Prepare release v0.23.1 (#593)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

MAINTAINERS.md

@@ -1,7 +1,12 @@
 # The Cozystack Maintainers
 
-| Maintainer | GitHub Username | Company |
-| ---------- | --------------- | ------- |
-| Andrei Kvapil | [@kvaps](https://github.com/kvaps) | Ænix |
-| George Gaál | [@gecube](https://github.com/gecube) | Ænix |
-| Eduard Generalov | [@egeneralov](https://github.com/egeneralov) | Ænix |
+| Maintainer | GitHub Username | Company |          Responsibility           |
+| ---------- | --------------- | ------- | --------------------------------- |
+| Andrei Kvapil | [@kvaps](https://github.com/kvaps) | Ænix | Core Maintainer |
+| George Gaál | [@gecube](https://github.com/gecube) | Ænix | DevOps Practices in Platform, Developers Advocate |
+| Kingdon Barrett | [@kingdonb](https://github.com/kingdonb) | Urmanac | FluxCD and flux-operator |
+| Timofei Larkin | [@lllamnyp](https://github.com/lllamnyp) | 3commas | Etcd-operator Lead |
+| Artem Bortnikov | [@aobort](https://github.com/aobort) | Timescale | Etcd-operator Lead |
+| Andrei Gumilev | [@chumkaska](https://github.com/chumkaska) | Ænix | Platform Documentation |
+| Timur Tukaev | [@tym83](https://github.com/tym83) | Ænix | Cozystack Website, Marketing, Community Management |
+| Kirill Klinchenkov | [@klinch0](https://github.com/klinch0) | Ænix | Core Maintainer |

Makefile

@@ -7,6 +7,7 @@ build:
 	make -C packages/apps/clickhouse image
 	make -C packages/apps/kubernetes image
 	make -C packages/system/cozystack-api image
+	make -C packages/system/cozystack-controller image
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
@@ -37,3 +38,6 @@ test:
 	make -C packages/core/testing apply
 	make -C packages/core/testing test
 	make -C packages/core/testing test-applications
+
+generate:
+	hack/update-codegen.sh

api/api-rules/cozystack_api_violation_exceptions.list

@@ -1,4 +1,4 @@
-API rule violation: list_type_missing,github.com/aenix.io/cozystack/pkg/apis/apps/v1alpha1,ApplicationStatus,Conditions
+API rule violation: list_type_missing,github.com/aenix-io/cozystack/pkg/apis/apps/v1alpha1,ApplicationStatus,Conditions
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Ref
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Schema
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XEmbeddedResource

api/v1alpha1/groupversion_info.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=cozystack.io
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "cozystack.io", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

api/v1alpha1/workload_types.go

@@ -0,0 +1,70 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// WorkloadStatus defines the observed state of Workload
+type WorkloadStatus struct {
+	// Kind represents the type of workload (redis, postgres, etc.)
+	// +required
+	Kind string `json:"kind"`
+
+	// Type represents the specific role of the workload (redis, sentinel, etc.)
+	// If not specified, defaults to Kind
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// Resources specifies the compute resources allocated to this workload
+	// +required
+	Resources map[string]resource.Quantity `json:"resources"`
+
+	// Operational indicates if all pods of the workload are ready
+	// +optional
+	Operational bool `json:"operational"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:printcolumn:name="Kind",type="string",JSONPath=".status.kind"
+// +kubebuilder:printcolumn:name="Type",type="string",JSONPath=".status.type"
+// +kubebuilder:printcolumn:name="CPU",type="string",JSONPath=".status.resources.cpu"
+// +kubebuilder:printcolumn:name="Memory",type="string",JSONPath=".status.resources.memory"
+// +kubebuilder:printcolumn:name="Operational",type="boolean",JSONPath=`.status.operational`
+
+// Workload is the Schema for the workloads API
+type Workload struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Status WorkloadStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// WorkloadList contains a list of Workload
+type WorkloadList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Workload `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Workload{}, &WorkloadList{})
+}

api/v1alpha1/workloadmonitor_types.go

@@ -0,0 +1,91 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// WorkloadMonitorSpec defines the desired state of WorkloadMonitor
+type WorkloadMonitorSpec struct {
+	// Selector is a label selector to find workloads to monitor
+	// +required
+	Selector map[string]string `json:"selector"`
+
+	// Kind specifies the kind of the workload
+	// +optional
+	Kind string `json:"kind,omitempty"`
+
+	// Type specifies the type of the workload
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// Version specifies the version of the workload
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// MinReplicas specifies the minimum number of replicas that should be available
+	// +kubebuilder:validation:Minimum=0
+	// +optional
+	MinReplicas *int32 `json:"minReplicas,omitempty"`
+
+	// Replicas is the desired number of replicas
+	// If not specified, will use observedReplicas as the target
+	// +kubebuilder:validation:Minimum=0
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty"`
+}
+
+// WorkloadMonitorStatus defines the observed state of WorkloadMonitor
+type WorkloadMonitorStatus struct {
+	// Operational indicates if the workload meets all operational requirements
+	// +optional
+	Operational *bool `json:"operational,omitempty"`
+
+	// AvailableReplicas is the number of ready replicas
+	// +optional
+	AvailableReplicas int32 `json:"availableReplicas"`
+
+	// ObservedReplicas is the total number of pods observed
+	// +optional
+	ObservedReplicas int32 `json:"observedReplicas"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Kind",type="string",JSONPath=".spec.kind"
+// +kubebuilder:printcolumn:name="Type",type="string",JSONPath=".spec.type"
+// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version"
+// +kubebuilder:printcolumn:name="Replicas",type="integer",JSONPath=".spec.replicas"
+// +kubebuilder:printcolumn:name="MinReplicas",type="integer",JSONPath=".spec.minReplicas"
+// +kubebuilder:printcolumn:name="Available",type="integer",JSONPath=".status.availableReplicas"
+// +kubebuilder:printcolumn:name="Observed",type="integer",JSONPath=".status.observedReplicas"
+// +kubebuilder:printcolumn:name="Operational",type="boolean",JSONPath=".status.operational"
+
+// WorkloadMonitor is the Schema for the workloadmonitors API
+type WorkloadMonitor struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   WorkloadMonitorSpec   `json:"spec,omitempty"`
+	Status WorkloadMonitorStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// WorkloadMonitorList contains a list of WorkloadMonitor
+type WorkloadMonitorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []WorkloadMonitor `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&WorkloadMonitor{}, &WorkloadMonitorList{})
+}
+
+// GetSelector returns the label selector from metadata
+func (w *WorkloadMonitor) GetSelector() map[string]string {
+	return w.Spec.Selector
+}
+
+// Selector specifies the label selector for workloads
+type Selector map[string]string

api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,238 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in Selector) DeepCopyInto(out *Selector) {
+	{
+		in := &in
+		*out = make(Selector, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Selector.
+func (in Selector) DeepCopy() Selector {
+	if in == nil {
+		return nil
+	}
+	out := new(Selector)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Workload) DeepCopyInto(out *Workload) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Workload.
+func (in *Workload) DeepCopy() *Workload {
+	if in == nil {
+		return nil
+	}
+	out := new(Workload)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Workload) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadList) DeepCopyInto(out *WorkloadList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Workload, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadList.
+func (in *WorkloadList) DeepCopy() *WorkloadList {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WorkloadList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadMonitor) DeepCopyInto(out *WorkloadMonitor) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadMonitor.
+func (in *WorkloadMonitor) DeepCopy() *WorkloadMonitor {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadMonitor)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WorkloadMonitor) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadMonitorList) DeepCopyInto(out *WorkloadMonitorList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]WorkloadMonitor, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadMonitorList.
+func (in *WorkloadMonitorList) DeepCopy() *WorkloadMonitorList {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadMonitorList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WorkloadMonitorList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadMonitorSpec) DeepCopyInto(out *WorkloadMonitorSpec) {
+	*out = *in
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.MinReplicas != nil {
+		in, out := &in.MinReplicas, &out.MinReplicas
+		*out = new(int32)
+		**out = **in
+	}
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		*out = new(int32)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadMonitorSpec.
+func (in *WorkloadMonitorSpec) DeepCopy() *WorkloadMonitorSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadMonitorSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadMonitorStatus) DeepCopyInto(out *WorkloadMonitorStatus) {
+	*out = *in
+	if in.Operational != nil {
+		in, out := &in.Operational, &out.Operational
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadMonitorStatus.
+func (in *WorkloadMonitorStatus) DeepCopy() *WorkloadMonitorStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadMonitorStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadStatus) DeepCopyInto(out *WorkloadStatus) {
+	*out = *in
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make(map[string]resource.Quantity, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadStatus.
+func (in *WorkloadStatus) DeepCopy() *WorkloadStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadStatus)
+	in.DeepCopyInto(out)
+	return out
+}

cmd/cozystack-api/main.go

@@ -19,7 +19,7 @@ package main
 import (
 	"os"
 
-	"github.com/aenix.io/cozystack/pkg/cmd/server"
+	"github.com/aenix-io/cozystack/pkg/cmd/server"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/component-base/cli"
 )

cmd/cozystack-controller/main.go

@@ -0,0 +1,210 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+	"time"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	cozystackiov1alpha1 "github.com/aenix-io/cozystack/api/v1alpha1"
+	"github.com/aenix-io/cozystack/internal/controller"
+	"github.com/aenix-io/cozystack/internal/telemetry"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(cozystackiov1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var disableTelemetry bool
+	var telemetryEndpoint string
+	var telemetryInterval string
+	var cozystackVersion string
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	flag.BoolVar(&disableTelemetry, "disable-telemetry", false,
+		"Disable telemetry collection")
+	flag.StringVar(&telemetryEndpoint, "telemetry-endpoint", "https://telemetry.cozystack.io",
+		"Endpoint for sending telemetry data")
+	flag.StringVar(&telemetryInterval, "telemetry-interval", "15m",
+		"Interval between telemetry data collection (e.g. 15m, 1h)")
+	flag.StringVar(&cozystackVersion, "cozystack-version", "unknown",
+		"Version of Cozystack")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	// Parse telemetry interval
+	interval, err := time.ParseDuration(telemetryInterval)
+	if err != nil {
+		setupLog.Error(err, "invalid telemetry interval")
+		os.Exit(1)
+	}
+
+	// Configure telemetry
+	telemetryConfig := telemetry.Config{
+		Disabled:         disableTelemetry,
+		Endpoint:         telemetryEndpoint,
+		Interval:         interval,
+		CozystackVersion: cozystackVersion,
+	}
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "19a0338c.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	if err = (&controller.WorkloadMonitorReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "WorkloadMonitor")
+		os.Exit(1)
+	}
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	// Initialize telemetry collector
+	collector, err := telemetry.NewCollector(mgr.GetClient(), &telemetryConfig, mgr.GetConfig())
+	if err != nil {
+		setupLog.V(1).Error(err, "unable to create telemetry collector, telemetry will be disabled")
+	}
+
+	if collector != nil {
+		if err := mgr.Add(collector); err != nil {
+			setupLog.Error(err, "unable to set up telemetry collector")
+			setupLog.V(1).Error(err, "unable to set up telemetry collector, continuing without telemetry")
+		}
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}

go.mod

@@ -1,22 +1,27 @@
 // This is a generated file. Do not edit directly.
 
