Prepare release v0.10.4

fix network-policies
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-01-28 18:18:41 +00:00 · 2024-08-09 14:51:30 +02:00 · 2024-08-09 12:50:09 +02:00 · 2024-08-08 22:04:27 +02:00 · 2024-08-08 20:59:33 +02:00 · 2024-08-08 20:58:37 +02:00
36 changed files with 258 additions and 118 deletions
--- a/1
+++ b/1
@@ -6,6 +6,7 @@ build:
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
+	make -C packages/system/kamaji image
 	make -C packages/core/installer image
 	make manifests

--- a/manifests/cozystack-installer.yaml
+++ b/manifests/cozystack-installer.yaml
@@ -68,7 +68,7 @@ spec:
      serviceAccountName: cozystack
      containers:
      - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.4"
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: localhost
@@ -87,7 +87,7 @@ spec:
            fieldRef:
              fieldPath: metadata.name
      - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.4"
        command:
        - /usr/bin/darkhttpd
        - /cozystack/assets
--- a/packages/apps/ferretdb/Chart.yaml
+++ b/packages/apps/ferretdb/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/ferretdb/templates/postgres.yaml
+++ b/packages/apps/ferretdb/templates/postgres.yaml
@@ -16,6 +16,10 @@ spec:
  storage:
    size: {{ required ".Values.size is required" .Values.size }}

+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
+
  {{- if .Values.users }}
  managed:
    roles:
--- a/packages/apps/http-cache/images/nginx-cache.json
+++ b/packages/apps/http-cache/images/nginx-cache.json
@@ -32,17 +32,17 @@
      }
    }
  },
-  "buildx.build.ref": "cozystack/cozystack0/7j4plhjjn8onm0o8q0omik63x",
-  "containerimage.config.digest": "sha256:f30f57d817c596f7a7d0ecfe734b7b41994eca9d36d43307206314ee37bdb286",
+  "buildx.build.ref": "buildkit/buildkit0/u67issjnvf8mayitrr0yjhyvg",
+  "containerimage.config.digest": "sha256:4bfe7bdc746d0f7db6d8fccb4ef68c8b1dc2306c27e2716f589dee951bf86a03",
  "containerimage.descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:f7d86b1a72a12b60434a12a604e9ddd3779d9fa605205c7968fe9495e764c94c",
+    "digest": "sha256:6b5dbb5319ddcf9f545ba0f7b8b3f2117e85bc96e684b5e3adf23e0fef5dde8d",
    "size": 1094,
    "platform": {
      "architecture": "amd64",
      "os": "linux"
    }
  },
-  "containerimage.digest": "sha256:f7d86b1a72a12b60434a12a604e9ddd3779d9fa605205c7968fe9495e764c94c",
-  "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.10.1"
+  "containerimage.digest": "sha256:6b5dbb5319ddcf9f545ba0f7b8b3f2117e85bc96e684b5e3adf23e0fef5dde8d",
+  "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.10.4"
 }
--- a/packages/apps/kafka/Chart.yaml
+++ b/packages/apps/kafka/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.2
+version: 0.2.3

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kafka/templates/kafka.yaml
+++ b/packages/apps/kafka/templates/kafka.yaml
@@ -65,3 +65,8 @@ spec:
  entityOperator:
    topicOperator: {}
    userOperator: {}
+    template:
+      pod:
+        metadata:
+         labels:
+           policy.cozystack.io/allow-to-apiserver: "true"
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.8.2

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.json
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json
@@ -32,7 +32,7 @@
      }
    }
  },
-  "buildx.build.ref": "cozystack/cozystack0/xkanpm0dojuj7v0lo951qocfb",
+  "buildx.build.ref": "buildkit/buildkit0/h1ysl3ux1rjq5dtblsuuc54l9",
  "containerimage.config.digest": "sha256:c144c5f12a47af7880ee5f056b14177c07b585b8ab1e68b7e7900e1c923083cf",
  "containerimage.descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
@@ -44,5 +44,5 @@
    }
  },
