Positioning Cozystack as framework for building clouds

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-05 08:17:59 +00:00 · 2024-03-05 09:32:12 +01:00
469 changed files with 14882 additions and 127961 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1 @@
 _out
 .git
 .idea
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ You can use Cozystack as Kubernetes distribution for Bare Metal
 ## Documentation
-The documentation is located on official [cozystack.io](https://cozystack.io) website.
+The documentation is located on official [cozystack.io](cozystack.io) website.
 Read [Get Started](https://cozystack.io/docs/get-started/) section for a quick start.
@@ -44,8 +44,6 @@ If you encounter any difficulties, start with the [troubleshooting guide](https:
 Versioning adheres to the [Semantic Versioning](http://semver.org/) principles.  
 A full list of the available releases is available in the GitHub repository's [Release](https://github.com/aenix-io/cozystack/releases) section.
 - [Roadmap](https://github.com/orgs/aenix-io/projects/2)
 ## Contributions
 Contributions are highly appreciated and very welcomed!
--- a/hack/gen_versions_map.sh
+++ b/hack/gen_versions_map.sh
@@ -20,29 +20,10 @@ miss_map=$(echo "$new_map" | awk 'NR==FNR { new_map[$1 " " $2] = $3; next } { if
 resolved_miss_map=$(
  echo "$miss_map" | while read chart version commit; do
    if [ "$commit" = HEAD ]; then
      line=$(awk '/^version:/ {print NR; exit}' "./$chart/Chart.yaml")
      change_commit=$(git --no-pager blame -L"$line",+1 -- "$chart/Chart.yaml" | awk '{print $1}')
      if [ "$change_commit" = "00000000" ]; then
        # Not commited yet, use previus commit
        line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
        commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
        if [ $(echo $commit | cut -c1) = "^" ]; then
          # Previus commit not exists
          commit=$(echo $commit | cut -c2-)
        fi
      else
        # Commited, but version_map wasn't updated
      line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
      change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
        if [ $(echo $change_commit | cut -c1) = "^" ]; then
          # Previus commit not exists
          commit=$(echo $change_commit | cut -c2-)
        else
      commit=$(git describe --always "$change_commit~1")
    fi
      fi
    fi
    echo "$chart $version $commit"
  done
 )
--- a/hack/prepare_release.sh
+++ b/hack/prepare_release.sh
@@ -0,0 +1,19 @@
 #!/bin/sh
 set -e
 if [ -e $1 ]; then
  echo "Please pass version in the first argument"
  echo "Example: $0 v0.0.2"
  exit 1
 fi
 version=$1
 talos_version=$(awk '/^version:/ {print $2}' packages/core/installer/images/talos/profiles/installer.yaml)
 set -x
 sed -i "/^TAG / s|=.*|= ${version}|" \
  packages/apps/http-cache/Makefile \
  packages/apps/kubernetes/Makefile \
  packages/core/installer/Makefile \
  packages/system/dashboard/Makefile
--- a/manifests/cozystack-installer.yaml
+++ b/manifests/cozystack-installer.yaml
@@ -15,6 +15,13 @@ metadata:
  namespace: cozy-system
 ---
 # Source: cozy-installer/templates/cozystack.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cozystack
  namespace: cozy-system
 ---
 # Source: cozy-installer/templates/cozystack.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -63,7 +70,7 @@ spec:
      serviceAccountName: cozystack
      containers:
      - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.1.0"
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: localhost
@@ -82,7 +89,7 @@ spec:
            fieldRef:
              fieldPath: metadata.name
      - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.1.0"
        command:
        - /usr/bin/darkhttpd
        - /cozystack/assets
@@ -95,6 +102,3 @@ spec:
      - key: "node.kubernetes.io/not-ready"
        operator: "Exists"
        effect: "NoSchedule"
      - key: "node.cilium.io/agent-not-ready"
        operator: "Exists"
        effect: "NoSchedule"
--- a/packages/apps/Makefile
+++ b/packages/apps/Makefile
@@ -7,7 +7,7 @@ repo:
 	awk '$$3 != "HEAD" {print "mkdir -p $(TMP)/" $$1 "-" $$2}' versions_map | sh -ex
 	awk '$$3 != "HEAD" {print "git archive " $$3 " " $$1 " | tar -xf- --strip-components=1 -C $(TMP)/" $$1 "-" $$2 }' versions_map | sh -ex
 	helm package -d "$(OUT)" $$(find . $(TMP) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")' | sort -V)
-	cd "$(OUT)" && helm repo index . --url http://cozystack.cozy-system.svc/repos/apps
+	cd "$(OUT)" && helm repo index .
 	rm -rf "$(TMP)"
 fix-chartnames:
--- a/packages/apps/clickhouse/Chart.yaml
+++ b/packages/apps/clickhouse/Chart.yaml
@@ -1,25 +0,0 @@
 apiVersion: v2
 name: clickhouse
 description: Managed ClickHouse service
 icon: https://cdn.worldvectorlogo.com/logos/clickhouse.svg
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
 # to be deployed.
 #
 # Library charts provide useful utilities or functions for the chart developer. They're included as
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.2.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "24.3.0"
--- a/packages/apps/clickhouse/templates/clickhouse.yaml
+++ b/packages/apps/clickhouse/templates/clickhouse.yaml
@@ -1,36 +0,0 @@
 apiVersion: "clickhouse.altinity.com/v1"
 kind: "ClickHouseInstallation"
 metadata:
  name: "{{ .Release.Name }}"
 spec:
  {{- with .Values.size }}
  defaults:
    templates:
      dataVolumeClaimTemplate: data-volume-template
  {{- end }}
  configuration:
    {{- with .Values.users }}
    users:
      {{- range $name, $u := . }}
      {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
      {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
      {{- end }}
    {{- end }}
    profiles:
      readonly/readonly: "1"
    clusters:
      - name: "clickhouse"
        layout:
          shardsCount: {{ .Values.shards }}
          replicasCount: {{ .Values.replicas }}
  {{- with .Values.size }}
  templates:
    volumeClaimTemplates:
      - name: data-volume-template
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: {{ . }}
  {{- end }}
--- a/packages/apps/clickhouse/values.yaml
+++ b/packages/apps/clickhouse/values.yaml
@@ -1,10 +0,0 @@
 size: 10Gi
 shards: 1
 replicas: 2
 users:
  user1:
    password: strongpassword
  user2:
    readonly: true
    password: hackme
--- a/packages/apps/http-cache/Chart.yaml
+++ b/packages/apps/http-cache/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.25.3"
+appVersion: "1.16.0"
--- a/packages/apps/http-cache/Makefile
+++ b/packages/apps/http-cache/Makefile
@@ -1,20 +1,22 @@
 PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
 NGINX_CACHE_TAG = v0.1.0
-
+TAG := v0.1.0
 include ../../../scripts/common-envs.mk
 image: image-nginx
 image-nginx:
 	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/nginx-cache \
 		--provenance false \
-		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)) \
+		--tag $(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG) \
-		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)-$(TAG)) \
+		--tag $(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG)-$(TAG) \
-		--cache-from type=registry,ref=$(REGISTRY)/nginx-cache:latest \
+		--cache-from type=registry,ref=$(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG) \
 		--cache-to type=inline \
 		--metadata-file images/nginx-cache.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG))" > images/nginx-cache.tag
+	echo "$(REGISTRY)/nginx-cache:$(NGINX_CACHE_TAG)" > images/nginx-cache.tag
 update:
 	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/chrislim2888/IP2Location-C-Library | awk -F'[/^]' 'END{print $$3}') && \
--- a/packages/apps/http-cache/images/nginx-cache.json
+++ b/packages/apps/http-cache/images/nginx-cache.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:78eeb62658dfd87ee845de9da02af1878f7a81c4830fb26c8c9741c46e4e3700",
+  "containerimage.config.digest": "sha256:318fd8d0d6f6127387042f6ad150e87023d1961c7c5059dd5324188a54b0ab4e",
-  "containerimage.digest": "sha256:c1d6e1568f334f7c171081630c3ba7b21b5088a655a9b05c7531683e2da48954"
+  "containerimage.digest": "sha256:e3cf145238e6e45f7f13b9acaea445c94ff29f76a34ba9fa50828401a5a3cc68"
 }
--- a/packages/apps/http-cache/templates/haproxy/configmap.yaml
+++ b/packages/apps/http-cache/templates/haproxy/configmap.yaml
@@ -74,7 +74,7 @@ data:
        option redispatch 1
        default-server observe layer7 error-limit 10 on-error mark-down
-        {{- range $i, $e := until (int $.Values.nginx.replicas) }}
+        {{- range $i, $e := until (int $.Values.replicas) }}
        server cache{{ $i }} {{ $.Release.Name }}-nginx-cache-{{ $i }}:80 check
        {{- end }}
        {{- range $i, $e := $.Values.endpoints }} 
--- a/packages/apps/http-cache/templates/haproxy/deployment.yaml
+++ b/packages/apps/http-cache/templates/haproxy/deployment.yaml
@@ -7,7 +7,7 @@ metadata:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.haproxy.replicas }}
+  replicas: 2
  selector:
    matchLabels:
      app: {{ .Release.Name }}-haproxy
--- a/packages/apps/http-cache/templates/nginx/deployment.yaml
+++ b/packages/apps/http-cache/templates/nginx/deployment.yaml
@@ -11,7 +11,7 @@ spec:
  selector:
    matchLabels:
      app: {{ $.Release.Name }}-nginx-cache
-{{- range $i := until (int $.Values.nginx.replicas) }}
+{{- range $i := until 3 }}
 ---
 apiVersion: apps/v1
 kind: Deployment
--- a/packages/apps/http-cache/values.yaml
+++ b/packages/apps/http-cache/values.yaml
@@ -1,10 +1,4 @@
 external: false
 haproxy:
  replicas: 2
 nginx:
  replicas: 2
 size: 10Gi
 endpoints:
  - 10.100.3.1:80
--- a/packages/apps/kafka/Chart.yaml
+++ b/packages/apps/kafka/Chart.yaml
@@ -1,25 +0,0 @@
 apiVersion: v2
 name: kafka
 description: Managed Kafka service
 icon: https://upload.wikimedia.org/wikipedia/commons/0/05/Apache_kafka.svg
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
 # to be deployed.
 #
 # Library charts provide useful utilities or functions for the chart developer. They're included as
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "3.7.0"
--- a/packages/apps/kafka/templates/kafka.yaml
+++ b/packages/apps/kafka/templates/kafka.yaml
@@ -1,53 +0,0 @@
 apiVersion: kafka.strimzi.io/v1beta2
 kind: Kafka
 metadata:
  name: {{ .Release.Name }}
  labels:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
  kafka:
    replicas: {{ .Values.replicas }}
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
      - name: external
        port: 9094
        {{- if .Values.external }}
        type: loadbalancer
        {{- else }}
        type: internal
        {{- end }}
        tls: false
    config:
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      default.replication.factor: 3
      min.insync.replicas: 2
    storage:
      type: jbod
      volumes:
      - id: 0
        type: persistent-claim
        {{- with .Values.kafka.size }}
        size: {{ . }}
        {{- end }}
        deleteClaim: true
  zookeeper:
    replicas: {{ .Values.replicas }}
    storage:
      type: persistent-claim
      {{- with .Values.zookeeper.size }}
      size: {{ . }}
      {{- end }}
      deleteClaim: false
  entityOperator:
    topicOperator: {}
    userOperator: {}
--- a/packages/apps/kafka/templates/topics.yaml
+++ b/packages/apps/kafka/templates/topics.yaml
@@ -1,17 +0,0 @@
 {{- range $topic := .Values.topics }}
 ---
 apiVersion: kafka.strimzi.io/v1beta2
 kind: KafkaTopic
 metadata:
  name: "{{ $.Release.Name }}-{{ kebabcase $topic.name }}"
  labels:
    strimzi.io/cluster: "{{ $.Release.Name }}"
 spec:
  topicName: "{{ $topic.name }}"
  partitions: 10
  replicas: 3
  {{- with $topic.config }}
  config:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- end }}
--- a/packages/apps/kafka/values.yaml
+++ b/packages/apps/kafka/values.yaml
@@ -1,22 +0,0 @@
 external: false
 kafka:
  size: 10Gi
  replicas: 3
 zookeeper:
  size: 5Gi
  replicas: 3
 topics:
  - name: Results
    partitions: 1
    replicas: 3
    config:
      min.insync.replicas: 2
  - name: Orders
    config:
      cleanup.policy: compact
      segment.ms: 3600000
      max.compaction.lag.ms: 5400000
      min.insync.replicas: 2
    partitions: 1
    replicationFactor: 3
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.19.0"
+appVersion: "1.16.0"
--- a/packages/apps/kubernetes/Makefile
+++ b/packages/apps/kubernetes/Makefile
@@ -1,17 +1,19 @@
 PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
 TAG := v0.1.0
 UBUNTU_CONTAINER_DISK_TAG = v1.29.1
 include ../../../scripts/common-envs.mk
 image: image-ubuntu-container-disk
 image-ubuntu-container-disk:
 	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/ubuntu-container-disk \
 		--provenance false \
-		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG)) \
+		--tag $(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG) \
-		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG)-$(TAG)) \
+		--tag $(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG)-$(TAG) \
-		--cache-from type=registry,ref=$(REGISTRY)/ubuntu-container-disk:latest \
+		--cache-from type=registry,ref=$(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG) \
 		--cache-to type=inline \
 		--metadata-file images/ubuntu-container-disk.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG))" > images/ubuntu-container-disk.tag
+	echo "$(REGISTRY)/ubuntu-container-disk:$(UBUNTU_CONTAINER_DISK_TAG)" > images/ubuntu-container-disk.tag
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.json
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:b9897860df8312928ad9fe72e6d68d9043fa3f9842d2e90c88a11d6719a47e9c",
+  "containerimage.config.digest": "sha256:ee8968be63c7c45621ec45f3687211e0875acb24e8d9784e8d2ebcbf46a3538c",
-  "containerimage.digest": "sha256:4bb2f5b9a57dc2a0f8872605d032ee3aff3f151a3b642ed74862534436d93015"
+  "containerimage.digest": "sha256:16c3c07e74212585786dc1f1ae31d3ab90a575014806193e8e37d1d7751cb084"
 }
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -64,13 +64,12 @@ metadata:
    cluster.x-k8s.io/managed-by: kamaji
  name: {{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
 {{- range $groupName, $group := .Values.nodeGroups }}
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
 kind: KubeadmConfigTemplate
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
+  name: {{ .Release.Name }}-md-0
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
 spec:
  template:
    spec:
@@ -79,7 +78,7 @@ spec:
          kubeletExtraArgs: {}
        discovery:
          bootstrapToken:
-            apiServerEndpoint: {{ $.Release.Name }}.{{ $.Release.Namespace }}.svc:6443
+            apiServerEndpoint: {{ .Release.Name }}.{{ .Release.Namespace }}.svc:6443
      initConfiguration:
        skipPhases:
        - addon/kube-proxy
@@ -87,8 +86,8 @@ spec:
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtMachineTemplate
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
+  name: {{ .Release.Name }}-md-0
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
 spec:
  template:
    spec:
@@ -96,7 +95,7 @@ spec:
        checkStrategy: ssh
      virtualMachineTemplate:
        metadata:
-          namespace: {{ $.Release.Namespace }}
+          namespace: {{ .Release.Namespace }}
        spec:
          runStrategy: Always
          template:
@@ -104,7 +103,7 @@ spec:
              domain:
                cpu:
                  threads: 1
-                  cores: {{ $group.resources.cpu }}
+                  cores: 2
                  sockets: 1
                devices:
                  disks:
@@ -113,7 +112,7 @@ spec:
                    name: containervolume
                  networkInterfaceMultiqueue: true
                memory:
-                  guest: {{ $group.resources.memory }}
+                  guest: 1024Mi
              evictionStrategy: External
              volumes:
              - containerDisk:
@@ -123,28 +122,29 @@ spec:
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
+  name: {{ .Release.Name }}-md-0
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
  annotations:
-    cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "{{ $group.minReplicas }}"
+    cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "2"
-    cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "{{ $group.maxReplicas }}"
+    cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "0"
-    capacity.cluster-autoscaler.kubernetes.io/memory: "{{ $group.resources.memory }}"
+    capacity.cluster-autoscaler.kubernetes.io/memory: "1024Mi"
-    capacity.cluster-autoscaler.kubernetes.io/cpu: "{{ $group.resources.cpu }}"
+    capacity.cluster-autoscaler.kubernetes.io/cpu: "2"
 spec:
-  clusterName: {{ $.Release.Name }}
+  clusterName: {{ .Release.Name }}
  selector:
    matchLabels: null
  template:
    spec:
      bootstrap:
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
          kind: KubeadmConfigTemplate
-          name: {{ $.Release.Name }}-{{ $groupName }}
+          name: {{ .Release.Name }}-md-0
          namespace: default
-      clusterName: {{ $.Release.Name }}
+      clusterName: {{ .Release.Name }}
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
        kind: KubevirtMachineTemplate
-        name: {{ $.Release.Name }}-{{ $groupName }}
+        name: {{ .Release.Name }}-md-0
        namespace: default
-      version: v1.29.0
+      version: v1.23.10
 {{- end }}
--- a/packages/apps/kubernetes/values.schema.json
+++ b/packages/apps/kubernetes/values.schema.json
@@ -0,0 +1,11 @@
 {
  "$schema": "http://json-schema.org/schema#",
  "type": "object",
  "properties": {
    "host": {
      "type": "string",
      "title": "Domain name for this kubernetes cluster",
      "description": "This host will be used for all apps deployed in this tenant"
    }
  }
 }
--- a/packages/apps/kubernetes/values.yaml
+++ b/packages/apps/kubernetes/values.yaml
@@ -1,10 +1 @@
 host: ""
 controlPlane:
  replicas: 2
 nodeGroups:
  md0:
    minReplicas: 0
    maxReplicas: 10
    resources:
      cpu: 2
      memory: 1024Mi
--- a/packages/apps/mysql/Chart.yaml
