fix default values

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

Makefile

@@ -3,8 +3,6 @@
 build:
 	make -C packages/apps/http-cache image
 	make -C packages/apps/kubernetes image
-	make -C packages/system/cilium image
-	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
 	make -C packages/core/installer image
 	make manifests
@@ -22,4 +20,4 @@ repos:
 	make -C packages/extra repo
 
 assets:
-	make -C packages/core/installer/ assets
+	make -C packages/core/talos/ assets

hack/e2e.sh

@@ -1,318 +0,0 @@
-#!/bin/bash
-if [ "$COZYSTACK_INSTALLER_YAML" = "" ]; then
-  echo 'COZYSTACK_INSTALLER_YAML variable is not set!' >&2
-  echo 'please set it with following command:' >&2
-  echo >&2
-  echo 'export COZYSTACK_INSTALLER_YAML=$(helm template -n cozy-system installer packages/core/installer)' >&2
-  echo >&2
-  exit 1
-fi
-
-if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
-  echo "IPv4 forwarding is not enabled!" >&2
-  echo 'please enable forwarding with the following command:' >&2
-  echo >&2
-  echo 'echo 1 > /proc/sys/net/ipv4/ip_forward' >&2
-  echo >&2
-  exit 1
-fi
-
-set -x
-set -e
-
-kill `cat srv1/qemu.pid srv2/qemu.pid srv3/qemu.pid` || true
-
-ip link del cozy-br0 || true
-ip link add cozy-br0 type bridge
-ip link set cozy-br0 up
-ip addr add 192.168.123.1/24 dev cozy-br0
-
-# Enable forward & masquerading
-echo 1 > /proc/sys/net/ipv4/ip_forward
-iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -j MASQUERADE
-
-rm -rf srv1 srv2 srv3
-mkdir -p srv1 srv2 srv3
-
-# Prepare cloud-init
-for i in 1 2 3; do
-  echo "local-hostname: srv$i" > "srv$i/meta-data"
-  echo '#cloud-config' > "srv$i/user-data"
-  cat > "srv$i/network-config" <<EOT
-version: 2
-ethernets:
-  eth0:
-    dhcp4: false
-    addresses:
-      - "192.168.123.1$i/26"
-    gateway4: "192.168.123.1"
-    nameservers:
-      search: [cluster.local]
-      addresses: [8.8.8.8]
-EOT
-
-  ( cd srv$i && genisoimage \
-      -output seed.img \
-      -volid cidata -rational-rock -joliet \
-      user-data meta-data network-config
-  )
-done
-
-# Prepare system drive
-if [ ! -f nocloud-amd64.raw ]; then
-  wget https://github.com/aenix-io/cozystack/releases/latest/download/nocloud-amd64.raw.xz -O nocloud-amd64.raw.xz
-  rm -f nocloud-amd64.raw
-  xz --decompress nocloud-amd64.raw.xz
-fi
-for i in 1 2 3; do
-  cp nocloud-amd64.raw srv$i/system.img
-  qemu-img resize srv$i/system.img 20G
-done
-
-# Prepare data drives
-for i in 1 2 3; do
-  qemu-img create srv$i/data.img 100G
-done
-
-# Prepare networking
-for i in 1 2 3; do
-  ip link del cozy-srv$i || true
-  ip tuntap add dev cozy-srv$i mode tap
-  ip link set cozy-srv$i up
-  ip link set cozy-srv$i master cozy-br0
-done
-
-# Start VMs
-for i in 1 2 3; do
-  qemu-system-x86_64 -machine type=pc,accel=kvm -cpu host -smp 4 -m 8192 \
-    -device virtio-net,netdev=net0,mac=52:54:00:12:34:5$i -netdev tap,id=net0,ifname=cozy-srv$i,script=no,downscript=no \
-    -drive file=srv$i/system.img,if=virtio,format=raw \
-    -drive file=srv$i/seed.img,if=virtio,format=raw \
-    -drive file=srv$i/data.img,if=virtio,format=raw \
-    -display none -daemonize -pidfile srv$i/qemu.pid
-done
-
-sleep 5
-
-# Wait for VM to start up
-timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 50000 && nc -nzv 192.168.123.13 50000; do sleep 1; done'
-
-cat > patch.yaml <<\EOT
-machine:
-  kubelet:
-    nodeIP:
-      validSubnets:
-      - 192.168.123.0/24
-    extraConfig:
-      maxPods: 512
-  kernel:
-    modules:
-    - name: openvswitch
-    - name: drbd
-      parameters:
-        - usermode_helper=disabled
-    - name: zfs
-    - name: spl
-  install:
-    image: ghcr.io/aenix-io/cozystack/talos:v1.7.1
-  files:
-  - content: |
-      [plugins]
-        [plugins."io.containerd.grpc.v1.cri"]
-          device_ownership_from_security_context = true      
-    path: /etc/cri/conf.d/20-customization.part
-    op: create
-
-cluster:
-  network:
-    cni:
-      name: none
-    dnsDomain: cozy.local
-    podSubnets:
-    - 10.244.0.0/16
-    serviceSubnets:
-    - 10.96.0.0/16
-EOT
-
-cat > patch-controlplane.yaml <<\EOT
-machine:
-  network:
-    interfaces:
-    - interface: eth0
-      vip:
-        ip: 192.168.123.10
-cluster:
-  allowSchedulingOnControlPlanes: true
-  controllerManager:
-    extraArgs:
-      bind-address: 0.0.0.0
-  scheduler:
-    extraArgs:
-      bind-address: 0.0.0.0
-  apiServer:
-    certSANs:
-    - 127.0.0.1
-  proxy:
-    disabled: true
-  discovery:
-    enabled: false
-  etcd:
-    advertisedSubnets:
-    - 192.168.123.0/24
-EOT
-
-# Gen configuration
-if [ ! -f secrets.yaml ]; then
-  talosctl gen secrets
-fi
-
-rm -f controlplane.yaml worker.yaml talosconfig kubeconfig
-talosctl gen config --with-secrets secrets.yaml cozystack https://192.168.123.10:6443 --config-patch=@patch.yaml --config-patch-control-plane @patch-controlplane.yaml
-export TALOSCONFIG=$PWD/talosconfig
-
-# Apply configuration
-talosctl apply -f controlplane.yaml -n 192.168.123.11 -e 192.168.123.11 -i
-talosctl apply -f controlplane.yaml -n 192.168.123.12 -e 192.168.123.12 -i
-talosctl apply -f controlplane.yaml -n 192.168.123.13 -e 192.168.123.13 -i
-
-# Wait for VM to be configured
-timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 50000 && nc -nzv 192.168.123.13 50000; do sleep 1; done'
-
-# Bootstrap
-talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11
-
-# Wait for etcd
-timeout 120 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
-
-rm -f kubeconfig
-talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10
-export KUBECONFIG=$PWD/kubeconfig
-
-# Wait for kubernetes nodes appear
-timeout 60 sh -c 'until [ $(kubectl get node -o name | wc -l) = 3 ]; do sleep 1; done'
-kubectl create ns cozy-system
-kubectl create -f - <<\EOT
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cozystack
-  namespace: cozy-system
-data:
-  bundle-name: "paas-full"
-  ipv4-pod-cidr: "10.244.0.0/16"
-  ipv4-pod-gateway: "10.244.0.1"
-  ipv4-svc-cidr: "10.96.0.0/16"
-  ipv4-join-cidr: "100.64.0.0/16"
-EOT
-
-#
-echo "$COZYSTACK_INSTALLER_YAML" | kubectl apply -f -
-
-# wait for cozystack pod to start
-kubectl wait deploy  --timeout=1m --for=condition=available -n cozy-system cozystack
-
-# wait for helmreleases appear
-timeout 60 sh -c 'until kubectl get hr -A | grep cozy; do sleep 1; done'
-
-sleep 5
-
-kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n " $1 " hr/" $2 " &"} END{print "wait"}' | sh -x
-# Wait for linstor controller
-kubectl wait deploy --timeout=5m --for=condition=available -n cozy-linstor linstor-controller
-
-# Wait for all linstor nodes become Online
-timeout 60 sh -c 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) = 3 ]; do sleep 1; done'
-
-kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv1 /dev/vdc --pool-name data --storage-pool data
-kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv2 /dev/vdc --pool-name data --storage-pool data
-kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv3 /dev/vdc --pool-name data --storage-pool data
-
-kubectl create -f- <<EOT
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: local
-  annotations:
-    storageclass.kubernetes.io/is-default-class: "true"
-provisioner: linstor.csi.linbit.com
-parameters:
-  linstor.csi.linbit.com/storagePool: "data"
-  linstor.csi.linbit.com/layerList: "storage"
-  linstor.csi.linbit.com/allowRemoteVolumeAccess: "false"
-volumeBindingMode: WaitForFirstConsumer
-allowVolumeExpansion: true
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: replicated
-provisioner: linstor.csi.linbit.com
-parameters:
-  linstor.csi.linbit.com/storagePool: "data"
-  linstor.csi.linbit.com/autoPlace: "3"
-  linstor.csi.linbit.com/layerList: "drbd storage"
-  linstor.csi.linbit.com/allowRemoteVolumeAccess: "true"
-  property.linstor.csi.linbit.com/DrbdOptions/auto-quorum: suspend-io
-  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-no-data-accessible: suspend-io
-  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-suspended-primary-outdated: force-secondary
-  property.linstor.csi.linbit.com/DrbdOptions/Net/rr-conflict: retry-connect
-volumeBindingMode: WaitForFirstConsumer
-allowVolumeExpansion: true
-EOT
-kubectl create -f- <<EOT
----
-apiVersion: metallb.io/v1beta1
-kind: L2Advertisement
-metadata:
-  name: cozystack
-  namespace: cozy-metallb
-spec:
-  ipAddressPools:
-  - cozystack
----
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
-  name: cozystack
-  namespace: cozy-metallb
-spec:
-  addresses:
-  - 192.168.123.200-192.168.123.250
-  autoAssign: true
-  avoidBuggyIPs: false
-EOT
-
-kubectl patch -n tenant-root hr/tenant-root --type=merge -p '{"spec":{ "values":{
-  "host": "example.org",
-  "ingress": true,
-  "monitoring": true,
-  "etcd": true
-}}}'
-
-# Wait for HelmRelease be created
-timeout 60 sh -c 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root; do sleep 1; done'
-
-# Wait for HelmReleases be installed
-kubectl wait --timeout=2m --for=condition=ready -n tenant-root hr etcd ingress monitoring tenant-root
-
-# Wait for nginx-ingress-controller
-timeout 60 sh -c 'until kubectl get deploy -n tenant-root root-ingress-controller; do sleep 1; done'
-kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-ingress-controller
-
-# Wait for etcd
-kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
-
-# Wait for Victoria metrics
-kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert vminsert-longterm vminsert-shortterm
-kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=2 -n tenant-root sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm
-
-# Wait for grafana
-kubectl wait --timeout=5m --for=condition=ready -n tenant-root clusters.postgresql.cnpg.io grafana-db
-kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy grafana-deployment 
-
-# Get IP of nginx-ingress
-ip=$(kubectl get svc -n tenant-root root-ingress-controller -o jsonpath='{.status.loadBalancer.ingress..ip}')
-
-# Check Grafana
-curl -sS -k "https://$ip" -H 'Host: grafana.example.org' | grep Found

manifests/cozystack-installer.yaml

@@ -54,11 +54,6 @@ spec:
   selector:
     matchLabels:
       app: cozystack
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxSurge: 0
-      maxUnavailable: 1
   template:
     metadata:
       labels:
@@ -68,7 +63,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +82,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/Makefile

@@ -11,7 +11,7 @@ repo:
 	rm -rf "$(TMP)"
 
 fix-chartnames:
-	find . -maxdepth 2 -name Chart.yaml  | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
 
 gen-versions-map: fix-chartnames
 	../../hack/gen_versions_map.sh

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.1
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -14,7 +14,6 @@ spec:
       {{- range $name, $u := . }}
       {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
       {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
-      {{ $name }}/networks/ip: ["::/0"]
       {{- end }}
     {{- end }}
     profiles:

packages/apps/http-cache/images/nginx-cache.json

@@ -1,48 +1,4 @@
 {
-  "buildx.build.provenance": {
+  "containerimage.config.digest": "sha256:2be806d1d79cbb979b71774d75e610ebbaf1c22608402249a83e043860d754c7",
-    "buildType": "https://mobyproject.org/buildkit@v1",
+  "containerimage.digest": "sha256:49e22533ee97b90a716923aebf5f2654c4a8b47db0b2fab9daf8ecc34c40e7d0"
-    "materials": [
-      {
-        "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64",
-        "digest": {
-          "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221"
-        }
-      }
-    ],
-    "invocation": {
-      "configSource": {
-        "entryPoint": "Dockerfile"
-      },
-      "parameters": {
-        "frontend": "dockerfile.v0",
-        "args": {
-          "build-arg:ARCH": "amd64"
-        },
-        "locals": [
-          {
-            "name": "context"
-          },
-          {
-            "name": "dockerfile"
-          }
-        ]
-      },
-      "environment": {
-        "platform": "linux/amd64"
-      }
-    }
-  },
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/q6c6lcwah1m8gj7fxrdn94eaz",
-  "containerimage.config.digest": "sha256:304f57018d29e52d00cfc8c35e1d5112eeb3d85f0056de5112baab79748528ab",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:7d2554ce0a988672ceab3d3a7a504a06ca30d5ccb1de0b677871169147b3130e",
-    "size": 1094,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:7d2554ce0a988672ceab3d3a7a504a06ca30d5ccb1de0b677871169147b3130e",
-  "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.9.1"
 }

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.1
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/templates/topics.yaml