  "containerimage.digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805",
-  "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1-v0.10.1"
+  "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1-v0.10.4"
 }
--- a/packages/apps/kubernetes/templates/ingress.yaml
+++ b/packages/apps/kubernetes/templates/ingress.yaml
@@ -7,16 +7,14 @@ kind: Ingress
 metadata:
  name: {{ .Release.Name }}-ingress-nginx
  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: "AUTO_HTTP"
+    nginx.ingress.kubernetes.io/backend-protocol: AUTO_HTTP
    nginx.ingress.kubernetes.io/configuration-snippet: |
-      set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-80";
-      if ($scheme = https) {
-        set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-443";
-        set $service_port 443;
+      if ($scheme = http) {
+        set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-80";
+        set $proxy_host $proxy_upstream_name;
      }
-      set $proxy_host $proxy_upstream_name;
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
 spec:
  ingressClassName: "{{ $ingress }}"
  rules:
@@ -30,14 +28,14 @@ spec:
          service:
            name: {{ $.Release.Name }}-ingress-nginx
            port:
-              number: 80
+              number: 443
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: {{ $.Release.Name }}-ingress-nginx
            port:
-              number: 443
+              number: 80
  {{- end }}
 ---
 apiVersion: v1
--- a/packages/apps/postgres/Chart.yaml
+++ b/packages/apps/postgres/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.4.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/postgres/templates/db.yaml
+++ b/packages/apps/postgres/templates/db.yaml
@@ -19,3 +19,7 @@ spec:

  storage:
    size: {{ required ".Values.size is required" .Values.size }}
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg

 type: application
-version: 1.3.0
+version: 1.3.1
--- a/packages/apps/tenant/templates/namespace.yaml
+++ b/packages/apps/tenant/templates/namespace.yaml
@@ -1,3 +1,20 @@
+{{- define "cozystack.namespace-anotations" }}
+{{- $context := index . 0 }}
+{{- $existingNS := index . 1 }}
+{{- range $x := list "etcd" "monitoring" "ingress" }}
+{{- if (index $context.Values $x) }}
+namespace.cozystack.io/{{ $x }}: "{{ include "tenant.name" $context }}"
+{{- else }}
+namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $context.Release.Namespace $x) }}"
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- if not $existingNS }}
+{{- fail (printf "error lookup existing namespace: %s" .Release.Namespace) }}
+{{- end }}
+
 {{- if ne (include "tenant.name" .) "tenant-root" }}
 ---
 apiVersion: v1
@@ -5,22 +22,25 @@ kind: Namespace
 metadata:
  name: {{ include "tenant.name" . }}
  {{- if hasPrefix "tenant-" .Release.Namespace }}
-  {{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-  {{- if $existingNS }}
  annotations:
    {{- if .Values.host }}
    namespace.cozystack.io/host: "{{ .Values.host }}"
    {{- else }}
-    {{ $parentHost := index $existingNS.metadata.annotations "namespace.cozystack.io/host" | required (printf "namespace %s has no namespace.cozystack.io/host annotation" $.Release.Namespace) }}
+    {{ $parentHost := index $existingNS.metadata.annotations "namespace.cozystack.io/host" | required (printf "namespace %s has no namespace.cozystack.io/host annotation" .Release.Namespace) }}
    namespace.cozystack.io/host: "{{ splitList "-" (include "tenant.name" .) | last }}.{{ $parentHost }}"
    {{- end }}
-    {{- range $x := list "etcd" "monitoring" "ingress" }}
-    {{- if (index $.Values $x) }}
-    namespace.cozystack.io/{{ $x }}: "{{ include "tenant.name" $ }}"