+++ b/packages/apps/mysql/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "11.0.2"
+appVersion: "1.16.0"
--- a/packages/apps/mysql/templates/db.yaml
+++ b/packages/apps/mysql/templates/db.yaml
@@ -1,7 +1,7 @@
 {{- range $name := .Values.databases }}
 {{ $dnsName := replace "_" "-" $name }}
 ---
-apiVersion: k8s.mariadb.com/v1alpha1
+apiVersion: mariadb.mmontes.io/v1alpha1
 kind: Database
 metadata:
  name: {{ $.Release.Name }}-{{ $dnsName }}
--- a/packages/apps/mysql/templates/mariadb.yaml
+++ b/packages/apps/mysql/templates/mariadb.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: k8s.mariadb.com/v1alpha1
+apiVersion: mariadb.mmontes.io/v1alpha1
 kind: MariaDB
 metadata:
  name: {{ .Release.Name }}
@@ -12,7 +12,7 @@ spec:
  port: 3306
-  replicas: {{ .Values.replicas }}
+  replicas: 2
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
@@ -28,18 +28,15 @@ spec:
            - {{ .Release.Name }}
        topologyKey: "kubernetes.io/hostname"
  {{- if gt (int .Values.replicas) 1 }}
  replication:
    enabled: true
    #primary:
    #  podIndex: 0
    #  automaticFailover: true
  {{- end }}
  metrics:
    enabled: true
    exporter:
-      image: prom/mysqld-exporter:v0.15.1
+      image: prom/mysqld-exporter:v0.14.0
      resources:
        requests:
          cpu: 50m
@@ -56,10 +53,14 @@ spec:
    name: {{ .Release.Name }}-my-cnf
    key: config
-  storage:
+  volumeClaimTemplate:
-    size: {{ .Values.size }}
+    resources:
-    resizeInUseVolumes: true
+      requests:
-    waitForVolumeResize: true
+        storage: {{ .Values.size }}
    accessModes:
      - ReadWriteOnce
  {{- if .Values.external }}
  primaryService:
--- a/packages/apps/mysql/templates/user.yaml
+++ b/packages/apps/mysql/templates/user.yaml
@@ -2,7 +2,7 @@
 {{ if not (eq $name "root") }}
 {{ $dnsName := replace "_" "-" $name }}
 ---
-apiVersion: k8s.mariadb.com/v1alpha1
+apiVersion: mariadb.mmontes.io/v1alpha1
 kind: User
 metadata:
  name: {{ $.Release.Name }}-{{ $dnsName }}
@@ -15,7 +15,7 @@ spec:
    key: {{ $name }}-password
  maxUserConnections: {{ $u.maxUserConnections }}
 ---
-apiVersion: k8s.mariadb.com/v1alpha1
+apiVersion: mariadb.mmontes.io/v1alpha1
 kind: Grant
 metadata:
  name: {{ $.Release.Name }}-{{ $dnsName }}
--- a/packages/apps/mysql/values.yaml
+++ b/packages/apps/mysql/values.yaml
@@ -1,8 +1,6 @@
 external: false
 size: 10Gi
 replicas: 2
 users:
  root:
    password: strongpassword
--- a/packages/apps/postgres/Chart.yaml
+++ b/packages/apps/postgres/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "16.2"
+appVersion: "1.16.0"
--- a/packages/apps/postgres/templates/db.yaml
+++ b/packages/apps/postgres/templates/db.yaml
@@ -4,7 +4,7 @@ kind: Cluster
 metadata:
  name: {{ .Release.Name }}
 spec:
-  instances: {{ .Values.replicas }}
+  instances: 2
  enableSuperuserAccess: true
  postgresql:
--- a/packages/apps/postgres/values.yaml
+++ b/packages/apps/postgres/values.yaml
@@ -1,6 +1,5 @@
 external: false
 size: 10Gi
 replicas: 2
 users:
  user1:
--- a/packages/apps/rabbitmq/Chart.yaml
+++ b/packages/apps/rabbitmq/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.12.2"
+appVersion: "1.16.0"
--- a/packages/apps/rabbitmq/templates/rabbitmq.yaml
+++ b/packages/apps/rabbitmq/templates/rabbitmq.yaml
@@ -6,7 +6,7 @@ metadata:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.replicas }}
+  replicas: 3
  {{- if .Values.external }}
  service:
    type: LoadBalancer
--- a/packages/apps/rabbitmq/values.schema.json
+++ b/packages/apps/rabbitmq/values.schema.json
@@ -5,10 +5,6 @@
    "external": {
      "type": "boolean",
      "title": "Enable external Access"
    },
    "replicas": {
      "type": "integer",
      "title": "Replicas"
    }
  }
 }
--- a/packages/apps/rabbitmq/values.yaml
+++ b/packages/apps/rabbitmq/values.yaml
@@ -1,2 +1 @@
 replicas: 3
 external: false
--- a/packages/apps/redis/Chart.yaml
+++ b/packages/apps/redis/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "6.2.6"
+appVersion: "1.16.0"
--- a/packages/apps/redis/templates/redisfailover.yaml
+++ b/packages/apps/redis/templates/redisfailover.yaml
@@ -14,7 +14,7 @@ spec:
      limits:
        memory: 100Mi
  redis:
-    replicas: {{ .Values.replicas }}
+    replicas: 3
    resources:
      requests:
        cpu: 150m
--- a/packages/apps/redis/values.schema.json
+++ b/packages/apps/redis/values.schema.json
@@ -9,10 +9,6 @@
    "size": {
      "type": "string",
      "title": "Disk Size"
    },
    "replicas": {
      "type": "integer",
      "title": "Replicas"
    }
  }
 }
--- a/packages/apps/redis/values.yaml
+++ b/packages/apps/redis/values.yaml
@@ -1,3 +1,2 @@
 replicas: 2
 external: false
 size: 5Gi
--- a/packages/apps/tcp-balancer/Chart.yaml
+++ b/packages/apps/tcp-balancer/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.9.7"
+appVersion: "1.16.0"
--- a/packages/apps/tcp-balancer/templates/deployment.yaml
+++ b/packages/apps/tcp-balancer/templates/deployment.yaml
@@ -7,7 +7,7 @@ metadata:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.replicas }}
+  replicas: 2
  selector:
    matchLabels:
      app: {{ .Release.Name }}-haproxy
--- a/packages/apps/tcp-balancer/values.yaml
+++ b/packages/apps/tcp-balancer/values.yaml
@@ -1,5 +1,4 @@
 external: false
 replicas: 2
 httpAndHttps:
  mode: tcp
  targetPorts:
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -1,26 +1,14 @@
-clickhouse 0.1.0 ca79f72
+http-cache 0.1.0 HEAD
-clickhouse 0.2.0 HEAD
+kubernetes 0.1.0 HEAD
-http-cache 0.1.0 a956713
+mysql 0.1.0 HEAD
-http-cache 0.2.0 HEAD
+postgres 0.1.0 HEAD
-kafka 0.1.0 HEAD
+rabbitmq 0.1.0 HEAD
-kubernetes 0.1.0 f642698
+redis 0.1.1 HEAD
-kubernetes 0.2.0 HEAD
+tcp-balancer 0.1.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
 postgres 0.1.0 f642698
 postgres 0.2.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 HEAD
 tcp-balancer 0.1.0 f642698
 tcp-balancer 0.2.0 HEAD
 tenant 0.1.3 3d1b86c
 tenant 0.1.4 d200480
 tenant 0.1.5 e3ab858
 tenant 1.0.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 HEAD
-vpn 0.1.0 f642698
+vpn 0.1.0 HEAD
 vpn 0.2.0 HEAD
--- a/packages/apps/vpn/Chart.yaml
+++ b/packages/apps/vpn/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vpn
-description: Managed VPN service
+description: Establish a connection from your computer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/Outline_VPN_icon.png/600px-Outline_VPN_icon.png
 # A chart can be either an 'application' or a 'library' chart.
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.8.1"
+appVersion: "1.16.0"
--- a/packages/apps/vpn/templates/deployment.yaml
+++ b/packages/apps/vpn/templates/deployment.yaml
@@ -4,7 +4,7 @@ kind: Deployment
 metadata:
  name: {{ .Release.Name }}-vpn
 spec:
-  replicas: {{ .Values.replicas }}
+  replicas: 2
  selector:
    matchLabels:
      app: {{ .Release.Name }}-vpn
--- a/packages/apps/vpn/values.yaml
+++ b/packages/apps/vpn/values.yaml
@@ -1,5 +1,4 @@
 external: false
 replicas: 2
 users:
  user1:
--- a/packages/core/Makefile
+++ b/packages/core/Makefile
@@ -0,0 +1,4 @@
 gen: fix-chartnames
 fix-chartnames:
 	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do printf "name: cozy-%s\nversion: 1.0.0\n" "$$i" > "$$i/Chart.yaml"; done
--- a/packages/core/fluxcd/Chart.yaml
+++ b/packages/core/fluxcd/Chart.yaml
@@ -1,3 +0,0 @@
 apiVersion: v2
 name: cozy-fluxcd
 version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
--- a/packages/core/fluxcd/Makefile
+++ b/packages/core/fluxcd/Makefile
@@ -1,13 +0,0 @@
 NAME=fluxcd
 NAMESPACE=cozy-$(NAME)
 API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions))
 show:
 	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS)
 apply:
 	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f-
 diff:
 	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-
--- a/packages/core/fluxcd/charts/flux2/templates/helm-controller.crds.yaml
+++ b/packages/core/fluxcd/charts/flux2/templates/helm-controller.crds.yaml
--- a/packages/core/installer/Chart.yaml
+++ b/packages/core/installer/Chart.yaml
@@ -1,3 +1,2 @@
 apiVersion: v2
 name: cozy-installer
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -1,10 +1,11 @@
 NAMESPACE=cozy-installer
 NAME=installer
-NAMESPACE=cozy-system
+PUSH := 1
-
+LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
 TAG := v0.1.0
 TALOS_VERSION=$(shell awk '/^version:/ {print $$2}' images/talos/profiles/installer.yaml)
 include ../../../scripts/common-envs.mk
 show:
 	helm template -n $(NAMESPACE) $(NAME) .
