Fix kamaji to use default kubelet-config

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @kvaps

ADOPTERS.md

@@ -26,3 +26,6 @@ This list is sorted in chronological order, based on the submission date.
 | Organization | Contact | Date | Description of Use |
 | ------------ | ------- | ---- | ------------------ |
 | [Ænix](https://aenix.io/) | @kvaps | 2024-02-14 | Ænix provides consulting services for cloud providers and uses Cozystack as the main tool for organizing managed services for them. |
+| [Mediatech](https://mediatech.dev/) | @ugenk | 2024-05-01 | We're developing and hosting software for our and our custmer services. We're using cozystack as a kubernetes distribution for that. |
+| [Bootstack](https://bootstack.app/) | @mrkhachaturov | 2024-08-01| At Bootstack, we utilize a Kubernetes operator specifically designed to simplify and streamline cloud infrastructure creation.|
+| [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01| Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management.|

Makefile

@@ -6,6 +6,7 @@ build:
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
+	make -C packages/system/kamaji image
 	make -C packages/core/installer image
 	make manifests
 

packages/apps/bucket/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: bucket
+description: S3 compatible storage
+icon: /logos/bucket.svg
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"

packages/apps/bucket/Makefile

@@ -0,0 +1,2 @@
+generate:
+	readme-generator -v values.yaml -s values.schema.json -r README.md

packages/apps/bucket/logos/bucket.svg

@@ -0,0 +1,12 @@
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_683_3091)"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M72 30.1641L117.983 36.7789V40.6739C117.983 46.4653 97.3862 51.1332 71.9827 51.1332C46.5792 51.1332 26 46.4653 26 40.6739V36.4431L72 30.1641ZM72 58.2678C91.2084 58.2678 107.658 55.5986 114.547 51.8048L116.803 48.111L117.723 44.753V48.9171L102.679 111.033C102.679 114.895 88.9533 118 72.0172 118C55.0812 118 41.3743 114.895 41.3743 111.033L26.33 48.9171V44.8369L29.8007 51.9382C36.7065 55.6653 52.9997 58.2678 72 58.2678Z" fill="#8C3123"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M72.0003 26C97.4038 26 118 30.6839 118 36.442C118 42.2 97.3866 46.8507 72.0003 46.8507C46.6141 46.8507 26.0176 42.2345 26.0176 36.442C26.0176 30.6494 46.5968 26 72.0003 26ZM72.0003 54.1037C95.6857 54.1037 115.172 50.058 117.706 44.8197L102.662 106.937C102.662 110.799 88.9364 113.905 72.0003 113.905C55.0643 113.905 41.339 110.816 41.339 106.954L26.2959 44.837C28.8466 50.058 48.3333 54.1037 72.0003 54.1037Z" fill="#E05243"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M61.1725 60.0293H81.0928V79.1676H61.1725V60.0293ZM45.3301 95.3688C45.3301 90.142 49.7104 85.9342 55.1511 85.9342C60.5917 85.9342 64.9721 90.142 64.9721 95.3688C64.9721 100.596 60.5917 104.803 55.1511 104.803C49.7104 104.803 45.3301 100.596 45.3301 95.3688ZM96.4487 104.368H76.7722L86.6105 86.7737L96.4487 104.368Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_683_3091" x1="0" y1="0" x2="151" y2="180" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFF0EE"/>
+<stop offset="1" stop-color="#EC887D"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/bucket/templates/bucketclaim.yaml

@@ -0,0 +1,20 @@
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $seaweedfs := index $myNS.metadata.annotations "namespace.cozystack.io/seaweedfs" }}
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketClaim
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  bucketClassName: {{ $seaweedfs }}
+  protocols:
+    - s3
+---
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketAccess
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  bucketAccessClassName: {{ $seaweedfs }}
+  bucketClaimName: {{ .Release.Name }}
+  credentialsSecretName: {{ .Release.Name }}
+  protocol: s3

packages/apps/bucket/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/clickhouse/logos/clickhouse.svg

@@ -1 +1,11 @@
-<svg height="2222" viewBox="0 0 9 8" width="2500" xmlns="http://www.w3.org/2000/svg"><path d="m0 7h1v1h-1z" fill="#f00"/><path d="m0 0h1v7h-1zm2 0h1v8h-1zm2 0h1v8h-1zm2 0h1v8h-1zm2 3.25h1v1.5h-1z" fill="#fc0"/></svg>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_683_3202)"/>
+<path d="M23 105H34V116H23V105Z" fill="#FF0000"/>
+<path d="M23 28H34V105H23V28ZM45 28H55.9999V116H45V28ZM66.9999 28H77.9999V116H66.9999V28ZM88.9999 28H99.9999V116H88.9999V28ZM111 63.7499H122V80.2499H111V63.7499Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_683_3202" x1="-0.499998" y1="1.5" x2="153.5" y2="162" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFCC00"/>
+<stop offset="1" stop-color="#FF7A00"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/ferretdb/logos/ferretdb.svg

@@ -1,54 +1,12 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   width="200mm"
-   height="195.323mm"
-   viewBox="0 0 200 195.323"
-   version="1.1"
-   id="svg948"
-   inkscape:version="1.1.1 (c3084ef, 2021-09-22)"
-   sodipodi:docname="ferretdb.svg"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg">
-  <sodipodi:namedview
-     id="namedview950"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageshadow="2"
-     inkscape:pageopacity="0.0"
-     inkscape:pagecheckerboard="0"
-     inkscape:document-units="mm"
-     showgrid="false"
-     inkscape:zoom="0.64052329"
-     inkscape:cx="-69.474445"
-     inkscape:cy="579.99452"
-     inkscape:window-width="3440"
-     inkscape:window-height="1387"
-     inkscape:window-x="0"
-     inkscape:window-y="25"
-     inkscape:window-maximized="1"
-     inkscape:current-layer="layer1" />
-  <defs
-     id="defs945" />
-  <g
-     inkscape:label="Layer 1"
-     inkscape:groupmode="layer"
-     id="layer1">
-    <path
-       d="M 95.871302,0.25836635 C 73.52529,3.312081 51.107429,17.502874 38.138123,36.831094 c -2.083712,3.125567 -5.676318,9.628178 -5.676318,10.274847 0,0.0719 1.724451,-0.970003 3.808162,-2.335187 25.651206,-16.921175 56.260205,-20.046742 81.156963,-8.298921 5.42484,2.550751 8.83781,5.029648 13.68783,9.879665 8.15521,8.191137 14.11894,19.148592 18.25044,33.554942 2.15556,7.400765 3.95187,17.495992 4.4189,24.35786 0.10778,1.86816 0.39518,3.52075 0.57482,3.62853 1.00593,0.61075 5.53261,-5.96372 8.73003,-12.645965 5.06558,-10.634111 7.43669,-21.0886 7.40077,-32.692714 -0.036,-16.418213 -5.71224,-30.213814 -17.13674,-41.710153 C 143.22184,10.640997 130.43216,3.6354156 117.03174,0.90503536 113.90617,0.29429263 111.6069,0.11466224 105.75097,0.00688441 101.69132,-0.02904391 97.272414,0.07873086 95.871302,0.25836635 Z"
-       id="path824"
-       style="fill:#216778;stroke-width:0.0359261" />
-    <path
-       d="m 48.377049,48.219658 c -2.335194,1.149625 -6.251134,4.742233 -9.700036,8.873735 -1.54482,1.832222 -3.880014,4.095564 -5.604464,5.388902 -4.02372,3.017795 -10.885597,9.735963 -14.370424,14.083015 -18.1785821,22.525641 -23.2441594,48.21277 -14.585984,74.00768 7.113359,21.12453 23.567499,35.13569 48.859444,41.4946 9.843739,2.51482 24.60935,3.91593 30.788632,2.94593 l 1.580747,-0.25148 -2.442972,-1.43704 C 69.42972,185.49312 60.017093,172.27233 57.39449,157.57857 c -0.790373,-4.45483 -0.826299,-12.35856 -0.03593,-16.70562 1.760377,-9.77189 6.682247,-18.7534 13.364494,-24.35786 3.125567,-2.6226 8.586328,-5.31706 12.933381,-6.35891 6.538543,-1.58075 10.526335,-3.37705 14.657827,-6.64633 2.658538,-2.0837 4.993728,-5.2452 6.933738,-9.340763 1.65259,-3.484834 5.17335,-14.550063 5.17335,-16.310439 0,-1.221482 -1.25742,-2.874082 -3.05372,-3.987789 -0.93408,-0.574812 -2.40705,-0.898147 -6.17927,-1.293338 C 84.949773,70.888992 76.866409,67.943063 67.094521,60.218953 65.693406,59.105246 64.00488,57.847837 63.322285,57.416727 62.639691,57.021536 61.2745,55.512639 60.340423,54.111526 c -2.838159,-4.131492 -6.358912,-6.790025 -9.053367,-6.825953 -0.574817,0 -1.904081,0.431119 -2.910011,0.934085 z m 17.639695,16.633763 c 1.221486,0.610741 2.55075,1.401113 2.981863,1.724447 l 0.790373,0.646669 -1.257411,5.029649 c -1.077783,4.38298 -1.257413,5.496687 -1.149634,8.622257 0.107777,3.089642 0.215555,3.77223 0.934077,4.778161 1.18556,1.616673 3.233345,2.586676 5.532613,2.586676 3.269271,0 5.820021,-1.86815 10.059296,-7.436693 1.221486,-1.580744 2.19149,-2.442973 3.628532,-3.125571 2.227415,-1.113706 3.808162,-1.221481 8.765958,-0.790372 l 3.305202,0.323335 v 1.940007 c 0,3.053724 1.616677,4.814099 4.921857,5.317065 l 1.58075,0.21555 -0.57481,1.329266 c -2.51483,6.071499 -8.981521,12.93338 -15.05302,15.987093 -0.970004,0.46703 -3.161494,1.32926 -4.850018,1.90408 -2.766306,0.89815 -3.520754,1.00593 -8.262994,1.00593 -4.706313,0 -5.496687,-0.10778 -8.083363,-0.97001 -7.795954,-2.58667 -13.58005,-8.334832 -16.202652,-16.058942 -0.934077,-2.73038 -0.970004,-10.670039 -0.03593,-13.975231 1.257413,-4.562611 3.484828,-8.33485 5.820023,-9.80782 1.508893,-0.970003 4.311126,-0.646669 7.149285,0.754454 z"
-       id="path826"
-       style="fill:#216778;stroke-width:0.0359261" />
-    <path
-       d="m 181.55494,78.397542 c 0,1.616673 -1.7963,9.089295 -3.30519,13.759681 -5.67632,17.495987 -15.95117,33.195677 -29.35159,44.656087 -9.41263,8.08336 -16.09488,11.64004 -26.69306,14.26265 -6.82596,1.68852 -11.28078,2.22741 -19.93897,2.44297 -10.813737,0.2874 -21.483776,-0.6826 -31.040108,-2.76631 -1.832229,-0.39519 -3.377049,-0.64667 -3.484828,-0.53889 -0.431112,0.39519 1.221487,5.89187 2.658529,8.80189 2.622602,5.38891 5.604466,9.41262 10.921522,14.72968 5.604465,5.60446 9.771888,8.6941 16.238576,12.03522 16.023019,8.263 34.417169,9.37671 53.278339,3.1615 19.90304,-6.50262 34.52495,-18.25043 42.39275,-34.05791 5.24521,-10.4904 7.40077,-21.69934 6.6104,-34.489 -0.97001,-15.77155 -6.79003,-31.219754 -15.23265,-40.344967 -1.32926,-1.437041 -2.55075,-2.586676 -2.73038,-2.586676 -0.17963,0 -0.32334,0.431109 -0.32334,0.934075 z"
-       id="path828"
-       style="fill:#216778;stroke-width:0.0359261" />
-  </g>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="-0.00195312" width="144" height="144" rx="24" fill="url(#paint0_linear_683_2952)"/>
+<path d="M69.5923 22.131C58.2662 23.6787 46.9037 30.8714 40.3302 40.6679C39.274 42.2521 37.4531 45.548 37.4531 45.8757C37.4531 45.9122 38.3272 45.3841 39.3833 44.6921C52.3847 36.1156 67.8989 34.5314 80.5178 40.4858C83.2674 41.7787 84.9973 43.0351 87.4555 45.4933C91.589 49.645 94.6117 55.1988 96.7058 62.5007C97.7983 66.2518 98.7088 71.3686 98.9455 74.8465C99.0001 75.7934 99.1458 76.631 99.2369 76.6856C99.7467 76.9952 102.041 73.6629 103.662 70.276C106.229 64.8861 107.431 59.5872 107.413 53.7057C107.395 45.3841 104.518 38.3917 98.727 32.5648C93.592 27.3934 87.1095 23.8426 80.3175 22.4587C78.7333 22.1492 77.5679 22.0581 74.5999 22.0035C72.5422 21.9853 70.3025 22.0399 69.5923 22.131Z" fill="white"/>
+<path d="M45.52 46.4402C44.3364 47.0229 42.3516 48.8438 40.6035 50.9379C39.8205 51.8666 38.6369 53.0137 37.7629 53.6693C35.7234 55.1989 32.2455 58.604 30.4792 60.8073C21.2654 72.2244 18.6979 85.244 23.0863 98.3182C26.6917 109.025 35.0315 116.127 47.8508 119.35C52.8401 120.624 60.324 121.335 63.456 120.843L64.2572 120.715L63.019 119.987C56.1906 116.018 51.4198 109.317 50.0905 101.869C49.6899 99.611 49.6717 95.605 50.0723 93.4017C50.9645 88.4488 53.4592 83.8965 56.8461 81.0559C58.4303 79.7266 61.1981 78.3609 63.4014 77.8329C66.7155 77.0317 68.7367 76.1212 70.8307 74.4642C72.1782 73.408 73.3618 71.8056 74.3451 69.7298C75.1827 67.9635 76.9672 62.3551 76.9672 61.4628C76.9672 60.8437 76.3299 60.0061 75.4195 59.4416C74.946 59.1502 74.1994 58.9864 72.2875 58.7861C64.0569 57.9302 59.9599 56.4371 55.007 52.5221C54.2968 51.9576 53.441 51.3203 53.095 51.1018C52.749 50.9015 52.0571 50.1367 51.5836 49.4265C50.1451 47.3325 48.3606 45.985 46.9949 45.9668C46.7036 45.9668 46.0298 46.1853 45.52 46.4402ZM54.4607 54.8711C55.0798 55.1806 55.7535 55.5812 55.972 55.7451L56.3727 56.0729L55.7353 58.6222C55.1891 60.8437 55.098 61.4082 55.1526 62.9924C55.2073 64.5584 55.2619 64.9043 55.6261 65.4142C56.227 66.2336 57.2649 66.7253 58.4303 66.7253C60.0873 66.7253 61.3802 65.7784 63.5289 62.956C64.148 62.1548 64.6396 61.7177 65.368 61.3718C66.497 60.8073 67.2982 60.7527 69.811 60.9712L71.4863 61.135V62.1183C71.4863 63.6661 72.3057 64.5584 73.9809 64.8133L74.7821 64.9226L74.4908 65.5963C73.2161 68.6736 69.9385 72.1516 66.8611 73.6994C66.3695 73.9361 65.2587 74.3731 64.4029 74.6645C63.0008 75.1197 62.6184 75.1743 60.2148 75.1743C57.8294 75.1743 57.4288 75.1197 56.1177 74.6827C52.1663 73.3716 49.2347 70.4581 47.9054 66.5432C47.4319 65.1593 47.4137 61.135 47.8872 59.4598C48.5245 57.1472 49.6535 55.2353 50.8371 54.4887C51.6018 53.997 53.0222 54.1609 54.4607 54.8711Z" fill="white"/>
+<path d="M113.022 61.7361C113.022 62.5555 112.111 66.3431 111.347 68.7102C108.47 77.5781 103.262 85.5355 96.4697 91.3443C91.6989 95.4413 88.3119 97.244 82.9402 98.5733C79.4805 99.4291 77.2226 99.7023 72.8341 99.8115C67.3532 99.9572 61.9451 99.4655 57.1014 98.4094C56.1727 98.2091 55.3898 98.0816 55.3351 98.1363C55.1166 98.3366 55.9542 101.123 56.6826 102.598C58.0119 105.329 59.5232 107.368 62.2182 110.063C65.0588 112.904 67.1711 114.47 70.4487 116.163C78.57 120.351 87.8931 120.916 97.453 117.766C107.541 114.47 114.952 108.516 118.94 100.503C121.598 95.1864 122.691 89.5051 122.29 83.0227C121.799 75.0288 118.849 67.1989 114.57 62.5738C113.896 61.8454 113.277 61.2627 113.186 61.2627C113.095 61.2627 113.022 61.4812 113.022 61.7361Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_683_2952" x1="5.5" y1="11" x2="141" y2="124.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#45ADC6"/>
+<stop offset="1" stop-color="#216778"/>
+</linearGradient>
+</defs>
 </svg>