-    {{- else }}
-    namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $.Release.Namespace $x) }}"
+    {{- include "cozystack.namespace-anotations" (list . $existingNS) | nindent 4 }}
+  labels:
+    tenant.cozystack.io/{{ include "tenant.name" $ }}: ""
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
+    tenant.cozystack.io/{{ join "-" (slice $parts 0 (add $i 1)) }}: ""
    {{- end }}
    {{- end }}
+    {{- end }}
+    {{- include "cozystack.namespace-anotations" (list $ $existingNS) | nindent 4 }}
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: true
@@ -28,8 +48,5 @@ metadata:
    kind: Namespace
    name: {{ .Release.Namespace }}
    uid: {{ $existingNS.metadata.uid }}
-  {{- else }}
-  {{- fail (printf "error lookup exiting namespace: %s" .Release.Namespace) }}
-  {{- end }}
  {{- end }}
 {{- end }}
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -29,55 +29,75 @@ spec:
      - world
 ---
 apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
+kind: CiliumClusterwideNetworkPolicy
 metadata:
-  name: allow-from-system
-  namespace: {{ include "tenant.name" . }}
+  name: {{ include "tenant.name" . }}-egress
 spec:
-  endpointSelector: {}
-  ingress:
-  - fromEntities:
-    - cluster
---
-{{- if ne (include "tenant.name" .) "tenant-root" }}
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-from-upper-tenants
-  namespace: {{ include "tenant.name" . }}
-spec:
-  endpointSelector: {}
-  ingress:
-  - fromEndpoints:
+  endpointSelector:
+    matchLabels:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+  egress:
+  - toEndpoints:
    - matchLabels:
-        "kubernetes.io/metadata.name": "tenant-root"
+        "k8s:io.cilium.k8s.namespace.labels.tenant.cozystack.io/{{ include "tenant.name" . }}": ""
+  {{- if ne (include "tenant.name" .) "tenant-root" }}
+  - toEndpoints:
    {{- if hasPrefix "tenant-" .Release.Namespace }}
    {{- $parts := splitList "-" .Release.Namespace }}
    {{- range $i, $v := $parts }}
    {{- if ne $i 0 }}
    - matchLabels:
-        "kubernetes.io/metadata.name": {{ join "-" (slice $parts 0 (add $i 1)) }}
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
    {{- end }}
    {{- end }}
    {{- end }}
-{{- end }}
+  {{- end }}
 ---
-{{- if not .Values.etcd }}
-{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
+kind: CiliumClusterwideNetworkPolicy
 metadata:
-  name: allow-to-etcd
-  namespace: {{ include "tenant.name" . }}
+  name: {{ include "tenant.name" . }}-ingress
 spec:
  endpointSelector:
    matchLabels:
-      policy.cozystack.io/allow-to-etcd: "true"
-  egress:
-  - toEndpoints:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+  ingress:
+  - fromEntities:
+    - kube-apiserver
+  - fromEndpoints:
+      - matchLabels:
+          "k8s:io.cilium.k8s.namespace.labels.cozystack.io/system": "true"
+  - fromEndpoints:
+      - matchLabels:
+          "k8s:io.kubernetes.pod.namespace": kube-system
+  {{- if ne (include "tenant.name" .) "tenant-root" }}
+  - fromEndpoints:
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
    - matchLabels:
-        io.kubernetes.pod.namespace: "{{ index $existingNS.metadata.annotations "namespace.cozystack.io/etcd" }}"
-        cozystack.io/service: etcd
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+  {{- end }}
+---
+{{- if .Values.etcd }}
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: {{ include "tenant.name" . }}-ingress-etcd
+spec:
+  endpointSelector:
+    matchLabels:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+      cozystack.io/service: etcd
+  ingress:
+  - fromEndpoints:
+    - matchLabels:
+        "k8s:io.cilium.k8s.namespace.labels.namespace.cozystack.io/etcd": "{{ include "tenant.name" . }}"
+        policy.cozystack.io/allow-to-etcd: "true"
 {{- end }}
 ---
 apiVersion: cilium.io/v2
@@ -107,7 +127,7 @@ spec:
  egress:
  - toEndpoints:
    - matchLabels:
-        io.kubernetes.pod.namespace: kube-system
+        "k8s:io.kubernetes.pod.namespace": kube-system
        k8s-app: kube-dns
 ---
 apiVersion: cilium.io/v2
@@ -120,7 +140,7 @@ spec:
  egress:
  - toEndpoints:
      - matchLabels:
-          io.kubernetes.pod.namespace: cozy-dashboard
+          "k8s:io.kubernetes.pod.namespace": cozy-dashboard
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -1,13 +1,15 @@
 clickhouse 0.1.0 ca79f72
 clickhouse 0.2.0 7cd7de73
 clickhouse 0.2.1 HEAD
-ferretdb 0.1.0 HEAD
+ferretdb 0.1.0 4ffa8615
+ferretdb 0.1.1 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
 kafka 0.2.0 a2cc83d
 kafka 0.2.1 3ac17018
-kafka 0.2.2 HEAD
+kafka 0.2.2 d0758692
+kafka 0.2.3 HEAD
 kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
@@ -15,7 +17,9 @@ kubernetes 0.4.0 6cae6ce8
 kubernetes 0.5.0 6bd2d455
 kubernetes 0.6.0 4cbc8a2c
 kubernetes 0.7.0 ceefae03
-kubernetes 0.8.0 HEAD
+kubernetes 0.8.0 ac11056e
+kubernetes 0.8.1 e54608d8
+kubernetes 0.8.2 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
@@ -24,7 +28,8 @@ postgres 0.1.0 f642698
 postgres 0.2.0 7cd7de73
 postgres 0.2.1 4a97e297
 postgres 0.3.0 995dea6f
-postgres 0.4.0 HEAD
+postgres 0.4.0 ec283c33
+postgres 0.4.1 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698
@@ -37,7 +42,8 @@ tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
 tenant 1.1.0 4da8ac3b
 tenant 1.2.0 15478a88
-tenant 1.3.0 HEAD
+tenant 1.3.0 ceefae03
+tenant 1.3.1 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -26,7 +26,7 @@ image-cozystack:
 		--tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \
 		--platform linux/amd64,linux/arm64 \
-		--cache-to type=inline \
+		--cache-to type=inline,mode=max \
 		--metadata-file images/cozystack.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
@@ -46,7 +46,7 @@ image-matchbox:
 		--tag $(REGISTRY)/matchbox:$(call settag,$(TAG)) \
 		--tag $(REGISTRY)/matchbox:$(call settag,$(TALOS_VERSION)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/matchbox:latest \
-		--cache-to type=inline \
+		--cache-to type=inline,mode=max \
 		--metadata-file images/matchbox.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
--- a/packages/core/installer/images/cozystack.json
+++ b/packages/core/installer/images/cozystack.json
@@ -1,10 +1,10 @@
 {
-  "buildx.build.ref": "cozystack/cozystack0/zk58yqp4vkrfgx3gdjumn9k70",
+  "buildx.build.ref": "buildkit/buildkit0/n6lhtwop5zjb6wsgfaxvgm7wi",
  "containerimage.descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
-    "digest": "sha256:b92988122fa68adc85751384170a46895b5761cc5bf27e80b0b53b12b89b6d6c",
+    "digest": "sha256:629ce818af1441896a499120f62471934faf2fb8f7e9f922631f51c877de7b44",
    "size": 685
  },
-  "containerimage.digest": "sha256:b92988122fa68adc85751384170a46895b5761cc5bf27e80b0b53b12b89b6d6c",
-  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest"
+  "containerimage.digest": "sha256:629ce818af1441896a499120f62471934faf2fb8f7e9f922631f51c877de7b44",
+  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.10.4"
 }
--- a/packages/core/installer/images/cozystack.tag
+++ b/packages/core/installer/images/cozystack.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:latest
+ghcr.io/aenix-io/cozystack/cozystack:v0.10.4
--- a/packages/core/installer/images/matchbox.json
+++ b/packages/core/installer/images/matchbox.json
@@ -29,17 +29,17 @@
      }
    }
  },