@@ -20,40 +21,39 @@ update:
 image: image-cozystack image-talos image-matchbox
 image-cozystack:
 	make -C ../../.. repos
 	docker buildx build -f images/cozystack/Dockerfile ../../.. \
 		--provenance false \
-		--tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \
+		--tag $(REGISTRY)/cozystack:$(TAG) \
-		--cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \
+		--cache-from type=registry,ref=$(REGISTRY)/cozystack:$(TAG) \
 		--cache-to type=inline \
 		--metadata-file images/cozystack.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/cozystack:$(call settag,$(TAG))" > images/cozystack.tag
+	echo "$(REGISTRY)/cozystack:$(TAG)" > images/cozystack.tag
 image-talos:
 	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
 	docker load -i ../../../_out/assets/installer-amd64.tar
-	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
+	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(TALOS_VERSION)
-	docker push ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
+	docker push ghcr.io/aenix-io/cozystack/talos:$(TALOS_VERSION)
 image-matchbox:
 	test -f ../../../_out/assets/kernel-amd64 || make talos-kernel
 	test -f ../../../_out/assets/initramfs-metal-amd64.xz || make talos-initramfs
 	docker buildx build -f images/matchbox/Dockerfile ../../.. \
 		--provenance false \
-		--tag $(REGISTRY)/matchbox:$(call settag,$(TAG)) \
+		--tag $(REGISTRY)/matchbox:$(TAG) \
-		--tag $(REGISTRY)/matchbox:$(call settag,$(TALOS_VERSION)-$(TAG)) \
+		--tag $(REGISTRY)/matchbox:$(TALOS_VERSION)-$(TAG) \
-		--cache-from type=registry,ref=$(REGISTRY)/matchbox:latest \
+		--cache-from type=registry,ref=$(REGISTRY)/matchbox:$(TALOS_VERSION) \
 		--cache-to type=inline \
 		--metadata-file images/matchbox.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/matchbox:$(call settag,$(TALOS_VERSION))" > images/matchbox.tag
+	echo "$(REGISTRY)/matchbox:$(TALOS_VERSION)" > images/matchbox.tag
-assets: talos-iso talos-nocloud
+assets: talos-iso
-talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud:
+talos-initramfs talos-kernel talos-installer talos-iso:
 	mkdir -p ../../../_out/assets
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
 		docker run --rm -i -v /dev:/dev --privileged "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" --tar-to-stdout - | \
--- a/packages/core/installer/hack/gen-profiles.sh
+++ b/packages/core/installer/hack/gen-profiles.sh
@@ -2,7 +2,7 @@
 set -e
 set -u
-PROFILES="initramfs kernel iso installer nocloud"
+PROFILES="initramfs kernel iso installer"
 FIRMWARES="amd-ucode amdgpu-firmware bnx2-bnx2x i915-ucode intel-ice-firmware intel-ucode qlogic-firmware"
 EXTENSIONS="drbd zfs"
@@ -32,14 +32,6 @@ done
 for profile in $PROFILES; do
  echo "writing profile images/talos/profiles/$profile.yaml"
  if [ "$profile" = "nocloud" ]; then
    image_options="{ diskSize: 1306525696, diskFormat: raw }"
    out_format=".xz"
  else
    image_options="{}"
    out_format="raw"
  fi
  cat > images/talos/profiles/$profile.yaml <<EOT
 # this file generated by hack/gen-profiles.sh
 # do not edit it
@@ -66,7 +58,6 @@ input:
    - imageRef: ghcr.io/siderolabs/zfs:${ZFS_VERSION}
 output:
  kind: ${profile}
-  imageOptions: ${image_options}
+  outFormat: raw
  outFormat: ${out_format}
 EOT
 done
--- a/packages/core/installer/images/cozystack.json
+++ b/packages/core/installer/images/cozystack.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:cdc933718b278fcbd123895797e007dc841ccbb577069a4df410f51040ef5a4d",
+  "containerimage.config.digest": "sha256:ec8a4983a663f06a1503507482667a206e83e0d8d3663dff60ced9221855d6b0",
-  "containerimage.digest": "sha256:1fa036a246fd229fc9f8ce5a98d0f9770551d8cfba5632e028b855149112d5db"
+  "containerimage.digest": "sha256:abb7b2fbc1f143c922f2a35afc4423a74b2b63c0bddfe620750613ed835aa861"
 }
--- a/packages/core/installer/images/cozystack.tag
+++ b/packages/core/installer/images/cozystack.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.4.0
+ghcr.io/aenix-io/cozystack/cozystack:v0.1.0
--- a/packages/core/installer/images/matchbox.json
+++ b/packages/core/installer/images/matchbox.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:95dd75e173744fb8665e4633a52d9386d976b50a646657b94e223495c1fab015",
+  "containerimage.config.digest": "sha256:b869a6324f9c0e6d1dd48eee67cbe3842ee14efd59bdde477736ad2f90568ff7",
-  "containerimage.digest": "sha256:a965c907707162bd4ce8b1bf0478217640a97a14d58cd54a43f8517a2601a16e"
+  "containerimage.digest": "sha256:c30b237c5fa4fbbe47e1aba56e8f99569fe865620aa1953f31fc373794123cd7"
 }
--- a/packages/core/installer/images/talos/profiles/nocloud.yaml
+++ b/packages/core/installer/images/talos/profiles/nocloud.yaml
@@ -1,27 +0,0 @@
 # this file generated by hack/gen-profiles.sh
 # do not edit it
 arch: amd64
 platform: metal
 secureboot: false
 version: v1.6.4
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
    imageRef: ghcr.io/siderolabs/installer:v1.6.4
  systemExtensions:
    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
 output:
  kind: image
  imageOptions: { diskSize: 1306525696, diskFormat: raw }
  outFormat: .xz
--- a/packages/core/installer/templates/cozystack.yaml
+++ b/packages/core/installer/templates/cozystack.yaml
@@ -12,6 +12,12 @@ metadata:
  name: cozystack
  namespace: cozy-system
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cozystack
  namespace: cozy-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -76,9 +82,6 @@ spec:
      - key: "node.kubernetes.io/not-ready"
        operator: "Exists"
        effect: "NoSchedule"
      - key: "node.cilium.io/agent-not-ready"
        operator: "Exists"
        effect: "NoSchedule"
 ---
 apiVersion: v1
 kind: Service
--- a/packages/core/platform/Chart.yaml
+++ b/packages/core/platform/Chart.yaml
@@ -1,3 +1,2 @@
 apiVersion: v2
 name: cozy-platform
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0
--- a/packages/core/platform/Makefile
+++ b/packages/core/platform/Makefile
@@ -1,5 +1,5 @@
 NAME=platform
 NAMESPACE=cozy-system
 NAME=platform
 API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions))
@@ -13,7 +13,7 @@ namespaces-show:
 	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml
 namespaces-apply:
-	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml | kubectl apply -n $(NAMESPACE) -f-
+	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml | kubectl apply -f-
 diff:
-	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -f-
+	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml | kubectl diff -f-
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -1,120 +0,0 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 releases:
 - name: cilium
  releaseName: cilium
  chart: cozy-cilium
  namespace: cozy-cilium
  privileged: true
  dependsOn: []
  values:
    cilium:
      bpf:
        masquerade: true
      cni:
        chainingMode: ~
        customConf: false
        configMap: ""
      enableIPv4Masquerade: true
      enableIdentityMark: true
      ipv4NativeRoutingCIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"
      autoDirectNodeRoutes: true
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
  namespace: cozy-cert-manager
  dependsOn: [cilium]
 - name: cert-manager-issuers
  releaseName: cert-manager-issuers
  chart: cozy-cert-manager-issuers
  namespace: cozy-cert-manager
  dependsOn: [cilium,cert-manager]
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  dependsOn: [cilium,cert-manager]
 - name: monitoring
  releaseName: monitoring
  chart: cozy-monitoring
  namespace: cozy-monitoring
  privileged: true
  dependsOn: [cilium,victoria-metrics-operator]
 - name: metallb
  releaseName: metallb
  chart: cozy-metallb
  namespace: cozy-metallb
  privileged: true
  dependsOn: [cilium]
 - name: etcd-operator
  releaseName: etcd-operator
  chart: cozy-etcd-operator
  namespace: cozy-etcd-operator
  dependsOn: [cilium,cert-manager]
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
  namespace: cozy-grafana-operator
  dependsOn: [cilium]
 - name: mariadb-operator
  releaseName: mariadb-operator
  chart: cozy-mariadb-operator
  namespace: cozy-mariadb-operator
  dependsOn: [cilium,cert-manager,victoria-metrics-operator]
 - name: postgres-operator
  releaseName: postgres-operator
  chart: cozy-postgres-operator
  namespace: cozy-postgres-operator
  dependsOn: [cilium,cert-manager]
 - name: kafka-operator
  releaseName: kafka-operator
  chart: cozy-kafka-operator
  namespace: cozy-kafka-operator
  dependsOn: [cilium,kubeovn]
 - name: clickhouse-operator
  releaseName: clickhouse-operator
  chart: cozy-clickhouse-operator
  namespace: cozy-clickhouse-operator
  dependsOn: [cilium,kubeovn]
 - name: rabbitmq-operator
  releaseName: rabbitmq-operator
  chart: cozy-rabbitmq-operator
  namespace: cozy-rabbitmq-operator
  dependsOn: [cilium]
 - name: redis-operator
  releaseName: redis-operator
  chart: cozy-redis-operator
  namespace: cozy-redis-operator
  dependsOn: [cilium]
 - name: piraeus-operator
  releaseName: piraeus-operator
  chart: cozy-piraeus-operator
  namespace: cozy-linstor
  dependsOn: [cilium,cert-manager]
 - name: linstor
  releaseName: linstor
  chart: cozy-linstor
  namespace: cozy-linstor
  privileged: true
  dependsOn: [piraeus-operator,cilium,cert-manager]
 - name: telepresence
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
  dependsOn: []
--- a/packages/core/platform/bundles/distro-hosted.yaml
+++ b/packages/core/platform/bundles/distro-hosted.yaml
@@ -1,81 +0,0 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 releases:
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
  namespace: cozy-cert-manager
  dependsOn: []
 - name: cert-manager-issuers
  releaseName: cert-manager-issuers
  chart: cozy-cert-manager-issuers
  namespace: cozy-cert-manager
  dependsOn: [cert-manager]
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  dependsOn: [cert-manager]
 - name: monitoring
  releaseName: monitoring
  chart: cozy-monitoring
  namespace: cozy-monitoring
  privileged: true
  dependsOn: [victoria-metrics-operator]
 - name: etcd-operator
  releaseName: etcd-operator
  chart: cozy-etcd-operator
  namespace: cozy-etcd-operator
  dependsOn: [cert-manager]
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
  namespace: cozy-grafana-operator
  dependsOn: []
 - name: mariadb-operator
  releaseName: mariadb-operator
  chart: cozy-mariadb-operator
  namespace: cozy-mariadb-operator
  dependsOn: [victoria-metrics-operator]
 - name: postgres-operator
  releaseName: postgres-operator
  chart: cozy-postgres-operator
  namespace: cozy-postgres-operator
  dependsOn: [cert-manager]
 - name: kafka-operator
  releaseName: kafka-operator
  chart: cozy-kafka-operator
  namespace: cozy-kafka-operator
  dependsOn: [cilium,kubeovn]
 - name: clickhouse-operator
  releaseName: clickhouse-operator
  chart: cozy-clickhouse-operator
  namespace: cozy-clickhouse-operator
  dependsOn: [cilium,kubeovn]
 - name: rabbitmq-operator
  releaseName: rabbitmq-operator
  chart: cozy-rabbitmq-operator
  namespace: cozy-rabbitmq-operator