-module github.com/aenix.io/cozystack
+module github.com/aenix-io/cozystack
 
 go 1.23.0
 
 require (
-	github.com/emicklei/go-restful/v3 v3.11.0
+	github.com/fluxcd/helm-controller/api v1.1.0
 	github.com/google/gofuzz v1.2.0
+	github.com/onsi/ginkgo/v2 v2.19.0
+	github.com/onsi/gomega v1.33.1
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
+	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/api v0.31.2
 	k8s.io/apiextensions-apiserver v0.31.2
 	k8s.io/apimachinery v0.31.2
 	k8s.io/apiserver v0.31.2
 	k8s.io/client-go v0.31.2
-	k8s.io/code-generator v0.31.2
 	k8s.io/component-base v0.31.2
+	k8s.io/klog/v2 v2.130.1
 	k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
+	sigs.k8s.io/controller-runtime v0.19.0
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1
 )
 
@@ -31,23 +36,27 @@ require (
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fluxcd/helm-controller/api v1.1.0 // indirect
 	github.com/fluxcd/pkg/apis/kustomize v1.6.1 // indirect
 	github.com/fluxcd/pkg/apis/meta v1.6.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/cel-go v0.21.0 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
@@ -84,7 +93,6 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.28.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
@@ -93,6 +101,7 @@ require (
 	golang.org/x/text v0.19.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/grpc v1.65.0 // indirect
@@ -100,14 +109,9 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.31.2 // indirect
-	k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 // indirect
-	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kms v0.31.2 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect
-	sigs.k8s.io/controller-runtime v0.19.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )

go.sum

@@ -26,6 +26,10 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
+github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
+github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
+github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fluxcd/helm-controller/api v1.1.0 h1:NS5Wm3U6Kv4w7Cw2sDOV++vf2ecGfFV00x1+2Y3QcOY=
@@ -214,8 +218,6 @@ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
-golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -252,6 +254,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY=
 google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
 google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw=
@@ -287,12 +291,8 @@ k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4=
 k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE=
 k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=
 k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs=
-k8s.io/code-generator v0.31.2 h1:xLWxG0HEpMSHfcM//3u3Ro2Hmc6AyyLINQS//Z2GEOI=
-k8s.io/code-generator v0.31.2/go.mod h1:eEQHXgBU/m7LDaToDoiz3t97dUUVyOblQdwOr8rivqc=
 k8s.io/component-base v0.31.2 h1:Z1J1LIaC0AV+nzcPRFqfK09af6bZ4D1nAOpWsy9owlA=
 k8s.io/component-base v0.31.2/go.mod h1:9PeyyFN/drHjtJZMCTkSpQJS3U9OXORnHQqMLDz0sUQ=
-k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 h1:si3PfKm8dDYxgfbeA6orqrtLkvvIeH8UqffFJDl0bz4=
-k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kms v0.31.2 h1:pyx7l2qVOkClzFMIWMVF/FxsSkgd+OIGH7DecpbscJI=

hack/boilerplate.go.txt

@@ -1,5 +1,5 @@
 /*
-Copyright 2024 The Cozystack Authors.
+Copyright 2025 The Cozystack Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

hack/e2e.sh

@@ -229,6 +229,7 @@ sleep 5
 kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n " $1 " hr/" $2 " &"} END{print "wait"}' | sh -x
 
 # Wait for Cluster-API providers
+timeout 30 sh -c 'until kubectl get deploy -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager; do sleep 1; done'
 kubectl wait deploy --timeout=30s --for=condition=available -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager
 
 # Wait for linstor controller
@@ -297,6 +298,9 @@ spec:
   avoidBuggyIPs: false
 EOT
 
+# Wait for cozystack-api
+kubectl wait --for=condition=Available apiservices v1alpha1.apps.cozystack.io --timeout=2m
+
 kubectl patch -n tenant-root tenants.apps.cozystack.io root --type=merge -p '{"spec":{
   "host": "example.org",
   "ingress": true,

hack/update-codegen.sh

@@ -22,6 +22,7 @@ SCRIPT_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
 CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; ls -d -1 ./vendor/k8s.io/code-generator 2>/dev/null || echo ../code-generator)}
 API_KNOWN_VIOLATIONS_DIR="${API_KNOWN_VIOLATIONS_DIR:-"${SCRIPT_ROOT}/api/api-rules"}"
 UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS:-true}"
+CONTROLLER_GEN="go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.4"
 
 source "${CODEGEN_PKG}/kube_codegen.sh"
 
@@ -46,3 +47,6 @@ kube::codegen::gen_openapi \
     ${update_report:+"${update_report}"} \
     --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
     "${SCRIPT_ROOT}/pkg/apis"
+
+$CONTROLLER_GEN object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
+$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=packages/system/cozystack-controller/templates/crds

internal/controller/suite_test.go

@@ -0,0 +1,96 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	cozystackiov1alpha1 "github.com/aenix-io/cozystack/api/v1alpha1"
+	// +kubebuilder:scaffold:imports
+)
+
+// These tests use Ginkgo (BDD-style Go testing framework). Refer to
+// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
+
+var cfg *rest.Config
+var k8sClient client.Client
+var testEnv *envtest.Environment
+var ctx context.Context
+var cancel context.CancelFunc
+
+func TestControllers(t *testing.T) {
+	RegisterFailHandler(Fail)
+
+	RunSpecs(t, "Controller Suite")
+}
+
+var _ = BeforeSuite(func() {
+	logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true)))
+
+	ctx, cancel = context.WithCancel(context.TODO())
+
+	By("bootstrapping test environment")
+	testEnv = &envtest.Environment{
+		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "config", "crd", "bases")},
+		ErrorIfCRDPathMissing: true,
+
+		// The BinaryAssetsDirectory is only required if you want to run the tests directly
+		// without call the makefile target test. If not informed it will look for the
+		// default path defined in controller-runtime which is /usr/local/kubebuilder/.
+		// Note that you must have the required binaries setup under the bin directory to perform
+		// the tests directly. When we run make test it will be setup and used automatically.
+		BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s",
+			fmt.Sprintf("1.31.0-%s-%s", runtime.GOOS, runtime.GOARCH)),
+	}
+
+	var err error
+	// cfg is defined in this file globally.
+	cfg, err = testEnv.Start()
+	Expect(err).NotTo(HaveOccurred())
+	Expect(cfg).NotTo(BeNil())
+
+	err = cozystackiov1alpha1.AddToScheme(scheme.Scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	// +kubebuilder:scaffold:scheme
+
+	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
+	Expect(err).NotTo(HaveOccurred())
+	Expect(k8sClient).NotTo(BeNil())
+
+})
+
+var _ = AfterSuite(func() {
+	By("tearing down the test environment")
+	cancel()
+	err := testEnv.Stop()
+	Expect(err).NotTo(HaveOccurred())
+})