-  "buildx.build.ref": "cozystack/cozystack0/qu2ygr61roizh7ga2l4kkmdx6",
-  "containerimage.config.digest": "sha256:94aa5abc006ac672ccdd91b8d9361fd14de6e0b286299f4e44dd09002becc3b7",
+  "buildx.build.ref": "buildkit/buildkit0/bloh5mrl9qylqab5x8nsx7c3w",
+  "containerimage.config.digest": "sha256:82ae30cc8115b1ff19eeaf9e99130268f25e4440ae285208aa48321da285c5ac",
  "containerimage.descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:b1e6084402619dde9dcdc8251cd581cbfc3940c885e938547b7b7306376a411e",
+    "digest": "sha256:22a4a0d40c9101af9c934425438ac39ca8312456d8b22ddd8b92d506b15e3517",
    "size": 1488,
    "platform": {
      "architecture": "amd64",
      "os": "linux"
    }
  },
-  "containerimage.digest": "sha256:b1e6084402619dde9dcdc8251cd581cbfc3940c885e938547b7b7306376a411e",
-  "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.10.1,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.10.1"
+  "containerimage.digest": "sha256:22a4a0d40c9101af9c934425438ac39ca8312456d8b22ddd8b92d506b15e3517",
+  "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.10.4,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.10.4"
 }
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -93,13 +93,13 @@ releases:
  releaseName: kafka-operator
  chart: cozy-kafka-operator
  namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cilium]

 - name: clickhouse-operator
  releaseName: clickhouse-operator
  chart: cozy-clickhouse-operator
  namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cilium]

 - name: rabbitmq-operator
  releaseName: rabbitmq-operator
--- a/packages/extra/monitoring/Chart.yaml
+++ b/packages/extra/monitoring/Chart.yaml
@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.2.0
+version: 1.2.1
--- a/packages/extra/monitoring/templates/grafana/db.yaml
+++ b/packages/extra/monitoring/templates/grafana/db.yaml
@@ -6,3 +6,7 @@ spec:
  instances: 2
  storage:
    size: 10Gi
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
--- a/packages/extra/monitoring/templates/oncall/oncall-db.yaml
+++ b/packages/extra/monitoring/templates/oncall/oncall-db.yaml
@@ -8,4 +8,8 @@ spec:
  instances: 2
  storage:
    size: 10Gi
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
 {{- end }}
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -8,4 +8,5 @@ ingress 1.1.0 838bee5d
 ingress 1.2.0 HEAD
 monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
-monitoring 1.2.0 HEAD
+monitoring 1.2.0 c9e0d63b
+monitoring 1.2.1 HEAD
--- a/packages/system/cilium/images/cilium.json
+++ b/packages/system/cilium/images/cilium.json
@@ -11,7 +11,7 @@
      {
        "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64",
        "digest": {
-          "sha256": "af9b40f2b1851be993763b85288f8434af87b5678af04355b1e33ff530b5765f"
+          "sha256": "39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407"
        }
      },
      {
@@ -45,17 +45,17 @@
      }
    }
  },
-  "buildx.build.ref": "cozystack/cozystack0/3a5uyqqyj3lnwkgdniwjp341a",
-  "containerimage.config.digest": "sha256:db99b8b1e565f406af5b240b1ef76b5cc3ba1b510c6e035e1497c5089d65ee12",
+  "buildx.build.ref": "buildkit/buildkit0/t1ir71rh3wc8qnuoktu7d4esj",
+  "containerimage.config.digest": "sha256:e4a2ffa097cfead78a8e7623cf186d5f594e72e139e4dda5a06bcd1c58c6838e",
  "containerimage.descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:0e9fa8f6f5194b84227ea7e7b93ef77244b5550ec62671e04d398818dccfb282",
+    "digest": "sha256:8110f6b17ec98d87d9aebf3f4b99409f020840a958166e28c74b2d4e1bfb5a51",
    "size": 2083,
    "platform": {
      "architecture": "amd64",
      "os": "linux"
    }
  },
-  "containerimage.digest": "sha256:0e9fa8f6f5194b84227ea7e7b93ef77244b5550ec62671e04d398818dccfb282",