  dependsOn: []
 - name: redis-operator
  releaseName: redis-operator
  chart: cozy-redis-operator
  namespace: cozy-redis-operator
  dependsOn: []
 - name: telepresence
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
  dependsOn: []
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -1,189 +0,0 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 releases:
 - name: cilium
  releaseName: cilium
  chart: cozy-cilium
  namespace: cozy-cilium
  privileged: true
  dependsOn: []
 - name: kubeovn
  releaseName: kubeovn
  chart: cozy-kubeovn
  namespace: cozy-kubeovn
  privileged: true
  dependsOn: [cilium]
  values:
    cozystack:
      nodesHash: {{ include "cozystack.master-node-ips" . | sha256sum }}
    kube-ovn:
      ipv4:
        POD_CIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"
        POD_GATEWAY: "{{ index $cozyConfig.data "ipv4-pod-gateway" }}"
        SVC_CIDR: "{{ index $cozyConfig.data "ipv4-svc-cidr" }}"
        JOIN_CIDR: "{{ index $cozyConfig.data "ipv4-join-cidr" }}"
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
  namespace: cozy-cert-manager
  dependsOn: [cilium,kubeovn]
 - name: cert-manager-issuers
  releaseName: cert-manager-issuers
  chart: cozy-cert-manager-issuers
  namespace: cozy-cert-manager
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: monitoring
  releaseName: monitoring
  chart: cozy-monitoring
  namespace: cozy-monitoring
  privileged: true
  dependsOn: [cilium,kubeovn,victoria-metrics-operator]
 - name: kubevirt-operator
  releaseName: kubevirt-operator
  chart: cozy-kubevirt-operator
  namespace: cozy-kubevirt
  dependsOn: [cilium,kubeovn]
 - name: kubevirt
  releaseName: kubevirt
  chart: cozy-kubevirt
  namespace: cozy-kubevirt
  privileged: true
  dependsOn: [cilium,kubeovn,kubevirt-operator]
 - name: kubevirt-cdi-operator
  releaseName: kubevirt-cdi-operator
  chart: cozy-kubevirt-cdi-operator
  namespace: cozy-kubevirt-cdi
  dependsOn: [cilium,kubeovn]
 - name: kubevirt-cdi
  releaseName: kubevirt-cdi
  chart: cozy-kubevirt-cdi
  namespace: cozy-kubevirt-cdi
  dependsOn: [cilium,kubeovn,kubevirt-cdi-operator]
 - name: metallb
  releaseName: metallb
  chart: cozy-metallb
  namespace: cozy-metallb
  privileged: true
  dependsOn: [cilium,kubeovn]
 - name: etcd-operator
  releaseName: etcd-operator
  chart: cozy-etcd-operator
  namespace: cozy-etcd-operator
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
  namespace: cozy-grafana-operator
  dependsOn: [cilium,kubeovn]
 - name: mariadb-operator
  releaseName: mariadb-operator
  chart: cozy-mariadb-operator
  namespace: cozy-mariadb-operator
  dependsOn: [cilium,kubeovn,cert-manager,victoria-metrics-operator]
 - name: postgres-operator
  releaseName: postgres-operator
  chart: cozy-postgres-operator
  namespace: cozy-postgres-operator
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: kafka-operator
  releaseName: kafka-operator
  chart: cozy-kafka-operator
  namespace: cozy-kafka-operator
  dependsOn: [cilium,kubeovn]
 - name: clickhouse-operator
  releaseName: clickhouse-operator
  chart: cozy-clickhouse-operator
  namespace: cozy-clickhouse-operator
  dependsOn: [cilium,kubeovn]
 - name: rabbitmq-operator
  releaseName: rabbitmq-operator
  chart: cozy-rabbitmq-operator
  namespace: cozy-rabbitmq-operator
  dependsOn: [cilium,kubeovn]
 - name: redis-operator
  releaseName: redis-operator
  chart: cozy-redis-operator
  namespace: cozy-redis-operator
  dependsOn: [cilium,kubeovn]
 - name: piraeus-operator
  releaseName: piraeus-operator
  chart: cozy-piraeus-operator
  namespace: cozy-linstor
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: linstor
  releaseName: linstor
  chart: cozy-linstor
  namespace: cozy-linstor
  privileged: true
  dependsOn: [piraeus-operator,cilium,kubeovn,cert-manager]
 - name: telepresence
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
  dependsOn: [cilium,kubeovn]
 - name: dashboard
  releaseName: dashboard
  chart: cozy-dashboard
  namespace: cozy-dashboard
  dependsOn: [cilium,kubeovn]
  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
  values:
    kubeapps:
      redis:
        master:
          podAnnotations:
            {{- range $index, $repo := . }}
            {{- with (($repo.status).artifact).revision }}
            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
            {{- end }}
            {{- end }}
  {{- end }}
  {{- end }}
 - name: kamaji
  releaseName: kamaji
  chart: cozy-kamaji
  namespace: cozy-kamaji
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: capi-operator
  releaseName: capi-operator
  chart: cozy-capi-operator
  namespace: cozy-cluster-api
  privileged: true
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: capi-providers
  releaseName: capi-providers
  chart: cozy-capi-providers
  namespace: cozy-cluster-api
  privileged: true
  dependsOn: [cilium,kubeovn,capi-operator]
--- a/packages/core/platform/bundles/paas-hosted.yaml
+++ b/packages/core/platform/bundles/paas-hosted.yaml
@@ -1,107 +0,0 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 releases:
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
  namespace: cozy-cert-manager
  dependsOn: []
 - name: cert-manager-issuers
  releaseName: cert-manager-issuers
  chart: cozy-cert-manager-issuers
  namespace: cozy-cert-manager
  dependsOn: [cert-manager]
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  dependsOn: [cert-manager]
 - name: monitoring
  releaseName: monitoring
  chart: cozy-monitoring
  namespace: cozy-monitoring
  privileged: true
  dependsOn: [victoria-metrics-operator]
 - name: etcd-operator
  releaseName: etcd-operator
  chart: cozy-etcd-operator
  namespace: cozy-etcd-operator
  dependsOn: [cert-manager]
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
  namespace: cozy-grafana-operator
  dependsOn: []
 - name: mariadb-operator
  releaseName: mariadb-operator
  chart: cozy-mariadb-operator
  namespace: cozy-mariadb-operator
  dependsOn: [cert-manager,victoria-metrics-operator]
 - name: postgres-operator
  releaseName: postgres-operator
  chart: cozy-postgres-operator
  namespace: cozy-postgres-operator
  dependsOn: [cert-manager]
 - name: kafka-operator
  releaseName: kafka-operator
  chart: cozy-kafka-operator
  namespace: cozy-kafka-operator
  dependsOn: [cilium,kubeovn]
 - name: clickhouse-operator
  releaseName: clickhouse-operator
  chart: cozy-clickhouse-operator
  namespace: cozy-clickhouse-operator
  dependsOn: [cilium,kubeovn]
 - name: rabbitmq-operator
  releaseName: rabbitmq-operator
  chart: cozy-rabbitmq-operator
  namespace: cozy-rabbitmq-operator
  dependsOn: []
 - name: redis-operator
  releaseName: redis-operator
  chart: cozy-redis-operator
  namespace: cozy-redis-operator
  dependsOn: []
 - name: piraeus-operator
  releaseName: piraeus-operator
  chart: cozy-piraeus-operator
  namespace: cozy-linstor
  dependsOn: [cert-manager]
 - name: telepresence
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
  dependsOn: []
 - name: dashboard
  releaseName: dashboard
  chart: cozy-dashboard
  namespace: cozy-dashboard
  dependsOn: []
  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
  values:
    kubeapps:
      redis:
        master:
          podAnnotations:
            {{- range $index, $repo := . }}
            {{- with (($repo.status).artifact).revision }}
            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
            {{- end }}
            {{- end }}
  {{- end }}
  {{- end }}
--- a/packages/core/platform/templates/_helpers.tpl
+++ b/packages/core/platform/templates/_helpers.tpl
@@ -1,7 +1,7 @@
 {{/*
 Get IP-addresses of master nodes
 */}}
-{{- define "cozystack.master-node-ips" -}}
+{{- define "master.nodeIPs" -}}
 {{- $nodes := lookup "v1" "Node" "" "" -}}
 {{- $ips := list -}}
 {{- range $node := $nodes.items -}}
--- a/packages/core/platform/templates/apps.yaml
+++ b/packages/core/platform/templates/apps.yaml
@@ -1,10 +1,7 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $bundleName := index $cozyConfig.data "bundle-name" }}
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $host := "example.org" }}
 {{- $tenantRoot := list }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta2" }}
+{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta1" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta2" "HelmRelease" "tenant-root" "tenant-root" }}
+{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta1" "HelmRelease" "tenant-root" "tenant-root" }}
 {{- end }}
 {{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
 {{- $host = $tenantRoot.spec.values.host }}
@@ -22,7 +19,7 @@ metadata:
    namespace.cozystack.io/host: "{{ $host }}"
  name: tenant-root
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: tenant-root
@@ -48,9 +45,7 @@ spec:
  values:
    host: "{{ $host }}"
  dependsOn:
-  {{- range $x := $bundle.releases }}
+  - name: cilium
-  {{- if has $x.name (list "cilium" "kubeovn") }}
+    namespace: cozy-cilium
-  - name: {{ $x.name }}
+  - name: kubeovn
-    namespace: {{ $x.namespace }}
+    namespace: cozy-kubeovn
  {{- end }}
  {{- end }}
--- a/packages/core/platform/templates/helmreleases.yaml
+++ b/packages/core/platform/templates/helmreleases.yaml
@@ -1,62 +1,758 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 {{- $bundleName := index $cozyConfig.data "bundle-name" }}
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $dependencyNamespaces := dict }}
 {{- $disabledComponents := splitList "," ((index $cozyConfig.data "bundle-disable") | default "") }}
 {{/* collect dependency namespaces from releases */}}
 {{- range $x := $bundle.releases }}
 {{- $_ := set $dependencyNamespaces $x.name $x.namespace }}
 {{- end }}
 {{- range $x := $bundle.releases }}
 {{- if not (has $x.name $disabledComponents) }}
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
-  name: {{ $x.name }}
+  name: cilium
-  namespace: {{ $x.namespace }}
+  namespace: cozy-cilium
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
-  releaseName: {{ $x.releaseName | default $x.name }}
+  releaseName: cilium
  install:
    crds: CreateReplace
    remediation:
      retries: -1
  upgrade:
    crds: CreateReplace
    remediation:
      retries: -1
  chart:
    spec:
-      chart: {{ $x.chart }}
+      chart: cozy-cilium
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kubeovn
  namespace: cozy-kubeovn
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kubeovn
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kubeovn
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  {{- $values := dict }}
  {{- with $x.values }}
  {{- $values = merge . $values }}
  {{- end }}
  {{- with index $cozyConfig.data (printf "values-%s" $x.name) }}
  {{- $values = merge (fromYaml .) $values }}
  {{- end }}
  {{- with $values }}
  values:
-    {{- toYaml . | nindent 4}}
+    cozystack:
-  {{- end }}
+      configHash: {{ index (lookup "v1" "ConfigMap" "cozy-system" "cozystack") "data" | toJson | sha256sum }}
-  {{- with $x.dependsOn }}
+      nodesHash: {{ include "master.nodeIPs" . | sha256sum }}