internal/controller/workloadmonitor_controller.go

@@ -0,0 +1,273 @@
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"sort"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/pointer"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	cozyv1alpha1 "github.com/aenix-io/cozystack/api/v1alpha1"
+)
+
+// WorkloadMonitorReconciler reconciles a WorkloadMonitor object
+type WorkloadMonitorReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=cozystack.io,resources=workloadmonitors,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cozystack.io,resources=workloadmonitors/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cozystack.io,resources=workloads,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cozystack.io,resources=workloads/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch
+
+// isPodReady checks if the Pod is in the Ready condition.
+func (r *WorkloadMonitorReconciler) isPodReady(pod *corev1.Pod) bool {
+	for _, c := range pod.Status.Conditions {
+		if c.Type == corev1.PodReady && c.Status == corev1.ConditionTrue {
+			return true
+		}
+	}
+	return false
+}
+
+// updateOwnerReferences adds the given monitor as a new owner reference to the object if not already present.
+// It then sorts the owner references to enforce a consistent order.
+func updateOwnerReferences(obj metav1.Object, monitor client.Object) {
+	// Retrieve current owner references
+	owners := obj.GetOwnerReferences()
+
+	// Check if current monitor is already in owner references
+	var alreadyOwned bool
+	for _, ownerRef := range owners {
+		if ownerRef.UID == monitor.GetUID() {
+			alreadyOwned = true
+			break
+		}
+	}
+
+	runtimeObj, ok := monitor.(runtime.Object)
+	if !ok {
+		return
+	}
+	gvk := runtimeObj.GetObjectKind().GroupVersionKind()
+
+	// If not already present, add new owner reference without controller flag
+	if !alreadyOwned {
+		newOwnerRef := metav1.OwnerReference{
+			APIVersion: gvk.GroupVersion().String(),
+			Kind:       gvk.Kind,
+			Name:       monitor.GetName(),
+			UID:        monitor.GetUID(),
+			// Set Controller to false to avoid conflict as multiple controllers are not allowed
+			Controller:         pointer.BoolPtr(false),
+			BlockOwnerDeletion: pointer.BoolPtr(true),
+		}
+		owners = append(owners, newOwnerRef)
+	}
+
+	// Sort owner references to enforce a consistent order by UID
+	sort.SliceStable(owners, func(i, j int) bool {
+		return owners[i].UID < owners[j].UID
+	})
+
+	// Update the owner references of the object
+	obj.SetOwnerReferences(owners)
+}
+
+// reconcilePodForMonitor creates or updates a Workload object for the given Pod and WorkloadMonitor.
+func (r *WorkloadMonitorReconciler) reconcilePodForMonitor(
+	ctx context.Context,
+	monitor *cozyv1alpha1.WorkloadMonitor,
+	pod corev1.Pod,
+) error {
+	logger := log.FromContext(ctx)
+
+	// Combine both init containers and normal containers to sum resources properly
+	combinedContainers := append(pod.Spec.InitContainers, pod.Spec.Containers...)
+
+	// totalResources will store the sum of all container resource limits
+	totalResources := make(map[string]resource.Quantity)
+
+	// Iterate over all containers to aggregate their Limits
+	for _, container := range combinedContainers {
+		for name, qty := range container.Resources.Limits {
+			if existing, exists := totalResources[name.String()]; exists {
+				existing.Add(qty)
+				totalResources[name.String()] = existing
+			} else {
+				totalResources[name.String()] = qty.DeepCopy()
+			}
+		}
+	}
+
+	// If annotation "workload.cozystack.io/resources" is present, parse and merge
+	if resourcesStr, ok := pod.Annotations["workload.cozystack.io/resources"]; ok {
+		annRes := map[string]string{}
+		if err := json.Unmarshal([]byte(resourcesStr), &annRes); err != nil {
+			logger.Error(err, "Failed to parse resources annotation", "pod", pod.Name)
+		} else {
+			for k, v := range annRes {
+				parsed, err := resource.ParseQuantity(v)
+				if err != nil {
+					logger.Error(err, "Failed to parse resource quantity from annotation", "key", k, "value", v)
+					continue
+				}
+				totalResources[k] = parsed
+			}
+		}
+	}
+
+	workload := &cozyv1alpha1.Workload{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      pod.Name,
+			Namespace: pod.Namespace,
+		},
+	}
+
+	_, err := ctrl.CreateOrUpdate(ctx, r.Client, workload, func() error {
+		// Update owner references with the new monitor
+		updateOwnerReferences(workload.GetObjectMeta(), monitor)
+
+		// Copy labels from the Pod if needed
+		workload.Labels = pod.Labels
+
+		// Fill Workload status fields:
+		workload.Status.Kind = monitor.Spec.Kind
+		workload.Status.Type = monitor.Spec.Type
+		workload.Status.Resources = totalResources
+		workload.Status.Operational = r.isPodReady(&pod)
+
+		return nil
+	})
+	if err != nil {
+		logger.Error(err, "Failed to CreateOrUpdate Workload", "workload", workload.Name)
+		return err
+	}
+
+	return nil
+}
+
+// Reconcile is the main reconcile loop.
+// 1. It reconciles WorkloadMonitor objects themselves (create/update/delete).
+// 2. It also reconciles Pod events mapped to WorkloadMonitor via label selector.
+func (r *WorkloadMonitorReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+
+	// Fetch the WorkloadMonitor object if it exists
+	monitor := &cozyv1alpha1.WorkloadMonitor{}
+	err := r.Get(ctx, req.NamespacedName, monitor)
+	if err != nil {
+		// If the resource is not found, it may be a Pod event (mapFunc).
+		if apierrors.IsNotFound(err) {
+			return ctrl.Result{}, nil
+		}
+		logger.Error(err, "Unable to fetch WorkloadMonitor")
+		return ctrl.Result{}, err
+	}
+
+	// List Pods that match the WorkloadMonitor's selector
+	podList := &corev1.PodList{}
+	if err := r.List(
+		ctx,
+		podList,
+		client.InNamespace(monitor.Namespace),
+		client.MatchingLabels(monitor.Spec.Selector),
+	); err != nil {
+		logger.Error(err, "Unable to list Pods for WorkloadMonitor", "monitor", monitor.Name)
+		return ctrl.Result{}, err
+	}
+
+	var observedReplicas, availableReplicas int32
+
+	// For each matching Pod, reconcile the corresponding Workload
+	for _, pod := range podList.Items {
+		observedReplicas++
+		if err := r.reconcilePodForMonitor(ctx, monitor, pod); err != nil {
+			logger.Error(err, "Failed to reconcile Workload for Pod", "pod", pod.Name)
+			continue
+		}
+		if r.isPodReady(&pod) {
+			availableReplicas++
+		}
+	}
+
+	// Update WorkloadMonitor status based on observed pods
+	monitor.Status.ObservedReplicas = observedReplicas
+	monitor.Status.AvailableReplicas = availableReplicas
+
+	// Default to operational = true, but check MinReplicas if set
+	monitor.Status.Operational = pointer.Bool(true)
+	if monitor.Spec.MinReplicas != nil && availableReplicas < *monitor.Spec.MinReplicas {
+		monitor.Status.Operational = pointer.Bool(false)
+	}
+
+	// Update the WorkloadMonitor status in the cluster
+	if err := r.Status().Update(ctx, monitor); err != nil {
+		logger.Error(err, "Unable to update WorkloadMonitor status", "monitor", monitor.Name)
+		return ctrl.Result{}, err
+	}
+
+	// Return without requeue if we want purely event-driven reconciliations
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager registers our controller with the Manager and sets up watches.
+func (r *WorkloadMonitorReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		// Watch WorkloadMonitor objects
+		For(&cozyv1alpha1.WorkloadMonitor{}).
+		// Also watch Pod objects and map them back to WorkloadMonitor if labels match
+		Watches(
+			&corev1.Pod{},
+			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
+				pod, ok := obj.(*corev1.Pod)
+				if !ok {
+					return nil
+				}
+
+				var monitorList cozyv1alpha1.WorkloadMonitorList
+				// List all WorkloadMonitors in the same namespace
+				if err := r.List(ctx, &monitorList, client.InNamespace(pod.Namespace)); err != nil {
+					return nil
+				}
+
+				// Match each monitor's selector with the Pod's labels
+				var requests []reconcile.Request
+				for _, m := range monitorList.Items {
+					matches := true
+					for k, v := range m.Spec.Selector {
+						if podVal, exists := pod.Labels[k]; !exists || podVal != v {
+							matches = false
+							break
+						}
+					}
+					if matches {
+						requests = append(requests, reconcile.Request{
+							NamespacedName: types.NamespacedName{
+								Namespace: m.Namespace,
+								Name:      m.Name,
+							},
+						})
+					}
+				}
+				return requests
+			}),
+		).
+		// Watch for changes to Workload objects we create (owned by WorkloadMonitor)
+		Owns(&cozyv1alpha1.Workload{}).
+		Complete(r)
+}

internal/telemetry/collector.go

@@ -0,0 +1,292 @@
+package telemetry
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	cozyv1alpha1 "github.com/aenix-io/cozystack/api/v1alpha1"
+)
+
+// Collector handles telemetry data collection and sending
+type Collector struct {
+	client          client.Client
+	discoveryClient discovery.DiscoveryInterface
+	config          *Config
+	ticker          *time.Ticker
+	stopCh          chan struct{}
+}
+
+// NewCollector creates a new telemetry collector
+func NewCollector(client client.Client, config *Config, kubeConfig *rest.Config) (*Collector, error) {
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(kubeConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create discovery client: %w", err)
+	}
+	return &Collector{
+		client:          client,
+		discoveryClient: discoveryClient,
+		config:          config,
+	}, nil
+}
+
+// Start implements manager.Runnable
+func (c *Collector) Start(ctx context.Context) error {
+	if c.config.Disabled {
+		return nil
+	}
+
+	c.ticker = time.NewTicker(c.config.Interval)
+	c.stopCh = make(chan struct{})
+
+	// Initial collection
+	c.collect(ctx)
+
+	for {
+		select {
+		case <-ctx.Done():
+			c.ticker.Stop()
+			close(c.stopCh)
+			return nil
+		case <-c.ticker.C:
+			c.collect(ctx)
+		}
+	}
+}
+
+// NeedLeaderElection implements manager.LeaderElectionRunnable
+func (c *Collector) NeedLeaderElection() bool {
+	// Only run telemetry collector on the leader
+	return true
+}
+
+// Stop halts telemetry collection
+func (c *Collector) Stop() {
+	close(c.stopCh)
+}
+
+// getSizeGroup returns the exponential size group for PVC
+func getSizeGroup(size resource.Quantity) string {
+	gb := size.Value() / (1024 * 1024 * 1024)
+	switch {
+	case gb <= 1:
+		return "1Gi"
+	case gb <= 5:
+		return "5Gi"
+	case gb <= 10:
+		return "10Gi"
+	case gb <= 25:
+		return "25Gi"
+	case gb <= 50:
+		return "50Gi"
+	case gb <= 100:
+		return "100Gi"
+	case gb <= 250:
+		return "250Gi"
+	case gb <= 500:
+		return "500Gi"
+	case gb <= 1024:
+		return "1Ti"
+	case gb <= 2048:
+		return "2Ti"
+	case gb <= 5120:
+		return "5Ti"
+	default:
+		return "10Ti"
+	}
+}
+
+// collect gathers and sends telemetry data
+func (c *Collector) collect(ctx context.Context) {
+	logger := log.FromContext(ctx).V(1)
+
+	// Get cluster ID from kube-system namespace
+	var kubeSystemNS corev1.Namespace
+	if err := c.client.Get(ctx, types.NamespacedName{Name: "kube-system"}, &kubeSystemNS); err != nil {
+		logger.Info(fmt.Sprintf("Failed to get kube-system namespace: %v", err))
+		return
+	}
+
+	clusterID := string(kubeSystemNS.UID)
+
+	var cozystackCM corev1.ConfigMap
+	if err := c.client.Get(ctx, types.NamespacedName{Namespace: "cozy-system", Name: "cozystack"}, &cozystackCM); err != nil {
+		logger.Info(fmt.Sprintf("Failed to get cozystack configmap in cozy-system namespace: %v", err))
+		return
+	}
+
+	oidcEnabled := cozystackCM.Data["oidc-enabled"]
+	bundle := cozystackCM.Data["bundle-name"]
+	bundleEnable := cozystackCM.Data["bundle-enable"]
+	bundleDisable := cozystackCM.Data["bundle-disable"]
+
+	// Get Kubernetes version from nodes
+	var nodeList corev1.NodeList
+	if err := c.client.List(ctx, &nodeList); err != nil {
+		logger.Info(fmt.Sprintf("Failed to list nodes: %v", err))
+		return
+	}
+
+	// Create metrics buffer
+	var metrics strings.Builder
+
+	// Add Cozystack info metric
+	if len(nodeList.Items) > 0 {
+		k8sVersion, _ := c.discoveryClient.ServerVersion()
+		metrics.WriteString(fmt.Sprintf(
+			"cozy_cluster_info{cozystack_version=\"%s\",kubernetes_version=\"%s\",oidc_enabled=\"%s\",bundle_name=\"%s\",bunde_enable=\"%s\",bunde_disable=\"%s\"} 1\n",
+			c.config.CozystackVersion,
+			k8sVersion,
+			oidcEnabled,
+			bundle,
+			bundleEnable,
+			bundleDisable,
+		))
+	}
+
+	// Collect node metrics
+	nodeOSCount := make(map[string]int)
+	for _, node := range nodeList.Items {
+		key := fmt.Sprintf("%s (%s)", node.Status.NodeInfo.OperatingSystem, node.Status.NodeInfo.OSImage)
+		nodeOSCount[key] = nodeOSCount[key] + 1
+	}
+
+	for osKey, count := range nodeOSCount {
+		metrics.WriteString(fmt.Sprintf(
+			"cozy_nodes_count{os=\"%s\",kernel=\"%s\"} %d\n",
+			osKey,
+			nodeList.Items[0].Status.NodeInfo.KernelVersion,
+			count,
+		))
+	}
+
+	// Collect LoadBalancer services metrics
+	var serviceList corev1.ServiceList
+	if err := c.client.List(ctx, &serviceList); err != nil {
+		logger.Info(fmt.Sprintf("Failed to list Services: %v", err))
+	} else {
+		lbCount := 0
+		for _, svc := range serviceList.Items {
+			if svc.Spec.Type == corev1.ServiceTypeLoadBalancer {
+				lbCount++
+			}
+		}
+		metrics.WriteString(fmt.Sprintf("cozy_loadbalancers_count %d\n", lbCount))
+	}
+
+	// Count tenant namespaces
+	var nsList corev1.NamespaceList
+	if err := c.client.List(ctx, &nsList); err != nil {
+		logger.Info(fmt.Sprintf("Failed to list Namespaces: %v", err))
+	} else {
+		tenantCount := 0
+		for _, ns := range nsList.Items {
+			if strings.HasPrefix(ns.Name, "tenant-") {
+				tenantCount++
+			}
+		}
+		metrics.WriteString(fmt.Sprintf("cozy_tenants_count %d\n", tenantCount))
+	}
+
+	// Collect PV metrics grouped by driver and size
+	var pvList corev1.PersistentVolumeList
+	if err := c.client.List(ctx, &pvList); err != nil {
+		logger.Info(fmt.Sprintf("Failed to list PVs: %v", err))
+	} else {
+		// Map to store counts by size and driver
+		pvMetrics := make(map[string]map[string]int)
+
+		for _, pv := range pvList.Items {
+			if capacity, ok := pv.Spec.Capacity[corev1.ResourceStorage]; ok {
+				sizeGroup := getSizeGroup(capacity)
+
+				// Get the CSI driver name
+				driver := "unknown"
+				if pv.Spec.CSI != nil {
+					driver = pv.Spec.CSI.Driver
+				} else if pv.Spec.HostPath != nil {
+					driver = "hostpath"
+				} else if pv.Spec.NFS != nil {
+					driver = "nfs"
+				}
+
+				// Initialize nested map if needed
+				if _, exists := pvMetrics[sizeGroup]; !exists {
+					pvMetrics[sizeGroup] = make(map[string]int)
+				}
+
+				// Increment count for this size/driver combination
+				pvMetrics[sizeGroup][driver]++
+			}
+		}
+
+		// Write metrics
+		for size, drivers := range pvMetrics {
+			for driver, count := range drivers {
+				metrics.WriteString(fmt.Sprintf(
+					"cozy_pvs_count{driver=\"%s\",size=\"%s\"} %d\n",
+					driver,
+					size,
+					count,
+				))
+			}
+		}
+	}
+
+	// Collect workload metrics
+	var monitorList cozyv1alpha1.WorkloadMonitorList
+	if err := c.client.List(ctx, &monitorList); err != nil {
+		logger.Info(fmt.Sprintf("Failed to list WorkloadMonitors: %v", err))
+		return
+	}
+
+	for _, monitor := range monitorList.Items {
+		metrics.WriteString(fmt.Sprintf(
+			"cozy_workloads_count{uid=\"%s\",kind=\"%s\",type=\"%s\",version=\"%s\"} %d\n",
+			monitor.UID,
+			monitor.Spec.Kind,
+			monitor.Spec.Type,
+			monitor.Spec.Version,
+			monitor.Status.ObservedReplicas,
+		))
+	}
+
+	// Send metrics
+	if err := c.sendMetrics(clusterID, metrics.String()); err != nil {
+		logger.Info(fmt.Sprintf("Failed to send metrics: %v", err))
+	}
+}
+
+// sendMetrics sends collected metrics to the configured endpoint
+func (c *Collector) sendMetrics(clusterID, metrics string) error {
+	req, err := http.NewRequest("POST", c.config.Endpoint, bytes.NewBufferString(metrics))
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	req.Header.Set("Content-Type", "text/plain")
+	req.Header.Set("X-Cluster-ID", clusterID)
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to send request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	return nil
+}