-  "image.name": "ghcr.io/aenix-io/cozystack/cilium:1.15.5,ghcr.io/aenix-io/cozystack/cilium:1.15.5-v0.10.1"
+  "containerimage.digest": "sha256:8110f6b17ec98d87d9aebf3f4b99409f020840a958166e28c74b2d4e1bfb5a51",
+  "image.name": "ghcr.io/aenix-io/cozystack/cilium:1.15.5,ghcr.io/aenix-io/cozystack/cilium:1.15.5-v0.10.4"
 }
--- a/packages/system/dashboard/images/dashboard.json
+++ b/packages/system/dashboard/images/dashboard.json
@@ -35,17 +35,17 @@
      }
    }
  },
-  "buildx.build.ref": "cozystack/cozystack0/puq8k1x2nsc986l15a2vanb8s",
-  "containerimage.config.digest": "sha256:2c68c6ce6620a8c8afd84fed1c2265738d661a47ded0be21b2517b0309ed7307",
+  "buildx.build.ref": "buildkit/buildkit0/cwujns3lenpi0n9e0ippe836g",
+  "containerimage.config.digest": "sha256:975a58288a675b6fb7b1a8a10d52e0c6090ba0fb3185f618ade444ad0b3c9993",
  "containerimage.descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17",
+    "digest": "sha256:f6a14b2291c6750cb4cb4c1b8ddefdb5d32081a2a6af661d8b3bcfad731de695",
    "size": 703,
    "platform": {
      "architecture": "amd64",
      "os": "linux"
    }
  },
-  "containerimage.digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17",
-  "image.name": "ghcr.io/aenix-io/cozystack/dashboard:v0.10.1"
+  "containerimage.digest": "sha256:f6a14b2291c6750cb4cb4c1b8ddefdb5d32081a2a6af661d8b3bcfad731de695",
+  "image.name": "ghcr.io/aenix-io/cozystack/dashboard:v0.10.4"
 }
--- a/packages/system/dashboard/images/dashboard.tag
+++ b/packages/system/dashboard/images/dashboard.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/dashboard:v0.10.1
+ghcr.io/aenix-io/cozystack/dashboard:v0.10.4
--- a/packages/system/dashboard/images/kubeapps-apis.json
+++ b/packages/system/dashboard/images/kubeapps-apis.json
@@ -11,7 +11,7 @@
      {
        "uri": "pkg:docker/bitnami/minideb@bookworm?platform=linux%2Famd64",
        "digest": {
-          "sha256": "b13cb4b41be91e22858e9b050a51137b636a34694a92ff17c27cb010e5f93f04"
+          "sha256": "83bb31f8fcd1f639603350886a70a96204dc0de3368cb6b573170642c888cf82"
        }
      },
      {
@@ -41,17 +41,17 @@
      }
    }
  },
-  "buildx.build.ref": "cozystack/cozystack0/nk99hhpt81cl5xu6eecdk86qs",
-  "containerimage.config.digest": "sha256:662ea8b8642d1c6662e5eef79ea8329863f5178a80457e1faf983506efe7a611",
+  "buildx.build.ref": "buildkit/buildkit0/p6nqttiwicifoqgamrjx2fdrq",
+  "containerimage.config.digest": "sha256:348ce29b9ea660f8f9c35d2b103cf164ce82b057935da06a79cae1822934b8f7",
  "containerimage.descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:eaedcb64abd1c245bd2959c66df430d0fcbbb5968334501f484231707de7ed7d",
+    "digest": "sha256:236fd33ce19599e06f3fedcc97a287880e1aab2354a6b17634e84a74d092e095",
    "size": 1890,
    "platform": {
      "architecture": "amd64",
      "os": "linux"
    }
  },
-  "containerimage.digest": "sha256:eaedcb64abd1c245bd2959c66df430d0fcbbb5968334501f484231707de7ed7d",
-  "image.name": "ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.1"
+  "containerimage.digest": "sha256:236fd33ce19599e06f3fedcc97a287880e1aab2354a6b17634e84a74d092e095",
+  "image.name": "ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.4"
 }
--- a/packages/system/dashboard/images/kubeapps-apis.tag
+++ b/packages/system/dashboard/images/kubeapps-apis.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.1
+ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.4
--- a/packages/system/kamaji/Makefile
+++ b/packages/system/kamaji/Makefile
@@ -1,6 +1,7 @@
 export NAME=kamaji
 export NAMESPACE=cozy-$(NAME)

+include ../../../scripts/common-envs.mk
 include ../../../scripts/package-system.mk

 update:
@@ -8,3 +9,19 @@ update:
 	helm repo add clastix https://clastix.github.io/charts
 	helm repo update clastix
 	helm pull clastix/kamaji --untar --untardir charts
+
+image:
+	docker buildx build images/kamaji \
+		--provenance false \
+		--tag $(REGISTRY)/kamaji:$(call settag,$(TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/kamaji:latest \
+		--cache-to type=inline \
+		--metadata-file images/kamaji.json \
+		--push=$(PUSH) \
+		--label "org.opencontainers.image.source=https://github.com/aenix-io/cozystack"
+		--load=$(LOAD)
+	REPOSITORY="$(REGISTRY)/kamaji" \
+		yq -i '.kamaji.image.repository = strenv(REPOSITORY)' values.yaml
+	TAG=$(TAG)@$$(yq e '."containerimage.digest"' images/kamaji.json -o json -r) \
+		yq -i '.kamaji.image.tag = strenv(TAG)' values.yaml
+	rm -f images/kamaji.json
--- a/packages/system/kamaji/images/kamaji/Dockerfile
+++ b/packages/system/kamaji/images/kamaji/Dockerfile
@@ -0,0 +1,25 @@
+# Build the manager binary
+FROM golang:1.22 as builder
+
+ARG VERSION=v1.0.0
+ARG TARGETOS TARGETARCH
+
+WORKDIR /workspace
+
+RUN curl -sSL https://github.com/clastix/kamaji/archive/refs/tags/v1.0.0.tar.gz | tar -xzvf- --strip=1
+
+COPY patches /patches
+RUN git apply /patches/enable-gc.diff
+
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build \
+    -ldflags "-X github.com/clastix/kamaji/internal.GitRepo=$GIT_REPO -X github.com/clastix/kamaji/internal.GitTag=$GIT_LAST_TAG -X github.com/clastix/kamaji/internal.GitCommit=$GIT_HEAD_COMMIT -X github.com/clastix/kamaji/internal.GitDirty=$GIT_MODIFIED -X github.com/clastix/kamaji/internal.BuildTime=$BUILD_DATE" \
+    -a -o kamaji main.go
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/kamaji .
+USER 65532:65532
+
+ENTRYPOINT ["/kamaji"]
--- a/packages/system/kamaji/images/kamaji/patches/enable-gc.diff
+++ b/packages/system/kamaji/images/kamaji/patches/enable-gc.diff
@@ -0,0 +1,30 @@
+diff --git a/internal/kubeadm/uploadconfig.go b/internal/kubeadm/uploadconfig.go
+index 0dc9e71..e516390 100644
+--- a/internal/kubeadm/uploadconfig.go
+++ b/internal/kubeadm/uploadconfig.go
+@@ -98,21 +98,15 @@ func getKubeletConfigmapContent(kubeletConfiguration KubeletConfiguration) ([]by
+ 				CacheUnauthorizedTTL: zeroDuration,
+ 			},
+ 		},
+-		CgroupDriver:              kubeletConfiguration.TenantControlPlaneCgroupDriver,
+-		ClusterDNS:                kubeletConfiguration.TenantControlPlaneDNSServiceIPs,
+-		ClusterDomain:             kubeletConfiguration.TenantControlPlaneDomain,
+-		CPUManagerReconcilePeriod: zeroDuration,
+-		EvictionHard: map[string]string{
+-			"imagefs.available": "0%",
+-			"nodefs.available":  "0%",
+-			"nodefs.inodesFree": "0%",
+-		},
+		CgroupDriver:                     kubeletConfiguration.TenantControlPlaneCgroupDriver,
+		ClusterDNS:                       kubeletConfiguration.TenantControlPlaneDNSServiceIPs,
+		ClusterDomain:                    kubeletConfiguration.TenantControlPlaneDomain,
+		CPUManagerReconcilePeriod:        zeroDuration,
+ 		EvictionPressureTransitionPeriod: zeroDuration,
+ 		FileCheckFrequency:               zeroDuration,
+ 		HealthzBindAddress:               "127.0.0.1",
+ 		HealthzPort:                      pointer.To(int32(10248)),
+ 		HTTPCheckFrequency:               zeroDuration,
+-		ImageGCHighThresholdPercent:      pointer.To(int32(100)),
+ 		NodeStatusUpdateFrequency:        zeroDuration,
+ 		NodeStatusReportFrequency:        zeroDuration,
+ 		RotateCertificates:               true,
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -1,3 +1,7 @@
 kamaji:
  etcd:
    deploy: false
+  image:
+    pullPolicy: IfNotPresent
+    tag: v0.10.4@sha256:f7e4036ed809176dafc671953a5c95a652dc7d637a67470142e625103f91ca3d