  dependsOn:
-  {{- range $dep := . }}
+  - name: cilium
-  {{- if not (has $dep $disabledComponents) }}
+    namespace: cozy-cilium
-  - name: {{ $dep }}
+---
-    namespace: {{ index $dependencyNamespaces $dep }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: cozy-fluxcd
  namespace: cozy-fluxcd
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: fluxcd
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-fluxcd
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: cert-manager
  namespace: cozy-cert-manager
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: cert-manager
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-cert-manager
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: cert-manager-issuers
  namespace: cozy-cert-manager
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: cert-manager-issuers
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-cert-manager-issuers
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: victoria-metrics-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-victoria-metrics-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: monitoring
  namespace: cozy-monitoring
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: monitoring
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-monitoring
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: victoria-metrics-operator
    namespace: cozy-victoria-metrics-operator
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kubevirt-operator
  namespace: cozy-kubevirt
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kubevirt-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kubevirt-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kubevirt
  namespace: cozy-kubevirt
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kubevirt
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kubevirt
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: kubevirt-operator
    namespace: cozy-kubevirt
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kubevirt-cdi-operator
  namespace: cozy-kubevirt-cdi
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kubevirt-cdi-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kubevirt-cdi-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kubevirt-cdi
  namespace: cozy-kubevirt-cdi
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kubevirt-cdi
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kubevirt-cdi
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: kubevirt-cdi-operator
    namespace: cozy-kubevirt-cdi
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: metallb
  namespace: cozy-metallb
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: metallb
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-metallb
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: grafana-operator
  namespace: cozy-grafana-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: grafana-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-grafana-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: mariadb-operator
  namespace: cozy-mariadb-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: mariadb-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-mariadb-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
  - name: victoria-metrics-operator
    namespace: cozy-victoria-metrics-operator
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: postgres-operator
  namespace: cozy-postgres-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: postgres-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-postgres-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: rabbitmq-operator
  namespace: cozy-rabbitmq-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: rabbitmq-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-rabbitmq-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: redis-operator
  namespace: cozy-redis-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: redis-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-redis-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: piraeus-operator
  namespace: cozy-linstor
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: piraeus-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-piraeus-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: linstor
  namespace: cozy-linstor
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: linstor
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-linstor
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: piraeus-operator
    namespace: cozy-linstor
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: telepresence
  namespace: cozy-telepresence
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: traffic-manager
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-telepresence
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: dashboard
  namespace: cozy-dashboard
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: dashboard
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-dashboard
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
  values:
    kubeapps:
      redis:
        master:
          podAnnotations:
            {{- range $index, $repo := . }}
            {{- with (($repo.status).artifact).revision }}
            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
            {{- end }}
            {{- end }}
  {{- end }}
-{{- end }}
+  {{- end }}
-{{- end }}
+---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kamaji
  namespace: cozy-kamaji
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kamaji
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kamaji
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: capi-operator
  namespace: cozy-cluster-api
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: capi-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-capi-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: capi-providers
  namespace: cozy-cluster-api
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: capi-providers
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-capi-providers
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: capi-operator
    namespace: cozy-cluster-api
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
--- a/packages/core/platform/templates/namespaces.yaml
+++ b/packages/core/platform/templates/namespaces.yaml
@@ -1,33 +1,13 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- range $ns := .Values.namespaces }}
 {{- $bundleName := index $cozyConfig.data "bundle-name" }}
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $namespaces := dict }}
 {{/* collect namespaces from releases */}}
 {{- range $x := $bundle.releases }}
 {{- if not (hasKey $namespaces $x.namespace) }}
 {{- $_ := set $namespaces $x.namespace false }}
 {{- end }}
 {{/* if at least one release requires a privileged namespace, then it should be privileged */}}
 {{- if or $x.privileged (index $namespaces $x.namespace) }}
 {{- $_ := set $namespaces $x.namespace true }}
 {{- end }}
 {{- end }}
 {{/* Add extra namespaces */}}
 {{- $_ := set $namespaces "cozy-public" false }}
 {{- $_ := set $namespaces "cozy-fluxcd" false }}
 {{- range $namespace, $privileged := $namespaces }}
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  annotations:
    "helm.sh/resource-policy": keep
-  {{- if $privileged }}
+  {{- if $ns.privileged }}
  labels:
    pod-security.kubernetes.io/enforce: privileged
  {{- end }}
-  name: {{ $namespace }}
+  name: {{ $ns.name }}
 {{- end }}
--- a/packages/core/platform/values.yaml
+++ b/packages/core/platform/values.yaml
@@ -0,0 +1,30 @@
 namespaces:
 - name: cozy-public
 - name: cozy-system
  privileged: true
 - name: cozy-cert-manager
 - name: cozy-cilium
  privileged: true
 - name: cozy-fluxcd
 - name: cozy-grafana-operator
 - name: cozy-kamaji
 - name: cozy-cluster-api
  privileged: true # for capk only
 - name: cozy-dashboard
 - name: cozy-kubeovn
  privileged: true
 - name: cozy-kubevirt
  privileged: true
 - name: cozy-kubevirt-cdi
 - name: cozy-linstor
  privileged: true
 - name: cozy-mariadb-operator
 - name: cozy-metallb
  privileged: true
 - name: cozy-monitoring
  privileged: true
 - name: cozy-postgres-operator
 - name: cozy-rabbitmq-operator
 - name: cozy-redis-operator
 - name: cozy-telepresence
 - name: cozy-victoria-metrics-operator
--- a/packages/extra/Makefile
+++ b/packages/extra/Makefile
@@ -7,7 +7,7 @@ repo:
 	awk '$$3 != "HEAD" {print "mkdir -p $(TMP)/" $$1 "-" $$2}' versions_map | sh -ex
 	awk '$$3 != "HEAD" {print "git archive " $$3 " " $$1 " | tar -xf- --strip-components=1 -C $(TMP)/" $$1 "-" $$2 }' versions_map | sh -ex
 	helm package -d "$(OUT)" $$(find . $(TMP) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")' | sort -V)
-	cd "$(OUT)" && helm repo index . --url http://cozystack.cozy-system.svc/repos/extra
+	cd "$(OUT)" && helm repo index .
 	rm -rf "$(TMP)"
 fix-chartnames:
--- a/packages/extra/etcd/Chart.yaml
+++ b/packages/extra/etcd/Chart.yaml
@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: https://www.svgrepo.com/show/353714/etcd.svg
 type: application
-version: 2.0.0
+version: 1.0.0
--- a/packages/extra/etcd/templates/datastore.yaml
+++ b/packages/extra/etcd/templates/datastore.yaml
@@ -1,36 +0,0 @@
 ---
 apiVersion: kamaji.clastix.io/v1alpha1
 kind: DataStore
 metadata:
  name: {{ .Release.Namespace }}
  annotations:
    helm.sh/hook: post-install,post-upgrade
 spec:
  driver: etcd
  endpoints:
  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc:2379
  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc:2379
  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc:2379
  tlsConfig:
    certificateAuthority:
      certificate:
        secretReference:
          keyPath: tls.crt
          name: etcd-ca-tls
          namespace: {{ .Release.Namespace }}
      privateKey:
        secretReference:
          keyPath: tls.key
          name: etcd-ca-tls
          namespace: {{ .Release.Namespace }}
    clientCertificate:
      certificate:
        secretReference:
          keyPath: tls.crt
          name: etcd-client-tls
          namespace: {{ .Release.Namespace }}
      privateKey:
        secretReference:
          keyPath: tls.key
          name: etcd-client-tls
          namespace: {{ .Release.Namespace }}
--- a/packages/extra/etcd/templates/etcd-cluster.yaml
+++ b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -1,167 +0,0 @@
 ---
 apiVersion: etcd.aenix.io/v1alpha1
 kind: EtcdCluster
 metadata:
  name: etcd
 spec:
  storage: {}
  security:
    tls:
      peerTrustedCASecret: etcd-peer-ca-tls
      peerSecret: etcd-peer-tls
      serverSecret: etcd-server-tls
      clientTrustedCASecret: etcd-ca-tls
      clientSecret: etcd-client-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: etcd-selfsigning-issuer
 spec:
  selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: etcd-peer-ca
 spec:
  isCA: true
  usages:
  - "signing"
  - "key encipherment"
  - "cert sign"
  commonName: etcd-peer-ca
  subject:
    organizations:
      - ACME Inc.
