Positioning Cozystack as framework for building clouds

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.gitignore

@@ -1,3 +1 @@
 _out
-.git
-.idea

README.md

@@ -33,7 +33,7 @@ You can use Cozystack as Kubernetes distribution for Bare Metal
 
 ## Documentation
 
-The documentation is located on official [cozystack.io](https://cozystack.io) website.
+The documentation is located on official [cozystack.io](cozystack.io) website.
 
 Read [Get Started](https://cozystack.io/docs/get-started/) section for a quick start.
 
@@ -44,8 +44,6 @@ If you encounter any difficulties, start with the [troubleshooting guide](https:
 Versioning adheres to the [Semantic Versioning](http://semver.org/) principles.  
 A full list of the available releases is available in the GitHub repository's [Release](https://github.com/aenix-io/cozystack/releases) section.
 
-- [Roadmap](https://github.com/orgs/aenix-io/projects/2)
-
 ## Contributions
 
 Contributions are highly appreciated and very welcomed!

hack/gen_versions_map.sh

@@ -20,28 +20,9 @@ miss_map=$(echo "$new_map" | awk 'NR==FNR { new_map[$1 " " $2] = $3; next } { if
 resolved_miss_map=$(
   echo "$miss_map" | while read chart version commit; do
     if [ "$commit" = HEAD ]; then
-      line=$(awk '/^version:/ {print NR; exit}' "./$chart/Chart.yaml")
+      line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
-      change_commit=$(git --no-pager blame -L"$line",+1 -- "$chart/Chart.yaml" | awk '{print $1}')
+      change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
-       
+      commit=$(git describe --always "$change_commit~1")
-      if [ "$change_commit" = "00000000" ]; then
-        # Not commited yet, use previus commit
-        line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
-        commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
-        if [ $(echo $commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
-          commit=$(echo $commit | cut -c2-)
-        fi
-      else
-        # Commited, but version_map wasn't updated
-        line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
-        change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
-        if [ $(echo $change_commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
-          commit=$(echo $change_commit | cut -c2-)
-        else
-          commit=$(git describe --always "$change_commit~1")
-        fi
-      fi
     fi
     echo "$chart $version $commit"
   done

hack/prepare_release.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+if [ -e $1 ]; then
+  echo "Please pass version in the first argument"
+  echo "Example: $0 v0.0.2"
+  exit 1
+fi
+
+version=$1
+talos_version=$(awk '/^version:/ {print $2}' packages/core/installer/images/talos/profiles/installer.yaml)
+
+set -x
+
+sed -i "/^TAG / s|=.*|= ${version}|" \
+  packages/apps/http-cache/Makefile \
+  packages/apps/kubernetes/Makefile \
+  packages/core/installer/Makefile \
+  packages/system/dashboard/Makefile

manifests/cozystack-installer.yaml

@@ -15,6 +15,13 @@ metadata:
   namespace: cozy-system
 ---
 # Source: cozy-installer/templates/cozystack.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cozystack
+  namespace: cozy-system
+---
+# Source: cozy-installer/templates/cozystack.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -63,7 +70,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.3.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.1.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -82,7 +89,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.3.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.1.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets
@@ -95,6 +102,3 @@ spec:
       - key: "node.kubernetes.io/not-ready"
         operator: "Exists"
         effect: "NoSchedule"
-      - key: "node.cilium.io/agent-not-ready"
-        operator: "Exists"
-        effect: "NoSchedule"

packages/apps/Makefile

@@ -7,7 +7,7 @@ repo:
 	awk '$$3 != "HEAD" {print "mkdir -p $(TMP)/" $$1 "-" $$2}' versions_map | sh -ex
 	awk '$$3 != "HEAD" {print "git archive " $$3 " " $$1 " | tar -xf- --strip-components=1 -C $(TMP)/" $$1 "-" $$2 }' versions_map | sh -ex
 	helm package -d "$(OUT)" $$(find . $(TMP) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")' | sort -V)
-	cd "$(OUT)" && helm repo index . --url http://cozystack.cozy-system.svc/repos/apps
+	cd "$(OUT)" && helm repo index .
 	rm -rf "$(TMP)"
 
 fix-chartnames:

packages/apps/clickhouse/Chart.yaml

@@ -1,25 +0,0 @@
-apiVersion: v2
-name: clickhouse
-description: Managed ClickHouse service
-icon: https://cdn.worldvectorlogo.com/logos/clickhouse.svg
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "24.3.0"

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -1,36 +0,0 @@
-apiVersion: "clickhouse.altinity.com/v1"
-kind: "ClickHouseInstallation"
-metadata:
-  name: "{{ .Release.Name }}"
-spec:
-  {{- with .Values.size }}
-  defaults:
-    templates:
-      dataVolumeClaimTemplate: data-volume-template
-  {{- end }}
-  configuration:
-    {{- with .Values.users }}
-    users:
-      {{- range $name, $u := . }}
-      {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
-      {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
-      {{- end }}
-    {{- end }}
-    profiles:
-      readonly/readonly: "1"
-    clusters:
-      - name: "clickhouse"
-        layout:
-          shardsCount: {{ .Values.shards }}
-          replicasCount: {{ .Values.replicas }}
-  {{- with .Values.size }}
-  templates:
-    volumeClaimTemplates:
-      - name: data-volume-template
-        spec:
-          accessModes:
-            - ReadWriteOnce
-          resources:
-            requests:
-              storage: {{ . }}
-  {{- end }}

packages/apps/clickhouse/values.yaml

@@ -1,10 +0,0 @@
-size: 10Gi
-shards: 1
-replicas: 2
-
-users:
-  user1:
-    password: strongpassword
-  user2:
-    readonly: true
-    password: hackme

packages/apps/http-cache/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.25.3"
+appVersion: "1.16.0"

packages/apps/http-cache/Makefile

@@ -1,20 +1,22 @@
+PUSH := 1
+LOAD := 0
+REGISTRY := ghcr.io/aenix-io/cozystack
 NGINX_CACHE_TAG = v0.1.0
-
+TAG := v0.1.0
-include ../../../scripts/common-envs.mk
 
 image: image-nginx
 
 image-nginx:
 	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/nginx-cache \
 		--provenance false \
-		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)) \
+		--tag $(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG) \
-		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)-$(TAG)) \
+		--tag $(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG)-$(TAG) \
-		--cache-from type=registry,ref=$(REGISTRY)/nginx-cache:latest \
+		--cache-from type=registry,ref=$(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG) \
 		--cache-to type=inline \
 		--metadata-file images/nginx-cache.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG))" > images/nginx-cache.tag
+	echo "$(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG)" > images/nginx-cache.tag
 
 update:
 	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/chrislim2888/IP2Location-C-Library | awk -F'[/^]' 'END{print $$3}') && \

packages/apps/http-cache/images/nginx-cache.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:e406d5ac59cc06bbab51e16ae9a520143ad4f54952ef8f8cca982dc89454d616",
+  "containerimage.config.digest": "sha256:318fd8d0d6f6127387042f6ad150e87023d1961c7c5059dd5324188a54b0ab4e",
-  "containerimage.digest": "sha256:08e5063e65d2adc17278abee0ab43ce31cf37bc9bc7eb7988ef16f1f1c459862"
+  "containerimage.digest": "sha256:e3cf145238e6e45f7f13b9acaea445c94ff29f76a34ba9fa50828401a5a3cc68"
 }

packages/apps/http-cache/templates/haproxy/configmap.yaml

@@ -74,7 +74,7 @@ data:
         option redispatch 1
         default-server observe layer7 error-limit 10 on-error mark-down
 
-        {{- range $i, $e := until (int $.Values.nginx.replicas) }}
+        {{- range $i, $e := until (int $.Values.replicas) }}
         server cache{{ $i }} {{ $.Release.Name }}-nginx-cache-{{ $i }}:80 check
         {{- end }}
         {{- range $i, $e := $.Values.endpoints }} 

packages/apps/http-cache/templates/haproxy/deployment.yaml

@@ -7,7 +7,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.haproxy.replicas }}
+  replicas: 2
   selector:
     matchLabels:
       app: {{ .Release.Name }}-haproxy

packages/apps/http-cache/templates/nginx/deployment.yaml

@@ -11,7 +11,7 @@ spec:
   selector:
     matchLabels:
       app: {{ $.Release.Name }}-nginx-cache
-{{- range $i := until (int $.Values.nginx.replicas) }}
+{{- range $i := until 3 }}
 ---
 apiVersion: apps/v1
 kind: Deployment

packages/apps/http-cache/values.yaml

@@ -1,10 +1,4 @@
 external: false
-
-haproxy:
-  replicas: 2
-nginx:
-  replicas: 2
-
 size: 10Gi
 endpoints:
   - 10.100.3.1:80

packages/apps/kafka/Chart.yaml

@@ -1,25 +0,0 @@
-apiVersion: v2
-name: kafka
-description: Managed Kafka service
-icon: https://upload.wikimedia.org/wikipedia/commons/0/05/Apache_kafka.svg
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "3.7.0"

packages/apps/kafka/templates/kafka.yaml

@@ -1,53 +0,0 @@
-apiVersion: kafka.strimzi.io/v1beta2
-kind: Kafka
-metadata:
-  name: {{ .Release.Name }}
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  kafka:
-    replicas: {{ .Values.replicas }}
-    listeners:
-      - name: plain
-        port: 9092
-        type: internal
-        tls: false
-      - name: tls
-        port: 9093
-        type: internal
-        tls: true
-      - name: external
-        port: 9094
-        {{- if .Values.external }}
-        type: loadbalancer
-        {{- else }}
-        type: internal
-        {{- end }}
-        tls: false
-    config:
-      offsets.topic.replication.factor: 3
-      transaction.state.log.replication.factor: 3
-      transaction.state.log.min.isr: 2
-      default.replication.factor: 3
-      min.insync.replicas: 2
-    storage:
-      type: jbod
-      volumes:
-      - id: 0
-        type: persistent-claim
-        {{- with .Values.kafka.size }}
-        size: {{ . }}
-        {{- end }}
-        deleteClaim: true
-  zookeeper:
-    replicas: {{ .Values.replicas }}
-    storage:
-      type: persistent-claim
-      {{- with .Values.zookeeper.size }}
-      size: {{ . }}
-      {{- end }}
-      deleteClaim: false
-  entityOperator:
-    topicOperator: {}
-    userOperator: {}