packages/apps/ferretdb/templates/postgres.yaml

@@ -16,6 +16,10 @@ spec:
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
 
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
+
   {{- if .Values.users }}
   managed:
     roles:

packages/apps/http-cache/Makefile

@@ -14,7 +14,9 @@ image-nginx:
 		--metadata-file images/nginx-cache.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG))" > images/nginx-cache.tag
+	echo "$(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG))@$$(yq e '."containerimage.digest"' images/nginx-cache.json -o json -r)" \
+		> images/nginx-cache.tag
+	rm -f images/nginx-cache.json
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md

packages/apps/http-cache/images/nginx-cache.json

@@ -1,48 +0,0 @@
-{
-  "buildx.build.provenance": {
-    "buildType": "https://mobyproject.org/buildkit@v1",
-    "materials": [
-      {
-        "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64",
-        "digest": {
-          "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221"
-        }
-      }
-    ],
-    "invocation": {
-      "configSource": {
-        "entryPoint": "Dockerfile"
-      },
-      "parameters": {
-        "frontend": "dockerfile.v0",
-        "args": {
-          "build-arg:ARCH": "amd64"
-        },
-        "locals": [
-          {
-            "name": "context"
-          },
-          {
-            "name": "dockerfile"
-          }
-        ]
-      },
-      "environment": {
-        "platform": "linux/amd64"
-      }
-    }
-  },
-  "buildx.build.ref": "cozystack/cozystack0/7j4plhjjn8onm0o8q0omik63x",
-  "containerimage.config.digest": "sha256:f30f57d817c596f7a7d0ecfe734b7b41994eca9d36d43307206314ee37bdb286",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:f7d86b1a72a12b60434a12a604e9ddd3779d9fa605205c7968fe9495e764c94c",
-    "size": 1094,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:f7d86b1a72a12b60434a12a604e9ddd3779d9fa605205c7968fe9495e764c94c",
-  "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.10.1"
-}

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0
+ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0@sha256:f77d5b63f1ed9dfda4725696d9170130939219a2465260b6ba941947460de2da

packages/apps/http-cache/images/nginx.json

@@ -1,4 +0,0 @@
-{
-  "containerimage.config.digest": "sha256:b1916dbacb372ed89ea3f920f08ee68730be2edc016f2caa373a7bbfbad25845",
-  "containerimage.digest": "sha256:f77d5b63f1ed9dfda4725696d9170130939219a2465260b6ba941947460de2da"
-}

packages/apps/http-cache/logos/nginx.svg

@@ -1,2 +1,10 @@
-<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg width="800px" height="800px" viewBox="0 0 32 32" xmlns="http://www.w3.org/2000/svg"><title>file_type_nginx</title><path d="M15.948,2h.065a10.418,10.418,0,0,1,.972.528Q22.414,5.65,27.843,8.774a.792.792,0,0,1,.414.788c-.008,4.389,0,8.777-.005,13.164a.813.813,0,0,1-.356.507q-5.773,3.324-11.547,6.644a.587.587,0,0,1-.657.037Q9.912,26.6,4.143,23.274a.7.7,0,0,1-.4-.666q0-6.582,0-13.163a.693.693,0,0,1,.387-.67Q9.552,5.657,14.974,2.535c.322-.184.638-.379.974-.535" style="fill:#019639"/><path d="M8.767,10.538q0,5.429,0,10.859a1.509,1.509,0,0,0,.427,1.087,1.647,1.647,0,0,0,2.06.206,1.564,1.564,0,0,0,.685-1.293c0-2.62-.005-5.24,0-7.86q3.583,4.29,7.181,8.568a2.833,2.833,0,0,0,2.6.782,1.561,1.561,0,0,0,1.251-1.371q.008-5.541,0-11.081a1.582,1.582,0,0,0-3.152,0c0,2.662-.016,5.321,0,7.982-2.346-2.766-4.663-5.556-7-8.332A2.817,2.817,0,0,0,10.17,9.033,1.579,1.579,0,0,0,8.767,10.538Z" style="fill:#fff"/></svg>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_681_2825)"/>
+<path d="M26.0026 37.8588C26.0026 60.919 26.0026 83.9814 26.0026 107.046C25.973 108.323 26.1996 109.593 26.6692 110.783C27.1387 111.972 27.8418 113.056 28.7374 113.972C30.4539 115.659 32.7 116.709 35.1009 116.948C37.5019 117.187 39.9126 116.6 41.931 115.284C43.282 114.371 44.3881 113.143 45.1527 111.707C45.9174 110.271 46.3175 108.671 46.3181 107.046C46.3181 90.3528 46.2861 73.6597 46.3181 56.9666C61.6168 75.1889 76.9474 93.3856 92.31 111.557C94.4444 113.708 97.0875 115.291 99.997 116.162C102.906 117.032 105.989 117.162 108.962 116.539C111.061 116.128 112.973 115.057 114.415 113.485C115.857 111.913 116.754 109.921 116.974 107.804C117.009 84.2681 117.009 60.7343 116.974 37.2025C116.754 34.6907 115.595 32.3522 113.726 30.6486C111.858 28.945 109.415 28 106.881 28C104.346 28 101.903 28.945 100.035 30.6486C98.1663 32.3522 97.0074 34.6907 96.7869 37.2025C96.7869 54.1632 96.6844 71.1048 96.7869 88.0591C81.7616 70.4358 66.9219 52.6596 51.9543 34.9725C49.981 32.4554 47.3685 30.5073 44.3863 29.3291C41.4041 28.1509 38.1599 27.7852 34.9883 28.2698C32.5857 28.5359 30.3583 29.6493 28.7099 31.4084C27.0615 33.1675 26.101 35.4559 26.0026 37.8588Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_681_2825" x1="10" y1="15.5" x2="144" y2="131.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#00C54A"/>
+<stop offset="1" stop-color="#019639"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/http-cache/templates/nginx/deployment.yaml

@@ -52,7 +52,7 @@ spec:
       shareProcessNamespace: true
       containers:
       - name: nginx
-        image: "{{ $.Files.Get "images/nginx-cache.tag" | trim }}@{{ index ($.Files.Get "images/nginx-cache.json" | fromJson) "containerimage.digest" }}"
+        image: "{{ $.Files.Get "images/nginx-cache.tag" | trim }}"
         readinessProbe:
           httpGet:
             path: /healthz
@@ -81,7 +81,7 @@ spec:
         - mountPath: /run
           name: run
       - name: reloader
-        image: "{{ $.Files.Get "images/nginx-cache.tag" | trim }}@{{ index ($.Files.Get "images/nginx-cache.json" | fromJson) "containerimage.digest" }}"
+        image: "{{ $.Files.Get "images/nginx-cache.tag" | trim }}"
         command: ["/usr/bin/nginx-reloader.sh"]
         #command: ["sleep", "infinity"]
         volumeMounts:

packages/apps/kafka/logos/kafka.svg

@@ -1 +1,10 @@
-<svg width="154" height="250" viewBox="0 0 256 416" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid"><path d="M201.816 230.216c-16.186 0-30.697 7.171-40.634 18.461l-25.463-18.026c2.703-7.442 4.255-15.433 4.255-23.797 0-8.219-1.498-16.076-4.112-23.408l25.406-17.835c9.936 11.233 24.409 18.365 40.548 18.365 29.875 0 54.184-24.305 54.184-54.184 0-29.879-24.309-54.184-54.184-54.184-29.875 0-54.184 24.305-54.184 54.184 0 5.348.808 10.505 2.258 15.389l-25.423 17.844c-10.62-13.175-25.911-22.374-43.333-25.182v-30.64c24.544-5.155 43.037-26.962 43.037-53.019C124.171 24.305 99.862 0 69.987 0 40.112 0 15.803 24.305 15.803 54.184c0 25.708 18.014 47.246 42.067 52.769v31.038C25.044 143.753 0 172.401 0 206.854c0 34.621 25.292 63.374 58.355 68.94v32.774c-24.299 5.341-42.552 27.011-42.552 52.894 0 29.879 24.309 54.184 54.184 54.184 29.875 0 54.184-24.305 54.184-54.184 0-25.883-18.253-47.553-42.552-52.894v-32.775a69.965 69.965 0 0 0 42.6-24.776l25.633 18.143c-1.423 4.84-2.22 9.946-2.22 15.24 0 29.879 24.309 54.184 54.184 54.184 29.875 0 54.184-24.305 54.184-54.184 0-29.879-24.309-54.184-54.184-54.184zm0-126.695c14.487 0 26.27 11.788 26.27 26.271s-11.783 26.27-26.27 26.27-26.27-11.787-26.27-26.27c0-14.483 11.783-26.271 26.27-26.271zm-158.1-49.337c0-14.483 11.784-26.27 26.271-26.27s26.27 11.787 26.27 26.27c0 14.483-11.783 26.27-26.27 26.27s-26.271-11.787-26.271-26.27zm52.541 307.278c0 14.483-11.783 26.27-26.27 26.27s-26.271-11.787-26.271-26.27c0-14.483 11.784-26.27 26.271-26.27s26.27 11.787 26.27 26.27zm-26.272-117.97c-20.205 0-36.642-16.434-36.642-36.638 0-20.205 16.437-36.642 36.642-36.642 20.204 0 36.641 16.437 36.641 36.642 0 20.204-16.437 36.638-36.641 36.638zm131.831 67.179c-14.487 0-26.27-11.788-26.27-26.271s11.783-26.27 26.27-26.27 26.27 11.787 26.27 26.27c0 14.483-11.783 26.271-26.27 26.271z" style="fill:#231f20"/></svg>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_681_2820)"/>
+<path d="M91.0307 77.8185C86.8577 77.8185 83.1166 79.6818 80.5547 82.6154L73.9901 77.9315C74.6869 75.9978 75.087 73.9215 75.087 71.7482C75.087 69.6126 74.7008 67.5711 74.0269 65.666L80.5769 61.0318C83.1385 63.9505 86.8699 65.8037 91.0307 65.8037C98.7328 65.8037 105 59.4884 105 51.7247C105 43.961 98.7328 37.6457 91.0307 37.6457C83.3285 37.6457 77.0614 43.961 77.0614 51.7247C77.0614 53.1143 77.2697 54.4543 77.6435 55.7233L71.0891 60.3598C68.3512 56.9365 64.409 54.5463 59.9174 53.8166V45.8553C66.2451 44.5158 71.0128 38.8495 71.0128 32.079C71.0128 24.3153 64.7457 18 57.0435 18C49.3414 18 43.0742 24.3153 43.0742 32.079C43.0742 38.7589 47.7184 44.3552 53.9196 45.7903V53.8551C45.4567 55.3523 39 62.7961 39 71.7482C39 80.744 45.5206 88.2151 54.0446 89.6613V98.1772C47.7801 99.565 43.0742 105.196 43.0742 111.921C43.0742 119.685 49.3414 126 57.0435 126C64.7457 126 71.0128 119.685 71.0128 111.921C71.0128 105.196 66.307 99.565 60.0424 98.1772V89.6611C64.3569 88.9286 68.2601 86.6407 71.0252 83.2234L77.6337 87.9376C77.2669 89.1952 77.0614 90.5219 77.0614 91.8975C77.0614 99.6612 83.3285 105.976 91.0307 105.976C98.7328 105.976 105 99.6612 105 91.8975C105 84.1338 98.7328 77.8185 91.0307 77.8185ZM91.0307 44.8985C94.7656 44.8985 97.8034 47.9615 97.8034 51.7247C97.8034 55.4879 94.7656 58.5506 91.0307 58.5506C87.2958 58.5506 84.258 55.4879 84.258 51.7247C84.258 47.9615 87.2958 44.8985 91.0307 44.8985ZM50.2705 32.079C50.2705 28.3158 53.3086 25.2531 57.0435 25.2531C60.7785 25.2531 63.8163 28.3158 63.8163 32.079C63.8163 35.8422 60.7785 38.9049 57.0435 38.9049C53.3086 38.9049 50.2705 35.8422 50.2705 32.079ZM63.8163 111.921C63.8163 115.684 60.7785 118.747 57.0435 118.747C53.3086 118.747 50.2705 115.684 50.2705 111.921C50.2705 108.158 53.3086 105.095 57.0435 105.095C60.7785 105.095 63.8163 108.158 63.8163 111.921ZM57.043 81.2681C51.8339 81.2681 47.5962 76.998 47.5962 71.7482C47.5962 66.4982 51.8339 62.2273 57.043 62.2273C62.2519 62.2273 66.4895 66.4982 66.4895 71.7482C66.4895 76.998 62.2519 81.2681 57.043 81.2681ZM91.0307 98.7237C87.2958 98.7237 84.258 95.6607 84.258 91.8975C84.258 88.1343 87.2958 85.0716 91.0307 85.0716C94.7656 85.0716 97.8034 88.1343 97.8034 91.8975C97.8034 95.6607 94.7656 98.7237 91.0307 98.7237Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_681_2820" x1="140" y1="130.5" x2="4" y2="9.49999" gradientUnits="userSpaceOnUse">
+<stop/>
+<stop offset="1" stop-color="#434141"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/kafka/templates/kafka.yaml

@@ -65,3 +65,8 @@ spec:
   entityOperator:
     topicOperator: {}
     userOperator: {}
+    template:
+      pod:
+        metadata:
+         labels:
+           policy.cozystack.io/allow-to-apiserver: "true"

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.8.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/Makefile

@@ -17,4 +17,6 @@ image-ubuntu-container-disk:
 		--metadata-file images/ubuntu-container-disk.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG))" > images/ubuntu-container-disk.tag
+	echo "$(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG))@$$(yq e '."containerimage.digest"' images/ubuntu-container-disk.json -o json -r)" \
+		> images/ubuntu-container-disk.tag
+	rm -f images/ubuntu-container-disk.json

packages/apps/kubernetes/images/ubuntu-container-disk.json

@@ -1,48 +0,0 @@
-{
-  "buildx.build.provenance": {
-    "buildType": "https://mobyproject.org/buildkit@v1",
-    "materials": [
-      {
-        "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64",
-        "digest": {
-          "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221"
-        }
-      }
-    ],
-    "invocation": {
-      "configSource": {
-        "entryPoint": "Dockerfile"
-      },
-      "parameters": {
-        "frontend": "dockerfile.v0",
-        "args": {
-          "build-arg:ARCH": "amd64"
-        },
-        "locals": [
-          {
-            "name": "context"
-          },
-          {
-            "name": "dockerfile"
-          }
-        ]
-      },
-      "environment": {
-        "platform": "linux/amd64"
-      }
-    }
-  },
-  "buildx.build.ref": "cozystack/cozystack0/xkanpm0dojuj7v0lo951qocfb",
-  "containerimage.config.digest": "sha256:c144c5f12a47af7880ee5f056b14177c07b585b8ab1e68b7e7900e1c923083cf",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805",
-    "size": 506,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805",
-  "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1-v0.10.1"
-}

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805

packages/apps/kubernetes/templates/cluster.yaml

@@ -45,7 +45,7 @@ spec:
           volumes:
           - name: system
             containerDisk:
-              image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
+              image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}"
           - name: ephemeral
             emptyDisk:
               capacity: {{ .group.ephemeralStorage | default "20Gi" }}

packages/apps/kubernetes/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-admin-kubeconfig
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/kubernetes/templates/ingress.yaml

@@ -7,16 +7,14 @@ kind: Ingress
 metadata:
   name: {{ .Release.Name }}-ingress-nginx
   annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: "AUTO_HTTP"
+    nginx.ingress.kubernetes.io/backend-protocol: AUTO_HTTP
     nginx.ingress.kubernetes.io/configuration-snippet: |
-      set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-80";
-      if ($scheme = https) {
-        set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-443";
-        set $service_port 443;
+      if ($scheme = http) {
+        set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-80";
+        set $proxy_host $proxy_upstream_name;
       }
-      set $proxy_host $proxy_upstream_name;
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
 spec:
   ingressClassName: "{{ $ingress }}"
   rules:
@@ -30,14 +28,14 @@ spec:
           service:
             name: {{ $.Release.Name }}-ingress-nginx
             port:
-              number: 80
+              number: 443
       - path: /
         pathType: ImplementationSpecific
         backend:
           service:
             name: {{ $.Release.Name }}-ingress-nginx
             port:
-              number: 443
+              number: 80
   {{- end }}
 ---
 apiVersion: v1