    organizationalUnits:
      - Widgets
  secretName: etcd-peer-ca-tls
  privateKey:
    algorithm: RSA
    size: 4096
  issuerRef:
    name: etcd-selfsigning-issuer
    kind: Issuer
    group: cert-manager.io
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: etcd-ca
 spec:
  isCA: true
  usages:
  - "signing"
  - "key encipherment"
  - "cert sign"
  commonName: etcd-ca
  subject:
    organizations:
      - ACME Inc.
    organizationalUnits:
      - Widgets
  secretName: etcd-ca-tls
  privateKey:
    algorithm: RSA
    size: 4096
  issuerRef:
    name: etcd-selfsigning-issuer
    kind: Issuer
    group: cert-manager.io
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: etcd-peer-issuer
 spec:
  ca:
    secretName: etcd-peer-ca-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: etcd-issuer
 spec:
  ca:
    secretName: etcd-ca-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: etcd-server
 spec:
  secretName: etcd-server-tls
  isCA: false
  usages:
    - "server auth"
    - "signing"
    - "key encipherment"
  dnsNames:
  - etcd-0
  - etcd-0.etcd-headless
  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc
  - etcd-1
  - etcd-1.etcd-headless
  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc
  - etcd-2
  - etcd-2.etcd-headless
  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc
  - localhost
  - "127.0.0.1"
  privateKey:
    rotationPolicy: Always
    algorithm: RSA
    size: 4096
  issuerRef:
    name: etcd-issuer
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: etcd-peer
 spec:
  secretName: etcd-peer-tls
  isCA: false
  usages:
    - "server auth"
    - "client auth"
    - "signing"
    - "key encipherment"
  dnsNames:
  - etcd-0
  - etcd-0.etcd-headless
  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc
  - etcd-1
  - etcd-1.etcd-headless
  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc
  - etcd-2
  - etcd-2.etcd-headless
  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc
  - localhost
  - "127.0.0.1"
  privateKey:
    rotationPolicy: Always
    algorithm: RSA
    size: 4096
  issuerRef:
    name: etcd-peer-issuer
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: etcd-client
 spec:
  commonName: root
  secretName: etcd-client-tls
  usages:
  - "signing"
  - "key encipherment"
  - "client auth"
  privateKey:
    rotationPolicy: Always
    algorithm: RSA
    size: 4096
  issuerRef:
    name: etcd-issuer
    kind: Issuer
--- a/packages/extra/etcd/templates/kamaji-etcd.yaml
+++ b/packages/extra/etcd/templates/kamaji-etcd.yaml
@@ -0,0 +1,19 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kamaji-etcd
 spec:
  chart:
    spec:
      chart: cozy-kamaji-etcd
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
      version: '*'
  interval: 1m0s
  timeout: 5m0s
  values:
    kamaji-etcd:
      fullnameOverride: etcd
--- a/packages/extra/monitoring/templates/grafana/grafana.yaml
+++ b/packages/extra/monitoring/templates/grafana/grafana.yaml
@@ -67,7 +67,7 @@ spec:
  ingress:
    metadata:
      annotations:
-        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"
+        kubernetes.io/ingress.class: "{{ $ingress }}"
        cert-manager.io/cluster-issuer: letsencrypt-prod
    spec:
      ingressClassName: "{{ $ingress }}"
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -1,4 +1,3 @@
-etcd 1.0.0 f7eaab0
+etcd 1.0.0 HEAD
 etcd 2.0.0 HEAD
 ingress 1.0.0 HEAD
 monitoring 1.0.0 HEAD
--- a/packages/system/Makefile
+++ b/packages/system/Makefile
@@ -1,12 +1,12 @@
 OUT=../../_out/repos/system
-include ../../scripts/common-envs.mk
+gen: fix-chartnames
-repo:
+repo: fix-chartnames
 	rm -rf "$(OUT)"
 	mkdir -p "$(OUT)"
-	helm package -d "$(OUT)" $$(find . -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")') --version $(VERSION)
+	helm package -d "$(OUT)" $$(find . -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")')
 	cd "$(OUT)" && helm repo index .
 fix-chartnames:
-	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do printf "name: cozy-%s\nversion: 1.0.0\n" "$$i" > "$$i/Chart.yaml"; done
--- a/packages/system/capi-operator/Chart.yaml
+++ b/packages/system/capi-operator/Chart.yaml
@@ -1,3 +1,2 @@
 apiVersion: v2
 name: cozy-capi-operator
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0
--- a/packages/system/capi-operator/Makefile
+++ b/packages/system/capi-operator/Makefile
@@ -1,7 +1,14 @@
 NAME=capi-operator
 NAMESPACE=cozy-cluster-api
-include ../../../scripts/package-system.mk
+show:
 	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
 apply:
 	helm upgrade -i -n $(NAMESPACE) $(NAME) .
 diff:
 	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
 update:
 	rm -rf charts
--- a/packages/system/capi-providers/Chart.yaml
+++ b/packages/system/capi-providers/Chart.yaml
@@ -1,3 +1,2 @@
 apiVersion: v2
 name: cozy-capi-providers
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0
--- a/packages/system/capi-providers/Makefile
+++ b/packages/system/capi-providers/Makefile
@@ -1,4 +1,11 @@
 NAME=capi-providers
 NAMESPACE=cozy-cluster-api
-include ../../../scripts/package-system.mk
+show:
 	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
 apply:
 	helm upgrade -i -n $(NAMESPACE) $(NAME) .
 diff:
 	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
--- a/packages/system/capi-providers/templates/providers.yaml
+++ b/packages/system/capi-providers/templates/providers.yaml
@@ -13,7 +13,7 @@ spec:
  deployment:
    containers:
    - name: manager
-      imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.7.1-fix
+      imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.6.0-fix7
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: BootstrapProvider
--- a/packages/system/cert-manager-issuers/Chart.yaml
+++ b/packages/system/cert-manager-issuers/Chart.yaml
@@ -1,3 +1,2 @@
 apiVersion: v2
 name: cozy-cert-manager-issuers
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0
--- a/packages/system/cert-manager-issuers/Makefile
+++ b/packages/system/cert-manager-issuers/Makefile
@@ -1,4 +1,11 @@
 NAME=cert-manager-issuers
 NAMESPACE=cozy-cert-manager
-include ../../../scripts/package-system.mk
+show:
 	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
 apply:
 	helm upgrade -i -n $(NAMESPACE) $(NAME) .
 diff:
 	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
--- a/packages/system/cert-manager/Chart.yaml
+++ b/packages/system/cert-manager/Chart.yaml
@@ -1,3 +1,2 @@
 apiVersion: v2
 name: cozy-cert-manager
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0
--- a/packages/system/cert-manager/Makefile
+++ b/packages/system/cert-manager/Makefile
@@ -1,7 +1,14 @@
 NAME=cert-manager
-NAMESPACE=cozy-$(NAME)
+NAMESPACE=cozy-cert-manager
-include ../../../scripts/package-system.mk
+show:
 	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
 apply:
 	helm upgrade -i -n $(NAMESPACE) $(NAME) .
 diff:
 	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
 update:
 	rm -rf charts
--- a/packages/system/cilium/Chart.yaml
+++ b/packages/system/cilium/Chart.yaml
@@ -1,3 +1,2 @@
 apiVersion: v2
 name: cozy-cilium
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
+version: 1.0.0
--- a/packages/system/cilium/Makefile
+++ b/packages/system/cilium/Makefile
@@ -1,12 +1,19 @@
 NAMESPACE=cozy-cilium
 NAME=cilium
 NAMESPACE=cozy-$(NAME)
-include ../../../scripts/package-system.mk
+show:
 	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
 apply:
 	helm upgrade -i -n $(NAMESPACE) $(NAME) .
 diff:
 	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
 update:
 	rm -rf charts
 	helm repo add cilium https://helm.cilium.io/
 	helm repo update cilium
-	helm pull cilium/cilium --untar --untardir charts --version 1.14
+	helm pull cilium/cilium --untar --untardir charts
 	sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml
-	patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch
+	patch -p3 < patches/fix-cgroups.patch
--- a/packages/system/cilium/charts/cilium/Chart.yaml
+++ b/packages/system/cilium/charts/cilium/Chart.yaml
@@ -122,7 +122,7 @@ annotations:
      description: |
        CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).
 apiVersion: v2
-appVersion: 1.14.9
+appVersion: 1.14.5
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg
@@ -138,4 +138,4 @@ kubeVersion: '>= 1.16.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.14.9
+version: 1.14.5
--- a/packages/system/cilium/charts/cilium/README.md
+++ b/packages/system/cilium/charts/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
-![Version: 1.14.9](https://img.shields.io/badge/Version-1.14.9-informational?style=flat-square) ![AppVersion: 1.14.9](https://img.shields.io/badge/AppVersion-1.14.9-informational?style=flat-square)
+![Version: 1.14.5](https://img.shields.io/badge/Version-1.14.5-informational?style=flat-square) ![AppVersion: 1.14.5](https://img.shields.io/badge/AppVersion-1.14.5-informational?style=flat-square)
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -76,7 +76,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.securityContext | object | `{}` | Security context to be added to spire agent containers. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container |
 | authentication.mutual.spire.install.agent.serviceAccount | object | `{"create":true,"name":"spire-agent"}` | SPIRE agent service account |
 | authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. |
-| authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
+| authentication.mutual.spire.install.agent.tolerations | list | `[]` | SPIRE agent tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
@@ -155,12 +155,12 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.9","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:7eaa35cf5452c43b1f7d0cde0d707823ae7e49965bcb54c053e31ea4e04c3d96","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.5","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
 | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
-| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.9","useDigest":true}` | KVStoreMesh image. |
+| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:d7137edd0efa2b1407b20088af3980a9993bb616d85bf9b55ea2891d1b99023a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.5","useDigest":true}` | KVStoreMesh image. |
 | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
 | clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. |
@@ -300,7 +300,7 @@ contributors across the globe, there is almost always someone available to help.