@@ -8,12 +8,8 @@ metadata:
     strimzi.io/cluster: "{{ $.Release.Name }}"
 spec:
   topicName: "{{ $topic.name }}"
-  {{- with $topic.partitions }}
+  partitions: 10
-  partitions: "{{ . }}"
+  replicas: 3
-  {{- end }}
-  {{- with $topic.replicas }}
-  replicas: "{{ . }}"
-  {{- end }}
   {{- with $topic.config }}
   config:
     {{- toYaml . | nindent 4 }}

packages/apps/kafka/values.yaml

@@ -32,6 +32,6 @@ zookeeper:
 ##       max.compaction.lag.ms: 5400000
 ##       min.insync.replicas: 2
 ##     partitions: 1
-##     replicas: 3
+##     replicationFactor: 3
 ##
 topics: []

packages/apps/kubernetes/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.30.1"
+appVersion: "1.19.0"

packages/apps/kubernetes/Makefile

@@ -1,4 +1,4 @@
-UBUNTU_CONTAINER_DISK_TAG = v1.30.1
+UBUNTU_CONTAINER_DISK_TAG = v1.29.1
 
 include ../../../scripts/common-envs.mk
 

packages/apps/kubernetes/README.md

@@ -36,13 +36,3 @@ kubectl get secret -n <namespace> kubernetes-<clusterName>-admin-kubeconfig -o g
 | `host`                  | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""`  |
 | `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components                                                                             | `2`   |
 | `nodeGroups`            | nodeGroups configuration                                                                                                               | `{}`  |
-
-### Cluster Addons
-
-| Name                          | Description                                                                        | Value   |
-| ----------------------------- | ---------------------------------------------------------------------------------- | ------- |
-| `addons.certManager.enabled`  | Enables the cert-manager                                                           | `false` |
-| `addons.ingressNginx.enabled` | Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)           | `false` |
-| `addons.ingressNginx.hosts`   | List of domain names that should be passed through to the cluster by upper cluster | `[]`    |
-| `addons.fluxcd.enabled`       | Enables Flux CD                                                                    | `false` |
-

packages/apps/kubernetes/images/ubuntu-container-disk.json

@@ -1,48 +1,4 @@
 {
-  "buildx.build.provenance": {
+  "containerimage.config.digest": "sha256:a7e8e6e35ac07bcf6253c9cfcf21fd3c315bd0653ad0427dd5f0cae95ffd3722",
-    "buildType": "https://mobyproject.org/buildkit@v1",
+  "containerimage.digest": "sha256:c03bffeeb70fe7dd680d2eca3021d2405fbcd9961dd38437f5673560c31c72cc"
-    "materials": [
-      {
-        "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64",
-        "digest": {
-          "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221"
-        }
-      }
-    ],
-    "invocation": {
-      "configSource": {
-        "entryPoint": "Dockerfile"
-      },
-      "parameters": {
-        "frontend": "dockerfile.v0",
-        "args": {
-          "build-arg:ARCH": "amd64"
-        },
-        "locals": [
-          {
-            "name": "context"
-          },
-          {
-            "name": "dockerfile"
-          }
-        ]
-      },
-      "environment": {
-        "platform": "linux/amd64"
-      }
-    }
-  },
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/px2lfxfyhlqfufdvuvk6z8aek",
-  "containerimage.config.digest": "sha256:c144c5f12a47af7880ee5f056b14177c07b585b8ab1e68b7e7900e1c923083cf",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805",
-    "size": 506,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805",
-  "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1-v0.9.1"
 }

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1

packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile

@@ -26,8 +26,8 @@ RUN qemu-img resize image.img 5G \
  && guestfish --remote sh "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" \
  && guestfish --remote sh 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list' \
 # kubernetes repo
- && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
+ && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
- && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
+ && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
 # install containerd
  && guestfish --remote command "apt-get update -y" \
  && guestfish --remote command "apt-get install -y containerd.io" \

packages/apps/kubernetes/templates/cluster.yaml

@@ -2,58 +2,6 @@
 {{- $etcd := index $myNS.metadata.annotations "namespace.cozystack.io/etcd" }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
-{{- $kubevirtmachinetemplateNames := list }}
-{{- define "kubevirtmachinetemplate" -}}
-spec:
-  virtualMachineBootstrapCheck:
-    checkStrategy: ssh
-  virtualMachineTemplate:
-    metadata:
-      namespace: {{ $.Release.Namespace }}
-      labels:
-        {{- range .group.roles }}
-        node-role.kubernetes.io/{{ . }}: ""
-        {{- end }}
-    spec:
-      runStrategy: Always
-      template:
-        spec:
-          domain:
-            cpu:
-              threads: 1
-              cores: {{ .group.resources.cpu }}
-              sockets: 1
-            devices:
-              disks:
-              - name: system
-                disk:
-                  bus: virtio
-                  pciAddress: 0000:07:00.0
-              - name: containerd
-                disk:
-                  bus: virtio
-                  pciAddress: 0000:08:00.0
-              - name: kubelet
-                disk:
-                  bus: virtio
-                  pciAddress: 0000:09:00.0
-              networkInterfaceMultiqueue: true
-            memory:
-              guest: {{ .group.resources.memory }}
-          evictionStrategy: External
-          volumes:
-          - name: system
-            containerDisk:
-              image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
-          - name: containerd
-            emptyDisk:
-              capacity: 20Gi
-          - name: kubelet
-            emptyDisk:
-              capacity: 20Gi
-{{- end }}
-
-
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: Cluster
@@ -91,9 +39,7 @@ metadata:
 spec:
   dataStoreName: "{{ $etcd }}"
   addons:
-    coreDNS:
+    coreDNS: {}
-      dnsServiceIPs:
-      - 10.95.0.10
     konnectivity: {}
   kubelet:
     cgroupfs: systemd
@@ -109,7 +55,7 @@ spec:
       className: "{{ $ingress }}"
   deployment:
   replicas: 2
-  version: 1.30.1
+  version: 1.29.0
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtCluster
@@ -128,21 +74,6 @@ metadata:
 spec:
   template:
     spec:
-      diskSetup:
-        filesystems:
-        - device: /dev/vdb
-          filesystem: xfs
-          label: containerd
-          partition: "none"
-        - device: /dev/vdc
-          filesystem: xfs
-          label: kubelet
-          partition: "none"
-      mounts:
-      - ["LABEL=containerd", "/var/lib/containerd"]
-      - ["LABEL=kubelet", "/var/lib/kubelet"]
-      preKubeadmCommands:
-      - sed -i 's|root:x:|root::|' /etc/passwd
       joinConfiguration:
         nodeRegistration:
           kubeletExtraArgs: {}
@@ -153,20 +84,41 @@ spec:
         skipPhases:
         - addon/kube-proxy
 ---
-{{- $context := deepCopy $ }}
-{{- $_ := set $context "group" $group }}
-{{- $kubevirtmachinetemplate := include "kubevirtmachinetemplate" $context }}
-{{- $kubevirtmachinetemplateHash := $kubevirtmachinetemplate | sha256sum | trunc 6 }}
-{{- $kubevirtmachinetemplateName := printf "%s-%s-%s" $.Release.Name $groupName $kubevirtmachinetemplateHash }}
-{{- $kubevirtmachinetemplateNames = append $kubevirtmachinetemplateNames $kubevirtmachinetemplateName }}
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtMachineTemplate
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
+  name: {{ $.Release.Name }}-{{ $groupName }}
   namespace: {{ $.Release.Namespace }}
 spec:
   template:
-    {{- $kubevirtmachinetemplate | nindent 4 }}
+    spec:
+      virtualMachineBootstrapCheck:
+        checkStrategy: ssh
+      virtualMachineTemplate:
+        metadata:
+          namespace: {{ $.Release.Namespace }}
+        spec:
+          runStrategy: Always
+          template:
+            spec:
+              domain:
+                cpu:
+                  threads: 1
+                  cores: {{ $group.resources.cpu }}
+                  sockets: 1
+                devices:
+                  disks:
+                  - disk:
+                      bus: virtio
+                    name: containervolume
+                  networkInterfaceMultiqueue: true
+                memory:
+                  guest: {{ $group.resources.memory }}
+              evictionStrategy: External
+              volumes:
+              - containerDisk:
+                  image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
+                name: containervolume
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
@@ -181,55 +133,18 @@ metadata:
 spec:
   clusterName: {{ $.Release.Name }}
   template:
-    metadata:
-      labels:
-        cluster.x-k8s.io/cluster-name: {{ $.Release.Name }}
-        cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ $groupName }}
-        {{- range $group.roles }}
-        node-role.kubernetes.io/{{ . }}: ""
-        {{- end }}
     spec:
       bootstrap:
         configRef:
           apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
           kind: KubeadmConfigTemplate
           name: {{ $.Release.Name }}-{{ $groupName }}
-          namespace: {{ $.Release.Namespace }}
+          namespace: default
       clusterName: {{ $.Release.Name }}
       infrastructureRef:
         apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
         kind: KubevirtMachineTemplate
-        name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
+        name: {{ $.Release.Name }}-{{ $groupName }}
         namespace: default
-      version: v1.30.1
+      version: v1.29.0
-{{- end }}
----
-{{- /*
-We must preserve all previous KubevirtMachineTemplates until a MachineSet references them.
-*/ -}}
-{{- $mss := (lookup "cluster.x-k8s.io/v1beta1" "MachineSet" $.Release.Namespace "").items }}
-{{- $oldKubevirtmachinetemplates := dict }}
-{{- range $kmt := (lookup "infrastructure.cluster.x-k8s.io/v1alpha1" "KubevirtMachineTemplate" .Release.Namespace "").items }}
-{{- range $or := $kmt.metadata.ownerReferences }}
-{{- if and (eq $or.kind "Cluster") (eq $or.name $.Release.Name) }}
-{{- range $ms := $mss }}
-{{- if and (eq $ms.spec.template.spec.infrastructureRef.kind "KubevirtMachineTemplate") (eq $ms.spec.template.spec.infrastructureRef.name $kmt.metadata.name) }}
-{{- if not (has $kmt.metadata.name $kubevirtmachinetemplateNames) }}
-{{- $oldKubevirtmachinetemplates = merge $oldKubevirtmachinetemplates (dict $kmt.metadata.name $kmt) }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- range $oldKubevirtmachinetemplates }}
----
-apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
-kind: KubevirtMachineTemplate
-metadata:
-  name: {{ .metadata.name }}
-  namespace: {{ .metadata.Namespace }}
-spec:
-  {{- .spec | toYaml | nindent 2 }}
 {{- end }}

packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml

@@ -1,39 +0,0 @@
-{{- if .Values.addons.certManager.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Release.Name }}-cert-manager
-  labels:
-    cozystack.io/repository: system
-    coztstack.io/target-cluster-name: {{ .Release.Name }}
-spec:
-  interval: 5m
-  releaseName: cert-manager
-  chart:
-    spec:
-      chart: cozy-cert-manager
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-  kubeConfig:
-    secretRef:
-      name: {{ .Release.Name }}-kubeconfig
-  targetNamespace: cozy-cert-manager
-  storageNamespace: cozy-cert-manager
-  install:
-    createNamespace: true
-    remediation:
-      retries: -1
-  upgrade:
-    remediation:
-      retries: -1
-  dependsOn:
-  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
-  - name: {{ .Release.Name }}
-    namespace: {{ .Release.Namespace }}
-  {{- end }}
-  - name: {{ .Release.Name }}-cilium
-    namespace: {{ .Release.Namespace }}
-{{- end }}

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: {{ .Release.Name }}-cilium
@@ -6,7 +6,7 @@ metadata:
     cozystack.io/repository: system
     coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
-  interval: 5m
+  interval: 1m
   releaseName: cilium
   chart:
     spec:
@@ -23,17 +23,10 @@ spec:
   storageNamespace: cozy-cilium
   install:
     createNamespace: true
-    remediation:
-      retries: -1
-  upgrade:
-    remediation:
-      retries: -1
   values:
     cilium:
       tunnel: disabled
-      autoDirectNodeRoutes: false
+      autoDirectNodeRoutes: true
-      bpf:
-        masquerade: true
       cgroup:
         autoMount:
           enabled: true
@@ -45,11 +38,9 @@ spec:
         chainingMode: ~
         customConf: false
         configMap: ""
-      routingMode: tunnel
+      routingMode: native
       enableIPv4Masquerade: true
-      ipv4NativeRoutingCIDR: ""
+      ipv4NativeRoutingCIDR: "10.244.0.0/16"
   dependsOn:
-  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
-  {{- end }}

packages/apps/kubernetes/templates/helmreleases/csi.yaml

@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: {{ .Release.Name }}-csi
@@ -6,7 +6,7 @@ metadata:
     cozystack.io/repository: system
     coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
-  interval: 5m
+  interval: 1m
   releaseName: csi
   chart:
     spec:
@@ -23,13 +23,6 @@ spec:
   storageNamespace: cozy-csi
   install:
     createNamespace: true
-    remediation:
-      retries: -1
-  upgrade:
-    remediation:
-      retries: -1
   dependsOn:
-  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
-  {{- end }}

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -20,23 +20,17 @@ spec:
           effect: "NoSchedule"
       containers:
         - name: kubectl
-          image: docker.io/clastix/kubectl:v1.30.1
+          image: docker.io/clastix/kubectl:v1.29.1
           command:
-            - /bin/sh
+            - kubectl
-            - -c
+            - --namespace={{ .Release.Namespace }}
-            - |
+            - patch
-                kubectl
+            - helmrelease
-                --namespace={{ .Release.Namespace }}
+            - {{ .Release.Name }}-cilium
-                patch
+            - {{ .Release.Name }}-csi
-                helmrelease
+            - -p
-                {{ .Release.Name }}-cilium
+            - '{"spec": {"suspend": true}}'
-                {{ .Release.Name }}-csi
+            - --type=merge
-                {{ .Release.Name }}-cert-manager
-                {{ .Release.Name }}-ingress-nginx
-                {{ .Release.Name }}-fluxcd-operator
-                {{ .Release.Name }}-fluxcd
-                -p '{"spec": {"suspend": true}}'
-                --type=merge --field-manager=flux-client-side-apply || true
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -66,10 +60,6 @@ rules:
     resourceNames:
       - {{ .Release.Name }}-cilium
       - {{ .Release.Name }}-csi
-      - {{ .Release.Name }}-cert-manager
-      - {{ .Release.Name }}-ingress-nginx
-      - {{ .Release.Name }}-fluxcd-operator
-      - {{ .Release.Name }}-fluxcd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml

@@ -1,84 +0,0 @@
-{{- if .Values.addons.fluxcd.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Release.Name }}-fluxcd-operator
-  labels:
-    cozystack.io/repository: system
-    coztstack.io/target-cluster-name: {{ .Release.Name }}
-spec:
-  interval: 5m
-  releaseName: fluxcd-operator
-  chart:
-    spec:
-      chart: cozy-fluxcd-operator
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-  kubeConfig:
-    secretRef:
-      name: {{ .Release.Name }}-kubeconfig
-  targetNamespace: cozy-fluxcd
-  storageNamespace: cozy-fluxcd
-  install:
-    createNamespace: true
-    remediation:
-      retries: -1
-  upgrade:
-    remediation:
-      retries: -1
-  values:
-    flux-operator:
-      fullnameOverride: flux-operator
-      tolerations: []
-      hostNetwork: false
-  dependsOn:
-  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
-  - name: {{ .Release.Name }}
-    namespace: {{ .Release.Namespace }}
-  {{- end }}
-  - name: {{ .Release.Name }}-cilium
-    namespace: {{ .Release.Namespace }}
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Release.Name }}-fluxcd
-  labels:
-    cozystack.io/repository: system
-    coztstack.io/target-cluster-name: {{ .Release.Name }}
-spec:
-  interval: 5m
-  releaseName: fluxcd
-  chart:
-    spec:
-      chart: cozy-fluxcd
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-  kubeConfig:
-    secretRef:
-      name: {{ .Release.Name }}-kubeconfig
-  targetNamespace: cozy-fluxcd
-  storageNamespace: cozy-fluxcd
-  install:
-    createNamespace: true
-    remediation:
-      retries: -1
-  upgrade:
-    remediation:
-      retries: -1
-  dependsOn:
-  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
-  - name: {{ .Release.Name }}
-    namespace: {{ .Release.Namespace }}
-  {{- end }}
-  - name: {{ .Release.Name }}-cilium
-    namespace: {{ .Release.Namespace }}
-  - name: {{ .Release.Name }}-fluxcd-operator
-    namespace: {{ .Release.Namespace }}
-{{- end }}

packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml

@@ -1,49 +0,0 @@
-{{- if .Values.addons.ingressNginx.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Release.Name }}-ingress-nginx
-  labels:
-    cozystack.io/repository: system
-    coztstack.io/target-cluster-name: {{ .Release.Name }}
-spec:
-  interval: 5m
-  releaseName: ingress-nginx
-  chart:
-    spec:
-      chart: cozy-ingress-nginx
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-  kubeConfig:
-    secretRef:
-      name: {{ .Release.Name }}-kubeconfig
-  targetNamespace: cozy-ingress-nginx
-  storageNamespace: cozy-ingress-nginx
-  install:
-    createNamespace: true
-    remediation:
-      retries: -1
-  upgrade:
-    remediation:
-      retries: -1
-  values:
-    ingress-nginx:
-      fullnameOverride: ingress-nginx
-      controller:
-        kind: DaemonSet
-        hostNetwork: true
-        service:
-          enabled: false
-      nodeSelector:
-        node-role.kubernetes.io/ingress-nginx: ""
-  dependsOn:
-  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
-  - name: {{ .Release.Name }}
-    namespace: {{ .Release.Namespace }}
-  {{- end }}
-  - name: {{ .Release.Name }}-cilium
-    namespace: {{ .Release.Namespace }}
-{{- end }}

packages/apps/kubernetes/templates/ingress.yaml

@@ -1,45 +0,0 @@
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
-{{- if .Values.addons.ingressNginx.hosts }}
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ .Release.Name }}-ingress-nginx
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-spec:
-  ingressClassName: "{{ $ingress }}"
-  rules:
-  {{- range .Values.addons.ingressNginx.hosts }}
-  - host: {{ . | quote }}
-    http:
-      paths:
-      - path: /
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: {{ $.Release.Name }}-ingress-nginx
-            port:
-              number: 443
-  {{- end }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ .Release.Name }}-ingress-nginx
-spec:
-  ports:
-  - appProtocol: http
-    name: http
-    port: 80
-    targetPort: 80
-  - appProtocol: https
-    name: https
-    port: 443
-    targetPort: 443
-  selector:
-    cluster.x-k8s.io/cluster-name: {{ .Release.Name }}
-    node-role.kubernetes.io/ingress-nginx: ""
-{{- end }}

packages/apps/kubernetes/values.schema.json

@@ -16,47 +16,6 @@
                     "default": 2
                 }
             }
-        },
-        "addons": {
-            "type": "object",
-            "properties": {
-                "certManager": {
-                    "type": "object",
-                    "properties": {
-                        "enabled": {
-                            "type": "boolean",
-                            "description": "Enables the cert-manager",
-                            "default": false
-                        }
-                    }
-                },
-                "ingressNginx": {
-                    "type": "object",
-                    "properties": {
-                        "enabled": {
-                            "type": "boolean",
-                            "description": "Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)",
-                            "default": false
-                        },
-                        "hosts": {
-                            "type": "array",
-                            "description": "List of domain names that should be passed through to the cluster by upper cluster",
-                            "default": [],
-                            "items": {}
-                        }
-                    }
-                },
-                "fluxcd": {
-                    "type": "object",
-                    "properties": {
-                        "enabled": {
-                            "type": "boolean",
-                            "description": "Enables Flux CD",
-                            "default": false
-                        }
-                    }
-                }
-            }
         }
     }
 }

packages/apps/kubernetes/values.yaml

@@ -16,36 +16,3 @@ nodeGroups:
     resources:
       cpu: 2
       memory: 1024Mi
-    roles:
-    - ingress-nginx
-
-## @section Cluster Addons
-##
-addons:
-
-  ## Cert-manager: automatically creates and manages SSL/TLS certificate
-  ##
-  certManager:
-    ## @param addons.certManager.enabled Enables the cert-manager
-    enabled: false
-
-  ## Ingress-NGINX Controller
-  ##
-  ingressNginx:
-    ## @param addons.ingressNginx.enabled Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)
-    ##
-    enabled: false
-    ## @param addons.ingressNginx.hosts List of domain names that should be passed through to the cluster by upper cluster
-    ## e.g:
-    ## hosts:
-    ## - example.org
-    ## - foo.example.net
-    ##
-    hosts: []
-
-  ## Flux CD
-  ##
-  fluxcd:
-    ## @param addons.fluxcd.enabled Enables Flux CD
-    ##
-    enabled: false

packages/apps/mysql/templates/mariadb.yaml

@@ -4,11 +4,9 @@ kind: MariaDB
 metadata:
   name: {{ .Release.Name }}
 spec:
-  {{- if (and .Values.users.root .Values.users.root.password) }}
   rootPasswordSecretKeyRef:
     name: {{ .Release.Name }}
     key: root-password
-  {{- end }}
 
   image: "mariadb:11.0.2"
 

packages/apps/mysql/templates/secret.yaml

@@ -7,3 +7,11 @@ stringData:
   {{- range $name, $u := .Values.users }}
   {{ $name }}-password: {{ $u.password }}
   {{- end }}
+  {{- if not (and .Values.users.root .Values.users.root.password) }}
+  {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace .Release.Name }}
+  {{- if and $existingSecret (index $existingSecret.data "root-password") }}
+  root-password: {{ index $existingSecret.data "root-password" }}
+  {{- else }}
+  root-password: {{ randAlphaNum 10 }}
+  {{- end }}
+  {{- end }}

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/README.md

@@ -35,13 +35,11 @@ more details:
 
 ### Common parameters
 
-| Name                     | Description                                                                                                             | Value   |
+| Name       | Description                                     | Value   |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- |
+| ---------- | ----------------------------------------------- | ------- |
-| `external`               | Enable external access from outside the cluster                                                                         | `false` |
+| `external` | Enable external access from outside the cluster | `false` |
-| `size`                   | Persistent Volume size                                                                                                  | `10Gi`  |
+| `size`     | Persistent Volume size                          | `10Gi`  |
-| `replicas`               | Number of Postgres replicas                                                                                             | `2`     |
+| `replicas` | Number of MariaDB replicas                      | `2`     |
-| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.           | `0`     |
-| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0`     |
 
 ### Configuration parameters
 

packages/apps/postgres/templates/db.yaml

@@ -11,9 +11,6 @@ spec:
     parameters:
       max_wal_senders: "30"
 
-  minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
-  maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}
-
   monitoring:
     enablePodMonitor: true
 

packages/apps/postgres/templates/init-script.yaml

@@ -100,13 +100,13 @@ stringData:
     echo "== assign roles to users"
     psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
     {{- range $database, $d := .Values.databases }}
-    {{- range $user, $u := $.Values.users }}
+    {{- range $user, $u := $.Values.roles }}
-    {{- if has $user $d.roles.admin }}
+    {{- if has $user $d.users.admin }}
     GRANT {{ $database }}_admin TO {{ $user }};
     {{- else }}
     REVOKE {{ $database }}_admin FROM {{ $user }};
     {{- end }}
-    {{- if has $user $d.roles.readonly }}
+    {{- if has $user $d.users.readonly }}
     GRANT {{ $database }}_readonly TO {{ $user }};
     {{- else }}
     REVOKE {{ $database }}_readonly FROM {{ $user }};

packages/apps/postgres/values.schema.json

@@ -14,24 +14,9 @@
         },
         "replicas": {
             "type": "number",
-            "description": "Number of Postgres replicas",
+            "description": "Number of MariaDB replicas",
             "default": 2
         },
-        "quorum": {
-            "type": "object",
-            "properties": {
-                "minSyncReplicas": {
-                    "type": "number",
-                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
-                    "default": 0
-                },
-                "maxSyncReplicas": {
-                    "type": "number",
-                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
-                    "default": 0
-                }
-            }
-        },
         "databases": {
             "type": "object",
             "description": "Databases configuration",

packages/apps/postgres/values.yaml

@@ -2,19 +2,12 @@
 
 ## @param external Enable external access from outside the cluster
 ## @param size Persistent Volume size
-## @param replicas Number of Postgres replicas
+## @param replicas Number of MariaDB replicas
 ##
 external: false
 size: 10Gi
 replicas: 2
 
-## Configuration for the quorum-based synchronous replication
-## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
-## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
-quorum:
-  minSyncReplicas: 0
-  maxSyncReplicas: 0
-
 ## @section Configuration parameters
 
 ## @param users [object] Users configuration

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: https://upload.wikimedia.org/wikipedia/commons/0/04/User_icon_1.svg
 
 type: application
-version: 1.2.0
+version: 1.1.0

packages/apps/tenant/README.md

@@ -25,7 +25,7 @@ tenant-root (example.org)
 
 Thus, you can create `tenant-u1` with a set of services like `etcd`, `ingress`, `monitoring`. And create another tenant namespace `tenant-u2` inside of `tenant-u1`.
 
-Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namespace.
+Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namesapce.
 
 Since `tenant-u2` does not have its own cluster services like `etcd`, `ingress`, and `monitoring`, the applications will use the cluster services of the parent tenant.  
 This in turn means:

packages/apps/tenant/templates/etcd.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.etcd }}
-apiVersion: helm.toolkit.fluxcd.io/v2
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: etcd

packages/apps/tenant/templates/ingress.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.ingress }}
-apiVersion: helm.toolkit.fluxcd.io/v2
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: ingress

packages/apps/tenant/templates/monitoring.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.monitoring }}
-apiVersion: helm.toolkit.fluxcd.io/v2
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: monitoring

packages/apps/versions_map

@@ -1,24 +1,16 @@
 clickhouse 0.1.0 ca79f72
-clickhouse 0.2.0 7cd7de73
+clickhouse 0.2.0 HEAD
-clickhouse 0.2.1 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
-kafka 0.2.0 a2cc83d
+kafka 0.2.0 HEAD
-kafka 0.2.1 HEAD
 kubernetes 0.1.0 f642698
-kubernetes 0.2.0 7cd7de73
+kubernetes 0.2.0 HEAD
-kubernetes 0.3.0 7caccec1
-kubernetes 0.4.0 6cae6ce8
-kubernetes 0.5.0 6bd2d455
-kubernetes 0.6.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
 postgres 0.1.0 f642698
-postgres 0.2.0 7cd7de73
+postgres 0.2.0 HEAD
-postgres 0.2.1 4a97e297
-postgres 0.3.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698
@@ -29,8 +21,7 @@ tenant 0.1.3 3d1b86c
 tenant 0.1.4 d200480
 tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
-tenant 1.1.0 4da8ac3b
+tenant 1.1.0 HEAD
-tenant 1.2.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD

packages/core/fluxcd/Makefile

@@ -0,0 +1,13 @@
+NAME=fluxcd
+NAMESPACE=cozy-$(NAME)
+
+API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions))
+
+show:
+	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS)
+
+apply:
+	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f-
+
+diff:
+	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-

packages/core/fluxcd/charts/flux2/.helmignore

@@ -21,4 +21,5 @@
 .idea/
 *.tmproj
 .vscode/
-helmdocs.gotmpl
+
+tests/

packages/core/fluxcd/charts/flux2/Chart.yaml

@@ -0,0 +1,11 @@
+annotations:
+  artifacthub.io/changes: |
+    - "[Chore]: Update App Version to upstream 2.2.3"
+apiVersion: v2
+appVersion: 2.2.3
+description: A Helm chart for flux2
+name: flux2
+sources:
+- https://github.com/fluxcd-community/helm-charts
+type: application
+version: 2.12.4