packages/apps/kafka/templates/topics.yaml

@@ -1,17 +0,0 @@
-{{- range $topic := .Values.topics }}
----
-apiVersion: kafka.strimzi.io/v1beta2
-kind: KafkaTopic
-metadata:
-  name: "{{ $.Release.Name }}-{{ kebabcase $topic.name }}"
-  labels:
-    strimzi.io/cluster: "{{ $.Release.Name }}"
-spec:
-  topicName: "{{ $topic.name }}"
-  partitions: 10
-  replicas: 3
-  {{- with $topic.config }}
-  config:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

packages/apps/kafka/values.yaml

@@ -1,22 +0,0 @@
-external: false
-kafka:
-  size: 10Gi
-  replicas: 3
-zookeeper:
-  size: 5Gi
-  replicas: 3
-
-topics:
-  - name: Results
-    partitions: 1
-    replicas: 3
-    config:
-      min.insync.replicas: 2
-  - name: Orders
-    config:
-      cleanup.policy: compact
-      segment.ms: 3600000
-      max.compaction.lag.ms: 5400000
-      min.insync.replicas: 2
-    partitions: 1
-    replicationFactor: 3

packages/apps/kubernetes/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.19.0"
+appVersion: "1.16.0"

packages/apps/kubernetes/Makefile

@@ -1,17 +1,19 @@
+PUSH := 1
+LOAD := 0
+REGISTRY := ghcr.io/aenix-io/cozystack
+TAG := v0.1.0
 UBUNTU_CONTAINER_DISK_TAG = v1.29.1
 
-include ../../../scripts/common-envs.mk
-
 image: image-ubuntu-container-disk
 
 image-ubuntu-container-disk:
 	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/ubuntu-container-disk \
 		--provenance false \
-		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG)) \
+		--tag $(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG) \
-		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG)-$(TAG)) \
+		--tag $(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG)-$(TAG) \
-		--cache-from type=registry,ref=$(REGISTRY)/ubuntu-container-disk:latest \
+		--cache-from type=registry,ref=$(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG) \
 		--cache-to type=inline \
 		--metadata-file images/ubuntu-container-disk.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG))" > images/ubuntu-container-disk.tag
+	echo "$(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG)" > images/ubuntu-container-disk.tag

packages/apps/kubernetes/images/ubuntu-container-disk.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:62baab666445d76498fb14cc1d0865fc82e4bdd5cb1d7ba80475dc5024184622",
+  "containerimage.config.digest": "sha256:ee8968be63c7c45621ec45f3687211e0875acb24e8d9784e8d2ebcbf46a3538c",
-  "containerimage.digest": "sha256:9363d717f966f4e7927da332eaaf17401b42203a2fcb493b428f94d096dae3a5"
+  "containerimage.digest": "sha256:16c3c07e74212585786dc1f1ae31d3ab90a575014806193e8e37d1d7751cb084"
 }

packages/apps/kubernetes/templates/cluster.yaml

@@ -64,13 +64,12 @@ metadata:
     cluster.x-k8s.io/managed-by: kamaji
   name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
-{{- range $groupName, $group := .Values.nodeGroups }}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
 kind: KubeadmConfigTemplate
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
+  name: {{ .Release.Name }}-md-0
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
 spec:
   template:
     spec:
@@ -79,7 +78,7 @@ spec:
           kubeletExtraArgs: {}
         discovery:
           bootstrapToken:
-            apiServerEndpoint: {{ $.Release.Name }}.{{ $.Release.Namespace }}.svc:6443
+            apiServerEndpoint: {{ .Release.Name }}.{{ .Release.Namespace }}.svc:6443
       initConfiguration:
         skipPhases:
         - addon/kube-proxy
@@ -87,8 +86,8 @@ spec:
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtMachineTemplate
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
+  name: {{ .Release.Name }}-md-0
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
 spec:
   template:
     spec:
@@ -96,7 +95,7 @@ spec:
         checkStrategy: ssh
       virtualMachineTemplate:
         metadata:
-          namespace: {{ $.Release.Namespace }}
+          namespace: {{ .Release.Namespace }}
         spec:
           runStrategy: Always
           template:
@@ -104,7 +103,7 @@ spec:
               domain:
                 cpu:
                   threads: 1
-                  cores: {{ $group.resources.cpu }}
+                  cores: 2
                   sockets: 1
                 devices:
                   disks:
@@ -113,7 +112,7 @@ spec:
                     name: containervolume
                   networkInterfaceMultiqueue: true
                 memory:
-                  guest: {{ $group.resources.memory }}
+                  guest: 1024Mi
               evictionStrategy: External
               volumes:
               - containerDisk:
@@ -123,28 +122,29 @@ spec:
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
+  name: {{ .Release.Name }}-md-0
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
   annotations:
-    cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "{{ $group.minReplicas }}"
+    cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "2"
-    cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "{{ $group.maxReplicas }}"
+    cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "0"
-    capacity.cluster-autoscaler.kubernetes.io/memory: "{{ $group.resources.memory }}"
+    capacity.cluster-autoscaler.kubernetes.io/memory: "1024Mi"
-    capacity.cluster-autoscaler.kubernetes.io/cpu: "{{ $group.resources.cpu }}"
+    capacity.cluster-autoscaler.kubernetes.io/cpu: "2"
 spec:
-  clusterName: {{ $.Release.Name }}
+  clusterName: {{ .Release.Name }}
+  selector:
+    matchLabels: null
   template:
     spec:
       bootstrap:
         configRef:
           apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
           kind: KubeadmConfigTemplate
-          name: {{ $.Release.Name }}-{{ $groupName }}
+          name: {{ .Release.Name }}-md-0
           namespace: default
-      clusterName: {{ $.Release.Name }}
+      clusterName: {{ .Release.Name }}
       infrastructureRef:
         apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
         kind: KubevirtMachineTemplate
-        name: {{ $.Release.Name }}-{{ $groupName }}
+        name: {{ .Release.Name }}-md-0
         namespace: default
-      version: v1.29.0
+      version: v1.23.10
-{{- end }}

packages/apps/kubernetes/values.schema.json

@@ -0,0 +1,11 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "properties": {
+    "host": {
+      "type": "string",
+      "title": "Domain name for this kubernetes cluster",
+      "description": "This host will be used for all apps deployed in this tenant"
+    }
+  }
+}

packages/apps/kubernetes/values.yaml

@@ -1,10 +1 @@
 host: ""
-controlPlane:
-  replicas: 2
-nodeGroups:
-  md0:
-    minReplicas: 0
-    maxReplicas: 10
-    resources:
-      cpu: 2
-      memory: 1024Mi

packages/apps/mysql/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "11.0.2"
+appVersion: "1.16.0"

packages/apps/mysql/templates/db.yaml

@@ -1,7 +1,7 @@
 {{- range $name := .Values.databases }}
 {{ $dnsName := replace "_" "-" $name }}
 ---
-apiVersion: k8s.mariadb.com/v1alpha1
+apiVersion: mariadb.mmontes.io/v1alpha1
 kind: Database
 metadata:
   name: {{ $.Release.Name }}-{{ $dnsName }}

packages/apps/mysql/templates/mariadb.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: k8s.mariadb.com/v1alpha1
+apiVersion: mariadb.mmontes.io/v1alpha1
 kind: MariaDB
 metadata:
   name: {{ .Release.Name }}
@@ -12,7 +12,7 @@ spec:
 
   port: 3306
 
-  replicas: {{ .Values.replicas }}
+  replicas: 2
   affinity:
     podAntiAffinity:
       requiredDuringSchedulingIgnoredDuringExecution:
@@ -28,18 +28,15 @@ spec:
             - {{ .Release.Name }}
         topologyKey: "kubernetes.io/hostname"
 
-  {{- if gt (int .Values.replicas) 1 }}
   replication:
     enabled: true
     #primary:
     #  podIndex: 0
     #  automaticFailover: true
-  {{- end }}
 
   metrics:
-    enabled: true
     exporter:
-      image: prom/mysqld-exporter:v0.15.1
+      image: prom/mysqld-exporter:v0.14.0
       resources:
         requests:
           cpu: 50m
@@ -56,10 +53,14 @@ spec:
     name: {{ .Release.Name }}-my-cnf
     key: config
 
-  storage:
+  volumeClaimTemplate:
-    size: {{ .Values.size }}
+    resources:
-    resizeInUseVolumes: true
+      requests:
-    waitForVolumeResize: true
+        storage: {{ .Values.size }}
+    accessModes:
+      - ReadWriteOnce
+
+
 
   {{- if .Values.external }}
   primaryService:

packages/apps/mysql/templates/user.yaml

@@ -2,7 +2,7 @@
 {{ if not (eq $name "root") }}
 {{ $dnsName := replace "_" "-" $name }}
 ---
-apiVersion: k8s.mariadb.com/v1alpha1
+apiVersion: mariadb.mmontes.io/v1alpha1
 kind: User
 metadata:
   name: {{ $.Release.Name }}-{{ $dnsName }}
@@ -15,7 +15,7 @@ spec:
     key: {{ $name }}-password
   maxUserConnections: {{ $u.maxUserConnections }}
 ---
-apiVersion: k8s.mariadb.com/v1alpha1
+apiVersion: mariadb.mmontes.io/v1alpha1
 kind: Grant
 metadata:
   name: {{ $.Release.Name }}-{{ $dnsName }}

packages/apps/mysql/values.yaml

@@ -1,8 +1,6 @@
 external: false
 size: 10Gi
 
-replicas: 2
-
 users:
   root:
     password: strongpassword

packages/apps/postgres/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "16.2"
+appVersion: "1.16.0"

packages/apps/postgres/templates/db.yaml

@@ -4,7 +4,7 @@ kind: Cluster
 metadata:
   name: {{ .Release.Name }}
 spec:
-  instances: {{ .Values.replicas }}
+  instances: 2
   enableSuperuserAccess: true
 
   postgresql:

packages/apps/postgres/values.yaml

@@ -1,6 +1,5 @@
 external: false
 size: 10Gi
-replicas: 2
 
 users:
   user1:

packages/apps/rabbitmq/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.12.2"
+appVersion: "1.16.0"