 | eni.subnetIDsFilter | list | `[]` | Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
 | eni.subnetTagsFilter | list | `[]` | Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
 | eni.updateEC2AdapterLimitViaAPI | bool | `true` | Update ENI Adapter limits from the EC2 API |
-| envoy.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
+| envoy.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
 | envoy.connectTimeoutSeconds | int | `2` | Time in seconds after which a TCP connection attempt times out |
 | envoy.dnsPolicy | string | `nil` | DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
 | envoy.enabled | bool | `false` | Enable Envoy Proxy in standalone DaemonSet. |
@@ -312,7 +312,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -324,15 +324,14 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.podLabels | object | `{}` | Labels to be added to envoy pods |
 | envoy.podSecurityContext | object | `{}` | Security Context for cilium-envoy pods. |
 | envoy.priorityClassName | string | `nil` | The priority class to use for cilium-envoy. |
 | envoy.prometheus | object | `{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy. |
 | envoy.prometheus.enabled | bool | `true` | Enable prometheus metrics for cilium-envoy |
 | envoy.prometheus.port | string | `"9964"` | Serve prometheus metrics for cilium-envoy on the configured port |
 | envoy.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-envoy |
-| envoy.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) Note that this setting applies to both cilium-envoy _and_ cilium-agent with Envoy enabled. |
+| envoy.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
 | envoy.prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. |
 | envoy.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-envoy |
-| envoy.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured. |
+| envoy.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-envoy |
-| envoy.prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured. |
+| envoy.prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-envoy |
 | envoy.readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe |
 | envoy.readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe |
 | envoy.resources | object | `{}` | Envoy resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
@@ -419,7 +418,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.9","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:dbef89f924a927043d02b40c18e417c1ea0e8f58b44523b80fef7e3652db24d4","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.5","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -476,7 +475,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
 | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
 | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
-| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. |
+| hubble.ui.backend.image | object | `{"digest":"sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.1","useDigest":true}` | Hubble-ui backend image. |
 | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
 | hubble.ui.backend.securityContext | object | `{}` | Hubble-ui backend security context. |
 | hubble.ui.baseUrl | string | `"/"` | Defines base url prefix for all hubble-ui http requests. It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. Trailing `/` is required for custom path, ex. `/service-map/` |
@@ -484,7 +483,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
 | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. |
 | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. |
-| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. |
+| hubble.ui.frontend.image | object | `{"digest":"sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.1","useDigest":true}` | Hubble-ui frontend image. |
 | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
 | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. |
 | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 |
@@ -511,7 +510,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.5","useDigest":true}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -619,7 +618,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5","awsDigest":"sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec","azureDigest":"sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17","genericDigest":"sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.9","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:e0152c498ba73c56a82eee2a706c8f400e9a6999c665af31a935bdf08e659bc3","awsDigest":"sha256:785ccf1267d0ed3ba9e4bd8166577cb4f9e4ce996af26b27c9d5c554a0d5b09a","azureDigest":"sha256:9203f5583aa34e716d7a6588ebd144e43ce3b77873f578fc12b2679e33591353","genericDigest":"sha256:303f9076bdc73b3fc32aaedee64a14f6f44c8bb08ee9e3956d443021103ebe7a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.5","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -666,7 +665,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.5","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
--- a/packages/system/cilium/charts/cilium/files/agent/poststart-eni.bash
+++ b/packages/system/cilium/charts/cilium/files/agent/poststart-eni.bash
@@ -11,9 +11,9 @@ set -o nounset
 # dependencies on anything that is part of the startup script
 # itself, and can be safely run multiple times per node (e.g. in
 # case of a restart).
-if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
+if [[ "$(iptables-save | grep -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
 then
    echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
-    iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
+    iptables-save | grep -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
 fi
 echo 'Done!'
--- a/packages/system/cilium/charts/cilium/files/nodeinit/startup.bash
+++ b/packages/system/cilium/charts/cilium/files/nodeinit/startup.bash
@@ -100,7 +100,7 @@ then
    # Since that version containerd no longer allows missing configuration for the CNI,
    # not even for pods with hostNetwork set to true. Thus, we add a temporary one.
    # This will be replaced with the real config by the agent pod.
-    echo -e '{\n\t"cniVersion": "0.3.1",\n\t"name": "cilium",\n\t"type": "cilium-cni"\n}' > /etc/cni/net.d/05-cilium.conf
+    echo -e "{\n\t"cniVersion": "0.3.1",\n\t"name": "cilium",\n\t"type": "cilium-cni"\n}" > /etc/cni/net.d/05-cilium.conf
  fi
  # Start containerd. It won't create it's CNI configuration file anymore.
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
@@ -447,9 +447,6 @@ spec:
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        {{- with .Values.extraVolumeMounts }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        terminationMessagePolicy: FallbackToLogsOnError
      {{- if .Values.cgroup.autoMount.enabled }}
      # Required to mount cgroup2 filesystem on the underlying Kubernetes node.
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml
@@ -34,20 +34,6 @@ spec:
    metricRelabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if .Values.envoy.prometheus.serviceMonitor.enabled }}
  - port: envoy-metrics
    interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }}
    honorLabels: true
    path: /metrics
    {{- with .Values.envoy.prometheus.serviceMonitor.relabelings }}
    relabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.envoy.prometheus.serviceMonitor.metricRelabelings }}
    metricRelabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
  targetLabels:
  - k8s-app
 {{- end }}
--- a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
@@ -13,7 +13,6 @@
 {{- $fragmentTracking := "true" -}}
 {{- $defaultKubeProxyReplacement := "false" -}}
 {{- $azureUsePrimaryAddress := "true" -}}
 {{- $defaultDNSProxyEnableTransparentMode := "false" -}}
 {{- /* Default values when 1.8 was initially deployed */ -}}
 {{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}}
@@ -49,7 +48,6 @@
      {{- $azureUsePrimaryAddress = "false" -}}
  {{- end }}
  {{- $defaultKubeProxyReplacement = "disabled" -}}
  {{- $defaultDNSProxyEnableTransparentMode = "true" -}}
 {{- end -}}
 {{- /* Default values when 1.14 was initially deployed */ -}}
@@ -432,16 +430,10 @@ data:
  #   - vxlan (default)
  #   - geneve
 {{- if .Values.gke.enabled }}
  {{- if ne (.Values.routingMode | default "native") "native" }}
    {{- fail (printf "RoutingMode must be set to native when gke.enabled=true" )}}
  {{- end }}
  routing-mode: "native"
  enable-endpoint-routes: "true"
  enable-local-node-route: "false"
 {{- else if .Values.aksbyocni.enabled }}
  {{- if ne (.Values.routingMode | default "tunnel") "tunnel" }}
    {{- fail (printf "RoutingMode must be set to tunnel when aksbyocni.enabled=true" )}}
  {{- end }}
  routing-mode: "tunnel"
  tunnel-protocol: "vxlan"
 {{- else if .Values.routingMode }}
@@ -1100,13 +1092,6 @@ data:
 {{- end }}
 {{- if .Values.dnsProxy }}
  {{- if hasKey .Values.dnsProxy "enableTransparentMode" }}
  # explicit setting gets precedence
  dnsproxy-enable-transparent-mode: {{ .Values.dnsProxy.enableTransparentMode | quote }}
  {{- else if eq $cniChainingMode "none" }}
  # default DNS proxy to transparent mode in non-chaining modes
  dnsproxy-enable-transparent-mode: {{ $defaultDNSProxyEnableTransparentMode | quote }}
  {{- end }}
  {{- if .Values.dnsProxy.dnsRejectResponseCode }}
  tofqdns-dns-reject-response-code: {{ .Values.dnsProxy.dnsRejectResponseCode | quote }}
  {{- end }}
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
@@ -82,7 +82,7 @@ spec:
        {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
        startupProbe:
          httpGet:
-            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+            host: "localhost"
            path: /healthz
            port: {{ .Values.envoy.healthPort }}
            scheme: HTTP
@@ -92,7 +92,7 @@ spec:
        {{- end }}
        livenessProbe:
          httpGet:
-            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+            host: "localhost"
            path: /healthz
            port: {{ .Values.envoy.healthPort }}
            scheme: HTTP
@@ -110,7 +110,7 @@ spec:
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
-            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+            host: "localhost"
            path: /healthz
            port: {{ .Values.envoy.healthPort }}
            scheme: HTTP
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml
@@ -7,7 +7,6 @@ metadata:
  namespace: {{ .Values.envoy.prometheus.serviceMonitor.namespace | default .Release.Namespace }}
  labels:
    app.kubernetes.io/part-of: cilium
    app.kubernetes.io/name: cilium-envoy
    {{- with .Values.envoy.prometheus.serviceMonitor.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
@@ -23,7 +22,7 @@ spec:
    matchNames:
    - {{ .Release.Namespace }}
  endpoints:
-  - port: envoy-metrics
+  - port: metrics
    interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }}
    honorLabels: true
    path: /metrics
--- a/Show More
+++ b/Show More
`@@ -1,2 +1 @@`
	`replicas: 3`
	`external: false`	`external: false`
`@@ -1 +1 @@`
	`ghcr.io/aenix-io/cozystack/cozystack:v0.4.0`	`ghcr.io/aenix-io/cozystack/cozystack:v0.1.0`