packages/apps/mysql/logos/mariadb.svg

@@ -1,12 +1,12 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg width="800px" height="800px" viewBox="0 -43 256 256" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" preserveAspectRatio="xMidYMid">
-    <g>
-        <path d="M250.382523,0.00447241672 C246.426131,0.130891567 247.677353,1.27087056 239.128415,3.37469592 C230.495553,5.49917829 219.950359,4.84773528 210.654095,8.74649903 C182.903099,20.3847485 177.335232,60.1626339 152.106938,74.4118517 C133.249415,85.0635193 114.223916,85.9130759 97.1188786,91.2730771 C85.8778244,94.7980074 73.5811418,102.026905 63.3964279,110.803626 C55.49096,117.618586 55.2845466,123.610697 47.0245784,132.158212 C38.1894743,141.300822 11.9101646,132.312705 0,146.305625 C3.83670733,150.185042 5.51875114,151.271649 13.0796841,150.265122 C11.5142932,153.232113 2.28663486,155.732479 4.09296236,160.097129 C5.99360595,164.689675 28.3022154,167.802917 48.5816837,155.559279 C58.0261053,149.857249 65.5486285,141.638595 80.2576532,139.676806 C99.2917078,137.139881 121.218611,141.30404 143.253683,144.481588 C139.986431,154.22355 133.426672,160.702176 128.172006,168.461009 C126.544787,170.213508 131.440311,170.409956 137.025262,169.350783 C147.071883,166.866533 154.312169,164.86632 161.894457,160.453039 C171.209327,155.030397 172.62088,141.127864 184.04984,138.119701 C190.417778,147.907219 207.737102,150.219223 218.48411,142.390618 C209.053925,139.721295 206.447626,119.648695 209.630855,110.803626 C212.646122,102.431204 215.625486,89.0383196 218.662065,77.9709494 C221.922199,66.0849867 223.124932,51.1038191 227.070434,45.0492956 C233.00651,35.9401552 239.565643,32.81205 245.260156,27.675489 C250.954656,22.538928 256.166954,17.538894 255.995904,5.78538669 C255.940809,1.99964564 253.983391,-0.11060033 250.382523,0.00447241672 L250.382523,0.00447241672 Z" fill="#002B64">
-
-</path>
-        <path d="M241.905484,6.96809574 C242.853676,10.2001831 244.337002,11.6835082 250.750076,12.2768382 C249.813239,20.407447 244.389521,24.8545834 238.308598,29.1214497 C232.957272,32.8744751 227.094944,36.4883945 223.327724,42.3507224 C219.46824,48.3564147 217.01827,68.9100487 211.033869,89.2081817 C205.861394,106.746904 198.050161,124.088323 184.409248,131.686638 C182.98412,128.099688 184.590937,121.479374 181.756296,119.303358 C179.922367,124.53403 177.848551,129.524816 175.419872,134.163578 C167.415594,149.462409 155.564607,160.917369 135.760443,164.414894 C145.157201,151.699462 154.142319,138.568131 154.336783,116.651825 C147.723566,118.082631 147.864092,133.703676 141.069185,137.879698 C136.712894,138.353794 132.299824,138.350955 127.858366,138.084099 C109.618435,136.991122 90.9072468,131.509207 73.84404,136.984025 C62.2258429,140.71292 52.7240456,149.509251 42.8858386,153.776117 C31.323,158.791033 22.5664139,160.853494 8.16751449,158.791033 C6.33926307,156.328288 18.7055102,153.150139 17.9659769,147.803072 C12.3307609,147.179933 9.058929,148.545444 4.16040754,146.319747 C4.70121793,145.323293 5.49610985,144.492915 6.49682201,143.801643 C15.4748424,137.587291 40.9766785,142.333932 47.8013935,135.632709 C52.0143206,131.499271 54.7779895,127.172788 57.6396004,122.966958 C60.4146249,118.886039 63.2833331,114.918677 67.6538192,111.343083 C69.2677337,110.022994 71.0221737,108.71852 72.8844919,107.445273 C80.3323453,102.348029 89.5459944,97.7248808 98.6134401,94.5382159 C110.965493,90.1961188 123.482202,89.8384174 136.647599,84.8078871 C144.781047,81.6992919 153.625639,77.8596801 160.835025,72.4870623 C162.546881,71.2095575 164.166473,69.8483051 165.663993,68.3891106 C186.250274,48.3209285 190.331193,12.9212684 222.449085,9.62246697 C226.3327,9.22360156 229.512267,9.3527715 232.406525,9.26476561 C235.742233,9.16540412 238.694688,8.77789431 241.905484,6.96809574 Z M202.75118,120.267107 C203.134432,126.40197 206.695831,138.573752 209.839913,141.531886 C203.682339,143.029405 193.074791,140.555304 190.353705,136.211788 C191.751863,129.940658 199.027963,124.2075 202.75118,120.267107 Z" fill="#C49A6C" fill-rule="nonzero">
-
-</path>
-        <path d="M244.218787,13.8370641 C242.980829,16.4335799 240.610981,19.7812981 240.610981,26.3910072 C240.60081,27.5258023 239.749351,28.3031588 239.734821,26.5537435 C239.798753,20.0936937 241.508937,17.3010225 243.32519,13.6307377 C244.169385,12.12688 244.677936,12.7473121 244.218787,13.8370641 Z M242.972111,12.8591933 C241.511843,15.3365629 237.995576,19.8554012 237.414375,26.4404093 C237.306853,27.5693924 236.388555,28.2682867 236.528044,26.5232305 C237.161553,20.0951467 239.97166,16.0717822 242.104668,12.5744048 C243.072368,11.1519152 243.527158,11.8144844 242.972111,12.8591933 Z M241.835862,11.5631149 C240.172174,13.9082613 234.759739,19.3352263 233.62785,25.8490372 C233.42443,26.9634903 232.450918,27.5853754 232.73716,25.8577553 C233.90828,19.5037746 238.573871,14.5098044 240.993121,11.2071293 C242.077061,9.86891382 242.473731,10.5678081 241.835862,11.5631149 Z M240.821667,10.1173773 L240.274318,10.6995682 C237.854262,13.2941372 232.232203,19.6224619 230.358594,25.4145894 C229.99825,26.4898114 228.947729,26.9693023 229.475169,25.2983492 C231.526809,19.17249 237.177536,12.5744048 240.037045,9.64515141 C241.299704,8.47257825 241.593211,9.22087463 240.821667,10.1173773 Z M211.771784,23.2321794 C213.025725,17.8458985 217.214732,15.391777 224.446326,15.9904141 C226.191383,24.0298779 216.425752,27.2729799 211.771784,23.2321794 Z" fill="#002B64">
-
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="-0.00195312" width="144" height="144" rx="24" fill="url(#paint0_linear_683_2930)"/>
+<path d="M133.191 29.0022C131.213 29.0654 131.839 29.6354 127.564 30.6873C123.248 31.7496 117.975 31.4239 113.327 33.3733C99.4516 39.1924 96.6676 59.0813 84.0535 66.2059C74.6247 71.5318 65.112 71.9565 56.5594 74.6365C50.9389 76.399 44.7906 80.0135 39.6982 84.4018C35.7455 87.8093 35.6423 90.8054 31.5123 95.0791C27.0947 99.6504 13.9551 95.1564 8 102.153C9.91835 104.093 10.7594 104.636 14.5398 104.133C13.7571 105.616 9.14332 106.866 10.0465 109.049C10.9968 111.345 22.1511 112.901 32.2908 106.78C37.0131 103.929 40.7743 99.8193 48.1288 98.8384C57.6459 97.5699 68.6093 99.652 79.6268 101.241C77.9932 106.112 74.7133 109.351 72.086 113.231C71.2724 114.107 73.7202 114.205 76.5126 113.675C81.5359 112.433 85.1561 111.433 88.9472 109.227C93.6047 106.515 94.3104 99.5639 100.025 98.0599C103.209 102.954 111.869 104.11 117.242 100.195C112.527 98.8607 111.224 88.8244 112.815 84.4018C114.323 80.2156 115.813 73.5192 117.331 67.9855C118.961 62.0425 119.562 54.5519 121.535 51.5247C124.503 46.9701 127.783 45.406 130.63 42.8377C133.477 40.2695 136.083 37.7694 135.998 31.8927C135.97 29.9998 134.992 28.9447 133.191 29.0022Z" fill="#04244E"/>
+<path d="M128.953 32.4844C129.427 34.1004 130.168 34.8421 133.375 35.1387C132.906 39.2041 130.195 41.4276 127.154 43.5611C124.479 45.4376 121.547 47.2445 119.664 50.1757C117.734 53.1785 116.509 63.4554 113.517 73.6044C110.931 82.3738 107.025 91.0445 100.204 94.8437C99.4919 93.0502 100.295 89.74 98.878 88.652C97.9611 91.2674 96.9242 93.7627 95.7098 96.0821C91.7077 103.732 85.7822 109.459 75.8801 111.208C80.5785 104.85 85.071 98.2844 85.1683 87.3262C81.8617 88.0417 81.9319 95.8522 78.5345 97.9402C76.3563 98.1772 74.1498 98.1758 71.9291 98.0424C62.8091 97.4959 53.4535 94.7549 44.9219 97.4923C39.1128 99.3568 34.3619 103.755 29.4428 105.888C23.6614 108.396 19.2831 109.427 12.0836 108.396C11.1695 107.164 17.3526 105.575 16.9829 102.902C14.1653 102.59 12.5293 103.273 10.0801 102.16C10.3505 101.662 10.7479 101.247 11.2483 100.901C15.7373 97.794 28.4882 100.167 31.9006 96.8167C34.007 94.75 35.3889 92.5867 36.8197 90.4838C38.2072 88.4434 39.6415 86.4597 41.8268 84.6719C42.6337 84.0118 43.511 83.3596 44.4421 82.723C48.166 80.1743 52.7729 77.8628 57.3066 76.2694C63.4826 74.0984 69.741 73.9195 76.3237 71.4043C80.3904 69.85 84.8127 67.9302 88.4174 65.2439C89.2733 64.6051 90.0831 63.9245 90.8319 63.1949C101.125 53.1608 103.165 35.461 119.224 33.8116C121.166 33.6121 122.756 33.6767 124.203 33.6327C125.871 33.583 127.347 33.3893 128.953 32.4844ZM109.375 89.1339C109.567 92.2013 111.348 98.2872 112.92 99.7663C109.841 100.515 104.537 99.278 103.177 97.1062C103.876 93.9707 107.514 91.1041 109.375 89.1339Z" fill="white"/>
+<path d="M130.109 35.9187C129.49 37.2169 128.305 38.8908 128.305 42.1956C128.3 42.763 127.875 43.1517 127.867 42.277C127.899 39.047 128.754 37.6507 129.662 35.8155C130.085 35.0636 130.339 35.3738 130.109 35.9187ZM129.486 35.4297C128.756 36.6684 126.998 38.9278 126.707 42.2203C126.653 42.7848 126.194 43.1343 126.264 42.2618C126.581 39.0477 127.986 37.036 129.052 35.2873C129.536 34.5761 129.763 34.9074 129.486 35.4297ZM128.918 34.7817C128.086 35.9543 125.38 38.6678 124.814 41.9247C124.712 42.4819 124.225 42.7928 124.368 41.929C124.954 38.752 127.287 36.255 128.496 34.6037C129.038 33.9346 129.237 34.284 128.918 34.7817ZM128.411 34.0588L128.137 34.3499C126.927 35.6472 124.116 38.8114 123.179 41.7074C122.999 42.245 122.474 42.4848 122.737 41.6493C123.763 38.5864 126.589 35.2873 128.018 33.8227C128.65 33.2364 128.796 33.6106 128.411 34.0588ZM113.886 40.6162C114.513 37.9231 116.607 36.696 120.223 36.9953C121.096 41.0151 116.213 42.6366 113.886 40.6162Z" fill="#04244E"/>
+<defs>
+<linearGradient id="paint0_linear_683_2930" x1="140.5" y1="141" x2="5.99999" y2="-5.50228e-06" gradientUnits="userSpaceOnUse">
+<stop stop-color="#C49A6C"/>
+<stop offset="1" stop-color="#E7BF93"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/nats/logos/nats.svg

@@ -1,76 +1,12 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Generator: Adobe Illustrator 24.3.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-
-<svg
-   version="1.0"
-   id="katman_1"
-   x="0px"
-   y="0px"
-   viewBox="0 0 440.79001 456.32996"
-   xml:space="preserve"
-   sodipodi:docname="NATS.io.svg"
-   width="440.79001"
-   height="456.32999"
-   inkscape:version="1.1.1 (c3084ef, 2021-09-22)"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg"><defs
-   id="defs843" /><sodipodi:namedview
-   id="namedview841"
-   pagecolor="#ffffff"
-   bordercolor="#666666"
-   borderopacity="1.0"
-   inkscape:pageshadow="2"
-   inkscape:pageopacity="0.0"
-   inkscape:pagecheckerboard="0"
-   showgrid="false"
-   width="440.79px"
-   height="456.32999px"
-   inkscape:zoom="0.27371294"
-   inkscape:cx="524.2719"
-   inkscape:cy="823.85584"
-   inkscape:window-width="1312"
-   inkscape:window-height="969"
-   inkscape:window-x="0"
-   inkscape:window-y="25"
-   inkscape:window-maximized="0"
-   inkscape:current-layer="katman_1" />
-<style
-   type="text/css"
-   id="style824">
-	.st0{fill:#32A574;}
-	.st1{fill:#2AAAE1;}
-	.st2{fill:#8EC044;}
-	.st3{fill:#385C93;}
-	.st4{fill:#FFFFFF;}
-</style>
-<path
-   class="st0"
-   d="M 220.4,0 H 440.79 V 178.67 H 220.4 Z"
-   id="path826" />
-<path
-   class="st1"
-   d="M 0,0 H 220.39 V 178.67 H 0 Z"
-   id="path828" />
-<path
-   class="st2"
-   d="M 220.4,178.83 H 440.79 V 357.5 H 220.4 Z"
-   id="path830" />
-<path
-   class="st3"
-   d="M 0,178.83 H 220.39 V 357.5 H 0 Z"
-   id="path832" />
-<path
-   class="st2"
-   d="m 188,356.52 107.82,99.81 v -99.81 z"
-   id="path834" />
-<path
-   class="st3"
-   d="m 220.4,356.52 1.15,31.41 -34.52,-32.23 z"
-   id="path836" />
-<path
-   class="st4"
-   d="M 311.7,231.03 V 83.12 h 52.69 V 274.39 H 284.54 L 123.37,123.86 V 274.55 H 70.52 V 83.12 h 82.63 z"
-   id="path838" />
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_681_2821)"/>
+<rect width="144" height="144" rx="24" fill="black" fill-opacity="0.3"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M117.48 25H27V98.9693H66.0689L87.7075 119V98.9693H117.48V25Z" fill="white"/>
+<path d="M92.1352 72.4552V42.625H102.773V81.1999H86.6519L54.114 50.8414V81.2322H43.4443V42.625H60.1262L92.1352 72.4552Z" fill="black"/>
+<defs>
+<linearGradient id="paint0_linear_681_2821" x1="10" y1="15.5" x2="144" y2="131.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#385C93"/>
+<stop offset="1" stop-color="#32A574"/>
+</linearGradient>
+</defs>
 </svg>

packages/apps/postgres/README.md

@@ -6,7 +6,7 @@ PostgreSQL is currently the leading choice among relational databases, known for
 
 This managed service is controlled by the CloudNativePG operator, ensuring efficient management and seamless operation.
 