internal/telemetry/config.go

@@ -0,0 +1,27 @@
+package telemetry
+
+import (
+	"time"
+)
+
+// Config holds telemetry configuration
+type Config struct {
+	// Disable telemetry collection if set to true
+	Disabled bool
+	// Endpoint to send telemetry data to
+	Endpoint string
+	// Interval between telemetry data collection
+	Interval time.Duration
+	// CozystackVersion represents the current version of Cozystack
+	CozystackVersion string
+}
+
+// DefaultConfig returns default telemetry configuration
+func DefaultConfig() *Config {
+	return &Config{
+		Disabled:         false,
+		Endpoint:         "https://telemetry.cozystack.io",
+		Interval:         15 * time.Minute,
+		CozystackVersion: "unknown",
+	}
+}

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.21.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.23.1"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.21.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.23.1"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61
+ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:7a99cabdfd541f863aa5d1b2f7b49afd39838fb94c8448986634a1dc9050751c

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:4d2271b345240c6c5b37599996745646012004b0f57e31c4c9deb1aba7408a51
+ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:6a8ec7e7052f2d02ec5457d7cbac6ee52b3ed93a883988a192d1394fc7c88117

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:3e8ae1bd576858a88c995aefb1431a1b89f55b7a1ef60575fecae4bbf5aa0d4e
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:a3c25199acb8e8426e6952658ccc4acaadb50fe2cfa6359743b64e5166b3fc70

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.14.1
+version: 0.15.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.1@sha256:0ea139c71e08db5adb275d81a7efa9a0d8b8db61a1fc1a67167a33a347c07fd8
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:538ee308f16c9e627ed16ee7c4aaa65919c2e6c4c2778f964a06e4797610d1cd

packages/apps/kubernetes/images/cluster-autoscaler/Dockerfile

@@ -1,12 +1,14 @@
 # Source: https://raw.githubusercontent.com/kubernetes/autoscaler/refs/heads/master/cluster-autoscaler/Dockerfile.amd64
-ARG builder_image=docker.io/library/golang:1.22.5
+ARG builder_image=docker.io/library/golang:1.23.4
 ARG BASEIMAGE=gcr.io/distroless/static:nonroot-amd64
 FROM ${builder_image} AS builder
 RUN git clone https://github.com/kubernetes/autoscaler /src/autoscaler \
  && cd /src/autoscaler/cluster-autoscaler \
- && git checkout cluster-autoscaler-1.31.0
+ && git checkout cluster-autoscaler-1.32.0
 
 WORKDIR /src/autoscaler/cluster-autoscaler
+COPY fix-downscale.diff /fix-downscale.diff
+RUN git apply /fix-downscale.diff
 RUN make build
 
 FROM $BASEIMAGE

packages/apps/kubernetes/images/cluster-autoscaler/fix-downscale.diff

@@ -0,0 +1,13 @@
+diff --git a/cluster-autoscaler/cloudprovider/clusterapi/clusterapi_unstructured.go b/cluster-autoscaler/cloudprovider/clusterapi/clusterapi_unstructured.go
+index 4eec0e4bf..f28fd9241 100644
+--- a/cluster-autoscaler/cloudprovider/clusterapi/clusterapi_unstructured.go
++++ b/cluster-autoscaler/cloudprovider/clusterapi/clusterapi_unstructured.go
+@@ -106,8 +106,6 @@ func (r unstructuredScalableResource) Replicas() (int, error) {
+ 
+ func (r unstructuredScalableResource) SetSize(nreplicas int) error {
+ 	switch {
+-	case nreplicas > r.maxSize:
+-		return fmt.Errorf("size increase too large - desired:%d max:%d", nreplicas, r.maxSize)
+ 	case nreplicas < r.minSize:
+ 		return fmt.Errorf("size decrease too large - desired:%d min:%d", nreplicas, r.minSize)
+ 	}

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.1@sha256:f595d50689405a504249c2af4b84562e8a0d16bdf9287d4eedf7c87959c4fba1
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:7716c88947d13dc90ccfcc3e60bfdd6e6fa9b201339a75e9c84bf825c76e2b1f

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.1@sha256:644379ba92c72dbbf07257d70f88ef3e5c1f1fb88f161c03758c13588d33ac2d
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:be5e0eef92dada3ace5cddda5c68b30c9fe4682774c5e6e938ed31efba11ebbf

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:a64fefbd94535be2f8ac92943f0cad076a7b4c61c289a6ac0086a40859ed9d0e
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:8392f00a7182294ce6fd417d254f7c2aa09fb9203d829dec70344a8050369430

packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml

@@ -30,6 +30,12 @@ spec:
         - /cluster-autoscaler
         args:
         - --cloud-provider=clusterapi
+        - --enforce-node-group-min-size=true
+        - --ignore-daemonsets-utilization=true
+        - --ignore-mirror-pods-utilization=true
+        - --scale-down-unneeded-time=30s
+        - --scan-interval=25s
+        - --force-delete-unregistered-nodes=true
         - --kubeconfig=/etc/kubernetes/kubeconfig/super-admin.svc
         - --clusterapi-cloud-config-authoritative
         - --node-group-auto-discovery=clusterapi:namespace={{ .Release.Namespace }},clusterName={{ .Release.Name }}

packages/apps/kubernetes/templates/cluster.yaml

@@ -29,6 +29,7 @@ spec:
             {{- range .group.roles }}
             node-role.kubernetes.io/{{ . }}: ""
             {{- end }}
+            cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ .groupName }}
         spec:
           domain:
             {{- if and .group.resources .group.resources.cpu }}
@@ -126,6 +127,21 @@ spec:
   replicas: 2
   version: 1.30.1
 ---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 2
+  minReplicas: 1
+  kind: kubernetes
+  type: control-plane
+  selector:
+    kamaji.clastix.io/component: deployment
+    kamaji.clastix.io/name: {{ .Release.Name }}
+  version: {{ $.Chart.Version }}
+---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtCluster
 metadata:
@@ -172,6 +188,7 @@ spec:
 ---
 {{- $context := deepCopy $ }}
 {{- $_ := set $context "group" $group }}
+{{- $_ := set $context "groupName" $groupName }}
 {{- $kubevirtmachinetemplate := include "kubevirtmachinetemplate" $context }}
 {{- $kubevirtmachinetemplateHash := $kubevirtmachinetemplate | sha256sum | trunc 6 }}
 {{- $kubevirtmachinetemplateName := printf "%s-%s-%s" $.Release.Name $groupName $kubevirtmachinetemplateHash }}
@@ -255,6 +272,21 @@ spec:
   - type: Ready
     status: "False"
     timeout: 300s
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-{{ $groupName }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  minReplicas: {{ $group.minReplicas }}
+  kind: kubernetes
+  type: worker
+  selector:
+    cluster.x-k8s.io/cluster-name: {{ $.Release.Name }}
+    cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ $groupName }}
+    cluster.x-k8s.io/role: worker
+  version: {{ $.Chart.Version }}
 {{- end }}
 ---
 {{- /*

packages/apps/kubernetes/templates/dashboard-resourcemap.yaml

@@ -24,3 +24,13 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  {{- range $groupName, $group := .Values.nodeGroups }}
+  - {{ $.Release.Name }}-{{ $groupName }}
+  {{- end }}
+  verbs: ["get", "list", "watch"]

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:948d41556939d90bdc37b4406b18935d46490dcb3f38a27aa117a4c3973e5604
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:4bbfbb397bd7ecea45507ca47989c51429c4a24f40853ac92583e5b5b352fbea

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.1
+version: 0.8.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:4d2271b345240c6c5b37599996745646012004b0f57e31c4c9deb1aba7408a51
+ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:6a8ec7e7052f2d02ec5457d7cbac6ee52b3ed93a883988a192d1394fc7c88117

packages/apps/postgres/templates/dashboard-resourcemap.yaml

@@ -19,3 +19,10 @@ rules:
   resourceNames:
   - {{ .Release.Name }}-credentials
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/postgres/templates/db.yaml