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.replicas }}
+  replicas: 3
   {{- if .Values.external }}
   service:
     type: LoadBalancer

packages/apps/rabbitmq/values.schema.json

@@ -5,10 +5,6 @@
     "external": {
       "type": "boolean",
       "title": "Enable external Access"
-    },
-    "replicas": {
-      "type": "integer",
-      "title": "Replicas"
     }
   }
 }

packages/apps/rabbitmq/values.yaml

@@ -1,2 +1 @@
-replicas: 3
 external: false

packages/apps/redis/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "6.2.6"
+appVersion: "1.16.0"

packages/apps/redis/templates/redisfailover.yaml

@@ -14,7 +14,7 @@ spec:
       limits:
         memory: 100Mi
   redis:
-    replicas: {{ .Values.replicas }}
+    replicas: 3
     resources:
       requests:
         cpu: 150m

packages/apps/redis/values.schema.json

@@ -9,10 +9,6 @@
     "size": {
       "type": "string",
       "title": "Disk Size"
-    },
-    "replicas": {
-      "type": "integer",
-      "title": "Replicas"
     }
   }
 }

packages/apps/redis/values.yaml

@@ -1,3 +1,2 @@
-replicas: 2
 external: false
 size: 5Gi

packages/apps/tcp-balancer/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.9.7"
+appVersion: "1.16.0"

packages/apps/tcp-balancer/templates/deployment.yaml

@@ -7,7 +7,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.replicas }}
+  replicas: 2
   selector:
     matchLabels:
       app: {{ .Release.Name }}-haproxy

packages/apps/tcp-balancer/values.yaml

@@ -1,5 +1,4 @@
 external: false
-replicas: 2
 httpAndHttps:
   mode: tcp
   targetPorts:

packages/apps/versions_map

@@ -1,26 +1,14 @@
-clickhouse 0.1.0 ca79f72
+http-cache 0.1.0 HEAD
-clickhouse 0.2.0 HEAD
+kubernetes 0.1.0 HEAD
-http-cache 0.1.0 a956713
+mysql 0.1.0 HEAD
-http-cache 0.2.0 HEAD
+postgres 0.1.0 HEAD
-kafka 0.1.0 HEAD
+rabbitmq 0.1.0 HEAD
-kubernetes 0.1.0 f642698
+redis 0.1.1 HEAD
-kubernetes 0.2.0 HEAD
+tcp-balancer 0.1.0 HEAD
-mysql 0.1.0 f642698
-mysql 0.2.0 8b975ff0
-mysql 0.3.0 HEAD
-postgres 0.1.0 f642698
-postgres 0.2.0 HEAD
-rabbitmq 0.1.0 f642698
-rabbitmq 0.2.0 HEAD
-redis 0.1.1 f642698
-redis 0.2.0 HEAD
-tcp-balancer 0.1.0 f642698
-tcp-balancer 0.2.0 HEAD
 tenant 0.1.3 3d1b86c
 tenant 0.1.4 d200480
 tenant 0.1.5 e3ab858
 tenant 1.0.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 HEAD
-vpn 0.1.0 f642698
+vpn 0.1.0 HEAD
-vpn 0.2.0 HEAD

packages/apps/vpn/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vpn
-description: Managed VPN service
+description: Establish a connection from your computer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/Outline_VPN_icon.png/600px-Outline_VPN_icon.png
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.8.1"
+appVersion: "1.16.0"

packages/apps/vpn/templates/deployment.yaml

@@ -4,7 +4,7 @@ kind: Deployment
 metadata:
   name: {{ .Release.Name }}-vpn
 spec:
-  replicas: {{ .Values.replicas }}
+  replicas: 2
   selector:
     matchLabels:
       app: {{ .Release.Name }}-vpn

packages/apps/vpn/values.yaml

@@ -1,5 +1,4 @@
 external: false
-replicas: 2
 
 users:
   user1:

packages/core/Makefile

@@ -0,0 +1,4 @@
+gen: fix-chartnames
+	
+fix-chartnames:
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do printf "name: cozy-%s\nversion: 1.0.0\n" "$$i" > "$$i/Chart.yaml"; done

packages/core/fluxcd/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: cozy-fluxcd
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/core/fluxcd/Makefile

@@ -1,13 +0,0 @@
-NAME=fluxcd
-NAMESPACE=cozy-$(NAME)
-
-API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions))
-
-show:
-	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS)
-
-apply:
-	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f-
-
-diff:
-	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-

packages/core/installer/Chart.yaml

@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-installer
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0

packages/core/installer/Makefile

@@ -1,10 +1,11 @@
+NAMESPACE=cozy-installer
 NAME=installer
-NAMESPACE=cozy-system
+PUSH := 1
-
+LOAD := 0
+REGISTRY := ghcr.io/aenix-io/cozystack
+TAG := v0.1.0
 TALOS_VERSION=$(shell awk '/^version:/ {print $$2}' images/talos/profiles/installer.yaml)
 
-include ../../../scripts/common-envs.mk
-
 show:
 	helm template -n $(NAMESPACE) $(NAME) .
 
@@ -20,40 +21,39 @@ update:
 image: image-cozystack image-talos image-matchbox
 
 image-cozystack:
-	make -C ../../.. repos
 	docker buildx build -f images/cozystack/Dockerfile ../../.. \
 		--provenance false \
-		--tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \
+		--tag $(REGISTRY)/cozystack:$(TAG) \
-		--cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \
+		--cache-from type=registry,ref=$(REGISTRY)/cozystack:$(TAG) \
 		--cache-to type=inline \
 		--metadata-file images/cozystack.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/cozystack:$(call settag,$(TAG))" > images/cozystack.tag
+	echo "$(REGISTRY)/cozystack:$(TAG)" > images/cozystack.tag
 
 image-talos:
 	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
 	docker load -i ../../../_out/assets/installer-amd64.tar
-	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
+	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(TALOS_VERSION)
-	docker push ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
+	docker push ghcr.io/aenix-io/cozystack/talos:$(TALOS_VERSION)
 
 image-matchbox:
 	test -f ../../../_out/assets/kernel-amd64 || make talos-kernel
 	test -f ../../../_out/assets/initramfs-metal-amd64.xz || make talos-initramfs
 	docker buildx build -f images/matchbox/Dockerfile ../../.. \
 		--provenance false \
-		--tag $(REGISTRY)/matchbox:$(call settag,$(TAG)) \
+		--tag $(REGISTRY)/matchbox:$(TAG) \
-		--tag $(REGISTRY)/matchbox:$(call settag,$(TALOS_VERSION)-$(TAG)) \
+		--tag $(REGISTRY)/matchbox:$(TALOS_VERSION)-$(TAG) \
-		--cache-from type=registry,ref=$(REGISTRY)/matchbox:latest \
+		--cache-from type=registry,ref=$(REGISTRY)/matchbox:$(TALOS_VERSION) \
 		--cache-to type=inline \
 		--metadata-file images/matchbox.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/matchbox:$(call settag,$(TALOS_VERSION))" > images/matchbox.tag
+	echo "$(REGISTRY)/matchbox:$(TALOS_VERSION)" > images/matchbox.tag
 
-assets: talos-iso talos-nocloud
+assets: talos-iso
 
-talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud:
+talos-initramfs talos-kernel talos-installer talos-iso:
 	mkdir -p ../../../_out/assets
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
 		docker run --rm -i -v /dev:/dev --privileged "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" --tar-to-stdout - | \

packages/core/installer/hack/gen-profiles.sh

@@ -2,7 +2,7 @@
 set -e
 set -u
 
-PROFILES="initramfs kernel iso installer nocloud"
+PROFILES="initramfs kernel iso installer"
 FIRMWARES="amd-ucode amdgpu-firmware bnx2-bnx2x i915-ucode intel-ice-firmware intel-ucode qlogic-firmware"
 EXTENSIONS="drbd zfs"
 
@@ -32,14 +32,6 @@ done
 
 for profile in $PROFILES; do
   echo "writing profile images/talos/profiles/$profile.yaml"
-  if [ "$profile" = "nocloud" ]; then
-    image_options="{ diskSize: 1306525696, diskFormat: raw }"
-    out_format=".xz"
-  else
-    image_options="{}"
-    out_format="raw"
-  fi
-
   cat > images/talos/profiles/$profile.yaml <<EOT
 # this file generated by hack/gen-profiles.sh
 # do not edit it
@@ -66,7 +58,6 @@ input:
     - imageRef: ghcr.io/siderolabs/zfs:${ZFS_VERSION}
 output:
   kind: ${profile}
-  imageOptions: ${image_options}
+  outFormat: raw
-  outFormat: ${out_format}
 EOT
 done

packages/core/installer/images/cozystack.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:29b11ecbb92bae830f2e55cd4b6f7f3ada09b2f5514c0eeee395bd2dbd12fb81",
+  "containerimage.config.digest": "sha256:ec8a4983a663f06a1503507482667a206e83e0d8d3663dff60ced9221855d6b0",
-  "containerimage.digest": "sha256:791df989ff37a76062c7c638dbfc93435df9ee0db48797f2045c80b6d6b937c0"
+  "containerimage.digest": "sha256:abb7b2fbc1f143c922f2a35afc4423a74b2b63c0bddfe620750613ed835aa861"
 }

packages/core/installer/images/cozystack.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.3.1
+ghcr.io/aenix-io/cozystack/cozystack:v0.1.0

packages/core/installer/images/matchbox.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:d63ac434876b4e47c130e6b99f0c9657e718f9d97f522f5ccd878eab75844122",
+  "containerimage.config.digest": "sha256:b869a6324f9c0e6d1dd48eee67cbe3842ee14efd59bdde477736ad2f90568ff7",
-  "containerimage.digest": "sha256:9963580a02ac4ddccafb60f2411365910bcadd73f92d1c9187a278221306a4ed"
+  "containerimage.digest": "sha256:c30b237c5fa4fbbe47e1aba56e8f99569fe865620aa1953f31fc373794123cd7"
 }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -1,27 +0,0 @@
-# this file generated by hack/gen-profiles.sh
-# do not edit it
-arch: amd64
-platform: metal
-secureboot: false
-version: v1.6.4
-input:
-  kernel:
-    path: /usr/install/amd64/vmlinuz
-  initramfs:
-    path: /usr/install/amd64/initramfs.xz
-  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
-  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
-output:
-  kind: image
-  imageOptions: { diskSize: 1306525696, diskFormat: raw }
-  outFormat: .xz

packages/core/installer/templates/cozystack.yaml

@@ -12,6 +12,12 @@ metadata:
   name: cozystack
   namespace: cozy-system
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cozystack
+  namespace: cozy-system
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -76,9 +82,6 @@ spec:
       - key: "node.kubernetes.io/not-ready"
         operator: "Exists"
         effect: "NoSchedule"
-      - key: "node.cilium.io/agent-not-ready"
-        operator: "Exists"
-        effect: "NoSchedule"
 ---
 apiVersion: v1
 kind: Service

packages/core/platform/Chart.yaml

@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-platform
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0

packages/core/platform/Makefile

@@ -1,5 +1,5 @@
-NAME=platform
 NAMESPACE=cozy-system
+NAME=platform
 
 API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions))
 