-- Docs: https://cloudnative-pg.io/documentation/
+- Docs: https://cloudnative-pg.io/docs/
 - Github: https://github.com/cloudnative-pg/cloudnative-pg
 
 ## HowTos

packages/apps/postgres/logos/postgres.svg

@@ -1,22 +1,20 @@
-<?xml version="1.0"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
-  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-
-<svg width="432.071pt" height="445.383pt" viewBox="0 0 432.071 445.383" xml:space="preserve" xmlns="http://www.w3.org/2000/svg">
-<g id="orginal" style="fill-rule:nonzero;clip-rule:nonzero;stroke:#000000;stroke-miterlimit:4;">
-	</g>
-<g id="Layer_x0020_3" style="fill-rule:nonzero;clip-rule:nonzero;fill:none;stroke:#FFFFFF;stroke-width:12.4651;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;">
-<path style="fill:#000000;stroke:#000000;stroke-width:37.3953;stroke-linecap:butt;stroke-linejoin:miter;" d="M323.205,324.227c2.833-23.601,1.984-27.062,19.563-23.239l4.463,0.392c13.517,0.615,31.199-2.174,41.587-7c22.362-10.376,35.622-27.7,13.572-23.148c-50.297,10.376-53.755-6.655-53.755-6.655c53.111-78.803,75.313-178.836,56.149-203.322    C352.514-5.534,262.036,26.049,260.522,26.869l-0.482,0.089c-9.938-2.062-21.06-3.294-33.554-3.496c-22.761-0.374-40.032,5.967-53.133,15.904c0,0-161.408-66.498-153.899,83.628c1.597,31.936,45.777,241.655,98.47,178.31    c19.259-23.163,37.871-42.748,37.871-42.748c9.242,6.14,20.307,9.272,31.912,8.147l0.897-0.765c-0.281,2.876-0.157,5.689,0.359,9.019c-13.572,15.167-9.584,17.83-36.723,23.416c-27.457,5.659-11.326,15.734-0.797,18.367c12.768,3.193,42.305,7.716,62.268-20.224    l-0.795,3.188c5.325,4.26,4.965,30.619,5.72,49.452c0.756,18.834,2.017,36.409,5.856,46.771c3.839,10.36,8.369,37.05,44.036,29.406c29.809-6.388,52.6-15.582,54.677-101.107"/>
-<path style="fill:#336791;stroke:none;" d="M402.395,271.23c-50.302,10.376-53.76-6.655-53.76-6.655c53.111-78.808,75.313-178.843,56.153-203.326c-52.27-66.785-142.752-35.2-144.262-34.38l-0.486,0.087c-9.938-2.063-21.06-3.292-33.56-3.496c-22.761-0.373-40.026,5.967-53.127,15.902    c0,0-161.411-66.495-153.904,83.63c1.597,31.938,45.776,241.657,98.471,178.312c19.26-23.163,37.869-42.748,37.869-42.748c9.243,6.14,20.308,9.272,31.908,8.147l0.901-0.765c-0.28,2.876-0.152,5.689,0.361,9.019c-13.575,15.167-9.586,17.83-36.723,23.416    c-27.459,5.659-11.328,15.734-0.796,18.367c12.768,3.193,42.307,7.716,62.266-20.224l-0.796,3.188c5.319,4.26,9.054,27.711,8.428,48.969c-0.626,21.259-1.044,35.854,3.147,47.254c4.191,11.4,8.368,37.05,44.042,29.406c29.809-6.388,45.256-22.942,47.405-50.555    c1.525-19.631,4.976-16.729,5.194-34.28l2.768-8.309c3.192-26.611,0.507-35.196,18.872-31.203l4.463,0.392c13.517,0.615,31.208-2.174,41.591-7c22.358-10.376,35.618-27.7,13.573-23.148z"/>
-<path d="M215.866,286.484c-1.385,49.516,0.348,99.377,5.193,111.495c4.848,12.118,15.223,35.688,50.9,28.045c29.806-6.39,40.651-18.756,45.357-46.051c3.466-20.082,10.148-75.854,11.005-87.281"/>
-<path d="M173.104,38.256c0,0-161.521-66.016-154.012,84.109c1.597,31.938,45.779,241.664,98.473,178.316c19.256-23.166,36.671-41.335,36.671-41.335"/>
-<path d="M260.349,26.207c-5.591,1.753,89.848-34.889,144.087,34.417c19.159,24.484-3.043,124.519-56.153,203.329"/>
-<path style="stroke-linejoin:bevel;" d="M348.282,263.953c0,0,3.461,17.036,53.764,6.653c22.04-4.552,8.776,12.774-13.577,23.155c-18.345,8.514-59.474,10.696-60.146-1.069c-1.729-30.355,21.647-21.133,19.96-28.739c-1.525-6.85-11.979-13.573-18.894-30.338    c-6.037-14.633-82.796-126.849,21.287-110.183c3.813-0.789-27.146-99.002-124.553-100.599c-97.385-1.597-94.19,119.762-94.19,119.762"/>
-<path d="M188.604,274.334c-13.577,15.166-9.584,17.829-36.723,23.417c-27.459,5.66-11.326,15.733-0.797,18.365c12.768,3.195,42.307,7.718,62.266-20.229c6.078-8.509-0.036-22.086-8.385-25.547c-4.034-1.671-9.428-3.765-16.361,3.994z"/>
-<path d="M187.715,274.069c-1.368-8.917,2.93-19.528,7.536-31.942c6.922-18.626,22.893-37.255,10.117-96.339c-9.523-44.029-73.396-9.163-73.436-3.193c-0.039,5.968,2.889,30.26-1.067,58.548c-5.162,36.913,23.488,68.132,56.479,64.938"/>
-<path style="fill:#FFFFFF;stroke-width:4.155;stroke-linecap:butt;stroke-linejoin:miter;" d="M172.517,141.7c-0.288,2.039,3.733,7.48,8.976,8.207c5.234,0.73,9.714-3.522,9.998-5.559c0.284-2.039-3.732-4.285-8.977-5.015c-5.237-0.731-9.719,0.333-9.996,2.367z"/>
-<path style="fill:#FFFFFF;stroke-width:2.0775;stroke-linecap:butt;stroke-linejoin:miter;" d="M331.941,137.543c0.284,2.039-3.732,7.48-8.976,8.207c-5.238,0.73-9.718-3.522-10.005-5.559c-0.277-2.039,3.74-4.285,8.979-5.015c5.239-0.73,9.718,0.333,10.002,2.368z"/>
-<path d="M350.676,123.432c0.863,15.994-3.445,26.888-3.988,43.914c-0.804,24.748,11.799,53.074-7.191,81.435"/>
-<path style="stroke-width:3;" d="M0,60.232"/>
-</g>
-</svg>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_683_2849)"/>
+<path d="M94.481 93.3049C95.0718 88.3477 94.8948 87.6208 98.5612 88.4238L99.492 88.5061C102.311 88.6353 105.999 88.0495 108.166 87.0358C112.83 84.8564 115.595 81.2176 110.996 82.1738C100.506 84.3532 99.7849 80.7759 99.7849 80.7759C110.862 64.224 115.493 43.2128 111.496 38.0697C100.594 24.0412 81.7231 30.675 81.4073 30.8472L81.3068 30.8659C79.234 30.4328 76.9143 30.174 74.3085 30.1316C69.5613 30.053 65.9591 31.3849 63.2266 33.4721C63.2266 33.4721 29.5621 19.5047 31.1282 51.0375C31.4613 57.7454 40.6758 101.795 51.6659 88.4901C55.6827 83.6249 59.5646 79.5113 59.5646 79.5113C61.4922 80.8009 63.8 81.4588 66.2204 81.2225L66.4075 81.0618C66.3489 81.6659 66.3747 82.2567 66.4824 82.9562C63.6517 86.1419 64.4835 86.7012 58.8231 87.8745C53.0965 89.0631 56.4609 91.1793 58.6569 91.7324C61.3199 92.403 67.4804 93.353 71.644 87.4845L71.4782 88.1541C72.5888 89.0489 72.5137 94.5854 72.6712 98.5411C72.8289 102.497 73.0919 106.189 73.8926 108.365C74.6933 110.541 75.6381 116.147 83.0771 114.541C89.2943 113.2 94.0478 111.269 94.481 93.3049Z" fill="black" stroke="black" stroke-width="6"/>
+<path d="M110.998 82.1727C100.506 84.3521 99.7849 80.7748 99.7849 80.7748C110.862 64.2218 115.493 43.2102 111.497 38.0678C100.595 24.0401 81.7231 30.6743 81.4082 30.8465L81.3068 30.8648C79.2341 30.4315 76.9144 30.1733 74.3073 30.1305C69.56 30.0521 65.9591 31.3838 63.2267 33.4706C63.2267 33.4706 29.5615 19.5038 31.1272 51.0364C31.4603 57.7447 40.6746 101.795 51.6651 88.4895C55.6821 83.6243 59.5634 79.5106 59.5634 79.5106C61.4912 80.8002 63.799 81.4581 66.2184 81.2218L66.4063 81.0611C66.3479 81.6652 66.3746 82.256 66.4816 82.9555C63.6503 86.1412 64.4822 86.7005 58.8223 87.8738C53.0953 89.0625 56.4597 91.1786 58.6563 91.7317C61.3193 92.4023 67.4802 93.3524 71.643 87.4838L71.477 88.1534C72.5864 89.0482 73.3654 93.9739 73.2348 98.439C73.1042 102.904 73.0171 105.97 73.8912 108.364C74.7653 110.759 75.6365 116.146 83.0769 114.541C89.2941 113.199 92.5159 109.722 92.9641 103.922C93.2822 99.7988 94.0019 100.408 94.0474 96.7219L94.6247 94.9766C95.2905 89.3872 94.7305 87.584 98.5608 88.4227L99.4917 88.505C102.311 88.6342 106.001 88.0484 108.166 87.0347C112.829 84.8553 115.595 81.2166 110.997 82.1727H110.998Z" fill="#336791"/>
+<path d="M72.0933 85.377C71.8045 95.7774 72.1659 106.25 73.1764 108.796C74.1876 111.341 76.3514 116.292 83.7925 114.686C90.0091 113.344 92.271 110.747 93.2526 105.014C93.9755 100.796 95.3691 89.081 95.5479 86.6809" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M63.175 33.2393C63.175 33.2393 29.4868 19.3732 31.053 50.9058C31.386 57.6141 40.601 101.665 51.5913 88.3597C55.6075 83.4938 59.2397 79.6776 59.2397 79.6776" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M81.3713 30.7078C80.2052 31.076 100.111 23.3796 111.423 37.9368C115.419 43.0795 110.789 64.0911 99.7115 80.6445" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M99.711 80.6448C99.711 80.6448 100.433 84.223 110.924 82.0422C115.521 81.0861 112.755 84.7252 108.093 86.9057C104.267 88.694 95.6883 89.1523 95.5482 86.6812C95.1876 80.3053 100.063 82.2423 99.711 80.6448ZM99.711 80.6448C99.3929 79.206 97.2128 77.7939 95.7705 74.2725C94.5114 71.199 78.5019 47.6289 100.21 51.1294C101.006 50.9637 94.5485 30.3348 74.2325 29.9994C53.9211 29.6639 54.5875 55.1545 54.5875 55.1545" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="bevel"/>
+<path d="M66.4077 82.8253C63.576 86.0108 64.4088 86.5702 58.7485 87.7439C53.0214 88.9327 56.3862 91.0485 58.5822 91.6013C61.2452 92.2724 67.4061 93.2224 71.5689 87.3524C72.8366 85.5651 71.5614 82.7134 69.8201 81.9864C68.9787 81.6354 67.8537 81.1956 66.4077 82.8253Z" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M66.2225 82.7691C65.9372 80.8961 66.8336 78.6674 67.7943 76.0599C69.238 72.1477 72.569 68.2348 69.9044 55.8246C67.9182 46.5767 54.5963 53.9 54.588 55.154C54.5798 56.4075 55.1905 61.5099 54.3654 67.4515C53.2888 75.2048 59.2643 81.7621 66.1451 81.0913" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M63.0528 54.9665C62.9928 55.3948 63.8314 56.5377 64.9249 56.6904C66.0166 56.8437 66.951 55.9506 67.0102 55.5227C67.0694 55.0945 66.2318 54.6227 65.1379 54.4694C64.0456 54.3158 63.1108 54.5393 63.0531 54.9665H63.0528Z" fill="white" stroke="white" stroke-width="2"/>
+<path d="M96.3034 54.0924C96.3627 54.5207 95.5251 55.6635 94.4313 55.8162C93.3389 55.9696 92.4045 55.0765 92.3446 54.6486C92.2868 54.2203 93.1247 53.7486 94.2173 53.5953C95.31 53.4419 96.2442 53.6652 96.3034 54.0926V54.0924Z" fill="white" stroke="white"/>
+<path d="M100.21 51.1289C100.39 54.4883 99.492 56.7765 99.3787 60.3527C99.211 65.5508 101.84 71.5005 97.8789 77.4575" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+<defs>
+<linearGradient id="paint0_linear_683_2849" x1="140" y1="130.5" x2="4" y2="9.49999" gradientUnits="userSpaceOnUse">
+<stop stop-color="#002C4C"/>
+<stop offset="1" stop-color="#00477B"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/postgres/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - postgres-service-r
+  - postgres-service-ro
+  - postgres-service-rw
+  verbs: ["get", "list", "watch"]

packages/apps/postgres/templates/db.yaml

@@ -19,3 +19,7 @@ spec:
 