@@ -29,3 +29,17 @@ spec:
   inheritedMetadata:
     labels:
       policy.cozystack.io/allow-to-apiserver: "true"
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: postgres
+  type: postgres
+  selector:
+    cnpg.io/cluster: {{ .Release.Name }}
+    cnpg.io/podRole: instance
+  version: {{ $.Chart.Version }}

packages/apps/redis/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/redis/templates/dashboard-resourcemap.yaml

@@ -20,3 +20,11 @@ rules:
   resourceNames:
   - "{{ .Release.Name }}-auth"
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}-redis
+  - {{ .Release.Name }}-sentinel
+  verbs: ["get", "list", "watch"]

packages/apps/redis/templates/redisfailover.yaml

@@ -73,3 +73,34 @@ spec:
   auth:
     secretPath: {{ .Release.Name }}-auth
   {{- end }}
+
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-redis
+  namespace: {{ $.Release.Namespace }}
+spec:
+  minReplicas: 1
+  replicas: {{ .Values.replicas }}
+  kind: redis
+  type: redis
+  selector:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-sentinel
+  namespace: {{ $.Release.Namespace }}
+spec:
+  minReplicas: 2
+  replicas: 3
+  kind: redis
+  type: sentinel
+  selector:
+    app.kubernetes.io/component: sentinel
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.6.5
+version: 1.6.6

packages/apps/tenant/templates/monitoring.yaml

@@ -26,12 +26,24 @@ spec:
     metricsStorages:
     - name: shortterm
       retentionPeriod: "3d"
-      deduplicationInterval: "5m"
-      storage: 10Gi
-    - name: longterm
-      retentionPeriod: "14d"
       deduplicationInterval: "15s"
       storage: 10Gi
+      vminsert:
+        resources: {}
+      vmselect:
+        resources: {}
+      vmstorage:
+        resources: {}
+    - name: longterm
+      retentionPeriod: "14d"
+      deduplicationInterval: "5m"
+      storage: 10Gi
+      vminsert:
+        resources: {}
+      vmselect:
+        resources: {}
+      vmstorage:
+        resources: {}
     oncall:
       enabled: false
 {{- end }}

packages/apps/versions_map

@@ -42,7 +42,8 @@ kubernetes 0.12.0 74649f8
 kubernetes 0.12.1 28fca4e
 kubernetes 0.13.0 ced8e5b9
 kubernetes 0.14.0 bfbde07c
-kubernetes 0.14.1 HEAD
+kubernetes 0.14.1 fde4bcfa
+kubernetes 0.15.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
@@ -65,7 +66,8 @@ postgres 0.5.0 c07c4bbd
 postgres 0.6.0 2a4768a
 postgres 0.6.2 54fd61c
 postgres 0.7.0 dc9d8bb
-postgres 0.7.1 HEAD
+postgres 0.7.1 175a65f
+postgres 0.8.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 5ca8823
 rabbitmq 0.3.0 9e33dc0
@@ -77,7 +79,8 @@ redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 c07c4bbd
 redis 0.3.1 b7375f73
-redis 0.4.0 HEAD
+redis 0.4.0 abc8f082
+redis 0.5.0 HEAD
 tcp-balancer 0.1.0 f642698
 tcp-balancer 0.2.0 HEAD
 tenant 0.1.3 3d1b86c
@@ -95,16 +98,21 @@ tenant 1.6.1 edbbb9be
 tenant 1.6.2 ccedc5fe
 tenant 1.6.3 2057bb96
 tenant 1.6.4 3c9e50a4
-tenant 1.6.5 HEAD
+tenant 1.6.5 f1e11451
+tenant 1.6.6 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
 virtual-machine 0.3.0 b908400
 virtual-machine 0.4.0 4746d51
-virtual-machine 0.5.0 HEAD
+virtual-machine 0.5.0 cad9cde
+virtual-machine 0.6.0 0e728870
+virtual-machine 0.7.0 HEAD
 vm-disk 0.1.0 HEAD
 vm-instance 0.1.0 ced8e5b9
-vm-instance 0.2.0 HEAD
+vm-instance 0.2.0 4f767ee3
+vm-instance 0.3.0 0e728870
+vm-instance 0.4.0 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 a2bcf100

packages/apps/virtual-machine/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.1"
+appVersion: "0.7.0"

packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: virtual-machine
+  type: virtual-machine
+  selector:
+    vm.kubevirt.io/name: {{ .Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/virtual-machine/templates/vm-update-hook.yaml

@@ -0,0 +1,118 @@
+{{- $vmName := include "virtual-machine.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+{{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
+{{- $existingPVC := lookup "v1" "PersistentVolumeClaim" $namespace $vmName -}}
+
+{{- $instanceType := .Values.instanceType | default "" -}}
+{{- $instanceProfile := .Values.instanceProfile | default "" -}}
+{{- $desiredStorage := .Values.systemDisk.storage | default "" -}}
+
+{{- $needUpdateType := false -}}
+{{- $needUpdateProfile := false -}}
+{{- $needResizePVC := false -}}
+
+{{- if and $existingVM $instanceType -}}
+  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
+    {{- $needUpdateType = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingVM $instanceProfile -}}
+  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
+    {{- $needUpdateProfile = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingPVC $desiredStorage -}}
+  {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
+  {{- if not (eq $currentStorage $desiredStorage) -}}
+    {{- $needResizePVC = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile $needResizePVC }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ $.Release.Name }}-update-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: "{{ $.Release.Name }}-update-hook"
+    spec:
+      serviceAccountName: {{ $.Release.Name }}-update-hook
+      restartPolicy: Never
+      containers:
+        - name: update-resources
+          image: bitnami/kubectl:latest
+          command: ["sh", "-exc"]
+          args:
+            - |
+              {{- if $needUpdateType }}
+              echo "Patching VirtualMachine for instancetype update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name": "{{ $instanceType }}", "revisionName": null}}}'
+              {{- end }}
+              
+              {{- if $needUpdateProfile }}
+              echo "Patching VirtualMachine for preference update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
+              {{- end }}
+
+              {{- if $needResizePVC }}
+              echo "Patching PVC for storage resize..."
+              kubectl patch pvc {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"resources":{"requests":{"storage":"{{ $desiredStorage }}"}}}}'
+              {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["patch", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}-update-hook
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-update-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-instance/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.2.0"
+appVersion: "0.4.0"

packages/apps/vm-instance/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: virtual-machine
+  type: virtual-machine
+  selector:
+    vm.kubevirt.io/name: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/vm-instance/templates/vm-update-hook.yaml

@@ -0,0 +1,98 @@
+{{- $vmName := include "virtual-machine.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+{{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
+
+{{- $instanceType := .Values.instanceType | default "" -}}
+{{- $instanceProfile := .Values.instanceProfile | default "" -}}
+
+{{- $needUpdateType := false -}}
+{{- $needUpdateProfile := false -}}
+
+{{- if and $existingVM $instanceType -}}
+  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
+    {{- $needUpdateType = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingVM $instanceProfile -}}
+  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
+    {{- $needUpdateProfile = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ $.Release.Name }}-update-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: "{{ $.Release.Name }}-update-hook"
+    spec:
+      serviceAccountName: {{ $.Release.Name }}-update-hook
+      restartPolicy: Never
+      containers:
+        - name: update-resources
+          image: bitnami/kubectl:latest
+          command: ["sh", "-exc"]
+          args:
+            - |
+              {{- if $needUpdateType }}
+              echo "Patching VirtualMachine for instancetype update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name": "{{ $instanceType }}", "revisionName": null}}}'
+              {{- end }}
+              
+              {{- if $needUpdateProfile }}
+              echo "Patching VirtualMachine for preference update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
+              {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}-update-hook
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-update-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-instance/templates/vm.yaml

@@ -17,15 +17,12 @@ spec:
   instancetype:
     kind: VirtualMachineClusterInstancetype
     name: {{ . }}
-    revisionName: null
-  {{- end }}
+    {{- end }}
   {{- with .Values.instanceProfile }}
   preference:
     kind: VirtualMachineClusterPreference
     name: {{ . }}
-    revisionName: null
-  {{- end }}
-
+    {{- end }}
   template:
     metadata:
       annotations:
@@ -47,7 +44,7 @@ spec:
           disks:
           {{- range $i, $disk := .Values.disks }}
           - name: disk-{{ .name }}
-            {{- $disk := lookup "cdi.kubevirt.io/v1beta1" "DataVolume" $.Release.Namespace .name }}
+            {{- $disk := lookup "cdi.kubevirt.io/v1beta1" "DataVolume" $.Release.Namespace (printf "vm-disk-%s" .name) }}
             {{- if $disk }}
             {{- if and (hasKey $disk.metadata.annotations "vm-disk.cozystack.io/optical") (eq (index $disk.metadata.annotations "vm-disk.cozystack.io/optical") "true") }}
             cdrom: {}

packages/core/builder/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: builder
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/core/builder/Makefile

@@ -0,0 +1,35 @@
+NAMESPACE=cozy-builder
+NAME := builder
+
+TALOS_VERSION=$(shell awk '/^version:/ {print $$2}' ../installer/images/talos/profiles/installer.yaml)
+
+include ../../../scripts/common-envs.mk
+
+help: ## Show this help.
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+show:
+	helm template -n $(NAMESPACE) $(NAME) .
+
+apply: ## Create builder sandbox in existing Kubernetes cluster.
+	helm template -n $(NAMESPACE) $(NAME) . | kubectl apply -f -
+	docker buildx ls | grep -q '^buildkit-builder*' || docker buildx create \
+		--bootstrap \
+		--name=buildkit-$(NAME) \
+		--driver=kubernetes \
+		--driver-opt=namespace=$(NAMESPACE),replicas=1 \
+		--platform=linux/amd64 \
+		--platform=linux/arm64 \
+		--use \
+		--config config.toml
+
+diff:
+	helm template -n $(NAMESPACE) $(NAME) . | kubectl diff -f -
+
+delete: ## Remove builder sandbox from existing Kubernetes cluster.
+	kubectl delete deploy -n $(NAMESPACE) $(NAME)-talos-imager
+	docker buildx rm buildkit-$(NAME)
+
+wait-for-builder:
+	kubectl wait deploy --for=condition=Progressing -n $(NAMESPACE) $(NAME)-talos-imager
+	kubectl wait pod --for=condition=Ready -n $(NAMESPACE) -l app=$(NAME)-talos-imager

packages/core/builder/config.toml

@@ -0,0 +1,11 @@
+[worker.oci]
+  gc = true
+  gckeepstorage = 50000
+
+  [[worker.oci.gcpolicy]]
+    keepBytes = 10737418240
+    keepDuration = 604800
+    filters = [ "type==source.local", "type==exec.cachemount", "type==source.git.checkout"]
+  [[worker.oci.gcpolicy]]
+    all = true
+    keepBytes = 53687091200

packages/core/builder/templates/sandbox.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Release.Namespace }}
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-talos-imager
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-talos-imager
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-talos-imager
+    spec:
+      automountServiceAccountToken: false
+      terminationGracePeriodSeconds: 1
+      containers:
+      - name: imager
+        image: "{{ .Values.talos.imager.image }}"
+        securityContext:
+          privileged: true
+        command:
+        - sleep
+        - infinity
+        volumeMounts:
+        - mountPath: /dev
+          name: dev
+      volumes:
+      - hostPath:
+          path: /dev
+          type: Directory
+        name: dev

packages/core/builder/values.yaml

@@ -0,0 +1,3 @@
+talos:
+  imager:
+    image: ghcr.io/siderolabs/imager:v1.9.2

packages/core/installer/Makefile

@@ -19,10 +19,12 @@ diff:
 
 update:
 	hack/gen-profiles.sh
+	IMAGE=$$(yq '.input.baseInstaller.imageRef | sub("/installer:", "/imager:")' images/talos/profiles/installer.yaml) \
+		yq -i '.talos.imager.image = strenv(IMAGE)' ../builder/values.yaml
 
 image: pre-checks image-cozystack image-talos image-matchbox
 
-image-cozystack:
+image-cozystack: run-builder
 	make -C ../../.. repos
 	docker buildx build -f images/cozystack/Dockerfile ../../.. \
 		--provenance false \
@@ -37,13 +39,11 @@ image-cozystack:
 		yq -i '.cozystack.image = strenv(IMAGE)' values.yaml
 	rm -f images/cozystack.json
 