@@ -13,7 +13,7 @@ namespaces-show:
 	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml
 
 namespaces-apply:
-	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml | kubectl apply -n $(NAMESPACE) -f-
+	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml | kubectl apply -f-
 
 diff:
-	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -f-
+	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml | kubectl diff -f-

packages/core/platform/bundles/distro-full.yaml

@@ -1,114 +0,0 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-
-releases:
-- name: cilium
-  releaseName: cilium
-  chart: cozy-cilium
-  namespace: cozy-cilium
-  privileged: true
-  dependsOn: []
-  values:
-    cilium:
-      bpf:
-        masquerade: true
-      cni:
-        chainingMode: ~
-        customConf: false
-        configMap: ""
-      enableIPv4Masquerade: true
-      enableIdentityMark: true
-      ipv4NativeRoutingCIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"
-      autoDirectNodeRoutes: true
-
-- name: cert-manager
-  releaseName: cert-manager
-  chart: cozy-cert-manager
-  namespace: cozy-cert-manager
-  dependsOn: [cilium]
-
-- name: cert-manager-issuers
-  releaseName: cert-manager-issuers
-  chart: cozy-cert-manager-issuers
-  namespace: cozy-cert-manager
-  dependsOn: [cilium,cert-manager]
-
-- name: victoria-metrics-operator
-  releaseName: victoria-metrics-operator
-  chart: cozy-victoria-metrics-operator
-  namespace: cozy-victoria-metrics-operator
-  dependsOn: [cilium,cert-manager]
-
-- name: monitoring
-  releaseName: monitoring
-  chart: cozy-monitoring
-  namespace: cozy-monitoring
-  privileged: true
-  dependsOn: [cilium,victoria-metrics-operator]
-
-- name: metallb
-  releaseName: metallb
-  chart: cozy-metallb
-  namespace: cozy-metallb
-  privileged: true
-  dependsOn: [cilium]
-
-- name: grafana-operator
-  releaseName: grafana-operator
-  chart: cozy-grafana-operator
-  namespace: cozy-grafana-operator
-  dependsOn: [cilium]
-
-- name: mariadb-operator
-  releaseName: mariadb-operator
-  chart: cozy-mariadb-operator
-  namespace: cozy-mariadb-operator
-  dependsOn: [cilium,cert-manager,victoria-metrics-operator]
-
-- name: postgres-operator
-  releaseName: postgres-operator
-  chart: cozy-postgres-operator
-  namespace: cozy-postgres-operator
-  dependsOn: [cilium,cert-manager]
-
-- name: kafka-operator
-  releaseName: kafka-operator
-  chart: cozy-kafka-operator
-  namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: clickhouse-operator
-  releaseName: clickhouse-operator
-  chart: cozy-clickhouse-operator
-  namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: rabbitmq-operator
-  releaseName: rabbitmq-operator
-  chart: cozy-rabbitmq-operator
-  namespace: cozy-rabbitmq-operator
-  dependsOn: [cilium]
-
-- name: redis-operator
-  releaseName: redis-operator
-  chart: cozy-redis-operator
-  namespace: cozy-redis-operator
-  dependsOn: [cilium]
-
-- name: piraeus-operator
-  releaseName: piraeus-operator
-  chart: cozy-piraeus-operator
-  namespace: cozy-linstor
-  dependsOn: [cilium,cert-manager]
-
-- name: linstor
-  releaseName: linstor
-  chart: cozy-linstor
-  namespace: cozy-linstor
-  privileged: true
-  dependsOn: [piraeus-operator,cilium,cert-manager]
-
-- name: telepresence
-  releaseName: traffic-manager
-  chart: cozy-telepresence
-  namespace: cozy-telepresence
-  dependsOn: []

packages/core/platform/bundles/distro-hosted.yaml

@@ -1,75 +0,0 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-
-releases:
-- name: cert-manager
-  releaseName: cert-manager
-  chart: cozy-cert-manager
-  namespace: cozy-cert-manager
-  dependsOn: []
-
-- name: cert-manager-issuers
-  releaseName: cert-manager-issuers
-  chart: cozy-cert-manager-issuers
-  namespace: cozy-cert-manager
-  dependsOn: [cert-manager]
-
-- name: victoria-metrics-operator
-  releaseName: victoria-metrics-operator
-  chart: cozy-victoria-metrics-operator
-  namespace: cozy-victoria-metrics-operator
-  dependsOn: [cert-manager]
-
-- name: monitoring
-  releaseName: monitoring
-  chart: cozy-monitoring
-  namespace: cozy-monitoring
-  privileged: true
-  dependsOn: [victoria-metrics-operator]
-
-- name: grafana-operator
-  releaseName: grafana-operator
-  chart: cozy-grafana-operator
-  namespace: cozy-grafana-operator
-  dependsOn: []
-
-- name: mariadb-operator
-  releaseName: mariadb-operator
-  chart: cozy-mariadb-operator
-  namespace: cozy-mariadb-operator
-  dependsOn: [victoria-metrics-operator]
-
-- name: postgres-operator
-  releaseName: postgres-operator
-  chart: cozy-postgres-operator
-  namespace: cozy-postgres-operator
-  dependsOn: [cert-manager]
-
-- name: kafka-operator
-  releaseName: kafka-operator
-  chart: cozy-kafka-operator
-  namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: clickhouse-operator
-  releaseName: clickhouse-operator
-  chart: cozy-clickhouse-operator
-  namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: rabbitmq-operator
-  releaseName: rabbitmq-operator
-  chart: cozy-rabbitmq-operator
-  namespace: cozy-rabbitmq-operator
-  dependsOn: []
-
-- name: redis-operator
-  releaseName: redis-operator
-  chart: cozy-redis-operator
-  namespace: cozy-redis-operator
-  dependsOn: []
-
-- name: telepresence
-  releaseName: traffic-manager
-  chart: cozy-telepresence
-  namespace: cozy-telepresence
-  dependsOn: []

packages/core/platform/bundles/paas-full.yaml

@@ -1,183 +0,0 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-
-releases:
-- name: cilium
-  releaseName: cilium
-  chart: cozy-cilium
-  namespace: cozy-cilium
-  privileged: true
-  dependsOn: []
-
-- name: kubeovn
-  releaseName: kubeovn
-  chart: cozy-kubeovn
-  namespace: cozy-kubeovn
-  privileged: true
-  dependsOn: [cilium]
-  values:
-    cozystack:
-      nodesHash: {{ include "cozystack.master-node-ips" . | sha256sum }}
-    kube-ovn:
-      ipv4:
-        POD_CIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"
-        POD_GATEWAY: "{{ index $cozyConfig.data "ipv4-pod-gateway" }}"
-        SVC_CIDR: "{{ index $cozyConfig.data "ipv4-svc-cidr" }}"
-        JOIN_CIDR: "{{ index $cozyConfig.data "ipv4-join-cidr" }}"
-
-- name: cert-manager
-  releaseName: cert-manager
-  chart: cozy-cert-manager
-  namespace: cozy-cert-manager
-  dependsOn: [cilium,kubeovn]
-
-- name: cert-manager-issuers
-  releaseName: cert-manager-issuers
-  chart: cozy-cert-manager-issuers
-  namespace: cozy-cert-manager
-  dependsOn: [cilium,kubeovn,cert-manager]
-
-- name: victoria-metrics-operator
-  releaseName: victoria-metrics-operator
-  chart: cozy-victoria-metrics-operator
-  namespace: cozy-victoria-metrics-operator
-  dependsOn: [cilium,kubeovn,cert-manager]
-
-- name: monitoring
-  releaseName: monitoring
-  chart: cozy-monitoring
-  namespace: cozy-monitoring
-  privileged: true
-  dependsOn: [cilium,kubeovn,victoria-metrics-operator]
-
-- name: kubevirt-operator
-  releaseName: kubevirt-operator
-  chart: cozy-kubevirt-operator
-  namespace: cozy-kubevirt
-  dependsOn: [cilium,kubeovn]
-
-- name: kubevirt
-  releaseName: kubevirt
-  chart: cozy-kubevirt
-  namespace: cozy-kubevirt
-  privileged: true
-  dependsOn: [cilium,kubeovn,kubevirt-operator]
-
-- name: kubevirt-cdi-operator
-  releaseName: kubevirt-cdi-operator
-  chart: cozy-kubevirt-cdi-operator
-  namespace: cozy-kubevirt-cdi
-  dependsOn: [cilium,kubeovn]
-
-- name: kubevirt-cdi
-  releaseName: kubevirt-cdi
-  chart: cozy-kubevirt-cdi
-  namespace: cozy-kubevirt-cdi
-  dependsOn: [cilium,kubeovn,kubevirt-cdi-operator]
-
-- name: metallb
-  releaseName: metallb
-  chart: cozy-metallb
-  namespace: cozy-metallb
-  privileged: true
-  dependsOn: [cilium,kubeovn]
-
-- name: grafana-operator
-  releaseName: grafana-operator
-  chart: cozy-grafana-operator
-  namespace: cozy-grafana-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: mariadb-operator
-  releaseName: mariadb-operator
-  chart: cozy-mariadb-operator
-  namespace: cozy-mariadb-operator
-  dependsOn: [cilium,kubeovn,cert-manager,victoria-metrics-operator]
-
-- name: postgres-operator
-  releaseName: postgres-operator
-  chart: cozy-postgres-operator
-  namespace: cozy-postgres-operator
-  dependsOn: [cilium,kubeovn,cert-manager]
-
-- name: kafka-operator
-  releaseName: kafka-operator
-  chart: cozy-kafka-operator
-  namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: clickhouse-operator
-  releaseName: clickhouse-operator
-  chart: cozy-clickhouse-operator
-  namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: rabbitmq-operator
-  releaseName: rabbitmq-operator
-  chart: cozy-rabbitmq-operator
-  namespace: cozy-rabbitmq-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: redis-operator
-  releaseName: redis-operator
-  chart: cozy-redis-operator
-  namespace: cozy-redis-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: piraeus-operator
-  releaseName: piraeus-operator
-  chart: cozy-piraeus-operator
-  namespace: cozy-linstor
-  dependsOn: [cilium,kubeovn,cert-manager]
-
-- name: linstor
-  releaseName: linstor
-  chart: cozy-linstor
-  namespace: cozy-linstor
-  privileged: true
-  dependsOn: [piraeus-operator,cilium,kubeovn,cert-manager]
-
-- name: telepresence
-  releaseName: traffic-manager
-  chart: cozy-telepresence
-  namespace: cozy-telepresence
-  dependsOn: [cilium,kubeovn]
-
-- name: dashboard
-  releaseName: dashboard
-  chart: cozy-dashboard
-  namespace: cozy-dashboard
-  dependsOn: [cilium,kubeovn]
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
-  values:
-    kubeapps:
-      redis:
-        master:
-          podAnnotations:
-            {{- range $index, $repo := . }}
-            {{- with (($repo.status).artifact).revision }}
-            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
-            {{- end }}
-            {{- end }}
-  {{- end }}
-  {{- end }}
-
-- name: kamaji
-  releaseName: kamaji
-  chart: cozy-kamaji
-  namespace: cozy-kamaji
-  dependsOn: [cilium,kubeovn,cert-manager]
-
-- name: capi-operator
-  releaseName: capi-operator
-  chart: cozy-capi-operator
-  namespace: cozy-cluster-api
-  privileged: true
-  dependsOn: [cilium,kubeovn,cert-manager]
-
-- name: capi-providers
-  releaseName: capi-providers
-  chart: cozy-capi-providers
-  namespace: cozy-cluster-api
-  privileged: true
-  dependsOn: [cilium,kubeovn,capi-operator]