packages/core/fluxcd/charts/flux2/README.md

@@ -0,0 +1,174 @@
+# flux2
+
+![Version: 2.12.4](https://img.shields.io/badge/Version-2.12.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.3](https://img.shields.io/badge/AppVersion-2.2.3-informational?style=flat-square)
+
+A Helm chart for flux2
+
+This helm chart is maintained and released by the fluxcd-community on a best effort basis.
+
+## Source Code
+
+* <https://github.com/fluxcd-community/helm-charts>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| cli.affinity | object | `{}` |  |
+| cli.annotations | object | `{}` |  |
+| cli.image | string | `"ghcr.io/fluxcd/flux-cli"` |  |
+| cli.nodeSelector | object | `{}` |  |
+| cli.serviceAccount.automount | bool | `true` |  |
+| cli.tag | string | `"v2.2.3"` |  |
+| cli.tolerations | list | `[]` |  |
+| clusterDomain | string | `"cluster.local"` |  |
+| crds.annotations | object | `{}` | Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep |
+| extraObjects | list | `[]` | Array of extra K8s manifests to deploy |
+| helmController.affinity | object | `{}` |  |
+| helmController.annotations."prometheus.io/port" | string | `"8080"` |  |
+| helmController.annotations."prometheus.io/scrape" | string | `"true"` |  |
+| helmController.container.additionalArgs | list | `[]` |  |
+| helmController.create | bool | `true` |  |
+| helmController.extraEnv | list | `[]` |  |
+| helmController.image | string | `"ghcr.io/fluxcd/helm-controller"` |  |
+| helmController.imagePullPolicy | string | `""` |  |
+| helmController.labels | object | `{}` |  |
+| helmController.nodeSelector | object | `{}` |  |
+| helmController.priorityClassName | string | `""` |  |
+| helmController.resources.limits | object | `{}` |  |
+| helmController.resources.requests.cpu | string | `"100m"` |  |
+| helmController.resources.requests.memory | string | `"64Mi"` |  |
+| helmController.serviceAccount.annotations | object | `{}` |  |
+| helmController.serviceAccount.automount | bool | `true` |  |
+| helmController.serviceAccount.create | bool | `true` |  |
+| helmController.tag | string | `"v0.37.4"` |  |
+| helmController.tolerations | list | `[]` |  |
+| imageAutomationController.affinity | object | `{}` |  |
+| imageAutomationController.annotations."prometheus.io/port" | string | `"8080"` |  |
+| imageAutomationController.annotations."prometheus.io/scrape" | string | `"true"` |  |
+| imageAutomationController.container.additionalArgs | list | `[]` |  |
+| imageAutomationController.create | bool | `true` |  |
+| imageAutomationController.extraEnv | list | `[]` |  |
+| imageAutomationController.image | string | `"ghcr.io/fluxcd/image-automation-controller"` |  |
+| imageAutomationController.imagePullPolicy | string | `""` |  |
+| imageAutomationController.labels | object | `{}` |  |
+| imageAutomationController.nodeSelector | object | `{}` |  |
+| imageAutomationController.priorityClassName | string | `""` |  |
+| imageAutomationController.resources.limits | object | `{}` |  |
+| imageAutomationController.resources.requests.cpu | string | `"100m"` |  |
+| imageAutomationController.resources.requests.memory | string | `"64Mi"` |  |
+| imageAutomationController.serviceAccount.annotations | object | `{}` |  |
+| imageAutomationController.serviceAccount.automount | bool | `true` |  |
+| imageAutomationController.serviceAccount.create | bool | `true` |  |
+| imageAutomationController.tag | string | `"v0.37.1"` |  |
+| imageAutomationController.tolerations | list | `[]` |  |
+| imagePullSecrets | list | `[]` | contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers |
+| imageReflectionController.affinity | object | `{}` |  |
+| imageReflectionController.annotations."prometheus.io/port" | string | `"8080"` |  |
+| imageReflectionController.annotations."prometheus.io/scrape" | string | `"true"` |  |
+| imageReflectionController.container.additionalArgs | list | `[]` |  |
+| imageReflectionController.create | bool | `true` |  |
+| imageReflectionController.extraEnv | list | `[]` |  |
+| imageReflectionController.image | string | `"ghcr.io/fluxcd/image-reflector-controller"` |  |
+| imageReflectionController.imagePullPolicy | string | `""` |  |
+| imageReflectionController.labels | object | `{}` |  |
+| imageReflectionController.nodeSelector | object | `{}` |  |
+| imageReflectionController.priorityClassName | string | `""` |  |
+| imageReflectionController.resources.limits | object | `{}` |  |
+| imageReflectionController.resources.requests.cpu | string | `"100m"` |  |
+| imageReflectionController.resources.requests.memory | string | `"64Mi"` |  |
+| imageReflectionController.serviceAccount.annotations | object | `{}` |  |
+| imageReflectionController.serviceAccount.automount | bool | `true` |  |
+| imageReflectionController.serviceAccount.create | bool | `true` |  |
+| imageReflectionController.tag | string | `"v0.31.2"` |  |
+| imageReflectionController.tolerations | list | `[]` |  |
+| installCRDs | bool | `true` |  |
+| kustomizeController.affinity | object | `{}` |  |
+| kustomizeController.annotations."prometheus.io/port" | string | `"8080"` |  |
+| kustomizeController.annotations."prometheus.io/scrape" | string | `"true"` |  |
+| kustomizeController.container.additionalArgs | list | `[]` |  |
+| kustomizeController.create | bool | `true` |  |
+| kustomizeController.envFrom | object | `{"map":{"name":""},"secret":{"name":""}}` | Defines envFrom using a configmap and/or secret. |
+| kustomizeController.extraEnv | list | `[]` |  |
+| kustomizeController.extraSecretMounts | list | `[]` | Defines additional mounts with secrets. Secrets must be manually created in the namespace or with kustomizeController.secret |
+| kustomizeController.image | string | `"ghcr.io/fluxcd/kustomize-controller"` |  |
+| kustomizeController.imagePullPolicy | string | `""` |  |
+| kustomizeController.labels | object | `{}` |  |
+| kustomizeController.nodeSelector | object | `{}` |  |
+| kustomizeController.priorityClassName | string | `""` |  |
+| kustomizeController.resources.limits | object | `{}` |  |
+| kustomizeController.resources.requests.cpu | string | `"100m"` |  |
+| kustomizeController.resources.requests.memory | string | `"64Mi"` |  |
+| kustomizeController.secret.create | bool | `false` | Create a secret to use it with extraSecretMounts. Defaults to false. |
+| kustomizeController.secret.data | object | `{}` |  |
+| kustomizeController.secret.name | string | `""` |  |
+| kustomizeController.serviceAccount.annotations | object | `{}` |  |
+| kustomizeController.serviceAccount.automount | bool | `true` |  |
+| kustomizeController.serviceAccount.create | bool | `true` |  |
+| kustomizeController.tag | string | `"v1.2.2"` |  |
+| kustomizeController.tolerations | list | `[]` |  |
+| logLevel | string | `"info"` |  |
+| multitenancy.defaultServiceAccount | string | `"default"` | All Kustomizations and HelmReleases which don’t have spec.serviceAccountName specified, will use the default account from the tenant’s namespace. Tenants have to specify a service account in their Flux resources to be able to deploy workloads in their namespaces as the default account has no permissions. |
+| multitenancy.enabled | bool | `false` | Implement the patches for Multi-tenancy lockdown. See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown |
+| multitenancy.privileged | bool | `true` | Both kustomize-controller and helm-controller service accounts run privileged with cluster-admin ClusterRoleBinding. Disable if you want to run them with a minimum set of permissions. |
+| notificationController.affinity | object | `{}` |  |
+| notificationController.annotations."prometheus.io/port" | string | `"8080"` |  |
+| notificationController.annotations."prometheus.io/scrape" | string | `"true"` |  |
+| notificationController.container.additionalArgs | list | `[]` |  |
+| notificationController.create | bool | `true` |  |
+| notificationController.extraEnv | list | `[]` |  |
+| notificationController.image | string | `"ghcr.io/fluxcd/notification-controller"` |  |
+| notificationController.imagePullPolicy | string | `""` |  |
+| notificationController.labels | object | `{}` |  |
+| notificationController.nodeSelector | object | `{}` |  |
+| notificationController.priorityClassName | string | `""` |  |
+| notificationController.resources.limits | object | `{}` |  |
+| notificationController.resources.requests.cpu | string | `"100m"` |  |
+| notificationController.resources.requests.memory | string | `"64Mi"` |  |
+| notificationController.service.annotations | object | `{}` |  |
+| notificationController.service.labels | object | `{}` |  |
+| notificationController.serviceAccount.annotations | object | `{}` |  |
+| notificationController.serviceAccount.automount | bool | `true` |  |
+| notificationController.serviceAccount.create | bool | `true` |  |
+| notificationController.tag | string | `"v1.2.4"` |  |
+| notificationController.tolerations | list | `[]` |  |
+| notificationController.webhookReceiver.ingress.annotations | object | `{}` |  |
+| notificationController.webhookReceiver.ingress.create | bool | `false` |  |
+| notificationController.webhookReceiver.ingress.hosts[0].host | string | `"flux-webhook.example.com"` |  |
+| notificationController.webhookReceiver.ingress.hosts[0].paths[0].path | string | `"/"` |  |
+| notificationController.webhookReceiver.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
+| notificationController.webhookReceiver.ingress.labels | object | `{}` |  |
+| notificationController.webhookReceiver.ingress.tls | list | `[]` |  |
+| notificationController.webhookReceiver.service.annotations | object | `{}` |  |
+| notificationController.webhookReceiver.service.labels | object | `{}` |  |
+| policies.create | bool | `true` |  |
+| prometheus.podMonitor.create | bool | `false` | Enables podMonitor endpoint |
+| prometheus.podMonitor.podMetricsEndpoints[0].port | string | `"http-prom"` |  |
+| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].action | string | `"keep"` |  |
+| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].regex | string | `"Running"` |  |
+| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_phase"` |  |
+| rbac.annotations | object | `{}` | Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep |
+| rbac.create | bool | `true` |  |
+| rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to Flux custom resources |
+| sourceController.affinity | object | `{}` |  |
+| sourceController.annotations."prometheus.io/port" | string | `"8080"` |  |
+| sourceController.annotations."prometheus.io/scrape" | string | `"true"` |  |
+| sourceController.container.additionalArgs | list | `[]` |  |
+| sourceController.create | bool | `true` |  |
+| sourceController.extraEnv | list | `[]` |  |
+| sourceController.image | string | `"ghcr.io/fluxcd/source-controller"` |  |
+| sourceController.imagePullPolicy | string | `""` |  |
+| sourceController.labels | object | `{}` |  |
+| sourceController.nodeSelector | object | `{}` |  |
+| sourceController.priorityClassName | string | `""` |  |
+| sourceController.resources.limits | object | `{}` |  |
+| sourceController.resources.requests.cpu | string | `"100m"` |  |
+| sourceController.resources.requests.memory | string | `"64Mi"` |  |
+| sourceController.service.annotations | object | `{}` |  |
+| sourceController.service.labels | object | `{}` |  |
+| sourceController.serviceAccount.annotations | object | `{}` |  |
+| sourceController.serviceAccount.automount | bool | `true` |  |
+| sourceController.serviceAccount.create | bool | `true` |  |
+| sourceController.tag | string | `"v1.2.4"` |  |
+| sourceController.tolerations | list | `[]` |  |
+| watchAllNamespaces | bool | `true` |  |

packages/core/fluxcd/charts/flux2/templates/_helper.tpl

@@ -0,0 +1,7 @@
+{{- define "template.image" -}}
+{{- if eq (substr 0 7 .tag) "sha256:" -}}
+{{- printf "%s@%s" .image .tag -}}
+{{- else -}}
+{{- printf "%s:%s" .image .tag -}}
+{{- end -}}
+{{- end -}}

packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml

@@ -0,0 +1,47 @@
+{{- if .Values.rbac.createAggregation }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+  name: flux-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups:
+      - notification.toolkit.fluxcd.io
+      - source.toolkit.fluxcd.io
+      - helm.toolkit.fluxcd.io
+      - image.toolkit.fluxcd.io
+      - kustomize.toolkit.fluxcd.io
+    resources: ["*"]
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: flux-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+  - apiGroups:
+      - notification.toolkit.fluxcd.io
+      - source.toolkit.fluxcd.io
+      - helm.toolkit.fluxcd.io
+      - image.toolkit.fluxcd.io
+      - kustomize.toolkit.fluxcd.io
+    resources: ["*"]
+    verbs:
+      - get
+      - list
+      - watch
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.rbac.create (or (not .Values.multitenancy.enabled) .Values.multitenancy.privileged) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: cluster-reconciler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.rbac.roleRef.name }}
+subjects:
+- kind: ServiceAccount
+  name: kustomize-controller
+  namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+  name: helm-controller
+  namespace: {{ .Release.Namespace }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml

@@ -0,0 +1,19 @@
+{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+  name: cluster-reconciler-impersonator
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+rules:
+- apiGroups: [""]
+  resources: ["serviceaccounts"]
+  verbs: ["impersonate"]
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: cluster-reconciler-impersonator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-reconciler-impersonator
+subjects:
+- kind: ServiceAccount
+  name: kustomize-controller
+  namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+  name: helm-controller
+  namespace: {{ .Release.Namespace }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml

@@ -0,0 +1,82 @@
+{{- if and .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+  name: crd-controller
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+rules:
+- apiGroups: ['source.toolkit.fluxcd.io']
+  resources: ['*']
+  verbs: ['*']
+- apiGroups: ['kustomize.toolkit.fluxcd.io']
+  resources: ['*']
+  verbs: ['*']
+- apiGroups: ['helm.toolkit.fluxcd.io']
+  resources: ['*']
+  verbs: ['*']
+- apiGroups: ['notification.toolkit.fluxcd.io']
+  resources: ['*']
+  verbs: ['*']
+- apiGroups: ['image.toolkit.fluxcd.io']
+  resources: ['*']
+  verbs: ['*']
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - secrets
+  - configmaps
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+# required by leader election
+- apiGroups:
+    - ""
+  resources:
+    - configmaps
+  verbs:
+    - get
+    - list
+    - watch
+    - create
+    - update
+    - patch
+    - delete
+- apiGroups:
+    - ""
+  resources:
+    - configmaps/status
+  verbs:
+    - get
+    - update
+    - patch
+- apiGroups:
+  - "coordination.k8s.io"
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml

@@ -0,0 +1,38 @@
+{{- if and .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  {{- with .Values.rbac.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+  name: crd-controller
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: crd-controller
+subjects:
+  - kind: ServiceAccount
+    name: kustomize-controller
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: source-controller
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: notification-controller
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: image-reflector-controller
+    namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: image-automation-controller
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml

@@ -0,0 +1,4 @@
+{{ range .Values.extraObjects }}
+---
+{{ tpl (toYaml .) $ }}
+{{ end }}

packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.helmController.create}}
+{{- if .Values.helmController.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: helm-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: helm-controller
+  {{- with .Values.helmController.serviceAccount.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
+{{- end -}}

packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml

@@ -0,0 +1,133 @@
+{{- if and .Values.helmController.create}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: helm-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    control-plane: controller
+    {{- with .Values.helmController.labels }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  name: helm-controller
+spec:
+  {{- if kindIs "invalid" .Values.helmController.replicas }}
+  replicas: 1
+  {{- else }}
+  replicas: {{ .Values.helmController.replicas  }}
+  {{- end}}
+  selector:
+    matchLabels:
+      app: helm-controller
+  template:
+    metadata:
+      {{- with .Values.helmController.annotations }}
+      annotations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app: helm-controller
+{{ with .Values.helmController.labels }}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      automountServiceAccountToken: {{ .Values.helmController.serviceAccount.automount }}
+    {{- if .Values.helmController.initContainers}}
+      initContainers:
+        {{- toYaml .Values.helmController.initContainers | nindent 8}}
+    {{- end}}
+      containers:
+      - args:
+        {{- if .Values.multitenancy.enabled }}
+        - --no-cross-namespace-refs=true
+        - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
+        {{- end}}
+        {{- if .Values.notificationController.create }}
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        {{- end}}
+        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
+        - --log-level={{ .Values.logLevel | default "info" }}
+        - --log-encoding=json
+        - --enable-leader-election
+        {{- range .Values.helmController.container.additionalArgs }}
+        - {{ . }}
+        {{- end}}
+        env:
+        - name: RUNTIME_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- with .Values.helmController.extraEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        image: {{ template "template.image" .Values.helmController }}
+        {{- if .Values.helmController.imagePullPolicy }}
+        imagePullPolicy: {{ .Values.helmController.imagePullPolicy }}
+        {{- else }}
+        imagePullPolicy: IfNotPresent
+        {{- end }}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: healthz
+        name: manager
+        ports:
+        - containerPort: 8080
+          name: http-prom
+        - containerPort: 9440
+          name: healthz
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: healthz
+        {{- with .Values.helmController.resources }}
+        resources: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- if .Values.helmController.securityContext }}
+        securityContext: {{ toYaml .Values.helmController.securityContext | nindent 10 }}
+        {{- else }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        {{- end}}
+        volumeMounts:
+        - mountPath: /tmp
+          name: temp
+        {{- if .Values.helmController.volumeMounts }}
+        {{- toYaml .Values.helmController.volumeMounts | nindent 8 }}
+        {{- end}}
+      {{- if .Values.helmController.priorityClassName }}
+      priorityClassName: {{ .Values.helmController.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.helmController.podSecurityContext }}
+      securityContext: {{ toYaml .Values.helmController.podSecurityContext | nindent 8 }}
+      {{- end }}
+      serviceAccountName: helm-controller
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 600
+      volumes:
+      - emptyDir: {}
+        name: temp
+      {{- if .Values.helmController.volumes }}
+      {{- toYaml .Values.helmController.volumes | nindent 6 }}
+      {{- end}}
+      {{- with .Values.helmController.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.helmController.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.helmController.tolerations }}
+      tolerations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.imageAutomationController.create }}
+{{- if .Values.imageAutomationController.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: image-automation-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: image-automation-controller
+  {{- with .Values.imageAutomationController.serviceAccount.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
+{{- end -}}

packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml

@@ -0,0 +1,326 @@
+{{- if and .Values.installCRDs .Values.imageAutomationController.create }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  labels:
+    app.kubernetes.io/component: image-automation-controller
+    app.kubernetes.io/instance: '{{ .Release.Namespace }}'
+    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+    app.kubernetes.io/part-of: flux
+    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+  name: imageupdateautomations.image.toolkit.fluxcd.io
+spec:
+  group: image.toolkit.fluxcd.io
+  names:
+    kind: ImageUpdateAutomation
+    listKind: ImageUpdateAutomationList
+    plural: imageupdateautomations
+    singular: imageupdateautomation
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.lastAutomationRunTime
+      name: Last run
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: ImageUpdateAutomation is the Schema for the imageupdateautomations
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ImageUpdateAutomationSpec defines the desired state of ImageUpdateAutomation
+            properties:
+              git:
+                description: GitSpec contains all the git-specific definitions. This
+                  is technically optional, but in practice mandatory until there are
+                  other kinds of source allowed.
+                properties:
+                  checkout:
+                    description: Checkout gives the parameters for cloning the git
+                      repository, ready to make changes. If not present, the `spec.ref`
+                      field from the referenced `GitRepository` or its default will
+                      be used.
+                    properties:
+                      ref:
+                        description: Reference gives a branch, tag or commit to clone
+                          from the Git repository.
+                        properties:
+                          branch:
+                            description: Branch to check out, defaults to 'master'
+                              if no other field is defined.
+                            type: string
+                          commit:
+                            description: "Commit SHA to check out, takes precedence
+                              over all reference fields. \n This can be combined with
+                              Branch to shallow clone the branch, in which the commit
+                              is expected to exist."
+                            type: string
+                          name:
+                            description: "Name of the reference to check out; takes
+                              precedence over Branch, Tag and SemVer. \n It must be
+                              a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description
+                              Examples: \"refs/heads/main\", \"refs/tags/v0.1.0\",
+                              \"refs/pull/420/head\", \"refs/merge-requests/1/head\""
+                            type: string
+                          semver:
+                            description: SemVer tag expression to check out, takes
+                              precedence over Tag.
+                            type: string
+                          tag:
+                            description: Tag to check out, takes precedence over Branch.
+                            type: string
+                        type: object
+                    required:
+                    - ref
+                    type: object
+                  commit:
+                    description: Commit specifies how to commit to the git repository.
+                    properties:
+                      author:
+                        description: Author gives the email and optionally the name
+                          to use as the author of commits.
+                        properties:
+                          email:
+                            description: Email gives the email to provide when making
+                              a commit.
+                            type: string
+                          name:
+                            description: Name gives the name to provide when making
+                              a commit.
+                            type: string
+                        required:
+                        - email
+                        type: object
+                      messageTemplate:
+                        description: MessageTemplate provides a template for the commit
+                          message, into which will be interpolated the details of
+                          the change made.
+                        type: string
+                      signingKey:
+                        description: SigningKey provides the option to sign commits
+                          with a GPG key
+                        properties:
+                          secretRef:
+                            description: SecretRef holds the name to a secret that
+                              contains a 'git.asc' key corresponding to the ASCII
+                              Armored file containing the GPG signing keypair as the
+                              value. It must be in the same namespace as the ImageUpdateAutomation.
+                            properties:
+                              name:
+                                description: Name of the referent.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        type: object
+                    required:
+                    - author
+                    type: object
+                  push:
+                    description: Push specifies how and where to push commits made
+                      by the automation. If missing, commits are pushed (back) to
+                      `.spec.checkout.branch` or its default.
+                    properties:
+                      branch:
+                        description: Branch specifies that commits should be pushed
+                          to the branch named. The branch is created using `.spec.checkout.branch`
+                          as the starting point, if it doesn't already exist.
+                        type: string
+                      options:
+                        additionalProperties:
+                          type: string
+                        description: 'Options specifies the push options that are
+                          sent to the Git server when performing a push operation.
+                          For details, see: https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt'
+                        type: object
+                      refspec:
+                        description: 'Refspec specifies the Git Refspec to use for
+                          a push operation. If both Branch and Refspec are provided,
+                          then the commit is pushed to the branch and also using the
+                          specified refspec. For more details about Git Refspecs,
+                          see: https://git-scm.com/book/en/v2/Git-Internals-The-Refspec'
+                        type: string
+                    type: object
+                required:
+                - commit
+                type: object
+              interval:
+                description: Interval gives an lower bound for how often the automation
+                  run should be attempted.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
+                type: string
+              sourceRef:
+                description: SourceRef refers to the resource giving access details
+                  to a git repository.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  kind:
+                    default: GitRepository
+                    description: Kind of the referent.
+                    enum:
+                    - GitRepository
+                    type: string
+                  name:
+                    description: Name of the referent.
+                    type: string
+                  namespace:
+                    description: Namespace of the referent, defaults to the namespace
+                      of the Kubernetes resource object that contains the reference.
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+              suspend:
+                description: Suspend tells the controller to not run this automation,
+                  until it is unset (or set to false). Defaults to false.
+                type: boolean
+              update:
+                default:
+                  strategy: Setters
+                description: Update gives the specification for how to update the
+                  files in the repository. This can be left empty, to use the default
+                  value.
+                properties:
+                  path:
+                    description: Path to the directory containing the manifests to
+                      be updated. Defaults to 'None', which translates to the root
+                      path of the GitRepositoryRef.
+                    type: string
+                  strategy:
+                    default: Setters
+                    description: Strategy names the strategy to be used.
+                    enum:
+                    - Setters
+                    type: string
+                required:
+                - strategy
+                type: object
+            required:
+            - interval
+            - sourceRef
+            type: object
+          status:
+            default:
+              observedGeneration: -1
+            description: ImageUpdateAutomationStatus defines the observed state of
+              ImageUpdateAutomation
+            properties:
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastAutomationRunTime:
+                description: LastAutomationRunTime records the last time the controller
+                  ran this automation through to completion (even if no updates were
+                  made).
+                format: date-time
+                type: string
+              lastHandledReconcileAt:
+                description: LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value can
+                  be detected.
+                type: string
+              lastPushCommit:
+                description: LastPushCommit records the SHA1 of the last commit made
+                  by the controller, for this automation object
+                type: string
+              lastPushTime:
+                description: LastPushTime records the time of the last pushed change.
+                format: date-time
+                type: string
+              observedGeneration:
+                format: int64
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml

@@ -0,0 +1,135 @@
+{{- if and .Values.imageAutomationController.create}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: image-automation-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    control-plane: controller
+    {{- with .Values.imageAutomationController.labels }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  name: image-automation-controller
+spec:
+  {{- if kindIs "invalid" .Values.imageAutomationController.replicas }}
+  replicas: 1
+  {{- else }}
+  replicas: {{ .Values.imageAutomationController.replicas  }}
+  {{- end}}
+  selector:
+    matchLabels:
+      app: image-automation-controller
+  template:
+    metadata:
+      {{- with .Values.imageAutomationController.annotations }}
+      annotations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app: image-automation-controller
+{{ with .Values.imageAutomationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      automountServiceAccountToken: {{ .Values.imageAutomationController.serviceAccount.automount }}
+      {{- if .Values.imageAutomationController.initContainers}}
+      initContainers:
+        {{- toYaml .Values.imageAutomationController.initContainers | nindent 8}}
+      {{- end}}
+      containers:
+      - args:
+        {{- if .Values.multitenancy.enabled }}
+        - --no-cross-namespace-refs=true
+        {{- end}}
+        {{- if .Values.notificationController.create }}
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        {{- end}}
+        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
+        - --log-level={{ .Values.logLevel | default "info" }}
+        - --log-encoding=json
+        - --enable-leader-election
+        {{- range .Values.imageAutomationController.container.additionalArgs }}
+        - {{ . }}
+        {{- end}}
+        env:
+        - name: RUNTIME_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- with .Values.imageAutomationController.extraEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        image: {{ template "template.image" .Values.imageAutomationController }}
+        {{- if .Values.imageAutomationController.imagePullPolicy }}
+        imagePullPolicy: {{ .Values.imageAutomationController.imagePullPolicy }}
+        {{- else }}
+        imagePullPolicy: IfNotPresent
+        {{- end }}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: healthz
+        name: manager
+        ports:
+        - containerPort: 8080
+          name: http-prom
+        - containerPort: 9440
+          name: healthz
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: healthz
+        {{- with .Values.imageAutomationController.resources }}
+        resources: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- if .Values.imageAutomationController.securityContext }}
+        securityContext: {{ toYaml .Values.imageAutomationController.securityContext | nindent 10 }}
+        {{- else }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        {{- end}}
+        volumeMounts:
+        - mountPath: /tmp
+          name: temp
+        {{- if .Values.imageAutomationController.volumeMounts }}
+        {{- toYaml .Values.imageAutomationController.volumeMounts | nindent 8 }}
+        {{- end}}
+      {{- if .Values.imageAutomationController.priorityClassName }}
+      priorityClassName: {{ .Values.imageAutomationController.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.imageAutomationController.podSecurityContext }}
+      securityContext: {{ toYaml .Values.imageAutomationController.podSecurityContext | nindent 8 }}
+      {{- else }}
+      securityContext:
+        fsGroup: 1337
+      {{- end}}
+      serviceAccountName: image-automation-controller
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - emptyDir: {}
+        name: temp
+      {{- if .Values.imageAutomationController.volumes }}
+      {{- toYaml .Values.imageAutomationController.volumes | nindent 6 }}
+      {{- end}}
+      {{- with .Values.imageAutomationController.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.imageAutomationController.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.imageAutomationController.tolerations }}
+      tolerations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.imageReflectionController.create }}
+{{- if .Values.imageReflectionController.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: image-reflector-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: image-reflector-controller
+  {{- with .Values.imageReflectionController.serviceAccount.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
+{{- end -}}

packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml

@@ -0,0 +1,901 @@
+{{- if and .Values.installCRDs .Values.imageReflectionController.create }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  labels:
+    app.kubernetes.io/component: image-reflector-controller
+    app.kubernetes.io/instance: '{{ .Release.Namespace }}'
+    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+    app.kubernetes.io/part-of: flux
+    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+  name: imagepolicies.image.toolkit.fluxcd.io
+spec:
+  group: image.toolkit.fluxcd.io
+  names:
+    kind: ImagePolicy
+    listKind: ImagePolicyList
+    plural: imagepolicies
+    singular: imagepolicy
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.latestImage
+      name: LatestImage
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: ImagePolicy is the Schema for the imagepolicies API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ImagePolicySpec defines the parameters for calculating the
+              ImagePolicy
+            properties:
+              filterTags:
+                description: FilterTags enables filtering for only a subset of tags
+                  based on a set of rules. If no rules are provided, all the tags
+                  from the repository will be ordered and compared.
+                properties:
+                  extract:
+                    description: Extract allows a capture group to be extracted from
+                      the specified regular expression pattern, useful before tag
+                      evaluation.
+                    type: string
+                  pattern:
+                    description: Pattern specifies a regular expression pattern used
+                      to filter for image tags.
+                    type: string
+                type: object
+              imageRepositoryRef:
+                description: ImageRepositoryRef points at the object specifying the
+                  image being scanned
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                  namespace:
+                    description: Namespace of the referent, when not specified it
+                      acts as LocalObjectReference.
+                    type: string
+                required:
+                - name
+                type: object
+              policy:
+                description: Policy gives the particulars of the policy to be followed
+                  in selecting the most recent image
+                properties:
+                  alphabetical:
+                    description: Alphabetical set of rules to use for alphabetical
+                      ordering of the tags.
+                    properties:
+                      order:
+                        default: asc
+                        description: Order specifies the sorting order of the tags.
+                          Given the letters of the alphabet as tags, ascending order
+                          would select Z, and descending order would select A.
+                        enum:
+                        - asc
+                        - desc
+                        type: string
+                    type: object
+                  numerical:
+                    description: Numerical set of rules to use for numerical ordering
+                      of the tags.
+                    properties:
+                      order:
+                        default: asc
+                        description: Order specifies the sorting order of the tags.
+                          Given the integer values from 0 to 9 as tags, ascending
+                          order would select 9, and descending order would select
+                          0.
+                        enum:
+                        - asc
+                        - desc
+                        type: string
+                    type: object
+                  semver:
+                    description: SemVer gives a semantic version range to check against
+                      the tags available.
+                    properties:
+                      range:
+                        description: Range gives a semver range for the image tag;
+                          the highest version within the range that's a tag yields
+                          the latest image.
+                        type: string
+                    required:
+                    - range
+                    type: object
+                type: object
+            required:
+            - imageRepositoryRef
+            - policy
+            type: object
+          status:
+            default:
+              observedGeneration: -1
+            description: ImagePolicyStatus defines the observed state of ImagePolicy
+            properties:
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              latestImage:
+                description: LatestImage gives the first in the list of images scanned
+                  by the image repository, when filtered and ordered according to
+                  the policy.
+                type: string
+              observedGeneration:
+                format: int64
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.latestImage
+      name: LatestImage
+      type: string
+    name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: ImagePolicy is the Schema for the imagepolicies API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ImagePolicySpec defines the parameters for calculating the
+              ImagePolicy.
+            properties:
+              filterTags:
+                description: FilterTags enables filtering for only a subset of tags
+                  based on a set of rules. If no rules are provided, all the tags
+                  from the repository will be ordered and compared.
+                properties:
+                  extract:
+                    description: Extract allows a capture group to be extracted from
+                      the specified regular expression pattern, useful before tag
+                      evaluation.
+                    type: string
+                  pattern:
+                    description: Pattern specifies a regular expression pattern used
+                      to filter for image tags.
+                    type: string
+                type: object
+              imageRepositoryRef:
+                description: ImageRepositoryRef points at the object specifying the
+                  image being scanned
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                  namespace:
+                    description: Namespace of the referent, when not specified it
+                      acts as LocalObjectReference.
+                    type: string
+                required:
+                - name
+                type: object
+              policy:
+                description: Policy gives the particulars of the policy to be followed
+                  in selecting the most recent image
+                properties:
+                  alphabetical:
+                    description: Alphabetical set of rules to use for alphabetical
+                      ordering of the tags.
+                    properties:
+                      order:
+                        default: asc
+                        description: Order specifies the sorting order of the tags.
+                          Given the letters of the alphabet as tags, ascending order
+                          would select Z, and descending order would select A.
+                        enum:
+                        - asc
+                        - desc
+                        type: string
+                    type: object
+                  numerical:
+                    description: Numerical set of rules to use for numerical ordering
+                      of the tags.
+                    properties:
+                      order:
+                        default: asc
+                        description: Order specifies the sorting order of the tags.
+                          Given the integer values from 0 to 9 as tags, ascending
+                          order would select 9, and descending order would select
+                          0.
+                        enum:
+                        - asc
+                        - desc
+                        type: string
+                    type: object
+                  semver:
+                    description: SemVer gives a semantic version range to check against
+                      the tags available.
+                    properties:
+                      range:
+                        description: Range gives a semver range for the image tag;
+                          the highest version within the range that's a tag yields
+                          the latest image.
+                        type: string
+                    required:
+                    - range
+                    type: object
+                type: object
+            required:
+            - imageRepositoryRef
+            - policy
+            type: object
+          status:
+            default:
+              observedGeneration: -1
+            description: ImagePolicyStatus defines the observed state of ImagePolicy
+            properties:
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              latestImage:
+                description: LatestImage gives the first in the list of images scanned
+                  by the image repository, when filtered and ordered according to
+                  the policy.
+                type: string
+              observedGeneration:
+                format: int64
+                type: integer
+              observedPreviousImage:
+                description: ObservedPreviousImage is the observed previous LatestImage.
+                  It is used to keep track of the previous and current images.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.12.0
+    {{- with .Values.crds.annotations }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  labels:
+    app.kubernetes.io/component: image-reflector-controller
+    app.kubernetes.io/instance: '{{ .Release.Namespace }}'
+    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+    app.kubernetes.io/part-of: flux
+    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+  name: imagerepositories.image.toolkit.fluxcd.io
+spec:
+  group: image.toolkit.fluxcd.io
+  names:
+    kind: ImageRepository
+    listKind: ImageRepositoryList
+    plural: imagerepositories
+    singular: imagerepository
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.lastScanResult.scanTime
+      name: Last scan
+      type: string
+    - jsonPath: .status.lastScanResult.tagCount
+      name: Tags
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: ImageRepository is the Schema for the imagerepositories API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ImageRepositorySpec defines the parameters for scanning an
+              image repository, e.g., `fluxcd/flux`.
+            properties:
+              accessFrom:
+                description: AccessFrom defines an ACL for allowing cross-namespace
+                  references to the ImageRepository object based on the caller's namespace
+                  labels.
+                properties:
+                  namespaceSelectors:
+                    description: NamespaceSelectors is the list of namespace selectors
+                      to which this ACL applies. Items in this list are evaluated
+                      using a logical OR operation.
+                    items:
+                      description: NamespaceSelector selects the namespaces to which
+                        this ACL applies. An empty map of MatchLabels matches all
+                        namespaces in a cluster.
+                      properties:
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: MatchLabels is a map of {key,value} pairs.
+                            A single {key,value} in the matchLabels map is equivalent
+                            to an element of matchExpressions, whose key field is
+                            "key", the operator is "In", and the values array contains
+                            only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - namespaceSelectors
+                type: object
+              certSecretRef:
+                description: "CertSecretRef can be given the name of a secret containing
+                  either or both of \n - a PEM-encoded client certificate (`certFile`)
+                  and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`)
+                  \n and whichever are supplied, will be used for connecting to the
+                  registry. The client cert and key are useful if you are authenticating
+                  with a certificate; the CA cert is useful if you are using a self-signed
+                  server certificate."
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              exclusionList:
+                description: ExclusionList is a list of regex strings used to exclude
+                  certain tags from being stored in the database.
+                items:
+                  type: string
+                type: array
+              image:
+                description: Image is the name of the image repository
+                type: string
+              interval:
+                description: Interval is the length of time to wait between scans
+                  of the image repository.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
+                type: string
+              secretRef:
+                description: SecretRef can be given the name of a secret containing
+                  credentials to use for the image registry. The secret should be
+                  created with `kubectl create secret docker-registry`, or the equivalent.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              serviceAccountName:
+                description: ServiceAccountName is the name of the Kubernetes ServiceAccount
+                  used to authenticate the image pull if the service account has attached
+                  pull secrets.
+                maxLength: 253
+                type: string
+              suspend:
+                description: This flag tells the controller to suspend subsequent
+                  image scans. It does not apply to already started scans. Defaults
+                  to false.
+                type: boolean
+              timeout:
+                description: Timeout for image scanning. Defaults to 'Interval' duration.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
+                type: string
+            type: object
+          status:
+            default:
+              observedGeneration: -1
+            description: ImageRepositoryStatus defines the observed state of ImageRepository
+            properties:
+              canonicalImageName:
+                description: CanonicalName is the name of the image repository with
+                  all the implied bits made explicit; e.g., `docker.io/library/alpine`
+                  rather than `alpine`.
+                type: string
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastHandledReconcileAt:
+                description: LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value can
+                  be detected.
+                type: string
+              lastScanResult:
+                description: LastScanResult contains the number of fetched tags.
+                properties:
+                  scanTime:
+                    format: date-time
+                    type: string
+                  tagCount:
+                    type: integer
+                required:
+                - tagCount
+                type: object
+              observedGeneration:
+                description: ObservedGeneration is the last reconciled generation.
+                format: int64
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.lastScanResult.scanTime
+      name: Last scan
+      type: string
+    - jsonPath: .status.lastScanResult.tagCount
+      name: Tags
+      type: string
+    name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: ImageRepository is the Schema for the imagerepositories API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ImageRepositorySpec defines the parameters for scanning an
+              image repository, e.g., `fluxcd/flux`.
+            properties:
+              accessFrom:
+                description: AccessFrom defines an ACL for allowing cross-namespace
+                  references to the ImageRepository object based on the caller's namespace
+                  labels.
+                properties:
+                  namespaceSelectors:
+                    description: NamespaceSelectors is the list of namespace selectors
+                      to which this ACL applies. Items in this list are evaluated
+                      using a logical OR operation.
+                    items:
+                      description: NamespaceSelector selects the namespaces to which
+                        this ACL applies. An empty map of MatchLabels matches all
+                        namespaces in a cluster.
+                      properties:
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: MatchLabels is a map of {key,value} pairs.
+                            A single {key,value} in the matchLabels map is equivalent
+                            to an element of matchExpressions, whose key field is
+                            "key", the operator is "In", and the values array contains
+                            only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - namespaceSelectors
+                type: object
+              certSecretRef:
+                description: "CertSecretRef can be given the name of a Secret containing
+                  either or both of \n - a PEM-encoded client certificate (`tls.crt`)
+                  and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`)
+                  \n and whichever are supplied, will be used for connecting to the
+                  registry. The client cert and key are useful if you are authenticating
+                  with a certificate; the CA cert is useful if you are using a self-signed
+                  server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`.
+                  \n Note: Support for the `caFile`, `certFile` and `keyFile` keys
+                  has been deprecated."
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              exclusionList:
+                default:
+                - ^.*\.sig$
+                description: ExclusionList is a list of regex strings used to exclude
+                  certain tags from being stored in the database.
+                items:
+                  type: string
+                maxItems: 25
+                type: array
+              image:
+                description: Image is the name of the image repository
+                type: string
+              insecure:
+                description: Insecure allows connecting to a non-TLS HTTP container
+                  registry.
+                type: boolean
+              interval:
+                description: Interval is the length of time to wait between scans
+                  of the image repository.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
+                type: string
+              provider:
+                default: generic
+                description: The provider used for authentication, can be 'aws', 'azure',
+                  'gcp' or 'generic'. When not specified, defaults to 'generic'.
+                enum:
+                - generic
+                - aws
+                - azure
+                - gcp
+                type: string
+              secretRef:
+                description: SecretRef can be given the name of a secret containing
+                  credentials to use for the image registry. The secret should be
+                  created with `kubectl create secret docker-registry`, or the equivalent.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              serviceAccountName:
+                description: ServiceAccountName is the name of the Kubernetes ServiceAccount
+                  used to authenticate the image pull if the service account has attached
+                  pull secrets.
+                maxLength: 253
+                type: string
+              suspend:
+                description: This flag tells the controller to suspend subsequent
+                  image scans. It does not apply to already started scans. Defaults
+                  to false.
+                type: boolean
+              timeout:
+                description: Timeout for image scanning. Defaults to 'Interval' duration.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
+                type: string
+            type: object
+          status:
+            default:
+              observedGeneration: -1
+            description: ImageRepositoryStatus defines the observed state of ImageRepository
+            properties:
+              canonicalImageName:
+                description: CanonicalName is the name of the image repository with
+                  all the implied bits made explicit; e.g., `docker.io/library/alpine`
+                  rather than `alpine`.
+                type: string
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastHandledReconcileAt:
+                description: LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value can
+                  be detected.
+                type: string
+              lastScanResult:
+                description: LastScanResult contains the number of fetched tags.
+                properties:
+                  latestTags:
+                    items:
+                      type: string
+                    type: array
+                  scanTime:
+                    format: date-time
+                    type: string
+                  tagCount:
+                    type: integer
+                required:
+                - tagCount
+                type: object
+              observedExclusionList:
+                description: ObservedExclusionList is a list of observed exclusion
+                  list. It reflects the exclusion rules used for the observed scan
+                  result in spec.lastScanResult.
+                items:
+                  type: string
+                type: array
+              observedGeneration:
+                description: ObservedGeneration is the last reconciled generation.
+                format: int64
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml

@@ -0,0 +1,139 @@
+{{- if and .Values.imageReflectionController.create }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: image-reflector-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    control-plane: controller
+    {{- with .Values.imageReflectionController.labels }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  name: image-reflector-controller
+spec:
+  {{- if kindIs "invalid" .Values.imageReflectionController.replicas }}
+  replicas: 1
+  {{- else }}
+  replicas: {{ .Values.imageReflectionController.replicas  }}
+  {{- end}}
+  selector:
+    matchLabels:
+      app: image-reflector-controller
+  template:
+    metadata:
+      {{- with .Values.imageReflectionController.annotations }}
+      annotations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app: image-reflector-controller
+{{ with .Values.imageReflectionController.labels }}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      automountServiceAccountToken: {{ .Values.imageReflectionController.serviceAccount.automount }}
+      {{- if .Values.imageReflectionController.initContainers}}
+      initContainers:
+        {{- toYaml .Values.imageReflectionController.initContainers | nindent 8}}
+      {{- end}}
+      containers:
+      - args:
+        {{- if .Values.multitenancy.enabled }}
+        - --no-cross-namespace-refs=true
+        {{- end}}
+        {{- if .Values.notificationController.create }}
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        {{- end}}
+        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
+        - --log-level={{ .Values.logLevel | default "info" }}
+        - --log-encoding=json
+        - --enable-leader-election
+        {{- range .Values.imageReflectionController.container.additionalArgs }}
+        - {{ . }}
+        {{- end}}
+        env:
+        - name: RUNTIME_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- with .Values.imageReflectionController.extraEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        image: {{ template "template.image" .Values.imageReflectionController }}
+        {{- if .Values.imageReflectionController.imagePullPolicy }}
+        imagePullPolicy: {{ .Values.imageReflectionController.imagePullPolicy }}
+        {{- else }}
+        imagePullPolicy: IfNotPresent
+        {{- end }}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: healthz
+        name: manager
+        ports:
+        - containerPort: 8080
+          name: http-prom
+        - containerPort: 9440
+          name: healthz
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: healthz
+        {{- with .Values.imageReflectionController.resources }}
+        resources: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- if .Values.imageReflectionController.securityContext }}
+        securityContext: {{ toYaml .Values.imageReflectionController.securityContext | nindent 10 }}
+        {{- else }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        {{- end}}
+        volumeMounts:
+        - mountPath: /tmp
+          name: temp
+        - mountPath: /data
+          name: data
+        {{- if .Values.imageReflectionController.volumeMounts }}
+        {{- toYaml .Values.imageReflectionController.volumeMounts | nindent 8 }}
+        {{- end}}
+      {{- if .Values.imageReflectionController.priorityClassName }}
+      priorityClassName: {{ .Values.imageReflectionController.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.imageReflectionController.podSecurityContext }}
+      securityContext: {{ toYaml .Values.imageReflectionController.podSecurityContext | nindent 8 }}
+      {{- else }}
+      securityContext:
+        fsGroup: 1337
+      {{- end}}
+      serviceAccountName: image-reflector-controller
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - emptyDir: {}
+        name: temp
+      - emptyDir: {}
+        name: data
+      {{- if .Values.imageReflectionController.volumes }}
+      {{- toYaml .Values.imageReflectionController.volumes | nindent 6 }}
+      {{- end}}
+      {{- with .Values.imageReflectionController.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.imageReflectionController.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.imageReflectionController.tolerations }}
+      tolerations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.kustomizeController.create }}
+{{- if .Values.kustomizeController.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: kustomize-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: kustomize-controller
+  {{- with .Values.kustomizeController.serviceAccount.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
+{{- end -}}

packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.kustomizeController.secret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.kustomizeController.secret.name }}
+  namespace:  {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+type: Opaque
+data:
+  {{- range $key, $value := .Values.kustomizeController.secret.data }}
+  {{ $key }}: {{ $value | toString | b64enc | quote }}
+  {{- end }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml

@@ -0,0 +1,158 @@
+{{- if and .Values.kustomizeController.create }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: kustomize-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    control-plane: controller
+    {{- with .Values.kustomizeController.labels }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  name: kustomize-controller
+spec:
+  {{- if kindIs "invalid" .Values.kustomizeController.replicas }}
+  replicas: 1
+  {{- else }}
+  replicas: {{ .Values.kustomizeController.replicas  }}
+  {{- end}}
+  selector:
+    matchLabels:
+      app: kustomize-controller
+  template:
+    metadata:
+      {{- with .Values.kustomizeController.annotations }}
+      annotations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app: kustomize-controller
+{{ with .Values.kustomizeController.labels }}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      automountServiceAccountToken: {{ .Values.kustomizeController.serviceAccount.automount }}
+      {{- if .Values.kustomizeController.initContainers}}
+      initContainers:
+        {{- toYaml .Values.kustomizeController.initContainers | nindent 8}}
+      {{- end}}
+      containers:
+      - args:
+        {{- if .Values.multitenancy.enabled }}
+        - --no-cross-namespace-refs=true
+        - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
+        {{- end}}
+        {{- if .Values.notificationController.create }}
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        {{- end}}
+        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
+        - --log-level={{ .Values.logLevel | default "info" }}
+        - --log-encoding=json
+        - --enable-leader-election
+        {{- range .Values.kustomizeController.container.additionalArgs }}
+        - {{ . }}
+        {{- end}}
+        env:
+        - name: RUNTIME_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- with .Values.kustomizeController.extraEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- if or (.Values.kustomizeController.envFrom.map.name) (.Values.kustomizeController.envFrom.secret.name) }}
+        envFrom:
+          {{- if .Values.kustomizeController.envFrom.map.name }}
+          - configMapRef:
+              name: {{ .Values.kustomizeController.envFrom.map.name }}
+          {{- end }}
+          {{- if .Values.kustomizeController.envFrom.secret.name }}
+          - secretRef:
+              name: {{ .Values.kustomizeController.envFrom.secret.name }}
+          {{- end }}
+        {{- end }}
+        image: {{ template "template.image" .Values.kustomizeController }}
+        {{- if .Values.kustomizeController.imagePullPolicy }}
+        imagePullPolicy: {{ .Values.kustomizeController.imagePullPolicy }}
+        {{- else }}
+        imagePullPolicy: IfNotPresent
+        {{- end }}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: healthz
+        name: manager
+        ports:
+        - containerPort: 8080
+          name: http-prom
+        - containerPort: 9440
+          name: healthz
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: healthz
+        {{- with .Values.kustomizeController.resources }}
+        resources: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- if .Values.kustomizeController.securityContext }}
+        securityContext: {{ toYaml .Values.kustomizeController.securityContext | nindent 10 }}
+        {{- else }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        {{- end}}
+        volumeMounts:
+        - mountPath: /tmp
+          name: temp
+        {{- if .Values.kustomizeController.volumeMounts }}
+        {{- toYaml .Values.kustomizeController.volumeMounts | nindent 8 }}
+        {{- end}}
+      {{- if .Values.kustomizeController.priorityClassName }}
+      priorityClassName: {{ .Values.kustomizeController.priorityClassName | quote }}
+      {{- end }}
+      {{- range .Values.kustomizeController.extraSecretMounts }}
+        - name: {{ .name }}
+          mountPath: {{ .mountPath }}
+          subPath: {{ .subPath }}
+          readOnly: {{ .readOnly }}
+      {{- end }}
+      {{- if .Values.kustomizeController.podSecurityContext }}
+      securityContext: {{ toYaml .Values.kustomizeController.podSecurityContext | nindent 8 }}
+      {{- else }}
+      securityContext:
+        fsGroup: 1337
+      {{- end}}
+      serviceAccountName: kustomize-controller
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 60
+      volumes:
+      - emptyDir: {}
+        name: temp
+      {{- if .Values.kustomizeController.volumes }}
+      {{- toYaml .Values.kustomizeController.volumes | nindent 6 }}
+      {{- end}}
+      {{- range .Values.kustomizeController.extraSecretMounts }}
+      - name: {{ .name }}
+        secret:
+          secretName: {{ .secretName }}
+      {{- end }}
+      {{- with .Values.kustomizeController.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.kustomizeController.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.kustomizeController.tolerations }}
+      tolerations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml

@@ -0,0 +1,49 @@
+{{- if and .Values.notificationController.create .Values.notificationController.webhookReceiver.ingress.create }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    control-plane: controller
+    {{- with .Values.notificationController.webhookReceiver.ingress.labels }}{{ toYaml . | nindent 4 }}{{ end }}
+  {{- with .Values.notificationController.webhookReceiver.ingress.annotations }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ tpl $value $ | quote }}
+    {{- end }}
+  {{- end }}
+  name: webhook-receiver
+spec:
+  {{- if .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
+  {{- end -}}
+  {{- if .Values.notificationController.webhookReceiver.ingress.tls }}
+  tls:
+    {{- range .Values.notificationController.webhookReceiver.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.notificationController.webhookReceiver.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: webhook-receiver
+                port:
+                  number: 80
+          {{- end }}
+    {{- end }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.notificationController.create -}}
+{{- if .Values.notificationController.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: notification-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: notification-controller
+  {{- with .Values.notificationController.serviceAccount.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
+{{- end -}}

packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml

@@ -0,0 +1,29 @@
+{{- if and .Values.notificationController.create }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    control-plane: controller
+    {{- with .Values.notificationController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
+  name: notification-controller
+  {{- with .Values.notificationController.service.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  {{- if .Values.notificationController.service.ports }}
+  {{- toYaml .Values.notificationController.service.ports | nindent 2 }}
+  {{- end}}
+  selector:
+    app: notification-controller
+  type: ClusterIP
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.notificationController.create }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    control-plane: controller
+    {{- with .Values.notificationController.webhookReceiver.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
+  name: webhook-receiver
+  {{- with .Values.notificationController.webhookReceiver.service.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 9292
+  selector:
+    app: notification-controller
+  type: ClusterIP
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml

@@ -0,0 +1,136 @@
+{{- if and .Values.notificationController.create }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: notification-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    control-plane: controller
+    {{- with .Values.notificationController.labels }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  name: notification-controller
+spec:
+  {{- if kindIs "invalid" .Values.notificationController.replicas }}
+  replicas: 1
+  {{- else }}
+  replicas: {{ .Values.notificationController.replicas  }}
+  {{- end}}
+  selector:
+    matchLabels:
+      app: notification-controller
+  template:
+    metadata:
+      {{- with .Values.notificationController.annotations }}
+      annotations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app: notification-controller
+{{ with .Values.notificationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      automountServiceAccountToken: {{ .Values.notificationController.serviceAccount.automount }}
+      {{- if .Values.notificationController.initContainers}}
+      initContainers:
+        {{- toYaml .Values.notificationController.initContainers | nindent 8}}
+      {{- end}}
+      containers:
+      - args:
+        {{- if .Values.multitenancy.enabled }}
+        - --no-cross-namespace-refs=true
+        {{- end}}
+        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
+        - --log-level={{ .Values.logLevel | default "info" }}
+        - --log-encoding=json
+        - --enable-leader-election
+        {{- range .Values.notificationController.container.additionalArgs }}
+        - {{ . }}
+        {{- end}}
+        env:
+        - name: RUNTIME_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- with .Values.notificationController.extraEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        image: {{ template "template.image" .Values.notificationController }}
+        {{- if .Values.notificationController.imagePullPolicy }}
+        imagePullPolicy: {{ .Values.notificationController.imagePullPolicy }}
+        {{- else }}
+        imagePullPolicy: IfNotPresent
+        {{- end }}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: healthz
+        name: manager
+        ports:
+        - containerPort: 9090
+          name: http
+          protocol: TCP
+        - containerPort: 9292
+          name: http-webhook
+          protocol: TCP
+        - containerPort: 8080
+          name: http-prom
+          protocol: TCP
+        - containerPort: 9440
+          name: healthz
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: healthz
+        {{- with .Values.notificationController.resources }}
+        resources: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- if .Values.notificationController.securityContext }}
+        securityContext: {{ toYaml .Values.notificationController.securityContext | nindent 10 }}
+        {{- else }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        {{- end}}
+        volumeMounts:
+        - mountPath: /tmp
+          name: temp
+        {{- if .Values.notificationController.volumeMounts }}
+        {{- toYaml .Values.notificationController.volumeMounts | nindent 8 }}
+        {{- end}}
+      {{- if .Values.notificationController.priorityClassName }}
+      priorityClassName: {{ .Values.notificationController.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.notificationController.podSecurityContext }}
+      securityContext: {{ toYaml .Values.notificationController.podSecurityContext | nindent 8 }}
+      {{- end }}
+      serviceAccountName: notification-controller
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - emptyDir: {}
+        name: temp
+      {{- if .Values.notificationController.volumes }}
+      {{- toYaml .Values.notificationController.volumes | nindent 6 }}
+      {{- end}}
+      {{- with .Values.notificationController.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.notificationController.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.notificationController.tolerations }}
+      tolerations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml

@@ -0,0 +1,32 @@
+{{ if .Values.prometheus.podMonitor.create }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ .Release.Name }}
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    {{- range $key, $value := .Values.prometheus.podMonitor.additionalLabels }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+spec:
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - helm-controller
+          - source-controller
+          - kustomize-controller
+          - notification-controller
+          - image-automation-controller
+          - image-reflector-controller
+  podMetricsEndpoints:
+{{ toYaml .Values.prometheus.podMonitor.podMetricsEndpoints | indent 4 }}
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/policies.yaml

@@ -0,0 +1,63 @@
+{{- if and .Values.policies.create}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: allow-egress
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector: {}
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: allow-scraping
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8080
+      protocol: TCP
+  podSelector: {}
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: allow-webhooks
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+  podSelector:
+    matchLabels:
+      app: notification-controller
+  policyTypes:
+  - Ingress
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: "{{ .Release.Name }}-flux-check"
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml

@@ -0,0 +1,72 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-flux-check"
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      name: "{{ .Release.Name }}"
+      {{- with .Values.cli.annotations }}
+      annotations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+        app.kubernetes.io/part-of: flux
+        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    spec:
+      restartPolicy: Never
+      serviceAccountName: "{{ .Release.Name }}-flux-check"
+      automountServiceAccountToken: {{ .Values.cli.serviceAccount.automount }}
+      containers:
+      - name: flux-cli
+        image: {{ template "template.image" .Values.cli }}
+        command: ["/usr/local/bin/flux", "check",  "--pre", "--namespace", {{ .Release.Namespace }}]
+        {{- with .Values.cli.resources }}
+        resources: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- if .Values.cli.securityContext }}
+        securityContext: {{ toYaml .Values.cli.securityContext | nindent 10 }}
+        {{- else }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        {{- end}}
+        {{- if .Values.cli.volumeMounts }}
+        volumeMounts:
+        {{- toYaml .Values.cli.volumeMounts | nindent 10 }}
+        {{- end}}
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
+      {{- end }}
+      {{- with .Values.cli.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.cli.volumes }}
+      volumes:
+      {{- toYaml .Values.cli.volumes | nindent 8 }}
+      {{- end}}
+      {{- with .Values.cli.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.cli.tolerations }}
+      tolerations: {{ toYaml . | nindent 8 }}
+      {{- end }}

packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.sourceController.create }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    control-plane: controller
+    {{- with .Values.sourceController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
+  name: source-controller
+  {{- with .Values.sourceController.service.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  {{- if .Values.sourceController.service.ports }}
+  {{- toYaml .Values.sourceController.service.ports | nindent 2 }}
+  {{- end}}
+  selector:
+    app: source-controller
+  type: ClusterIP
+{{- end }}

packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.sourceController.create -}}
+{{- if .Values.sourceController.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: source-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  name: source-controller
+  {{- with .Values.sourceController.serviceAccount.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
+{{- end -}}

packages/core/fluxcd/charts/flux2/templates/source-controller.yaml

@@ -0,0 +1,140 @@
+{{- if .Values.sourceController.create }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: source-controller
+    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote  }}
+    app.kubernetes.io/part-of: flux
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    control-plane: controller
+    {{- with .Values.sourceController.labels }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+  name: source-controller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: source-controller
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      {{- with .Values.sourceController.annotations }}
+      annotations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app: source-controller
+{{ with .Values.sourceController.labels }}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      automountServiceAccountToken: {{ .Values.sourceController.serviceAccount.automount }}
+      {{- if .Values.sourceController.initContainers}}
+      initContainers:
+        {{- toYaml .Values.sourceController.initContainers | nindent 8}}
+      {{- end}}
+      containers:
+      - args:
+        {{- if .Values.notificationController.create }}
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        {{- end}}
+        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
+        - --log-level={{ .Values.logLevel | default "info" }}
+        - --log-encoding=json
+        - --enable-leader-election
+        - --storage-path=/data
+        - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        {{- range .Values.sourceController.container.additionalArgs }}
+        - {{ . }}
+        {{- end}}
+        env:
+        - name: RUNTIME_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- with .Values.sourceController.extraEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        image: {{ template "template.image" .Values.sourceController }}
+        {{- if .Values.sourceController.imagePullPolicy }}
+        imagePullPolicy: {{ .Values.sourceController.imagePullPolicy }}
+        {{- else }}
+        imagePullPolicy: IfNotPresent
+        {{- end }}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: healthz
+        name: manager
+        ports:
+        - containerPort: 9090
+          name: http
+          protocol: TCP
+        - containerPort: 8080
+          name: http-prom
+          protocol: TCP
+        - containerPort: 9440
+          name: healthz
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /
+            port: http
+        {{- with .Values.sourceController.resources }}
+        resources: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- if .Values.sourceController.securityContext }}
+        securityContext: {{ toYaml .Values.sourceController.securityContext | nindent 10 }}
+        {{- else }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        {{- end}}
+        volumeMounts:
+        - mountPath: /data
+          name: data
+        - mountPath: /tmp
+          name: tmp
+        {{- if .Values.sourceController.volumeMounts }}
+        {{- toYaml .Values.sourceController.volumeMounts | nindent 8 }}
+        {{- end}}
+      {{- if .Values.sourceController.priorityClassName }}
+      priorityClassName: {{ .Values.sourceController.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.sourceController.podSecurityContext }}
+      securityContext: {{ toYaml .Values.sourceController.podSecurityContext | nindent 8 }}
+      {{- else }}
+      securityContext:
+        fsGroup: 1337
+      {{- end}}
+      serviceAccountName: source-controller
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - emptyDir: {}
+        name: data
+      - emptyDir: {}
+        name: tmp
+      {{- if .Values.sourceController.volumes }}
+      {{- toYaml .Values.sourceController.volumes | nindent 6 }}
+      {{- end}}
+      {{- with .Values.sourceController.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sourceController.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.sourceController.tolerations }}
+      tolerations: {{ toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