-image-talos:
-	test -f ../../../_out/assets/installer-amd64-secureboot.tar || make talos-installer
-	docker load -i ../../../_out/assets/installer-amd64-secureboot.tar
-	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
-	docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
+image-talos: run-builder
+	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
+	skopeo copy docker-archive:../../../_out/assets/installer-amd64.tar docker://$(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
 
-image-matchbox:
+image-matchbox:  run-builder
 	test -f ../../../_out/assets/kernel-amd64 || make talos-kernel
 	test -f ../../../_out/assets/initramfs-metal-amd64.xz || make talos-initramfs
 	docker buildx build -f images/matchbox/Dockerfile ../../.. \
@@ -59,17 +59,11 @@ image-matchbox:
 
 assets: talos-iso talos-nocloud talos-metal
 
-talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal: secureboot-keys
+talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal:
 	mkdir -p ../../../_out/assets
-	docker rm -f talos-imager 2>/dev/null || true 
-	docker run -d --rm --name talos-imager --privileged -v /dev:/dev --entrypoint=/bin/sleep "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" infinity
-	docker cp ../../../_out/secureboot talos-imager:/secureboot && \
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
-		docker exec -i talos-imager /bin/imager --tar-to-stdout - | \
-		tar -C ../../../_out/assets -xzf- ; \
-	docker rm -f talos-imager
+		kubectl exec -i -n cozy-builder deploy/builder-talos-imager -- imager --tar-to-stdout - | \
+		tar -C ../../../_out/assets -xzf-
 
-secureboot-keys:
-	test -d ../../../_out/secureboot || ( \
-	talosctl gen secureboot uki --common-name "SecureBoot Key" -o ../../../_out/secureboot/ && \
-	talosctl gen secureboot pcr -o ../../../_out/secureboot/ )
+run-builder:
+	make -C ../builder/ apply wait-for-builder

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.1
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -2,15 +2,15 @@
 # do not edit it
 arch: amd64
 platform: metal
-version: v1.9.1
-secureboot: true
+secureboot: false
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.1
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,12 +19,9 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: installer
   imageOptions: {}
   outFormat: raw
-customization:
-  extraKernelArgs:
-  - -selinux

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.1
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.1
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.1
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.1
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.21.0@sha256:90487dafccb12705b5e9760595b43c0352f3a94551c55c5fa7778bf9173d1737
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.23.1@sha256:dfa803a3e02ec9ea221029d361aa9d7aef0b5eb0a36d66c949b265d4ac4fc114

packages/core/platform/bundles/distro-full.yaml

@@ -37,6 +37,17 @@ releases:
   namespace: cozy-cert-manager
   dependsOn: [cilium]
 
+- name: cozystack-controller
+  releaseName: cozystack-controller
+  chart: cozy-cozystack-controller
+  namespace: cozy-system
+  dependsOn: [cilium]
+  {{- if eq (index $cozyConfig.data "telemetry-enabled") "false" }}
+  values:
+    cozystackController:
+      disableTelemetry: true
+  {{- end }}
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -98,7 +109,7 @@ releases:
   chart: cozy-postgres-operator
   namespace: cozy-postgres-operator
   optional: true
-  dependsOn: [cilium,cert-manager]
+  dependsOn: [cilium,cert-manager,victoria-metrics-operator]
 
 - name: kafka-operator
   releaseName: kafka-operator

packages/core/platform/bundles/distro-hosted.yaml

@@ -20,6 +20,17 @@ releases:
   namespace: cozy-cert-manager
   dependsOn: []
 
+- name: cozystack-controller
+  releaseName: cozystack-controller
+  chart: cozy-cozystack-controller
+  namespace: cozy-system
+  dependsOn: [cilium]
+  {{- if eq (index $cozyConfig.data "telemetry-enabled") "false" }}
+  values:
+    cozystackController:
+      disableTelemetry: true
+  {{- end }}
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -74,7 +85,7 @@ releases:
   chart: cozy-postgres-operator
   namespace: cozy-postgres-operator
   optional: true
-  dependsOn: [cert-manager]
+  dependsOn: [victoria-metrics-operator]
 
 - name: kafka-operator
   releaseName: kafka-operator

packages/core/platform/bundles/paas-full.yaml

@@ -62,6 +62,17 @@ releases:
   namespace: cozy-system
   dependsOn: [cilium,kubeovn]
 
+- name: cozystack-controller
+  releaseName: cozystack-controller
+  chart: cozy-cozystack-controller
+  namespace: cozy-system
+  dependsOn: [cilium,kubeovn]
+  {{- if eq (index $cozyConfig.data "telemetry-enabled") "false" }}
+  values:
+    cozystackController:
+      disableTelemetry: true
+  {{- end }}
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -91,7 +102,7 @@ releases:
   releaseName: kubevirt-operator
   chart: cozy-kubevirt-operator
   namespace: cozy-kubevirt
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cilium,kubeovn,victoria-metrics-operator]
 
 - name: kubevirt
   releaseName: kubevirt
@@ -288,4 +299,7 @@ releases:
   chart: cozy-keycloak-configure
   namespace: cozy-keycloak
   dependsOn: [keycloak-operator]
+  values:
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}

packages/core/platform/bundles/paas-hosted.yaml

@@ -35,6 +35,17 @@ releases:
   namespace: cozy-system
   dependsOn: []
 
+- name: cozystack-controller
+  releaseName: cozystack-controller
+  chart: cozy-cozystack-controller
+  namespace: cozy-system
+  dependsOn: []
+  {{- if eq (index $cozyConfig.data "telemetry-enabled") "false" }}
+  values:
+    cozystackController:
+      disableTelemetry: true
+  {{- end }}
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -82,7 +93,7 @@ releases:
   releaseName: postgres-operator
   chart: cozy-postgres-operator
   namespace: cozy-postgres-operator
-  dependsOn: [cert-manager]
+  dependsOn: [cert-manager,victoria-metrics-operator]
 
 - name: kafka-operator
   releaseName: kafka-operator
@@ -184,4 +195,7 @@ releases:
   chart: cozy-keycloak-configure
   namespace: cozy-keycloak
   dependsOn: [keycloak-operator]
+  values:
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}

packages/core/testing/Makefile

@@ -36,7 +36,10 @@ image-e2e-sandbox:
 copy-hack-dir:
 	tar -C ../../../ -cf- hack | kubectl exec -i -n $(NAMESPACE) deploy/cozystack-e2e-$(NAME) -- tar -xf-
 
-test: wait-for-sandbox copy-hack-dir ## Run the end-to-end tests in existing sandbox.
+copy-image:
+	cat ../../../_out/assets/nocloud-amd64.raw.xz | kubectl exec -i -n $(NAMESPACE) deploy/cozystack-e2e-$(NAME) -- sh -xec 'xz --decompress > /nocloud-amd64.raw'
+
+test: wait-for-sandbox copy-hack-dir copy-image ## Run the end-to-end tests in existing sandbox.
 	helm template -n cozy-system installer ../installer | kubectl exec -i -n $(NAMESPACE) deploy/cozystack-e2e-$(NAME) -- sh -c 'cat > /cozystack-installer.yaml'
 	kubectl exec -ti -n $(NAMESPACE) deploy/cozystack-e2e-$(NAME) -- sh -c 'export COZYSTACK_INSTALLER_YAML=$$(cat /cozystack-installer.yaml) && /hack/e2e.sh'
 

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.21.0@sha256:38229517c86e179984a6d39f5510b859d13d965e35b216bc01ce456f9ab5f8b5
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.23.1@sha256:0f4ffa7f23d6cdc633c0c4a0b852fde9710edbce96486fd9bd29c7d0d7710380

packages/extra/etcd/Chart.yaml

@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: /logos/etcd.svg
 type: application
-version: 2.3.0
+version: 2.4.0

packages/extra/etcd/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - etcd
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -193,3 +193,19 @@ spec:
   issuerRef:
     name: etcd-issuer
     kind: Issuer
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: {{ div .Values.replicas 2 | add1 }}
+  kind: etcd
+  type: etcd
+  selector:
+    app.kubernetes.io/instance: etcd
+    app.kubernetes.io/managed-by: etcd-operator
+    app.kubernetes.io/name: etcd
+  version: {{ $.Chart.Version }}

packages/extra/ingress/Chart.yaml

@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: /logos/ingress-nginx.svg
 type: application
-version: 1.3.0
+version: 1.4.0

packages/extra/ingress/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ trimPrefix "tenant-" .Release.Namespace }}-ingress-controller
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/extra/ingress/templates/workloadmonitor.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: {{ div .Values.replicas 2 | add1 }}
+  kind: ingress
+  type: controller
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: ingress-nginx-system
+    app.kubernetes.io/name: ingress-nginx
+  version: {{ $.Chart.Version }}