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"

packages/apps/rabbitmq/logos/rabbitmq.svg

@@ -1,2 +1,10 @@
-<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg width="800px" height="800px" viewBox="-7.5 0 271 271" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid"><path d="M245.44 108.308h-85.09a7.738 7.738 0 0 1-7.735-7.734v-88.68C152.615 5.327 147.29 0 140.726 0h-30.375c-6.568 0-11.89 5.327-11.89 11.894v88.143c0 4.573-3.697 8.29-8.27 8.31l-27.885.133c-4.612.025-8.359-3.717-8.35-8.325l.173-88.241C54.144 5.337 48.817 0 42.24 0H11.89C5.321 0 0 5.327 0 11.894V260.21c0 5.834 4.726 10.56 10.555 10.56H245.44c5.834 0 10.56-4.726 10.56-10.56V118.868c0-5.834-4.726-10.56-10.56-10.56zm-39.902 93.233c0 7.645-6.198 13.844-13.843 13.844H167.69c-7.646 0-13.844-6.199-13.844-13.844v-24.005c0-7.646 6.198-13.844 13.844-13.844h24.005c7.645 0 13.843 6.198 13.843 13.844v24.005z" fill="#F60"/></svg>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="-0.00195312" width="144" height="144" rx="24" fill="url(#paint0_linear_683_2972)"/>
+<path d="M111.411 62.8H82.4939C81.7969 62.7997 81.1285 62.5228 80.6356 62.0301C80.1427 61.5373 79.8656 60.8691 79.8653 60.1722V30.0412C79.8653 27.81 78.0556 26 75.8249 26H65.5021C63.27 26 61.4614 27.81 61.4614 30.0412V59.9898C61.4614 61.5435 60.205 62.8065 58.6508 62.8133L49.1743 62.8584C47.6069 62.8669 46.3336 61.5955 46.3366 60.0298L46.3954 30.048C46.4005 27.8134 44.5902 26 42.355 26H32.0407C29.8083 26 28 27.81 28 30.0412V114.412C28 116.394 29.6061 118 31.5871 118H111.411C113.394 118 115 116.394 115 114.412V66.388C115 64.4058 113.394 62.8 111.411 62.8ZM97.8508 94.4779C97.8508 97.0755 95.7445 99.1817 93.1464 99.1817H84.9884C82.39 99.1817 80.2836 97.0755 80.2836 94.4779V86.3217C80.2836 83.7238 82.39 81.6179 84.9884 81.6179H93.1464C95.7445 81.6179 97.8508 83.7238 97.8508 86.3217V94.4779Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_683_2972" x1="5" y1="-7.5" x2="141" y2="124.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FF822F"/>
+<stop offset="1" stop-color="#FF6600"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/redis/logos/redis.svg

@@ -1,2 +1,18 @@
-<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg width="800px" height="800px" viewBox="0 -18 256 256" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMinYMin meet"><path d="M245.97 168.943c-13.662 7.121-84.434 36.22-99.501 44.075-15.067 7.856-23.437 7.78-35.34 2.09-11.902-5.69-87.216-36.112-100.783-42.597C3.566 169.271 0 166.535 0 163.951v-25.876s98.05-21.345 113.879-27.024c15.828-5.679 21.32-5.884 34.79-.95 13.472 4.936 94.018 19.468 107.331 24.344l-.006 25.51c.002 2.558-3.07 5.364-10.024 8.988" fill="#912626"/><path d="M245.965 143.22c-13.661 7.118-84.431 36.218-99.498 44.072-15.066 7.857-23.436 7.78-35.338 2.09-11.903-5.686-87.214-36.113-100.78-42.594-13.566-6.485-13.85-10.948-.524-16.166 13.326-5.22 88.224-34.605 104.055-40.284 15.828-5.677 21.319-5.884 34.789-.948 13.471 4.934 83.819 32.935 97.13 37.81 13.316 4.881 13.827 8.9.166 16.02" fill="#C6302B"/><path d="M245.97 127.074c-13.662 7.122-84.434 36.22-99.501 44.078-15.067 7.853-23.437 7.777-35.34 2.087-11.903-5.687-87.216-36.112-100.783-42.597C3.566 127.402 0 124.67 0 122.085V96.206s98.05-21.344 113.879-27.023c15.828-5.679 21.32-5.885 34.79-.95C162.142 73.168 242.688 87.697 256 92.574l-.006 25.513c.002 2.557-3.07 5.363-10.024 8.987" fill="#912626"/><path d="M245.965 101.351c-13.661 7.12-84.431 36.218-99.498 44.075-15.066 7.854-23.436 7.777-35.338 2.087-11.903-5.686-87.214-36.112-100.78-42.594-13.566-6.483-13.85-10.947-.524-16.167C23.151 83.535 98.05 54.148 113.88 48.47c15.828-5.678 21.319-5.884 34.789-.949 13.471 4.934 83.819 32.933 97.13 37.81 13.316 4.88 13.827 8.9.166 16.02" fill="#C6302B"/><path d="M245.97 83.653c-13.662 7.12-84.434 36.22-99.501 44.078-15.067 7.854-23.437 7.777-35.34 2.087-11.903-5.687-87.216-36.113-100.783-42.595C3.566 83.98 0 81.247 0 78.665v-25.88s98.05-21.343 113.879-27.021c15.828-5.68 21.32-5.884 34.79-.95C162.142 29.749 242.688 44.278 256 49.155l-.006 25.512c.002 2.555-3.07 5.361-10.024 8.986" fill="#912626"/><path d="M245.965 57.93c-13.661 7.12-84.431 36.22-99.498 44.074-15.066 7.854-23.436 7.777-35.338 2.09C99.227 98.404 23.915 67.98 10.35 61.497-3.217 55.015-3.5 50.55 9.825 45.331 23.151 40.113 98.05 10.73 113.88 5.05c15.828-5.679 21.319-5.883 34.789-.948 13.471 4.935 83.819 32.934 97.13 37.811 13.316 4.876 13.827 8.897.166 16.017" fill="#C6302B"/><path d="M159.283 32.757l-22.01 2.285-4.927 11.856-7.958-13.23-25.415-2.284 18.964-6.839-5.69-10.498 17.755 6.944 16.738-5.48-4.524 10.855 17.067 6.391M131.032 90.275L89.955 73.238l58.86-9.035-17.783 26.072M74.082 39.347c17.375 0 31.46 5.46 31.46 12.194 0 6.736-14.085 12.195-31.46 12.195s-31.46-5.46-31.46-12.195c0-6.734 14.085-12.194 31.46-12.194" fill="#FFF"/><path d="M185.295 35.998l34.836 13.766-34.806 13.753-.03-27.52" fill="#621B1C"/><path d="M146.755 51.243l38.54-15.245.03 27.519-3.779 1.478-34.791-13.752" fill="#9A2928"/></svg>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_683_3213)"/>
+<path d="M120.149 95.5491C114.586 98.4485 85.7709 110.296 79.6363 113.495C73.5016 116.693 70.0937 116.662 65.2472 114.346C60.4012 112.029 29.7364 99.6423 24.2125 97.0019C21.4519 95.6827 20 94.5687 20 93.5166V82.9809C20 82.9809 59.922 74.2901 66.3669 71.9778C72.8115 69.6656 75.0476 69.5821 80.532 71.591C86.0173 73.6008 118.812 79.5176 124.233 81.5029L124.23 91.8896C124.231 92.9311 122.98 94.0736 120.149 95.5491Z" fill="#912626"/>
+<path d="M120.147 85.0752C114.585 87.9734 85.77 99.8218 79.6354 103.02C73.5011 106.219 70.0932 106.187 65.2472 103.871C60.4007 101.555 29.7371 89.1668 24.2136 86.528C18.6901 83.8876 18.5744 82.0704 24.0003 79.9458C29.4261 77.8205 59.9215 65.8561 66.3672 63.5438C72.8118 61.2324 75.0475 61.1481 80.5319 63.1578C86.0168 65.1668 114.66 76.5676 120.079 78.5525C125.501 80.5399 125.709 82.1763 120.147 85.0752Z" fill="#C6302B"/>
+<path d="M120.149 78.502C114.586 81.4018 85.7709 93.2493 79.6363 96.4488C73.5016 99.6462 70.0937 99.6152 65.2472 97.2985C60.4008 94.983 29.7364 82.5952 24.2125 79.9547C21.4519 78.6355 20 77.5232 20 76.4707V65.9338C20 65.9338 59.922 57.2434 66.3669 54.9311C72.8115 52.6189 75.0476 52.535 80.532 54.5443C86.0177 56.5536 118.813 62.4693 124.233 64.455L124.23 74.8428C124.231 75.884 122.98 77.0264 120.149 78.502Z" fill="#912626"/>
+<path d="M120.147 68.0282C114.585 70.9271 85.77 82.7747 79.6354 85.9737C73.5011 89.1716 70.0932 89.1402 65.2472 86.8235C60.4007 84.5084 29.7371 72.1201 24.2136 69.4809C18.6901 66.8413 18.5744 65.0237 24.0003 62.8984C29.4261 60.7742 59.9219 48.809 66.3672 46.4972C72.8118 44.1853 75.0475 44.1014 80.5319 46.1108C86.0168 48.1197 114.66 59.5197 120.079 61.5055C125.501 63.4924 125.709 65.1292 120.147 68.0282Z" fill="#C6302B"/>
+<path d="M120.149 60.8224C114.586 63.7214 85.7709 75.5698 79.6363 78.7692C73.5016 81.9671 70.0937 81.9357 65.2472 79.619C60.4008 77.3035 29.7364 64.9152 24.2125 62.276C21.4519 60.9556 20 59.8428 20 58.7915V48.2542C20 48.2542 59.922 39.5642 66.3669 37.2524C72.8115 34.9397 75.0476 34.8567 80.532 36.8656C86.0177 38.8749 118.813 44.7905 124.233 46.7763L124.23 57.1637C124.231 58.204 122.98 59.3465 120.149 60.8224Z" fill="#912626"/>
+<path d="M120.147 50.349C114.585 53.2479 85.7698 65.0963 79.6352 68.2941C73.5009 71.492 70.093 71.4606 65.2469 69.1451C60.4009 66.8283 29.7369 54.4409 24.2138 51.8013C18.6899 49.1621 18.5746 47.3441 24 45.2192C29.4259 43.0946 59.9217 31.131 66.367 28.8184C72.8116 26.5061 75.0473 26.423 80.5317 28.4324C86.0166 30.4417 114.659 41.8418 120.079 43.8275C125.501 45.8128 125.709 47.45 120.147 50.349Z" fill="#C6302B"/>
+<path d="M84.8541 40.0994L75.8926 41.0298L73.8865 45.857L70.6463 40.4703L60.2983 39.5404L68.0197 36.7558L65.703 32.4814L72.9321 35.3088L79.7471 33.0775L77.9052 37.4972L84.8541 40.0994ZM73.3515 63.5184L56.6266 56.5816L80.592 52.9029L73.3515 63.5184ZM50.1637 42.7826C57.2381 42.7826 62.973 45.0057 62.973 47.7475C62.973 50.4901 57.2381 52.7128 50.1637 52.7128C43.0893 52.7128 37.3545 50.4897 37.3545 47.7475C37.3545 45.0057 43.0893 42.7826 50.1637 42.7826Z" fill="white"/>
+<path d="M95.4434 41.4174L109.627 47.0224L95.4556 52.622L95.4434 41.4174Z" fill="#621B1C"/>
+<path d="M79.7529 47.6261L95.4449 41.4189L95.4571 52.6236L93.9184 53.2254L79.7529 47.6261Z" fill="#9A2928"/>
+<defs>
+<linearGradient id="paint0_linear_683_3213" x1="189" y1="210.5" x2="0" y2="0" gradientUnits="userSpaceOnUse">
+<stop stop-color="#A80000"/>
+<stop offset="1" stop-color="#FFCFCF"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/tcp-balancer/logos/haproxy.svg