packages/core/platform/bundles/paas-hosted.yaml

@@ -1,101 +0,0 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-
-releases:
-- name: cert-manager
-  releaseName: cert-manager
-  chart: cozy-cert-manager
-  namespace: cozy-cert-manager
-  dependsOn: []
-
-- name: cert-manager-issuers
-  releaseName: cert-manager-issuers
-  chart: cozy-cert-manager-issuers
-  namespace: cozy-cert-manager
-  dependsOn: [cert-manager]
-
-- name: victoria-metrics-operator
-  releaseName: victoria-metrics-operator
-  chart: cozy-victoria-metrics-operator
-  namespace: cozy-victoria-metrics-operator
-  dependsOn: [cert-manager]
-
-- name: monitoring
-  releaseName: monitoring
-  chart: cozy-monitoring
-  namespace: cozy-monitoring
-  privileged: true
-  dependsOn: [victoria-metrics-operator]
-
-- name: grafana-operator
-  releaseName: grafana-operator
-  chart: cozy-grafana-operator
-  namespace: cozy-grafana-operator
-  dependsOn: []
-
-- name: mariadb-operator
-  releaseName: mariadb-operator
-  chart: cozy-mariadb-operator
-  namespace: cozy-mariadb-operator
-  dependsOn: [cert-manager,victoria-metrics-operator]
-
-- name: postgres-operator
-  releaseName: postgres-operator
-  chart: cozy-postgres-operator
-  namespace: cozy-postgres-operator
-  dependsOn: [cert-manager]
-
-- name: kafka-operator
-  releaseName: kafka-operator
-  chart: cozy-kafka-operator
-  namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: clickhouse-operator
-  releaseName: clickhouse-operator
-  chart: cozy-clickhouse-operator
-  namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
-
-- name: rabbitmq-operator
-  releaseName: rabbitmq-operator
-  chart: cozy-rabbitmq-operator
-  namespace: cozy-rabbitmq-operator
-  dependsOn: []
-
-- name: redis-operator
-  releaseName: redis-operator
-  chart: cozy-redis-operator
-  namespace: cozy-redis-operator
-  dependsOn: []
-
-- name: piraeus-operator
-  releaseName: piraeus-operator
-  chart: cozy-piraeus-operator
-  namespace: cozy-linstor
-  dependsOn: [cert-manager]
-
-- name: telepresence
-  releaseName: traffic-manager
-  chart: cozy-telepresence
-  namespace: cozy-telepresence
-  dependsOn: []
-
-- name: dashboard
-  releaseName: dashboard
-  chart: cozy-dashboard
-  namespace: cozy-dashboard
-  dependsOn: []
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
-  values:
-    kubeapps:
-      redis:
-        master:
-          podAnnotations:
-            {{- range $index, $repo := . }}
-            {{- with (($repo.status).artifact).revision }}
-            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
-            {{- end }}
-            {{- end }}
-  {{- end }}
-  {{- end }}

packages/core/platform/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Get IP-addresses of master nodes
 */}}
-{{- define "cozystack.master-node-ips" -}}
+{{- define "master.nodeIPs" -}}
 {{- $nodes := lookup "v1" "Node" "" "" -}}
 {{- $ips := list -}}
 {{- range $node := $nodes.items -}}

packages/core/platform/templates/apps.yaml

@@ -1,10 +1,7 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-{{- $bundleName := index $cozyConfig.data "bundle-name" }}
-{{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $host := "example.org" }}
 {{- $tenantRoot := list }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta2" }}
+{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta1" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta2" "HelmRelease" "tenant-root" "tenant-root" }}
+{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta1" "HelmRelease" "tenant-root" "tenant-root" }}
 {{- end }}
 {{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
 {{- $host = $tenantRoot.spec.values.host }}
@@ -22,7 +19,7 @@ metadata:
     namespace.cozystack.io/host: "{{ $host }}"
   name: tenant-root
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: tenant-root
@@ -48,9 +45,7 @@ spec:
   values:
     host: "{{ $host }}"
   dependsOn:
-  {{- range $x := $bundle.releases }}
+  - name: cilium
-  {{- if has $x.name (list "cilium" "kubeovn") }}
+    namespace: cozy-cilium
-  - name: {{ $x.name }}
+  - name: kubeovn
-    namespace: {{ $x.namespace }}
+    namespace: cozy-kubeovn
-  {{- end }}
-  {{- end }}

packages/core/platform/templates/helmreleases.yaml

@@ -1,27 +1,13 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
-{{- $bundleName := index $cozyConfig.data "bundle-name" }}
-{{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
-{{- $dependencyNamespaces := dict }}
-{{- $disabledComponents := splitList "," ((index $cozyConfig.data "bundle-disable") | default "") }}
-
-{{/* collect dependency namespaces from releases */}}
-{{- range $x := $bundle.releases }}
-{{- $_ := set $dependencyNamespaces $x.name $x.namespace }}
-{{- end }}
-
-{{- range $x := $bundle.releases }}
-{{- if not (has $x.name $disabledComponents) }}
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
-  name: {{ $x.name }}
+  name: cilium
-  namespace: {{ $x.namespace }}
+  namespace: cozy-cilium
   labels:
     cozystack.io/repository: system
 spec:
   interval: 1m
-  releaseName: {{ $x.releaseName | default $x.name }}
+  releaseName: cilium
   install:
     remediation:
       retries: -1
@@ -30,31 +16,743 @@ spec:
       retries: -1
   chart:
     spec:
-      chart: {{ $x.chart }}
+      chart: cozy-cilium
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kubeovn
+  namespace: cozy-kubeovn
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: kubeovn
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-kubeovn
       reconcileStrategy: Revision
       sourceRef:
         kind: HelmRepository
         name: cozystack-system
         namespace: cozy-system
-  {{- $values := dict }}
-  {{- with $x.values }}
-  {{- $values = merge . $values }}
-  {{- end }}
-  {{- with index $cozyConfig.data (printf "values-%s" $x.name) }}
-  {{- $values = merge (fromYaml .) $values }}
-  {{- end }}
-  {{- with $values }}
   values:
-    {{- toYaml . | nindent 4}}
+    cozystack:
-  {{- end }}
+      configHash: {{ index (lookup "v1" "ConfigMap" "cozy-system" "cozystack") "data" | toJson | sha256sum }}
-  {{- with $x.dependsOn }}
+      nodesHash: {{ include "master.nodeIPs" . | sha256sum }}
   dependsOn:
-  {{- range $dep := . }}
+  - name: cilium
-  {{- if not (has $dep $disabledComponents) }}
+    namespace: cozy-cilium
-  - name: {{ $dep }}
+---
-    namespace: {{ index $dependencyNamespaces $dep }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cozy-fluxcd
+  namespace: cozy-fluxcd
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: fluxcd
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-fluxcd
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cozy-cert-manager
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: cert-manager
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-cert-manager
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager-issuers
+  namespace: cozy-cert-manager
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: cert-manager-issuers
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-cert-manager-issuers
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: cert-manager
+    namespace: cozy-cert-manager
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: victoria-metrics-operator
+  namespace: cozy-victoria-metrics-operator
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: victoria-metrics-operator
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-victoria-metrics-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: cert-manager
+    namespace: cozy-cert-manager
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: monitoring
+  namespace: cozy-monitoring
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: monitoring
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-monitoring
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: victoria-metrics-operator
+    namespace: cozy-victoria-metrics-operator
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kubevirt-operator
+  namespace: cozy-kubevirt
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: kubevirt-operator
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-kubevirt-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kubevirt
+  namespace: cozy-kubevirt
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: kubevirt
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-kubevirt
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: kubevirt-operator
+    namespace: cozy-kubevirt
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kubevirt-cdi-operator
+  namespace: cozy-kubevirt-cdi
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: kubevirt-cdi-operator
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-kubevirt-cdi-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kubevirt-cdi
+  namespace: cozy-kubevirt-cdi
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: kubevirt-cdi
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-kubevirt-cdi
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: kubevirt-cdi-operator
+    namespace: cozy-kubevirt-cdi
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: metallb
+  namespace: cozy-metallb
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: metallb
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-metallb
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: grafana-operator
+  namespace: cozy-grafana-operator
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: grafana-operator
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-grafana-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: mariadb-operator
+  namespace: cozy-mariadb-operator
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: mariadb-operator
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-mariadb-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: cert-manager
+    namespace: cozy-cert-manager
+  - name: victoria-metrics-operator
+    namespace: cozy-victoria-metrics-operator
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: postgres-operator
+  namespace: cozy-postgres-operator
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: postgres-operator
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-postgres-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: cert-manager
+    namespace: cozy-cert-manager
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: rabbitmq-operator
+  namespace: cozy-rabbitmq-operator
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: rabbitmq-operator
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-rabbitmq-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: redis-operator
+  namespace: cozy-redis-operator
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: redis-operator
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-redis-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: piraeus-operator
+  namespace: cozy-linstor
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: piraeus-operator
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-piraeus-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: cert-manager
+    namespace: cozy-cert-manager
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: linstor
+  namespace: cozy-linstor
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: linstor
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-linstor
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: piraeus-operator
+    namespace: cozy-linstor
+  - name: cert-manager
+    namespace: cozy-cert-manager
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: telepresence
+  namespace: cozy-telepresence
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: traffic-manager
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-telepresence
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: dashboard
+  namespace: cozy-dashboard
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: dashboard
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-dashboard
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
+  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
+  values:
+    kubeapps:
+      redis:
+        master:
+          podAnnotations:
+            {{- range $index, $repo := . }}
+            {{- with (($repo.status).artifact).revision }}
+            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
+            {{- end }}
+            {{- end }}
   {{- end }}
   {{- end }}
-  {{- end }}
+---
-{{- end }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
-{{- end }}
+kind: HelmRelease
+metadata:
+  name: kamaji
+  namespace: cozy-kamaji
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: kamaji
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-kamaji
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: cert-manager
+    namespace: cozy-cert-manager
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: capi-operator
+  namespace: cozy-cluster-api
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: capi-operator
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-capi-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn
+  - name: cert-manager
+    namespace: cozy-cert-manager
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: capi-providers
+  namespace: cozy-cluster-api
+  labels:
+    cozystack.io/repository: system
+spec:
+  interval: 1m
+  releaseName: capi-providers
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: cozy-capi-providers
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  dependsOn:
+  - name: capi-operator
+    namespace: cozy-cluster-api
+  - name: cilium
+    namespace: cozy-cilium
+  - name: kubeovn
+    namespace: cozy-kubeovn