packages/core/fluxcd/charts/flux2/values.yaml

@@ -0,0 +1,327 @@
+# global
+
+installCRDs: true
+crds:
+  # -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep
+  annotations: {}
+
+multitenancy:
+  # -- Implement the patches for Multi-tenancy lockdown.
+  # See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown
+  enabled: false
+  # -- All Kustomizations and HelmReleases which don’t have spec.serviceAccountName
+  # specified, will use the default account from the tenant’s namespace.
+  # Tenants have to specify a service account in their Flux resources to be able
+  # to deploy workloads in their namespaces as the default account has no permissions.
+  defaultServiceAccount: "default"
+  # -- Both kustomize-controller and helm-controller service accounts run privileged
+  # with cluster-admin ClusterRoleBinding. Disable if you want to run them with a
+  # minimum set of permissions.
+  privileged: true
+
+clusterDomain: cluster.local
+
+cli:
+  image: ghcr.io/fluxcd/flux-cli
+  tag: v2.2.3
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+  annotations: {}
+  serviceAccount:
+    automount: true
+
+# controllers
+
+helmController:
+  create: true
+  image: ghcr.io/fluxcd/helm-controller
+  tag: v0.37.4
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  extraEnv: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  nodeSelector: {}
+  # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
+  # for example:
+  #   affinity:
+  #     nodeAffinity:
+  #      requiredDuringSchedulingIgnoredDuringExecution:
+  #        nodeSelectorTerms:
+  #        - matchExpressions:
+  #          - key: foo.bar.com/role
+  #            operator: In
+  #            values:
+  #            - master
+
+  affinity: {}
+  # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
+  # for example:
+  #   tolerations:
+  #   - key: foo.bar.com/role
+  #     operator: Equal
+  #     value: master
+  #     effect: NoSchedule
+
+  tolerations: []
+
+imageAutomationController:
+  create: true
+  image: ghcr.io/fluxcd/image-automation-controller
+  tag: v0.37.1
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  extraEnv: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+
+imageReflectionController:
+  create: true
+  image: ghcr.io/fluxcd/image-reflector-controller
+  tag: v0.31.2
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  extraEnv: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+
+kustomizeController:
+  create: true
+  image: ghcr.io/fluxcd/kustomize-controller
+  tag: v1.2.2
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  extraEnv: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  secret:
+    # -- Create a secret to use it with extraSecretMounts. Defaults to false.
+    create: false
+    name: ""
+    data: {}
+  # -- Defines envFrom using a configmap and/or secret.
+  envFrom:
+    map:
+      name: ""
+    secret:
+      name: ""
+  # -- Defines additional mounts with secrets.
+  # Secrets must be manually created in the namespace or with kustomizeController.secret
+  extraSecretMounts: []
+  # - name: secret-files
+  #   mountPath: /etc/secrets
+  #   subPath: ""
+  #   secretName: secret-files
+  #   readOnly: true
+
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+
+notificationController:
+  create: true
+  image: ghcr.io/fluxcd/notification-controller
+  tag: v1.2.4
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  extraEnv: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  service:
+    labels: {}
+    annotations: {}
+  webhookReceiver:
+    service:
+      labels: {}
+      annotations: {}
+    ingress:
+      create: false
+      # ingressClassName: nginx
+      annotations: {}
+      # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
+      labels: {}
+      hosts:
+        - host: flux-webhook.example.com
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+      tls: []
+      #  - secretName: flux-webhook-tls
+      #    hosts:
+      #      - flux-webhook.example.com
+
+
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+
+sourceController:
+  create: true
+  image: ghcr.io/fluxcd/source-controller
+  tag: v1.2.4
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  service:
+    labels: {}
+    annotations: {}
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+  extraEnv: []
+
+policies:
+  create: true
+
+rbac:
+  create: true
+  # -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources
+  createAggregation: true
+  # -- Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep
+  annotations: {}
+  roleRef:
+    name: cluster-admin
+
+logLevel: info
+watchAllNamespaces: true
+
+# -- contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers
+imagePullSecrets: []
+
+# -- Array of extra K8s manifests to deploy
+extraObjects: []
+# Example usage from https://fluxcd.io/docs/components/source/buckets/#static-authentication
+# - apiVersion: source.toolkit.fluxcd.io/v1beta2
+#   kind: Bucket
+#   metadata:
+#     name: podinfo
+#     namespace: default
+#   spec:
+#     interval: 1m
+#     provider: generic
+#     bucketName: podinfo
+#     endpoint: minio.minio.svc.cluster.local:9000
+#     insecure: true
+#     secretRef:
+#       name: minio-credentials
+# - apiVersion: v1
+#   kind: Secret
+#   metadata:
+#     name: minio-credentials
+#     namespace: default
+#   type: Opaque
+#   data:
+#     accesskey: <BASE64>
+#     secretkey: <BASE64>
+
+# Enables podMonitor creation for the Prometheus Operator
+prometheus:
+  podMonitor:
+    # -- Enables podMonitor endpoint
+    create: false
+    podMetricsEndpoints:
+      - port: http-prom
+        relabelings:
+          # https://github.com/prometheus-operator/prometheus-operator/issues/4816
+          - sourceLabels: [__meta_kubernetes_pod_phase]
+            action: keep
+            regex: Running

packages/core/installer/Makefile

@@ -25,7 +25,6 @@ image-cozystack:
 		--provenance false \
 		--tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \
-		--platform linux/amd64,linux/arm64 \
 		--cache-to type=inline \
 		--metadata-file images/cozystack.json \
 		--push=$(PUSH) \
@@ -35,8 +34,8 @@ image-cozystack:
 image-talos:
 	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
 	docker load -i ../../../_out/assets/installer-amd64.tar
-	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
+	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
-	docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
+	docker push ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
 
 image-matchbox:
 	test -f ../../../_out/assets/kernel-amd64 || make talos-kernel

packages/core/installer/hack/gen-profiles.sh

@@ -35,20 +35,16 @@ for profile in $PROFILES; do
   if [ "$profile" = "nocloud" ]; then
     image_options="{ diskSize: 1306525696, diskFormat: raw }"
     out_format=".xz"
-    platform="nocloud"
-    kind="image"
   else
     image_options="{}"
     out_format="raw"
-    platform="metal"
-    kind="$profile"
   fi
 
   cat > images/talos/profiles/$profile.yaml <<EOT
 # this file generated by hack/gen-profiles.sh
 # do not edit it
 arch: amd64
-platform: ${platform}
+platform: metal
 secureboot: false
 version: ${TALOS_VERSION}
 input:
@@ -69,7 +65,7 @@ input:
     - imageRef: ghcr.io/siderolabs/drbd:${DRBD_VERSION}
     - imageRef: ghcr.io/siderolabs/zfs:${ZFS_VERSION}
 output:
-  kind: ${kind}
+  kind: ${profile}
   imageOptions: ${image_options}
   outFormat: ${out_format}
 EOT

packages/core/installer/images/cozystack.json

@@ -1,10 +1,4 @@
 {
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/extxoj9ofu1pnz4jjx5x5813k",
+  "containerimage.config.digest": "sha256:cf9793f2de9d8f1400234a73f9446f3f9876b807463dae985d3cef4aafb33aae",
-  "containerimage.descriptor": {
+  "containerimage.digest": "sha256:ce3d54b388d9027ed6ca2d3d67b1759e9f061e5736f61a75d586f33a1ee19fa4"
-    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
-    "digest": "sha256:1309102e4c59935e0d9fbdb439f11b62f01e858a1569b5168ba5eb6b338197ee",
-    "size": 685
-  },
-  "containerimage.digest": "sha256:1309102e4c59935e0d9fbdb439f11b62f01e858a1569b5168ba5eb6b338197ee",
-  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.9.1"
 }

packages/core/installer/images/cozystack.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.9.1
+ghcr.io/aenix-io/cozystack/cozystack:v0.4.0

packages/core/installer/images/cozystack/Dockerfile

@@ -3,15 +3,12 @@ FROM golang:alpine3.19 as k8s-await-election-builder
 ARG K8S_AWAIT_ELECTION_GITREPO=https://github.com/LINBIT/k8s-await-election
 ARG K8S_AWAIT_ELECTION_VERSION=0.4.1
 
-# TARGETARCH is a docker special variable: https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
-ARG TARGETARCH
-
 RUN apk add --no-cache git make
 RUN git clone ${K8S_AWAIT_ELECTION_GITREPO} /usr/local/go/k8s-await-election/ \
  && cd /usr/local/go/k8s-await-election \
  && git reset --hard v${K8S_AWAIT_ELECTION_VERSION} \
  && make \
- && mv ./out/k8s-await-election-${TARGETARCH} /k8s-await-election
+ && mv ./out/k8s-await-election-amd64 /k8s-await-election
 
 FROM alpine:3.19 AS builder
 

packages/core/installer/images/matchbox.json

@@ -1,45 +1,4 @@
 {
-  "buildx.build.provenance": {
+  "containerimage.config.digest": "sha256:68ea72fcc581352fabfd87fa6fd482968cc85ee520cab7a614f1244d7ae36eb0",
-    "buildType": "https://mobyproject.org/buildkit@v1",
+  "containerimage.digest": "sha256:cea915e08a19eb6892f3facf3b3648368cd4a05abefc49bc2616ba3340c27e82"
-    "materials": [
-      {
-        "uri": "pkg:docker/quay.io/poseidon/matchbox@v0.10.0?platform=linux%2Famd64",
-        "digest": {
-          "sha256": "e14cc4a8f6e8f1182fce74d04fe949b6bfc91b04132b3944297661e2c38c9790"
-        }
-      }
-    ],
-    "invocation": {
-      "configSource": {
-        "entryPoint": "Dockerfile"
-      },
-      "parameters": {
-        "frontend": "dockerfile.v0",
-        "locals": [
-          {
-            "name": "context"
-          },
-          {
-            "name": "dockerfile"
-          }
-        ]
-      },
-      "environment": {
-        "platform": "linux/amd64"
-      }
-    }
-  },
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/zcwi0hxjd3o0u3a9vd855h1ss",
-  "containerimage.config.digest": "sha256:e504821d142164128080de70a3723da8d444a433c06304ed85696e3881278761",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:1db6c0e94c2cfaa787a6a2f9c10f5da2644fdb7add06182fb763541316c63edd",
-    "size": 1488,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:1db6c0e94c2cfaa787a6a2f9c10f5da2644fdb7add06182fb763541316c63edd",
-  "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.9.1,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.9.1"
 }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -1,7 +1,7 @@
 # this file generated by hack/gen-profiles.sh
 # do not edit it
 arch: amd64
-platform: nocloud
+platform: metal
 secureboot: false
 version: v1.7.1
 input:
@@ -22,6 +22,6 @@ input:
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
     - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
-  kind: image
+  kind: nocloud
   imageOptions: { diskSize: 1306525696, diskFormat: raw }
   outFormat: .xz

packages/core/installer/templates/cozystack.yaml

@@ -35,11 +35,6 @@ spec:
   selector:
     matchLabels:
       app: cozystack
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxSurge: 0
-      maxUnavailable: 1
   template:
     metadata:
       labels:

packages/core/platform/bundles/distro-full.yaml

@@ -1,19 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
-- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator,cilium]
-
 - name: cilium
   releaseName: cilium
   chart: cozy-cilium

packages/core/platform/bundles/distro-hosted.yaml

@@ -1,19 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
-- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator]
-
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -67,13 +54,13 @@ releases:
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
-  dependsOn: []
+  dependsOn: [cilium,kubeovn]
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
-  dependsOn: []
+  dependsOn: [cilium,kubeovn]
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator

packages/core/platform/bundles/paas-full.yaml

@@ -1,19 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
-- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator,cilium,kubeovn]
-
 - name: cilium
   releaseName: cilium
   chart: cozy-cilium
@@ -166,8 +153,8 @@ releases:
   chart: cozy-dashboard
   namespace: cozy-dashboard
   dependsOn: [cilium,kubeovn]
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
+  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
   values:
     kubeapps:
       redis:

packages/core/platform/bundles/paas-hosted.yaml

@@ -1,19 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 
 releases:
-- name: fluxcd-operator
-  releaseName: fluxcd-operator
-  chart: cozy-fluxcd-operator
-  namespace: cozy-fluxcd
-  privileged: true
-  dependsOn: []
-
-- name: fluxcd
-  releaseName: fluxcd
-  chart: cozy-fluxcd
-  namespace: cozy-fluxcd
-  dependsOn: [fluxcd-operator]
-
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -67,13 +54,13 @@ releases:
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
-  dependsOn: []
+  dependsOn: [cilium,kubeovn]
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
-  dependsOn: []
+  dependsOn: [cilium,kubeovn]
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator
@@ -104,8 +91,8 @@ releases:
   chart: cozy-dashboard
   namespace: cozy-dashboard
   dependsOn: []
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
+  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
   values:
     kubeapps:
       redis:

packages/core/platform/templates/apps.yaml

@@ -3,8 +3,8 @@
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $host := "example.org" }}
 {{- $tenantRoot := list }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
+{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta2" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "tenant-root" "tenant-root" }}
+{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta2" "HelmRelease" "tenant-root" "tenant-root" }}
 {{- end }}
 {{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
 {{- $host = $tenantRoot.spec.values.host }}
@@ -22,7 +22,7 @@ metadata:
     namespace.cozystack.io/host: "{{ $host }}"
   name: tenant-root
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
   name: tenant-root

packages/core/platform/templates/helmreleases.yaml

@@ -12,7 +12,7 @@
 {{- range $x := $bundle.releases }}
 {{- if not (has $x.name $disabledComponents) }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
   name: {{ $x.name }}
@@ -20,7 +20,7 @@ metadata:
   labels:
     cozystack.io/repository: system
 spec:
-  interval: 5m
+  interval: 1m
   releaseName: {{ $x.releaseName | default $x.name }}
   install:
     crds: CreateReplace

packages/core/platform/templates/helmrepos.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
   name: cozystack-system
@@ -10,7 +10,7 @@ spec:
   interval: 5m0s
   url: http://cozystack.cozy-system.svc/repos/system
 ---
-apiVersion: source.toolkit.fluxcd.io/v1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
   name: cozystack-apps
@@ -22,7 +22,7 @@ spec:
   interval: 5m0s
   url: http://cozystack.cozy-system.svc/repos/apps
 ---
-apiVersion: source.toolkit.fluxcd.io/v1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
   name: cozystack-extra

packages/core/platform/templates/namespaces.yaml

@@ -16,6 +16,7 @@
 
 {{/* Add extra namespaces */}}
 {{- $_ := set $namespaces "cozy-public" false }}
+{{- $_ := set $namespaces "cozy-fluxcd" false }}
 
 {{- range $namespace, $privileged := $namespaces }}
 ---

packages/extra/Makefile

@@ -11,7 +11,7 @@ repo:
 	rm -rf "$(TMP)"
 
 fix-chartnames:
-	find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
 
 gen-versions-map: fix-chartnames
 	../../hack/gen_versions_map.sh

packages/extra/etcd/Chart.yaml

@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: https://www.svgrepo.com/show/353714/etcd.svg
 type: application
-version: 2.1.0
+version: 2.0.0