+    repository: ghcr.io/aenix-io/cozystack/kamaji
--- a/packages/system/kubeovn/images/kubeovn.json
+++ b/packages/system/kubeovn/images/kubeovn.json
@@ -3,15 +3,15 @@
    "buildType": "https://mobyproject.org/buildkit@v1",
    "materials": [
      {
-        "uri": "pkg:docker/kubeovn/kube-ovn-base@v1.13.0?platform=linux%2Famd64",
+        "uri": "pkg:docker/kubeovn/kube-ovn-base@v1.12.19?platform=linux%2Famd64",
        "digest": {
-          "sha256": "789041d6e02edaa9a28f9385e2175d47cecd564d163e7a0fb89d225de8ada2a2"
+          "sha256": "9f9e2199be2a0a10d058c3f45bda08d3a3ea9a8817170219a8f898c90ffbdf9e"
        }
      },
      {
        "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64",
        "digest": {
-          "sha256": "800e361142daeb47b5e5bce2ede55be8d67159be75748cb31cbb48798ebec39d"
+          "sha256": "39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407"
        }
      }
    ],
@@ -35,17 +35,17 @@
      }
    }
  },
-  "buildx.build.ref": "mybuild/mybuild0/sgrxqzg8w1l4zxyi2tpcluk8p",
-  "containerimage.config.digest": "sha256:7bdcdea14eb90de0b87b53e79e1b1fbe35ead5be316a7b4f83859454cb5506af",
+  "buildx.build.ref": "buildkit/buildkit0/m5gbswwgqddc64uba1uy011fy",
+  "containerimage.config.digest": "sha256:050f4b7fe5e8812106c70cc8865b109258f55e9d32f5ab92f1a76347ff620144",
  "containerimage.descriptor": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:89cac6416d9a8bae534d1f5276b0d0a399e873d6b919bb6a3ad780ecf71c8b81",
-    "size": 4621,
+    "digest": "sha256:af48ff43d05006403f2dbc072a98a1b167a4ddd7ba6d90a7063c9a30401f4bc5",
+    "size": 5015,
    "platform": {
      "architecture": "amd64",
      "os": "linux"
    }
  },
-  "containerimage.digest": "sha256:89cac6416d9a8bae534d1f5276b0d0a399e873d6b919bb6a3ad780ecf71c8b81",
-  "image.name": "ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0,ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0-v0.10.0"
+  "containerimage.digest": "sha256:af48ff43d05006403f2dbc072a98a1b167a4ddd7ba6d90a7063c9a30401f4bc5",
+  "image.name": "ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0,ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0-v0.10.4"
 }
--- a/packages/system/kubeovn/images/kubeovn/Dockerfile
+++ b/packages/system/kubeovn/images/kubeovn/Dockerfile
@@ -1,4 +1,4 @@
-ARG VERSION=v1.13.0
+ARG VERSION=v1.12.19
 ARG BASE_TAG=$VERSION

 FROM golang:1.22-bookworm as builder
Author	SHA1	Message	Date
Andrei Kvapil	91b0499ae2	Prepare release v0.10.4	2024-08-09 14:51:30 +02:00
Andrei Kvapil	4a885ab0e7	fix network-policies Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-08-09 12:50:09 +02:00
Andrei Kvapil	f81be0758e	Prepare release v0.10.3 Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-08-08 22:04:27 +02:00
Andrei Kvapil	7f8e09889e	fix kamaji garbage collection (#263 ) upstream issue https://github.com/clastix/kamaji/issues/508 Signed-off-by: Andrei Kvapil <kvapss@gmail.com> Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-08-08 20:59:33 +02:00
Andrei Kvapil	0864020afa	Fix hardcoded values in ingress resource (#269 )	2024-08-08 20:58:37 +02:00
Andrei Kvapil	5bcb3f7b47	fix: kubeovn building (#253 ) While update isn't possbile for now, let's use workaround, to hardcode older ovn version - details: https://github.com/aenix-io/cozystack/pull/252	2024-08-08 20:58:14 +02:00
Andrei Kvapil	366bcafc45	Prepare release v0.10.2	2024-07-30 19:26:12 +02:00
Andrei Kvapil	0619e3d7f4	Fix ingress forward both 80 and 443 ports to tenant clusters (#243 )	2024-07-30 19:25:31 +02:00
Andrei Kvapil	23b2521c81	remove kubeovn ependency from distro-full bundle (#240 )	2024-07-30 19:12:11 +02:00