packages/core/platform/templates/namespaces.yaml

@@ -1,33 +1,13 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- range $ns := .Values.namespaces }}
-{{- $bundleName := index $cozyConfig.data "bundle-name" }}
-{{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
-{{- $namespaces := dict }}
-
-{{/* collect namespaces from releases */}}
-{{- range $x := $bundle.releases }}
-{{- if not (hasKey $namespaces $x.namespace) }}
-{{- $_ := set $namespaces $x.namespace false }}
-{{- end }}
-{{/* if at least one release requires a privileged namespace, then it should be privileged */}}
-{{- if or $x.privileged (index $namespaces $x.namespace) }}
-{{- $_ := set $namespaces $x.namespace true }}
-{{- end }}
-{{- end }}
-
-{{/* Add extra namespaces */}}
-{{- $_ := set $namespaces "cozy-public" false }}
-{{- $_ := set $namespaces "cozy-fluxcd" false }}
-
-{{- range $namespace, $privileged := $namespaces }}
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
     "helm.sh/resource-policy": keep
-  {{- if $privileged }}
+  {{- if $ns.privileged }}
   labels:
     pod-security.kubernetes.io/enforce: privileged
   {{- end }}
-  name: {{ $namespace }}
+  name: {{ $ns.name }}
 {{- end }}

packages/core/platform/values.yaml

@@ -0,0 +1,30 @@
+namespaces:
+- name: cozy-public
+- name: cozy-system
+  privileged: true
+- name: cozy-cert-manager
+- name: cozy-cilium
+  privileged: true
+- name: cozy-fluxcd
+- name: cozy-grafana-operator
+- name: cozy-kamaji
+- name: cozy-cluster-api
+  privileged: true # for capk only
+- name: cozy-dashboard
+- name: cozy-kubeovn
+  privileged: true
+- name: cozy-kubevirt
+  privileged: true
+- name: cozy-kubevirt-cdi
+- name: cozy-linstor
+  privileged: true
+- name: cozy-mariadb-operator
+- name: cozy-metallb
+  privileged: true
+- name: cozy-monitoring
+  privileged: true
+- name: cozy-postgres-operator
+- name: cozy-rabbitmq-operator
+- name: cozy-redis-operator
+- name: cozy-telepresence
+- name: cozy-victoria-metrics-operator

packages/extra/Makefile

@@ -7,7 +7,7 @@ repo:
 	awk '$$3 != "HEAD" {print "mkdir -p $(TMP)/" $$1 "-" $$2}' versions_map | sh -ex
 	awk '$$3 != "HEAD" {print "git archive " $$3 " " $$1 " | tar -xf- --strip-components=1 -C $(TMP)/" $$1 "-" $$2 }' versions_map | sh -ex
 	helm package -d "$(OUT)" $$(find . $(TMP) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")' | sort -V)
-	cd "$(OUT)" && helm repo index . --url http://cozystack.cozy-system.svc/repos/extra
+	cd "$(OUT)" && helm repo index .
 	rm -rf "$(TMP)"
 
 fix-chartnames:

packages/extra/monitoring/templates/grafana/grafana.yaml

@@ -67,7 +67,7 @@ spec:
   ingress:
     metadata:
       annotations:
-        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"
+        kubernetes.io/ingress.class: "{{ $ingress }}"
         cert-manager.io/cluster-issuer: letsencrypt-prod
     spec:
       ingressClassName: "{{ $ingress }}"

packages/system/Makefile

@@ -1,12 +1,12 @@
 OUT=../../_out/repos/system
 
-include ../../scripts/common-envs.mk
+gen: fix-chartnames
 
-repo:
+repo: fix-chartnames
 	rm -rf "$(OUT)"
 	mkdir -p "$(OUT)"
-	helm package -d "$(OUT)" $$(find . -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")') --version $(VERSION)
+	helm package -d "$(OUT)" $$(find . -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")')
 	cd "$(OUT)" && helm repo index .
 
 fix-chartnames:
-	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do printf "name: cozy-%s\nversion: 1.0.0\n" "$$i" > "$$i/Chart.yaml"; done

packages/system/capi-operator/Chart.yaml

@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-capi-operator
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0

packages/system/capi-operator/Makefile

@@ -1,7 +1,14 @@
 NAME=capi-operator
 NAMESPACE=cozy-cluster-api
 
-include ../../../scripts/package-system.mk
+show:
+	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+
+apply:
+	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+diff:
+	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
 
 update:
 	rm -rf charts

packages/system/capi-providers/Chart.yaml

@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-capi-providers
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0

packages/system/capi-providers/Makefile

@@ -1,4 +1,11 @@
 NAME=capi-providers
 NAMESPACE=cozy-cluster-api
 
-include ../../../scripts/package-system.mk
+show:
+	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+
+apply:
+	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+diff:
+	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .

packages/system/capi-providers/templates/providers.yaml

@@ -13,7 +13,7 @@ spec:
   deployment:
     containers:
     - name: manager
-      imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.7.1-fix
+      imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.6.0-fix7
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: BootstrapProvider

packages/system/cert-manager-issuers/Chart.yaml

@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-cert-manager-issuers
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0

packages/system/cert-manager-issuers/Makefile

@@ -1,4 +1,11 @@
 NAME=cert-manager-issuers
 NAMESPACE=cozy-cert-manager
 
-include ../../../scripts/package-system.mk
+show:
+	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+
+apply:
+	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+diff:
+	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .

packages/system/cert-manager/Chart.yaml

@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-cert-manager
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0

packages/system/cert-manager/Makefile

@@ -1,7 +1,14 @@
 NAME=cert-manager
-NAMESPACE=cozy-$(NAME)
+NAMESPACE=cozy-cert-manager
 
-include ../../../scripts/package-system.mk
+show:
+	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+
+apply:
+	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+diff:
+	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
 
 update:
 	rm -rf charts

packages/system/cilium/Chart.yaml

@@ -1,3 +1,2 @@
-apiVersion: v2
 name: cozy-cilium
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0

packages/system/cilium/Makefile

@@ -1,12 +1,19 @@
+NAMESPACE=cozy-cilium
 NAME=cilium
-NAMESPACE=cozy-$(NAME)
 
-include ../../../scripts/package-system.mk
+show:
+	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+
+apply:
+	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+diff:
+	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
 
 update:
 	rm -rf charts
 	helm repo add cilium https://helm.cilium.io/
 	helm repo update cilium
-	helm pull cilium/cilium --untar --untardir charts --version 1.14
+	helm pull cilium/cilium --untar --untardir charts
 	sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml
-	patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch
+	patch -p3 < patches/fix-cgroups.patch

packages/system/cilium/charts/cilium/Chart.yaml

@@ -122,7 +122,7 @@ annotations:
       description: |
         CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).
 apiVersion: v2
-appVersion: 1.14.9
+appVersion: 1.14.5
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg
@@ -138,4 +138,4 @@ kubeVersion: '>= 1.16.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.14.9
+version: 1.14.5