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.5.3
+version: 1.7.0

packages/extra/monitoring/README.md

@@ -4,13 +4,14 @@
 
 ### Common parameters
 
-| Name                            | Description                                                                                               | Value  |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------- | ------ |
-| `host`                          | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`   |
-| `metricsStorages`               | Configuration of metrics storage instances                                                                | `[]`   |
-| `logsStorages`                  | Configuration of logs storage instances                                                                   | `[]`   |
-| `alerta.storage`                | Persistent Volume size for alerta database                                                                | `10Gi` |
-| `alerta.storageClassName`       | StorageClass used to store the data                                                                       | `""`   |
-| `alerta.alerts.telegram.token`  | telegram token for your bot                                                                               | `""`   |
-| `alerta.alerts.telegram.chatID` | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `""`   |
-| `grafana.db.size`               | Persistent Volume size for grafana database                                                               | `10Gi` |
+| Name                                      | Description                                                                                               | Value  |
+| ----------------------------------------- | --------------------------------------------------------------------------------------------------------- | ------ |
+| `host`                                    | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`   |
+| `metricsStorages`                         | Configuration of metrics storage instances                                                                | `[]`   |
+| `logsStorages`                            | Configuration of logs storage instances                                                                   | `[]`   |
+| `alerta.storage`                          | Persistent Volume size for alerta database                                                                | `10Gi` |
+| `alerta.storageClassName`                 | StorageClass used to store the data                                                                       | `""`   |
+| `alerta.alerts.telegram.token`            | telegram token for your bot                                                                               | `""`   |
+| `alerta.alerts.telegram.chatID`           | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `""`   |
+| `alerta.alerts.telegram.disabledSeverity` | list of severity without alerts, separated comma like: "informational,warning"                            | `""`   |
+| `grafana.db.size`                         | Persistent Volume size for grafana database                                                               | `10Gi` |

packages/extra/monitoring/dashboards.list

@@ -31,3 +31,4 @@ control-plane/control-plane-status
 control-plane/deprecated-resources
 control-plane/dns-coredns
 control-plane/kube-etcd3
+kubevirt/kubevirt-control-plane

packages/extra/monitoring/templates/alerta/alerta-db.yaml

@@ -11,6 +11,23 @@ spec:
     storageClass: {{ . }}
     {{- end }}
 
+  monitoring:
+    enablePodMonitor: true
+
   inheritedMetadata:
     labels:
       policy.cozystack.io/allow-to-apiserver: "true"
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: alerta-db
+spec:
+  replicas: 2
+  minReplicas: 1
+  kind: monitoring
+  type: postgres
+  selector:
+    cnpg.io/cluster: alerta-db
+    cnpg.io/podRole: instance
+  version: {{ $.Chart.Version }}

packages/extra/monitoring/templates/alerta/alerta.yaml

@@ -116,6 +116,8 @@ spec:
               value: "{{ .Values.alerta.alerts.telegram.token }}"
             - name: TELEGRAM_WEBHOOK_URL
               value: "https://{{ printf "alerta.%s" (.Values.host | default $host) }}/api/webhooks/telegram?api-key={{ $apiKey }}"
+            - name: TELEGRAM_DISABLE_NOTIFICATION_SEVERITY
+              value: "{{ .Values.alerta.alerts.telegram.disabledSeverity }}"
             {{- end }}
 
           ports:
@@ -170,6 +172,20 @@ spec:
                 port:
                   name: http
 ---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: alerta
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: monitoring
+  type: alerta
+  selector:
+    app: alerta
+    release: alerta
+  version: {{ $.Chart.Version }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -217,3 +233,17 @@ spec:
   podMetadata:
     labels:
       policy.cozystack.io/allow-to-apiserver: "true"
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: alertmanager
+spec:
+  replicas: 3
+  minReplicas: 2
+  kind: monitoring
+  type: alertmanager
+  selector:
+    app.kubernetes.io/instance: alertmanager
+    app.kubernetes.io/name: vmalertmanager
+  version: {{ $.Chart.Version }}

packages/extra/monitoring/templates/dashboard-resourcemap.yaml

@@ -26,3 +26,28 @@ rules:
   - grafana-service
   - alerta
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - alerta
+  - grafana
+  - grafana-db
+  - alerta-db
+  - alermanager
+  {{- range .Values.metricsStorages }}
+  - {{ .name }}-vmstorage
+  - {{ .name }}-vmselect
+  - {{ .name }}-vminsert
+  {{- end }}
+  {{- range .Values.logsStorages }}
+  - {{ $.Release.Name }}-vlogs-{{ .name }}
+  {{- end }}
+  {{- range .Values.metricsStorages }}
+  - vmalert-{{ .name }}
+  {{- break }}
+  {{- end }}
+  verbs: ["get", "list", "watch"]
+
+

packages/extra/monitoring/templates/grafana/db.yaml

@@ -7,6 +7,23 @@ spec:
   storage:
     size: {{ .Values.grafana.db.size }}
 
+  monitoring:
+    enablePodMonitor: true
+
   inheritedMetadata:
     labels:
       policy.cozystack.io/allow-to-apiserver: "true"
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: grafana-db
+spec:
+  replicas: 2
+  minReplicas: 1
+  kind: monitoring
+  type: postgres
+  selector:
+    cnpg.io/cluster: grafana-db
+    cnpg.io/podRole: instance
+  version: {{ $.Chart.Version }}

packages/extra/monitoring/templates/grafana/grafana.yaml

@@ -114,3 +114,16 @@ spec:
       - hosts:
         - "{{ printf "grafana.%s" (.Values.host | default $host) }}"
         secretName: grafana-ingress-tls
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: grafana
+spec:
+  replicas: 2
+  minReplicas: 1
+  kind: monitoring
+  type: grafana
+  selector:
+    app: grafana
+  version: {{ $.Chart.Version }}

packages/extra/monitoring/templates/vlogs/vlogs.yaml

@@ -12,4 +12,19 @@ spec:
     accessModes: [ReadWriteOnce]
   retentionPeriod: "{{ .retentionPeriod }}"
   removePvcAfterDelete: true
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: vlogs-{{ .name }}
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: monitoring
+  type: vlogs
+  selector:
+    app.kubernetes.io/component: monitoring
+    app.kubernetes.io/instance: {{ .name }}
+    app.kubernetes.io/name: vlogs
+  version: {{ $.Chart.Version }}
 {{- end }}

packages/extra/monitoring/templates/vm/vmalert.yaml

@@ -18,5 +18,19 @@ spec:
     url: http://vminsert-{{ .name }}.{{ $.Release.Namespace }}.svc:8480/insert/0/prometheus/api/v1/write
   resources: {}
   selectAllByDefault: true
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: vmalert-{{ .name }}
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: monitoring
+  type: vmalert
+  selector:
+    app.kubernetes.io/instance: vmalert-{{ .name }}
+    app.kubernetes.io/name: vmalert
+  version: {{ $.Chart.Version }}
 {{- break }}
 {{- end }}

packages/extra/monitoring/templates/vm/vmcluster.yaml

@@ -6,22 +6,35 @@ metadata:
   name: {{ .name }}
 spec:
   replicationFactor: 2
-  retentionPeriod: "3"
+  retentionPeriod: {{ .retentionPeriod | quote }}
   vminsert:
-    replicaCount: 2
-    resources: {}
-  vmselect:
     replicaCount: 2
     resources:
+      {{- if and (hasKey . "vminsert") (hasKey .vminsert "resources") }}
+      {{- toYaml .vminsert.resources | nindent 6 }}
+      {{- else }}
       limits:
         memory: 1000Mi
       requests:
         cpu: 100m
         memory: 500Mi
+      {{- end }}
+  vmselect:
+    replicaCount: 2
+    resources:
+      {{- if and (hasKey . "vmselect") (hasKey .vmselect "resources") }}
+      {{- toYaml .vmselect.resources | nindent 6 }}
+      {{- else }}
+      limits:
+        memory: 1000Mi
+      requests:
+        cpu: 100m
+        memory: 500Mi
+      {{- end }}
     extraArgs:
       search.maxUniqueTimeseries: "600000"
       vmalert.proxyURL: http://vmalert-{{ .name }}.{{ $.Release.Namespace }}.svc:8080
-      dedup.minScrapeInterval: "15s"
+      dedup.minScrapeInterval: {{ .deduplicationInterval | quote}}
     cacheMountPath: /select-cache
     storage:
       volumeClaimTemplate:
@@ -35,11 +48,15 @@ spec:
   vmstorage:
     replicaCount: 2
     resources:
+      {{- if and (hasKey . "vmstorage") (hasKey .vmstorage "resources") }}
+      {{- toYaml .vmstorage.resources | nindent 6 }}
+      {{- else }}
       limits:
-        memory: 1000Mi
+        memory: 2048Mi
       requests:
         cpu: 100m
         memory: 500Mi
+      {{- end }}
     storage:
       volumeClaimTemplate:
         spec:
@@ -50,4 +67,49 @@ spec:
             requests:
               storage: {{ .storage }}
     storageDataPath: /vm-data
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ .name }}-vmstorage
+spec:
+  replicas: 2
+  minReplicas: 1
+  kind: monitoring
+  type: vmstorage
+  selector:
+    app.kubernetes.io/component: monitoring
+    app.kubernetes.io/instance: {{ .name }}
+    app.kubernetes.io/name: vmstorage
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ .name }}-vmselect
+spec:
+  replicas: 2
+  minReplicas: 1
+  kind: monitoring
+  type: vmselect
+  selector:
+    app.kubernetes.io/component: monitoring
+    app.kubernetes.io/instance: {{ .name }}
+    app.kubernetes.io/name: vmselect
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ .name }}-vminsert
+spec:
+  replicas: 2
+  minReplicas: 1
+  kind: monitoring
+  type: vminsert
+  selector:
+    app.kubernetes.io/component: monitoring
+    app.kubernetes.io/instance: {{ .name }}
+    app.kubernetes.io/name: vminsert
+  version: {{ $.Chart.Version }}
 {{- end }}

packages/extra/monitoring/values.schema.json

@@ -51,6 +51,11 @@
                   "type": "string",
                   "description": "specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot",
                   "default": ""
+                },
+                "disabledSeverity": {
+                  "type": "string",
+                  "description": "list of severity without alerts, separated comma like: \"informational,warning\"",
+                  "default": ""
                 }
               }
             }

packages/extra/monitoring/values.yaml

@@ -5,17 +5,59 @@ host: ""
 
 ## @param metricsStorages [array] Configuration of metrics storage instances
 ##
+## Example:
+## metricsStorages:
+## - name: shortterm
+##   retentionPeriod: "3d"
+##   deduplicationInterval: "15s"
+##   storage: 10Gi
+##   storageClassName: ""
+##   vminsert:
+##     resources:
+##       limits:
+##         memory: 1024Mi
+##       requests:
+##         cpu: 200m
+##         memory: 512Mi
+##   vmselect:
+##     resources:
+##       limits:
+##         memory: 2048Mi
+##       requests:
+##         cpu: 300m
+##         memory: 1Gi
+##   vmstorage:
+##     resources:
+##       limits:
+##         memory: 4096Mi
+##       requests:
+##         cpu: 500m
+##         memory: 2Gi
+##
 metricsStorages:
 - name: shortterm
   retentionPeriod: "3d"
-  deduplicationInterval: "5m"
-  storage: 10Gi
-  storageClassName: ""
-- name: longterm
-  retentionPeriod: "14d"
   deduplicationInterval: "15s"
   storage: 10Gi
   storageClassName: ""
+  vminsert:
+    resources: {}
+  vmselect:
+    resources: {}
+  vmstorage:
+    resources: {}
+- name: longterm
+  retentionPeriod: "14d"
+  deduplicationInterval: "5m"
+  storage: 10Gi
+  storageClassName: ""
+  vminsert:
+    resources: {}
+  vmselect:
+    resources: {}
+  vmstorage:
+    resources: {}
+
 