@@ -1,165 +1,79 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Generator: Adobe Illustrator 23.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 1000 1000" style="enable-background:new 0 0 1000 1000;" xml:space="preserve">
-<style type="text/css">
-	.st0{fill:none;stroke:#284B6B;stroke-width:0.26;stroke-miterlimit:10;}
-	.st1{fill:none;stroke:#284B6B;stroke-width:0.13;stroke-miterlimit:10;}
-	.st2{fill:none;stroke:#25415E;stroke-width:0.101;stroke-miterlimit:10;}
-	.st3{fill:#286EA5;}
-	.st4{fill:#3579BC;}
-	.st5{fill:#199BD6;}
-	.st6{fill:#00A8DA;}
-</style>
-<g>
-	<g>
-		<g>
-			<path class="st0" d="M499.6,370.8L396.2,253.9"/>
-			<path class="st1" d="M173.5,280.9l80.9,118.2"/>
-			<g>
-				<path class="st0" d="M499.6,371l102.3-118.2 M623.2,501.4l121.4-102.3 M623.2,501.2L744.6,608 M603,742.9L499.6,628.2
-					 M396.2,742.9l103.4-114.6 M254.5,603.5l116.9-102.3 M254.6,398.9l116.9,102.3 M499.6,370.8l-245,28.1 M499.6,370.8l245,28.1"/>
-				<path class="st0" d="M623.2,501.2l-21.4-248.4 M623.2,501.2L603,742.8"/>
-				<path class="st0" d="M744.6,608l-245,20.2 M254.5,603.5l245,24.9"/>
-				<path class="st0" d="M396.2,742.9l-24.9-241.6 M396.2,253.9l-24.9,247.3"/>
-			</g>
-			<g>
-				<path class="st1" d="M142.1,430.4l112.4-31.5 M278.1,169.6l118.2,84.3 M423.1,116.8l-27,137.1 M423.1,116.8l178.7,136"/>
-				<path class="st1" d="M574.9,116.8l27,136 M719.9,169.6l-118.2,83.2 M825.5,280.9l-223.7-28.1 M744.6,398.9l80.9-118.2
-					 M744.6,398.9l114.6,31.5"/>
-				<path class="st1" d="M744.6,398.9L857,569.7 M574.9,116.8L396.2,253.9"/>
-				<path class="st1" d="M744.6,398.9l-24.9-229.3 M744.6,608L857,569.7"/>
-				<path class="st1" d="M744.6,608l114.6-177.6 M744.6,608l80.9,109 M744.6,608l-24.9,220.3 M603,742.9l116.9,85.4"/>
-				<path class="st1" d="M603,742.9L825.5,717 M603,742.9l-26.8,138.1 M603,742.9L423.1,880.9 M396.2,742.9l27,138.4"/>
-				<path class="st1" d="M396.2,742.9l180,138.1 M396.3,742.9l-118.2,85.4 M396.3,742.9l-222.9-24.8 M254.5,603.5l-81.1,114.6"/>
-				<path class="st1" d="M254.5,603.5l23.6,224.8 M254.5,603.5L141,568.6 M254.5,398.9L141,568.6"/>
-				<path class="st1" d="M254.5,603.5L142.1,430.4 M278.1,169.6l-23.6,229.3"/>
-				<path class="st1" d="M173.5,280.9l222.5-27"/>
-			</g>
-		</g>
-		<g>
-			<path class="st2" d="M278.1,169.6l-86.5-40.5 M278.1,169.6l-6.7-94.4 M423.1,116.8L271.4,75.2"/>
-			<path class="st2" d="M423.1,116.8L358,37 M423.1,116.8l27-95.7 M278.1,169.6L357.9,37 M574.9,116.8L450.1,21.1"/>
-			<path class="st2" d="M574.9,116.8l-28.2-98.9 M423,116.8l123.6-98.9 M574.9,116.8L640.1,37 M719.9,169.6L639.9,37"/>
-			<path class="st2" d="M719.9,169.6l7.9-94.4 M574.9,116.8l152.8-41.6 M719.9,169.6l88.6-45 M719.9,169.6l154,23.6"/>
-			<path class="st2" d="M825.5,280.9l48.3-87.7 M825.5,280.9l-16.9-156.2 M825.5,280.9l101.2-7.9 M825.5,280.9l138.4,78.7"/>
-			<path class="st2" d="M859.2,430.4L926.7,273 M859.2,430.4l104.5-70.8 M859.2,430.4L976.1,454 M857,569.7L976.1,454"/>
-			<path class="st2" d="M857,569.7l122.5-22.5 M859.2,430.4l120.3,116.9 M857,569.7l104.5,69.7 M825.5,717l136-77.6"/>
-			<path class="st2" d="M825.5,717l100,10.1 M857.1,569.7l68.4,157.3 M825.7,717l47.2,88.6 M825.7,717l-18,155.1"/>
-			<path class="st2" d="M807.5,872.1l-87.7-43.8 M719.9,828.3l6.7,98 M719.9,828.3l152.8-22.5 M719.9,828.3l-79.9,134.9"/>
-			<path class="st2" d="M576.2,880.9l63.7,82 M576.2,880.9l150.6,45 M576.2,880.9l-29.5,101.2 M576.2,880.9L450.3,982.1"/>
-			<path class="st2" d="M423.1,880.9l27,101.2 M423.1,880.9l123.5,101.2 M423.1,880.9l-64.1,82 M278.1,828.3l80.9,134.9"/>
-			<path class="st2" d="M423.1,880.9l-152.8,47.2 M278.1,828.3l-7.9,100 M278.1,828.3l-87.7,48.3 M173.5,718.1l16.9,158.5"/>
-			<path class="st2" d="M278.1,828.3l-154-21.3 M173.5,718.1L124,806.7 M173.5,718.1L72.3,728.2 M173.5,718.1L34.3,640.6 M141,568.6
-				L34.3,640.6 M141,568.6L19.6,547.3"/>
-			<path class="st2" d="M141,568.6L72.6,728.2 M142.1,430.4L19.6,547.3"/>
-			<path class="st2" d="M141,568.6L19.6,454 M142.2,430.4L37.6,360.7"/>
-			<path class="st2" d="M142.1,430.4L19.6,454 M142.1,430.4L72.5,273"/>
-			<path class="st2" d="M173.5,280.9L72.3,273 M173.5,280.9L37.6,360.7 M173.5,280.9l-48.2-83.2 M173.5,280.9l18-151.7"/>
-			<path class="st2" d="M278.1,169.6l-152.9,28.1"/>
-		</g>
-	</g>
-	<path class="st3" d="M311.3,559.6l0.8-118.2l118.2,0.8l-0.8,118.2L311.3,559.6z M439.2,429.5l0.8-118.2l118.2,0.8l-0.8,118.2
-		L439.2,429.5z M439.2,688.6l0.8-118.2l118.2,0.8l-0.8,118.2L439.2,688.6z M568.2,558.5l0.8-118.2l118.2,0.8l-0.8,118.2L568.2,558.5
-		z"/>
-	<path class="st4" d="M561.4,293.9l0.6-82l82.4,0.6l-0.6,82L561.4,293.9z M355.4,293.9l0.6-82l82.4,0.6l-0.6,82L355.4,293.9z
-		 M212.8,440l0.6-82l82.4,0.6l-0.6,82L212.8,440z M212.7,646.2l0.9-82l82.4,0.9l-0.9,82L212.7,646.2z M704,644.6l0.6-82l82.4,0.6
-		l-0.6,82L704,644.6z M705.6,440.6l0.9-82l82.4,0.9l-0.9,82L705.6,440.6z"/>
-	<path class="st5" d="M146,307.7l0.4-54l53.8,0.4l-0.4,54L146,307.7z M251.3,197.9l0.4-54l53.8,0.4l-0.4,54L251.3,197.9z
-		 M396.2,143.6l0.4-54l53.8,0.4l-0.4,54L396.2,143.6z M114.3,457.1l0.4-54l53.5,0.4l-0.4,54L114.3,457.1z M798.3,254.5l54-0.4
-		l0.4,53.8l-54,0.4L798.3,254.5z M693,142.8l54-0.4l0.4,53.8l-54,0.4L693,142.8z M547.6,89.9l54-0.4l0.4,53.8l-54,0.4L547.6,89.9z
-		 M829.7,403.7l54-0.4l0.4,53.8l-54,0.4L829.7,403.7z"/>
-	<path class="st4" d="M354.3,786.1l0.6-82l82.4,0.6l-0.6,82L354.3,786.1z M560.3,786.1l0.6-82l82.4,0.6l-0.6,82L560.3,786.1z"/>
-	<path class="st5" d="M797.9,744.6l0.4-54l53.8,0.4l-0.4,54L797.9,744.6z M693.8,855.5l0.4-54l53.8,0.4l-0.4,54L693.8,855.5z
-		 M548.9,908.7l0.4-54l53.8,0.4l-0.4,54L548.9,908.7z M829.6,595.2l0.4-54l53.8,0.4l-0.4,54L829.6,595.2z M146.1,690.6l54-0.4
-		l0.4,53.8l-54,0.4L146.1,690.6z M251.4,801.1l54-0.4l0.4,53.8l-54,0.4L251.4,801.1z M395.6,854.1l54-0.4l0.4,53.8l-54,0.4
-		L395.6,854.1z M114.7,541.4l54-0.4l0.4,53.8l-54,0.4L114.7,541.4z"/>
-	<g>
-		<g>
-			<path id="B" class="st6" d="M911.1,287.5l0.2-29.2l29.8,0.2l-0.2,29.2L911.1,287.5z"/>
-		</g>
-		<g>
-			<path class="st6" d="M949.6,375.8l0.2-29.2l29.8,0.2l-0.2,29.2L949.6,375.8z"/>
-		</g>
-		<g>
-			<path class="st6" d="M859.1,209.4l0.2-29.2l29.8,0.2l-0.2,29.2L859.1,209.4z"/>
-		</g>
-		<g>
-			<path class="st6" d="M176.6,142.6l0.2-29.2l29.8,0.2l-0.2,29.2L176.6,142.6z"/>
-		</g>
-		<g>
-			<path class="st6" d="M5.7,468.5l0.2-29.2l29.8,0.2l-0.2,29.2L5.7,468.5z"/>
-		</g>
-		<g>
-			<path class="st6" d="M793.4,142.6l0.2-29.2l29.8,0.2l-0.2,29.2L793.4,142.6z"/>
-		</g>
-		<g>
-			<path class="st6" d="M22.7,375.7l0.2-29.2l29.8,0.2l-0.2,29.2L22.7,375.7z"/>
-		</g>
-		<g>
-			<path class="st6" d="M344.1,52.1l0.2-29.2l29.8,0.2l-0.2,29.2L344.1,52.1z"/>
-		</g>
-		<g>
-			<path class="st6" d="M58.9,287.5l0.2-29.2l29.8,0.2l-0.2,29.2L58.9,287.5z"/>
-		</g>
-		<g>
-			<path class="st6" d="M112.1,208.3l0.2-29.2l29.8,0.2l-0.2,29.2L112.1,208.3z"/>
-		</g>
-		<path class="st6" d="M256.3,60.5l29.2-0.2l0.2,29.8l-29.2,0.2L256.3,60.5z M436.9,3l29.2-0.2l0.2,29.8l-29.2,0.2L436.9,3z"/>
-		<g>
-			<path class="st6" d="M714.2,90.5l0.2-29.2l29.8,0.2L744,90.7L714.2,90.5z"/>
-		</g>
-		<g>
-			<path class="st6" d="M964.3,467.4l0.2-29.2l29.8,0.2l-0.2,29.2L964.3,467.4z"/>
-		</g>
-		<path class="st6" d="M532,31.7l0.2-29.2L562,2.7l-0.2,29.2L532,31.7z"/>
-		<g>
-			<path class="st6" d="M624.8,50.9l0.2-29.2l29.8,0.2l-0.2,29.2L624.8,50.9z"/>
-		</g>
-		<g>
-			<path class="st6" d="M793.4,887.3l0.2-29.2l29.8,0.2l-0.2,29.2L793.4,887.3z"/>
-		</g>
-		<g>
-			<path class="st6" d="M964.3,561.4l0.2-29.2l29.8,0.2l-0.2,29.2L964.3,561.4z"/>
-		</g>
-		<g>
-			<path class="st6" d="M176.6,887.3l0.2-29.2l29.8,0.2l-0.2,29.2L176.6,887.3z"/>
-		</g>
-		<g>
-			<path class="st6" d="M949.6,655.5l0.2-29.2l29.8,0.2l-0.2,29.2L949.6,655.5z"/>
-		</g>
-		<g>
-			<path class="st6" d="M624.8,979l0.2-29.2l29.8,0.2l-0.2,29.2L624.8,979z"/>
-		</g>
-		<g>
-			<path class="st6" d="M911.1,743.6l0.2-29.2l29.8,0.2l-0.2,29.2L911.1,743.6z"/>
-		</g>
-		<g>
-			<path class="st6" d="M859.1,822.8l0.2-29.2l29.8,0.2l-0.2,29.2L859.1,822.8z"/>
-		</g>
-		<path class="st6" d="M713,912.6l29.2-0.2l0.2,29.8l-29.2,0.2L713,912.6z M533.5,967.7l29.2-0.2l0.2,29.8l-29.2,0.2L533.5,967.7z"
-			/>
-		<g>
-			<path class="st6" d="M256.9,942.8l0.2-29.2l29.8,0.2l-0.2,29.2L256.9,942.8z"/>
-		</g>
-		<g>
-			<path class="st6" d="M57.7,742.5l0.2-29.2l29.8,0.2l-0.2,29.2L57.7,742.5z"/>
-		</g>
-		<g>
-			<path class="st6" d="M22.6,655.3l0.2-29.2l29.8,0.2l-0.2,29.2L22.6,655.3z"/>
-		</g>
-		<g>
-			<path class="st6" d="M110.9,822.8l0.2-29.2l29.8,0.2l-0.2,29.2L110.9,822.8z"/>
-		</g>
-		<g>
-			<path class="st6" d="M5.7,561.4l0.2-29.2l29.8,0.2l-0.2,29.2L5.7,561.4z"/>
-		</g>
-		<g>
-			<path class="st6" d="M438,997.1l0.2-29.2l29.8,0.2l-0.2,29.2L438,997.1z"/>
-		</g>
-		<g>
-			<path class="st6" d="M342.9,977.9l0.2-29.2l29.8,0.2l-0.2,29.2L342.9,977.9z"/>
-		</g>
-	</g>
-</g>
-</svg>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_683_2985)"/>
+<path d="M72.1645 59.4243L62.5 48.498" stroke="white" stroke-width="0.26" stroke-miterlimit="10"/>