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.14.9](https://img.shields.io/badge/Version-1.14.9-informational?style=flat-square) ![AppVersion: 1.14.9](https://img.shields.io/badge/AppVersion-1.14.9-informational?style=flat-square)
+![Version: 1.14.5](https://img.shields.io/badge/Version-1.14.5-informational?style=flat-square) ![AppVersion: 1.14.5](https://img.shields.io/badge/AppVersion-1.14.5-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -76,7 +76,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.securityContext | object | `{}` | Security context to be added to spire agent containers. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container |
 | authentication.mutual.spire.install.agent.serviceAccount | object | `{"create":true,"name":"spire-agent"}` | SPIRE agent service account |
 | authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. |
-| authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
+| authentication.mutual.spire.install.agent.tolerations | list | `[]` | SPIRE agent tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
@@ -155,12 +155,12 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.9","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:7eaa35cf5452c43b1f7d0cde0d707823ae7e49965bcb54c053e31ea4e04c3d96","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.5","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
 | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
-| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.9","useDigest":true}` | KVStoreMesh image. |
+| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:d7137edd0efa2b1407b20088af3980a9993bb616d85bf9b55ea2891d1b99023a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.5","useDigest":true}` | KVStoreMesh image. |
 | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
 | clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. |
@@ -300,7 +300,7 @@ contributors across the globe, there is almost always someone available to help.
 | eni.subnetIDsFilter | list | `[]` | Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
 | eni.subnetTagsFilter | list | `[]` | Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
 | eni.updateEC2AdapterLimitViaAPI | bool | `true` | Update ENI Adapter limits from the EC2 API |
-| envoy.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
+| envoy.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
 | envoy.connectTimeoutSeconds | int | `2` | Time in seconds after which a TCP connection attempt times out |
 | envoy.dnsPolicy | string | `nil` | DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
 | envoy.enabled | bool | `false` | Enable Envoy Proxy in standalone DaemonSet. |
@@ -312,7 +312,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -324,15 +324,14 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.podLabels | object | `{}` | Labels to be added to envoy pods |
 | envoy.podSecurityContext | object | `{}` | Security Context for cilium-envoy pods. |
 | envoy.priorityClassName | string | `nil` | The priority class to use for cilium-envoy. |
-| envoy.prometheus | object | `{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy. |
 | envoy.prometheus.enabled | bool | `true` | Enable prometheus metrics for cilium-envoy |
 | envoy.prometheus.port | string | `"9964"` | Serve prometheus metrics for cilium-envoy on the configured port |
 | envoy.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-envoy |
-| envoy.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) Note that this setting applies to both cilium-envoy _and_ cilium-agent with Envoy enabled. |
+| envoy.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
 | envoy.prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. |
 | envoy.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-envoy |
-| envoy.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured. |
+| envoy.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-envoy |
-| envoy.prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured. |
+| envoy.prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-envoy |
 | envoy.readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe |
 | envoy.readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe |
 | envoy.resources | object | `{}` | Envoy resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
@@ -419,7 +418,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.9","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:dbef89f924a927043d02b40c18e417c1ea0e8f58b44523b80fef7e3652db24d4","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.5","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -476,7 +475,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
 | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
 | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
-| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. |
+| hubble.ui.backend.image | object | `{"digest":"sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.1","useDigest":true}` | Hubble-ui backend image. |
 | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
 | hubble.ui.backend.securityContext | object | `{}` | Hubble-ui backend security context. |
 | hubble.ui.baseUrl | string | `"/"` | Defines base url prefix for all hubble-ui http requests. It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. Trailing `/` is required for custom path, ex. `/service-map/` |
@@ -484,7 +483,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
 | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. |
 | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. |
-| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. |
+| hubble.ui.frontend.image | object | `{"digest":"sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.1","useDigest":true}` | Hubble-ui frontend image. |
 | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
 | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. |
 | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 |
@@ -511,7 +510,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.5","useDigest":true}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -619,7 +618,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5","awsDigest":"sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec","azureDigest":"sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17","genericDigest":"sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.9","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:e0152c498ba73c56a82eee2a706c8f400e9a6999c665af31a935bdf08e659bc3","awsDigest":"sha256:785ccf1267d0ed3ba9e4bd8166577cb4f9e4ce996af26b27c9d5c554a0d5b09a","azureDigest":"sha256:9203f5583aa34e716d7a6588ebd144e43ce3b77873f578fc12b2679e33591353","genericDigest":"sha256:303f9076bdc73b3fc32aaedee64a14f6f44c8bb08ee9e3956d443021103ebe7a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.5","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -666,7 +665,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.5","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

packages/system/cilium/charts/cilium/files/agent/poststart-eni.bash

@@ -11,9 +11,9 @@ set -o nounset
 # dependencies on anything that is part of the startup script
 # itself, and can be safely run multiple times per node (e.g. in
 # case of a restart).
-if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
+if [[ "$(iptables-save | grep -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
 then
     echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
-    iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
+    iptables-save | grep -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
 fi
 echo 'Done!'

packages/system/cilium/charts/cilium/files/nodeinit/startup.bash

@@ -100,7 +100,7 @@ then
     # Since that version containerd no longer allows missing configuration for the CNI,
     # not even for pods with hostNetwork set to true. Thus, we add a temporary one.
     # This will be replaced with the real config by the agent pod.
-    echo -e '{\n\t"cniVersion": "0.3.1",\n\t"name": "cilium",\n\t"type": "cilium-cni"\n}' > /etc/cni/net.d/05-cilium.conf
+    echo -e "{\n\t"cniVersion": "0.3.1",\n\t"name": "cilium",\n\t"type": "cilium-cni"\n}" > /etc/cni/net.d/05-cilium.conf
   fi
 
   # Start containerd. It won't create it's CNI configuration file anymore.

packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml

@@ -447,9 +447,6 @@ spec:
         volumeMounts:
         - name: tmp
           mountPath: /tmp
-        {{- with .Values.extraVolumeMounts }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
         terminationMessagePolicy: FallbackToLogsOnError
       {{- if .Values.cgroup.autoMount.enabled }}
       # Required to mount cgroup2 filesystem on the underlying Kubernetes node.

packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml

@@ -34,20 +34,6 @@ spec:
     metricRelabelings:
     {{- toYaml . | nindent 4 }}
     {{- end }}
-  {{- if .Values.envoy.prometheus.serviceMonitor.enabled }}
-  - port: envoy-metrics
-    interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }}
-    honorLabels: true
-    path: /metrics
-    {{- with .Values.envoy.prometheus.serviceMonitor.relabelings }}
-    relabelings:
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-    {{- with .Values.envoy.prometheus.serviceMonitor.metricRelabelings }}
-    metricRelabelings:
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  {{- end }}
   targetLabels:
   - k8s-app
 {{- end }}

packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml

@@ -13,7 +13,6 @@
 {{- $fragmentTracking := "true" -}}
 {{- $defaultKubeProxyReplacement := "false" -}}
 {{- $azureUsePrimaryAddress := "true" -}}
-{{- $defaultDNSProxyEnableTransparentMode := "false" -}}
 
 {{- /* Default values when 1.8 was initially deployed */ -}}
 {{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}}
@@ -49,7 +48,6 @@
       {{- $azureUsePrimaryAddress = "false" -}}
   {{- end }}
   {{- $defaultKubeProxyReplacement = "disabled" -}}
-  {{- $defaultDNSProxyEnableTransparentMode = "true" -}}
 {{- end -}}
 
 {{- /* Default values when 1.14 was initially deployed */ -}}
@@ -432,16 +430,10 @@ data:
   #   - vxlan (default)
   #   - geneve
 {{- if .Values.gke.enabled }}
-  {{- if ne (.Values.routingMode | default "native") "native" }}
-    {{- fail (printf "RoutingMode must be set to native when gke.enabled=true" )}}
-  {{- end }}
   routing-mode: "native"
   enable-endpoint-routes: "true"
   enable-local-node-route: "false"
 {{- else if .Values.aksbyocni.enabled }}
-  {{- if ne (.Values.routingMode | default "tunnel") "tunnel" }}
-    {{- fail (printf "RoutingMode must be set to tunnel when aksbyocni.enabled=true" )}}
-  {{- end }}
   routing-mode: "tunnel"
   tunnel-protocol: "vxlan"
 {{- else if .Values.routingMode }}
@@ -1100,13 +1092,6 @@ data:
 {{- end }}
 
 {{- if .Values.dnsProxy }}
-  {{- if hasKey .Values.dnsProxy "enableTransparentMode" }}
-  # explicit setting gets precedence
-  dnsproxy-enable-transparent-mode: {{ .Values.dnsProxy.enableTransparentMode | quote }}
-  {{- else if eq $cniChainingMode "none" }}
-  # default DNS proxy to transparent mode in non-chaining modes
-  dnsproxy-enable-transparent-mode: {{ $defaultDNSProxyEnableTransparentMode | quote }}
-  {{- end }}
   {{- if .Values.dnsProxy.dnsRejectResponseCode }}
   tofqdns-dns-reject-response-code: {{ .Values.dnsProxy.dnsRejectResponseCode | quote }}
   {{- end }}

packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml

@@ -82,7 +82,7 @@ spec:
         {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
         startupProbe:
           httpGet:
-            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+            host: "localhost"
             path: /healthz
             port: {{ .Values.envoy.healthPort }}
             scheme: HTTP
@@ -92,7 +92,7 @@ spec:
         {{- end }}
         livenessProbe:
           httpGet:
-            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+            host: "localhost"
             path: /healthz
             port: {{ .Values.envoy.healthPort }}
             scheme: HTTP
@@ -110,7 +110,7 @@ spec:
           timeoutSeconds: 5
         readinessProbe:
           httpGet:
-            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+            host: "localhost"
             path: /healthz
             port: {{ .Values.envoy.healthPort }}
             scheme: HTTP

packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml

@@ -7,7 +7,6 @@ metadata:
   namespace: {{ .Values.envoy.prometheus.serviceMonitor.namespace | default .Release.Namespace }}
   labels:
     app.kubernetes.io/part-of: cilium
-    app.kubernetes.io/name: cilium-envoy
     {{- with .Values.envoy.prometheus.serviceMonitor.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
@@ -23,7 +22,7 @@ spec:
     matchNames:
     - {{ .Release.Namespace }}
   endpoints:
-  - port: envoy-metrics
+  - port: metrics
     interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }}
     honorLabels: true
     path: /metrics

packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml

@@ -66,13 +66,8 @@ spec:
               - /tmp/ready
             initialDelaySeconds: 5
             periodSeconds: 5
-          env:
-          - name: K8S_NODE_NAME
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: spec.nodeName
           {{- with .Values.preflight.extraEnv }}
+          env:
             {{- toYaml . | trim | nindent 12 }}
           {{- end }}
           volumeMounts:

packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml

@@ -88,12 +88,10 @@ spec:
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.authentication.mutual.spire.install.agent.tolerations }}
       tolerations:
-        {{- with .Values.authentication.mutual.spire.install.agent.tolerations }}
+        {{- toYaml . | trim | nindent 8 }}
-          {{- toYaml . | trim | nindent 8 }}
+      {{- end }}
-        {{- end }}
-        - key:  {{ .Values.agentNotReadyTaintKey | default "node.cilium.io/agent-not-ready" }}
-          effect: NoSchedule
       volumes:
         - name: spire-config
           configMap:

packages/system/cilium/charts/cilium/values.yaml

@@ -143,10 +143,10 @@ rollOutCiliumPods: false
 image:
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.14.9"
+  tag: "v1.14.5"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301"
+  digest: "sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b"
   useDigest: true
 