 ## @param logsStorages [array] Configuration of logs storage instances
 ##
@@ -36,14 +78,17 @@ alerta:
   alerts:
     ## @param alerta.alerts.telegram.token telegram token for your bot
     ## @param alerta.alerts.telegram.chatID specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot
+    ## @param alerta.alerts.telegram.disabledSeverity list of severity without alerts, separated comma like: "informational,warning"
     ## example:
     ##   telegram:
     ##     token: "7262461387:AAGtwq16iwuVtWtzoN6TUEMpF00fpC9Xz34"
     ##     chatID: "-4520856007"
+    ##     disabledSeverity: "informational,warning"
     ##
     telegram:
       token: ""
       chatID: ""
+      disabledSeverity: ""
 
 ## Configuration for Grafana
 ## @param grafana.db.size Persistent Volume size for grafana database

packages/extra/seaweedfs/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.1
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/extra/seaweedfs/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ $.Release.Name }}-s3
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  resourceNames:
+  - ingress-{{ $.Release.Name }}-s3
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ $.Release.Name }}-master
+  - {{ $.Release.Name }}-filer
+  - {{ $.Release.Name }}-volume
+  - {{ $.Release.Name }}-db
+  verbs: ["get", "list", "watch"]

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -60,3 +60,59 @@ spec:
       cosi:
         driverName: "{{ .Release.Namespace }}.seaweedfs.objectstorage.k8s.io"
         bucketClassName: "{{ .Release.Namespace }}"
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-master
+spec:
+  replicas: 3
+  minReplicas: 2
+  kind: seaweedfs
+  type: master
+  selector:
+    app.kubernetes.io/component: master
+    app.kubernetes.io/name: seaweedfs
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-filer
+spec:
+  replicas: 2
+  minReplicas: 1
+  kind: seaweedfs
+  type: filer
+  selector:
+    app.kubernetes.io/component: filer
+    app.kubernetes.io/name: seaweedfs
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-volume
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: {{ div .Values.replicas 2 | add1 }}
+  kind: seaweedfs
+  type: volume
+  selector:
+    app.kubernetes.io/component: volume
+    app.kubernetes.io/name: seaweedfs
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-db
+spec:
+  replicas: 2
+  minReplicas: 1
+  kind: seaweedfs
+  type: postgres
+  selector:
+    cnpg.io/cluster: seaweedfs-db
+    cnpg.io/podRole: instance
+  version: {{ $.Chart.Version }}

packages/extra/versions_map

@@ -3,11 +3,13 @@ etcd 2.0.0 a6d0f7cf
 etcd 2.0.1 6fc1cc7d
 etcd 2.1.0 2b00fcf8
 etcd 2.2.0 5ca8823
-etcd 2.3.0 HEAD
+etcd 2.3.0 b908400d
+etcd 2.4.0 HEAD
 ingress 1.0.0 f642698
 ingress 1.1.0 838bee5d
 ingress 1.2.0 ced8e5b
-ingress 1.3.0 HEAD
+ingress 1.3.0 edbbb9be
+ingress 1.4.0 HEAD
 monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
 monitoring 1.2.0 c9e0d63b
@@ -17,7 +19,12 @@ monitoring 1.4.0 adaf603b
 monitoring 1.5.0 4b90bf5a
 monitoring 1.5.1 57e90b70
 monitoring 1.5.2 898374b5
-monitoring 1.5.3 HEAD
+monitoring 1.5.3 c1ca19dc
+monitoring 1.5.4 d4634797
+monitoring 1.6.0 cb7b8158
+monitoring 1.6.1 3bb97596
+monitoring 1.7.0 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 9e33dc0
-seaweedfs 0.2.1 HEAD
+seaweedfs 0.2.1 249bf35
+seaweedfs 0.3.0 HEAD

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:109b1f36e85353066b387472aaab936d7d5b691ac99547312acd26484e3ebe8e
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:35e9a8ba7e1a3b0cee634f6d2bd92d2b08c47c7ed3316559c9ea25ff733eb5d5

packages/system/cilium/charts/cilium/Chart.yaml

@@ -79,7 +79,7 @@ annotations:
     Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
     be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.16.4
+appVersion: 1.16.5
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.16.4
+version: 1.16.5

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.16.4](https://img.shields.io/badge/Version-1.16.4-informational?style=flat-square) ![AppVersion: 1.16.4](https://img.shields.io/badge/AppVersion-1.16.4-informational?style=flat-square)
+![Version: 1.16.5](https://img.shields.io/badge/Version-1.16.5-informational?style=flat-square) ![AppVersion: 1.16.5](https://img.shields.io/badge/AppVersion-1.16.5-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
 | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. |
-| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
+| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:d75b758a4fea99ffff4db799e16f853bbde8643671b5b72464a8ba94cbe3dbe3","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
 | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
@@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
 | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.4","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.5","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -353,7 +353,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:0287b36f70cfbdf54f894160082f4f94d1ee1fb10389f3a95baa6c8e448586ed","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:709c08ade3d17d52da4ca2af33f431360ec26268d288d9a6cd1d98acc9a1dced","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8","useDigest":true}` | Envoy container image. |
 | envoy.initialFetchTimeoutSeconds | int | `30` | Time in seconds after which the initial fetch on an xDS stream is considered timed out |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
@@ -485,7 +485,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.4","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.5","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -591,7 +591,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.4","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.5","useDigest":true}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -718,7 +718,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686","awsDigest":"sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be","azureDigest":"sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de","genericDigest":"sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.4","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0","awsDigest":"sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476","azureDigest":"sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9","genericDigest":"sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.5","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -768,7 +768,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.4","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.5","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json

@@ -52,6 +52,30 @@
                       }
                     }
                   ],
+                  "internal_address_config": {
+                    "cidr_ranges": [
+                      {
+                        "address_prefix": "10.0.0.0",
+                        "prefix_len": 8
+                      },
+                      {
+                        "address_prefix": "172.16.0.0",
+                        "prefix_len": 12
+                      },
+                      {
+                        "address_prefix": "192.168.0.0",
+                        "prefix_len": 16
+                      },
+                      {
+                        "address_prefix": "127.0.0.1",
+                        "prefix_len": 32
+                      },
+                      {
+                        "address_prefix": "::1",
+                        "prefix_len": 128
+                      }
+                    ]
+                  },
                   "stream_idle_timeout": "0s"
                 }
               }
@@ -119,6 +143,30 @@
                       }
                     }
                   ],
+                  "internal_address_config": {
+                    "cidr_ranges": [
+                      {
+                        "address_prefix": "10.0.0.0",
+                        "prefix_len": 8
+                      },
+                      {
+                        "address_prefix": "172.16.0.0",
+                        "prefix_len": 12
+                      },
+                      {
+                        "address_prefix": "192.168.0.0",
+                        "prefix_len": 16
+                      },
+                      {
+                        "address_prefix": "127.0.0.1",
+                        "prefix_len": 32
+                      },
+                      {
+                        "address_prefix": "::1",
+                        "prefix_len": 128
+                      }
+                    ]
+                  },
                   "stream_idle_timeout": "0s"
                 }
               }
@@ -185,6 +233,30 @@
                       }
                     }
                   ],
+                  "internal_address_config": {
+                    "cidr_ranges": [
+                      {
+                        "address_prefix": "10.0.0.0",
+                        "prefix_len": 8
+                      },
+                      {
+                        "address_prefix": "172.16.0.0",
+                        "prefix_len": 12
+                      },
+                      {
+                        "address_prefix": "192.168.0.0",
+                        "prefix_len": 16
+                      },
+                      {
+                        "address_prefix": "127.0.0.1",
+                        "prefix_len": 32
+                      },
+                      {
+                        "address_prefix": "::1",
+                        "prefix_len": 128
+                      }
+                    ]
+                  },
                   "stream_idle_timeout": "0s"
                 }
               }

packages/system/cilium/charts/cilium/templates/hubble-relay/configmap.yaml

@@ -16,7 +16,7 @@ metadata:
 data:
   config.yaml: |
     cluster-name: {{ .Values.cluster.name }}
-    peer-service: "hubble-peer.{{ .Release.Namespace }}.svc.{{ .Values.hubble.peerService.clusterDomain }}:{{ $peerSvcPort }}"
+    peer-service: "hubble-peer.{{ .Release.Namespace }}.svc.{{ .Values.hubble.peerService.clusterDomain }}.:{{ $peerSvcPort }}"
     listen-address: {{ include "hubble-relay.config.listenAddress" . }}
     gops: {{ .Values.hubble.relay.gops.enabled }}
     gops-port: {{ .Values.hubble.relay.gops.port | quote }}

packages/system/cilium/charts/cilium/values.yaml

@@ -153,10 +153,10 @@ image:
   # @schema
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.16.4"
+  tag: "v1.16.5"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf"
+  digest: "sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d"
   useDigest: true
 # -- Affinity for cilium-agent.
 affinity:
@@ -1314,9 +1314,9 @@ hubble:
       # @schema
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.16.4"
+      tag: "v1.16.5"
       # hubble-relay-digest
-      digest: "sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2"
+      digest: "sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- Specifies the resources for the hubble-relay pods
@@ -2165,9 +2165,9 @@ envoy:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16"
+    tag: "v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8"
     pullPolicy: "IfNotPresent"
-    digest: "sha256:0287b36f70cfbdf54f894160082f4f94d1ee1fb10389f3a95baa6c8e448586ed"
+    digest: "sha256:709c08ade3d17d52da4ca2af33f431360ec26268d288d9a6cd1d98acc9a1dced"
     useDigest: true
   # -- Additional containers added to the cilium Envoy DaemonSet.
   extraContainers: []
@@ -2480,15 +2480,15 @@ operator:
     # @schema
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.16.4"
+    tag: "v1.16.5"
     # operator-generic-digest
-    genericDigest: "sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5"
+    genericDigest: "sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039"
     # operator-azure-digest
-    azureDigest: "sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de"
+    azureDigest: "sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9"
     # operator-aws-digest
-    awsDigest: "sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be"
+    awsDigest: "sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476"
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686"
+    alibabacloudDigest: "sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0"
     useDigest: true
     pullPolicy: "IfNotPresent"
     suffix: ""
@@ -2762,9 +2762,9 @@ preflight:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.16.4"
+    tag: "v1.16.5"
     # cilium-digest
-    digest: "sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf"
+    digest: "sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d"
     useDigest: true
     pullPolicy: "IfNotPresent"
   # -- The priority class to use for the preflight pod.
@@ -2911,9 +2911,9 @@ clustermesh:
       # @schema
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.16.4"
+      tag: "v1.16.5"
       # clustermesh-apiserver-digest
-      digest: "sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2"
+      digest: "sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- TCP port for the clustermesh-apiserver health API.
@@ -3412,7 +3412,7 @@ authentication:
           override: ~
           repository: "docker.io/library/busybox"
           tag: "1.36.1"
-          digest: "sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140"
+          digest: "sha256:d75b758a4fea99ffff4db799e16f853bbde8643671b5b72464a8ba94cbe3dbe3"
           useDigest: true
           pullPolicy: "IfNotPresent"
         # SPIRE agent configuration

packages/system/cilium/images/cilium/Dockerfile

@@ -1,2 +1,2 @@
-ARG VERSION=v1.16.4
+ARG VERSION=v1.16.5
 FROM quay.io/cilium/cilium:${VERSION}