations to add to controller Pod
-  tolerations: []
-  # -- Affinity to add to controller Pod
-  affinity: {}

packages/system/piraeus-operator/charts/piraeus/Chart.yaml

@@ -3,8 +3,8 @@ name: piraeus
 description: |
   The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
 type: application
-version: 2.4.1
+version: 2.3.0
-appVersion: "v2.4.1"
+appVersion: "v2.3.0"
 maintainers:
   - name: Piraeus Datastore
     url: https://piraeus.io

packages/system/piraeus-operator/charts/piraeus/templates/config.yaml

@@ -17,19 +17,19 @@ data:
     #   quay.io/piraeusdatastore/piraeus-server:v1.24.2
     components:
       linstor-controller:
-        tag: v1.26.2
+        tag: v1.25.1
         image: piraeus-server
       linstor-satellite:
-        tag: v1.26.2
+        tag: v1.25.1
         image: piraeus-server
       linstor-csi:
-        tag: v1.4.0
+        tag: v1.3.0
         image: piraeus-csi
       drbd-reactor:
         tag: v1.4.0
         image: drbd-reactor
       ha-controller:
-        tag: v1.2.0
+        tag: v1.1.4
         image: piraeus-ha-controller
       drbd-shutdown-guard:
         tag: v1.0.0
@@ -38,7 +38,7 @@ data:
         tag: v0.10
         image: ktls-utils
       drbd-module-loader:
-        tag: v9.2.8
+        tag: v9.2.6
         # The special "match" attribute is used to select an image based on the node's reported OS.
         # The operator will first check the k8s node's ".status.nodeInfo.osImage" field, and compare it against the list
         # here. If one matches, that specific image name will be used instead of the fallback image.
@@ -54,18 +54,12 @@ data:
             image: drbd9-almalinux8
           - osImage: AlmaLinux 9
             image: drbd9-almalinux9
-          - osImage: Rocky Linux 8
-            image: drbd9-almalinux8
-          - osImage: Rocky Linux 9
-            image: drbd9-almalinux9
           - osImage: Ubuntu 18\.04
             image: drbd9-bionic
           - osImage: Ubuntu 20\.04
             image: drbd9-focal
           - osImage: Ubuntu 22\.04
             image: drbd9-jammy
-          - osImage: Debian GNU/Linux 12
-            image: drbd9-bookworm
           - osImage: Debian GNU/Linux 11
             image: drbd9-bullseye
           - osImage: Debian GNU/Linux 10
@@ -75,25 +69,25 @@ data:
     base: registry.k8s.io/sig-storage
     components:
       csi-attacher:
-        tag: v4.5.0
+        tag: v4.4.2
         image: csi-attacher
       csi-livenessprobe:
-        tag: v2.12.0
+        tag: v2.11.0
         image: livenessprobe
       csi-provisioner:
-        tag: v4.0.0
+        tag: v3.6.2
         image: csi-provisioner
       csi-snapshotter:
-        tag: v7.0.1
+        tag: v6.3.2
         image: csi-snapshotter
       csi-resizer:
-        tag: v1.10.0
+        tag: v1.9.2
         image: csi-resizer
       csi-external-health-monitor-controller:
-        tag: v0.11.0
+        tag: v0.10.0
         image: csi-external-health-monitor-controller
       csi-node-driver-registrar:
-        tag: v2.10.0
+        tag: v2.9.1
         image: csi-node-driver-registrar
   {{- range $idx, $value := .Values.imageConfigOverride }}
   {{ add $idx 1 }}_helm_override.yaml: |

packages/system/piraeus-operator/charts/piraeus/templates/validating-webhook-configuration.yaml

@@ -152,27 +152,3 @@ webhooks:
     resources:
     - linstorsatelliteconfigurations
   sideEffects: None
-- admissionReviewVersions:
-    - v1
-  clientConfig:
-    service:
-      name: '{{ include "piraeus-operator.fullname" . }}-webhook-service'
-      namespace: '{{ .Release.Namespace }}'
-      path: /validate-storage-k8s-io-v1-storageclass
-    {{- if not .Values.tls.certManagerIssuerRef }}
-    caBundle: {{ $ca }}
-    {{- end }}
-  failurePolicy: {{ .Values.webhook.failurePolicy }}
-  timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
-  name: vstorageclass.kb.io
-  rules:
-    - apiGroups:
-        - storage.k8s.io
-      apiVersions:
-        - v1
-      operations:
-        - CREATE
-        - UPDATE
-      resources:
-        - storageclasses
-  sideEffects: None

scripts/installer.sh

@@ -1,18 +1,9 @@
 #!/bin/sh
-VERSION=2
 set -o pipefail
 set -e
 
 run_migrations() {
-  if ! kubectl get configmap -n cozy-system cozystack-version; then
+  return 0
-    kubectl create configmap -n cozy-system cozystack-version --from-literal=version="$VERSION" --dry-run=client -o yaml | kubectl create -f-
-  fi
-  current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}') || true
-  until [ "$current_version" = "$VERSION" ]; do
-    echo "run migration: $current_version --> $VERSION"
-    scripts/migrations/$current_version
-    current_version=$(kubectl get configmap -n cozy-system cozystack-version -o jsonpath='{.data.version}')
-  done
 }
 
 flux_is_ok() {
@@ -27,9 +18,6 @@ install_basic_charts() {
 
 cd "$(dirname "$0")/.."
 
-# Run migrations
-run_migrations
-
 # Install namespaces
 make -C packages/core/platform namespaces-apply
 
@@ -38,6 +26,9 @@ if ! flux_is_ok; then
   install_basic_charts
 fi
 
+# Run migrations
+run_migrations
+
 # Reconcile Helm repositories
 kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite
 

scripts/migrations/1

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-if kubectl get -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert; then
-  kubectl annotate -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert meta.helm.sh/release-namespace=cozy-mariadb-operator meta.helm.sh/release-name=mariadb-operator
-  kubectl label -n cozy-mariadb-operator secret/mariadb-operator-webhook-cert app.kubernetes.io/managed-by=Helm
-fi
-
-kubectl create configmap -n cozy-system cozystack-version --from-literal=version=2 --dry-run=client -o yaml | kubectl apply -f-