 # -- Affinity for cilium-agent.
@@ -1109,9 +1109,9 @@ hubble:
     image:
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.14.9"
+      tag: "v1.14.5"
        # hubble-relay-digest
-      digest: "sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa"
+      digest: "sha256:dbef89f924a927043d02b40c18e417c1ea0e8f58b44523b80fef7e3652db24d4"
       useDigest: true
       pullPolicy: "IfNotPresent"
 
@@ -1337,8 +1337,8 @@ hubble:
       image:
         override: ~
         repository: "quay.io/cilium/hubble-ui-backend"
-        tag: "v0.13.0"
+        tag: "v0.12.1"
-        digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803"
+        digest: "sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe"
         useDigest: true
         pullPolicy: "IfNotPresent"
 
@@ -1368,8 +1368,8 @@ hubble:
       image:
         override: ~
         repository: "quay.io/cilium/hubble-ui"
-        tag: "v0.13.0"
+        tag: "v0.12.1"
-        digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666"
+        digest: "sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267"
         useDigest: true
         pullPolicy: "IfNotPresent"
 
@@ -1853,9 +1853,9 @@ envoy:
   image:
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5"
+    tag: "v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b"
     pullPolicy: "IfNotPresent"
-    digest: "sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86"
+    digest: "sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca"
     useDigest: true
 
   # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -1968,20 +1968,7 @@ envoy:
         labelSelector:
           matchLabels:
             k8s-app: cilium-envoy
-    podAffinity:
+
-      requiredDuringSchedulingIgnoredDuringExecution:
-      - topologyKey: kubernetes.io/hostname
-        labelSelector:
-          matchLabels:
-            k8s-app: cilium
-    nodeAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        nodeSelectorTerms:
-          - matchExpressions:
-            - key: cilium.io/no-schedule
-              operator: NotIn
-              values:
-              - "true"
   # -- Node selector for cilium-envoy.
   nodeSelector:
     kubernetes.io/os: linux
@@ -2002,16 +1989,12 @@ envoy:
   # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
   dnsPolicy: ~
 
-  # -- Configure Cilium Envoy Prometheus options.
-  # Note that some of these apply to either cilium-agent or cilium-envoy.
   prometheus:
     # -- Enable prometheus metrics for cilium-envoy
     enabled: true
     serviceMonitor:
       # -- Enable service monitors.
       # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
-      # Note that this setting applies to both cilium-envoy _and_ cilium-agent
-      # with Envoy enabled.
       enabled: false
       # -- Labels to add to ServiceMonitor cilium-envoy
       labels: {}
@@ -2023,14 +2006,12 @@ envoy:
       # service monitors configured.
       # namespace: ""
       # -- Relabeling configs for the ServiceMonitor cilium-envoy
-      # or for cilium-agent with Envoy configured.
       relabelings:
         - sourceLabels:
             - __meta_kubernetes_pod_node_name
           targetLabel: node
           replacement: ${1}
       # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy
-      # or for cilium-agent with Envoy configured.
       metricRelabelings: ~
     # -- Serve prometheus metrics for cilium-envoy on the configured port
     port: "9964"
@@ -2269,15 +2250,15 @@ operator:
   image:
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.14.9"
+    tag: "v1.14.5"
     # operator-generic-digest
-    genericDigest: "sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712"
+    genericDigest: "sha256:303f9076bdc73b3fc32aaedee64a14f6f44c8bb08ee9e3956d443021103ebe7a"
     # operator-azure-digest
-    azureDigest: "sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17"
+    azureDigest: "sha256:9203f5583aa34e716d7a6588ebd144e43ce3b77873f578fc12b2679e33591353"
     # operator-aws-digest
-    awsDigest: "sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec"
+    awsDigest: "sha256:785ccf1267d0ed3ba9e4bd8166577cb4f9e4ce996af26b27c9d5c554a0d5b09a"
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5"
+    alibabacloudDigest: "sha256:e0152c498ba73c56a82eee2a706c8f400e9a6999c665af31a935bdf08e659bc3"
     useDigest: true
     pullPolicy: "IfNotPresent"
     suffix: ""
@@ -2554,9 +2535,9 @@ preflight:
   image:
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.14.9"
+    tag: "v1.14.5"
     # cilium-digest
-    digest: "sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301"
+    digest: "sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b"
     useDigest: true
     pullPolicy: "IfNotPresent"
 
@@ -2704,9 +2685,9 @@ clustermesh:
     image:
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.14.9"
+      tag: "v1.14.5"
       # clustermesh-apiserver-digest
-      digest: "sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3"
+      digest: "sha256:7eaa35cf5452c43b1f7d0cde0d707823ae7e49965bcb54c053e31ea4e04c3d96"
       useDigest: true
       pullPolicy: "IfNotPresent"
 
@@ -2751,9 +2732,9 @@ clustermesh:
       image:
         override: ~
         repository: "quay.io/cilium/kvstoremesh"
-        tag: "v1.14.9"
+        tag: "v1.14.5"
         # kvstoremesh-digest
-        digest: "sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22"
+        digest: "sha256:d7137edd0efa2b1407b20088af3980a9993bb616d85bf9b55ea2891d1b99023a"
         useDigest: true
         pullPolicy: "IfNotPresent"
 
@@ -3105,8 +3086,6 @@ dnsProxy:
   proxyPort: 0
   # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information.
   proxyResponseMaxDelay: 100ms
-  # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults)
-  # enableTransparentMode: true
 
 # -- SCTP Configuration Values
 sctp:
@@ -3157,21 +3136,8 @@ authentication:
           # -- SPIRE Workload Attestor kubelet verification.
           skipKubeletVerification: true
           # -- SPIRE agent tolerations configuration
-          # By default it follows the same tolerations as the agent itself
-          # to allow the Cilium agent on this node to connect to SPIRE.
           # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
-          tolerations:
+          tolerations: []
-          - key: node.kubernetes.io/not-ready
-            effect: NoSchedule
-          - key: node-role.kubernetes.io/master
-            effect: NoSchedule
-          - key: node-role.kubernetes.io/control-plane
-            effect: NoSchedule
-          - key: node.cloudprovider.kubernetes.io/uninitialized
-            effect: NoSchedule
-            value: "true"
-          - key: CriticalAddonsOnly
-            operator: "Exists"
           # -- SPIRE agent affinity configuration
           affinity: {}
           # -- SPIRE agent nodeSelector configuration

packages/system/cilium/charts/cilium/values.yaml.tmpl

@@ -1854,9 +1854,9 @@ envoy:
   image:
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5"
+    tag: "v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b"
     pullPolicy: "${PULL_POLICY}"
-    digest: "sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86"
+    digest: "sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca"
     useDigest: true
 
   # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -1969,20 +1969,7 @@ envoy:
         labelSelector:
           matchLabels:
             k8s-app: cilium-envoy
-    podAffinity:
+
-      requiredDuringSchedulingIgnoredDuringExecution:
-      - topologyKey: kubernetes.io/hostname
-        labelSelector:
-          matchLabels:
-            k8s-app: cilium
-    nodeAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        nodeSelectorTerms:
-          - matchExpressions:
-            - key: cilium.io/no-schedule
-              operator: NotIn
-              values:
-              - "true"
   # -- Node selector for cilium-envoy.
   nodeSelector:
     kubernetes.io/os: linux
@@ -2003,16 +1990,12 @@ envoy:
   # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
   dnsPolicy: ~
 
-  # -- Configure Cilium Envoy Prometheus options.
-  # Note that some of these apply to either cilium-agent or cilium-envoy.
   prometheus:
     # -- Enable prometheus metrics for cilium-envoy
     enabled: true
     serviceMonitor:
       # -- Enable service monitors.
       # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
-      # Note that this setting applies to both cilium-envoy _and_ cilium-agent
-      # with Envoy enabled.
       enabled: false
       # -- Labels to add to ServiceMonitor cilium-envoy
       labels: {}
@@ -2024,14 +2007,12 @@ envoy:
       # service monitors configured.
       # namespace: ""
       # -- Relabeling configs for the ServiceMonitor cilium-envoy
-      # or for cilium-agent with Envoy configured.
       relabelings:
         - sourceLabels:
             - __meta_kubernetes_pod_node_name
           targetLabel: node
           replacement: ${1}
       # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy
-      # or for cilium-agent with Envoy configured.
       metricRelabelings: ~
     # -- Serve prometheus metrics for cilium-envoy on the configured port
     port: "9964"
@@ -3108,8 +3089,6 @@ dnsProxy:
   proxyPort: 0
   # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information.
   proxyResponseMaxDelay: 100ms
-  # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults)
-  # enableTransparentMode: true
 
 # -- SCTP Configuration Values
 sctp:
@@ -3160,21 +3139,8 @@ authentication:
           # -- SPIRE Workload Attestor kubelet verification.
           skipKubeletVerification: true
           # -- SPIRE agent tolerations configuration
-          # By default it follows the same tolerations as the agent itself
-          # to allow the Cilium agent on this node to connect to SPIRE.
           # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
-          tolerations:
+          tolerations: []
-          - key: node.kubernetes.io/not-ready
-            effect: NoSchedule
-          - key: node-role.kubernetes.io/master
-            effect: NoSchedule
-          - key: node-role.kubernetes.io/control-plane
-            effect: NoSchedule
-          - key: node.cloudprovider.kubernetes.io/uninitialized
-            effect: NoSchedule
-            value: "true"
-          - key: CriticalAddonsOnly
-            operator: "Exists"
           # -- SPIRE agent affinity configuration
           affinity: {}
           # -- SPIRE agent nodeSelector configuration

packages/system/cilium/values.yaml

@@ -3,10 +3,11 @@ cilium:
     enabled: false
   externalIPs:
     enabled: true
+  tunnel: disabled
   autoDirectNodeRoutes: false
   kubeProxyReplacement: strict
   bpf:
-    masquerade: false
+    masquerade: true
   loadBalancer:
     algorithm: maglev
   cgroup:
@@ -24,4 +25,3 @@ cilium:
     configMap: cni-configuration
   routingMode: native
   enableIPv4Masquerade: false
-  enableIdentityMark: false