+<path d="M41.6855 51.0215L49.247 62.0693" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M72.1646 59.4414L81.7263 48.3936M83.7171 71.6294L95.064 62.0678M83.7171 71.6108L95.064 81.593M81.8291 94.2017L72.1646 83.4811M62.5001 94.2017L72.1646 83.4904M49.2559 81.1724L60.1821 71.6108M60.1915 71.6108L49.2652 62.0491L72.1646 59.4227L95.064 62.0491" stroke="white" stroke-width="0.26" stroke-miterlimit="10"/>
+<path d="M81.7168 48.3936L83.717 71.6108L81.829 94.1924" stroke="white" stroke-width="0.26" stroke-miterlimit="10"/>
+<path d="M95.064 81.5925L72.1646 83.4805M49.2559 81.1719L72.1553 83.4992" stroke="white" stroke-width="0.26" stroke-miterlimit="10"/>
+<path d="M62.5012 94.2014L60.1738 71.6198M62.5012 48.4961L60.1738 71.6105" stroke="white" stroke-width="0.26" stroke-miterlimit="10"/>
+<path d="M38.75 64.9948L49.2557 62.0506M51.4615 40.6187L62.5093 48.4979M62.4906 48.4979L65.0142 35.6836L81.7168 48.3951" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M79.2031 35.6836L81.7267 48.3951M92.7558 40.6187L81.708 48.3951M102.626 51.0215L81.7174 48.3951M102.626 51.0028L95.0645 62.0506L105.776 64.9948" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M95.0639 62.0506L105.57 78.0148M79.2025 35.6836L62.5 48.4979" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M95.0637 62.0511L92.7363 40.6191M95.0637 81.5951L105.569 78.0153" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M95.065 81.5949L105.776 64.9951M95.065 81.5949L102.626 91.7828M95.065 81.5949L92.7377 102.186M81.8301 94.2035L92.7564 102.186" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M81.829 94.203L102.625 91.7822M81.829 94.203L79.3241 107.111M81.829 94.203L65.0143 107.101M62.5 94.203L65.0236 107.139" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M62.5012 94.2031L79.3253 107.111M51.4628 102.185L62.5105 94.2031L41.6768 91.8851L49.2569 81.1738" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M51.4618 102.185L49.256 81.1731L38.6475 77.9111L49.256 62.0498" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M49.2557 81.1745L38.75 64.9953M51.4615 40.6191L49.2557 62.0511" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M41.6855 51.0217L62.4819 48.498" stroke="white" stroke-width="0.13" stroke-miterlimit="10"/>
+<path d="M43.376 36.8338L51.4609 40.6192L50.8346 31.7959L65.0136 35.6841" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M58.9289 28.2244L65.0136 35.6831L67.5373 26.7383L79.2019 35.6831M51.4609 40.6181L58.9196 28.2244" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M76.5667 26.4404L79.2025 35.6843L85.2966 28.2256M65.0049 35.6843L76.5574 26.4404M92.7552 40.6194L85.2779 28.2256" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M92.7549 40.6192L93.4932 31.7959M92.7549 40.6192L101.036 36.4132M92.7549 40.6192L107.149 42.825M79.2021 35.6841L93.4839 31.7959" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M102.625 51.0214L107.139 42.8244M102.625 51.0214L101.045 36.4219M102.625 51.0214L112.083 50.283M102.625 51.0214L115.56 58.3773" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M105.774 64.9949L112.083 50.2832M105.774 64.9949L115.541 58.3774M105.774 64.9949L116.7 67.2007L105.568 78.0149" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M117.019 75.9121L105.569 78.0151L115.337 84.5297L102.625 91.7827M105.775 64.9951L117.019 75.9214" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M102.625 91.7833L111.971 92.7273M105.578 78.0156L111.971 92.718M107.055 100.064L102.643 91.7833L100.961 106.28" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M100.943 106.279L92.7458 102.185M92.7551 102.185L93.3813 111.345M92.7551 102.185L107.037 100.082M92.7551 102.185L85.2871 114.794" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M79.3232 107.103L85.277 114.767M79.3232 107.103L93.3993 111.309M79.3232 107.103L76.5659 116.561M79.3232 107.103L67.5557 116.561" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M65.0136 107.102L67.5373 116.561M65.0136 107.102L76.5568 116.561M65.0136 107.102L59.0224 114.766M51.4609 102.186L59.0224 114.794" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M65.0139 107.101L50.7322 111.513M50.7228 111.532L51.4612 102.185L43.2642 106.699L41.6846 91.8848" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M51.461 102.186L37.0671 100.195M41.6844 91.886L37.0578 100.167M41.6844 91.886L32.2255 92.8301M41.6844 91.886L28.6738 84.6423L38.6467 77.9127L27.2998 75.9219" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M38.6467 77.9123L32.2536 92.8296M38.7495 64.9951L27.2998 75.9214" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M38.6467 77.9122L27.2998 67.2009M38.7589 64.9951L28.9822 58.4805" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M27.2998 67.2007L38.7495 64.9949L32.2442 50.2832" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M41.6836 51.0217L32.2247 50.2833M41.6836 51.0217L28.9814 58.4804M41.6836 51.0217L37.1785 43.2453M41.6836 51.0217L43.366 36.8428" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M51.461 40.6191L37.1699 43.2456" stroke="white" stroke-width="0.101" stroke-miterlimit="10"/>
+<path d="M54.5645 77.0702L54.6392 66.0224L65.687 66.0971L65.6123 77.1449L54.5645 77.0702ZM66.5189 64.9101L66.5937 53.8623L77.6415 53.9371L77.5667 64.9849L66.5189 64.9101ZM66.5189 89.1274L66.5937 78.0796L77.6415 78.1544L77.5667 89.2022L66.5189 89.1274ZM78.5761 76.9673L78.6509 65.9195L89.6987 65.9943L89.6239 77.0421L78.5761 76.9673Z" fill="white"/>
+<path d="M77.9406 52.2366L77.9966 44.5723L85.6983 44.6283L85.6422 52.2926L77.9406 52.2366ZM58.6864 52.2366L58.7424 44.5723L66.4441 44.6283L66.388 52.2926L58.6864 52.2366ZM45.358 65.8921L45.4141 58.2278L53.1157 58.2839L53.0597 65.9482L45.358 65.8921ZM45.3486 85.165L45.4328 77.5007L53.1344 77.5848L53.0503 85.2491L45.3486 85.165ZM91.269 85.0154L91.325 77.3511L99.0267 77.4072L98.9706 85.0715L91.269 85.0154ZM91.4185 65.9482L91.5026 58.2839L99.2043 58.368L99.1202 66.0323L91.4185 65.9482Z" fill="white"/>
+<path d="M39.1143 53.5263L39.1517 48.4791L44.1802 48.5165L44.1428 53.5637L39.1143 53.5263ZM48.9563 43.2637L48.9937 38.2164L54.0223 38.2538L53.9849 43.301L48.9563 43.2637ZM62.4997 38.1884L62.5371 33.1412L67.5656 33.1786L67.5282 38.2258L62.4997 38.1884ZM36.1514 67.4903L36.1888 62.4431L41.1892 62.4805L41.1519 67.5277L36.1514 67.4903ZM100.083 48.5539L105.13 48.5165L105.167 53.545L100.12 53.5824L100.083 48.5539ZM90.2407 38.1136L95.2879 38.0762L95.3253 43.1048L90.2781 43.1421L90.2407 38.1136ZM76.6506 33.1692L81.6978 33.1318L81.7352 38.1604L76.688 38.1977L76.6506 33.1692ZM103.018 62.4992L108.065 62.4618L108.102 67.4903L103.055 67.5277L103.018 62.4992Z" fill="white"/>
+<path d="M58.583 98.2405L58.6391 90.5762L66.3408 90.6323L66.2847 98.2965L58.583 98.2405ZM77.8372 98.2405L77.8933 90.5762L85.595 90.6323L85.5389 98.2965L77.8372 98.2405Z" fill="white"/>
+<path d="M100.045 94.3619L100.082 89.3147L105.111 89.3521L105.074 94.3993L100.045 94.3619ZM90.3152 104.727L90.3526 99.6802L95.3811 99.7176L95.3437 104.765L90.3152 104.727ZM76.7718 109.7L76.8092 104.653L81.8377 104.69L81.8004 109.737L76.7718 109.7ZM103.008 80.3979L103.045 75.3507L108.074 75.3881L108.037 80.4353L103.008 80.3979ZM39.1233 89.3147L44.1706 89.2773L44.2079 94.3058L39.1607 94.3432L39.1233 89.3147ZM48.9654 99.6428L54.0126 99.6054L54.05 104.634L49.0028 104.671L48.9654 99.6428ZM62.4433 104.597L67.4906 104.559L67.5279 109.588L62.4807 109.625L62.4433 104.597ZM36.1885 75.3694L41.2357 75.332L41.2731 80.3606L36.2259 80.3979L36.1885 75.3694Z" fill="white"/>
+<path d="M110.625 51.6384L110.644 48.9092L113.429 48.9279L113.41 51.6571L110.625 51.6384Z" fill="white"/>
+<path d="M114.224 59.8913L114.242 57.1621L117.028 57.1808L117.009 59.91L114.224 59.8913Z" fill="white"/>
+<path d="M105.767 44.3376L105.785 41.6084L108.571 41.6271L108.552 44.3563L105.767 44.3376Z" fill="white"/>
+<path d="M41.9736 38.0945L41.9923 35.3652L44.7776 35.3839L44.7589 38.1132L41.9736 38.0945Z" fill="white"/>
+<path d="M26 68.5554L26.0187 65.8262L28.804 65.8449L28.7853 68.5741L26 68.5554Z" fill="white"/>
+<path d="M99.624 38.0945L99.6427 35.3652L102.428 35.3839L102.409 38.1132L99.624 38.0945Z" fill="white"/>
+<path d="M27.5898 59.8816L27.6085 57.1523L30.3939 57.171L30.3752 59.9003L27.5898 59.8816Z" fill="white"/>
+<path d="M57.6299 29.6355L57.6486 26.9062L60.4339 26.9249L60.4152 29.6542L57.6299 29.6355Z" fill="white"/>
+<path d="M30.9727 51.6384L30.9913 48.9092L33.7767 48.9279L33.758 51.6571L30.9727 51.6384Z" fill="white"/>
+<path d="M35.9453 44.2361L35.964 41.5068L38.7493 41.5255L38.7306 44.2548L35.9453 44.2361Z" fill="white"/>
+<path d="M49.4229 30.4204L52.1521 30.4017L52.1708 33.187L49.4415 33.2057L49.4229 30.4204ZM66.303 25.046L69.0322 25.0273L69.0509 27.8127L66.3217 27.8314L66.303 25.046Z" fill="white"/>
+<path d="M92.2227 33.2244L92.2414 30.4951L95.0267 30.5138L95.008 33.243L92.2227 33.2244Z" fill="white"/>
+<path d="M115.598 68.4529L115.616 65.7236L118.402 65.7423L118.383 68.4716L115.598 68.4529Z" fill="white"/>
+<path d="M75.1914 27.7292L75.2101 25L77.9954 25.0187L77.9767 27.7479L75.1914 27.7292Z" fill="white"/>
+<path d="M83.8662 29.5232L83.8849 26.7939L86.6702 26.8126L86.6515 29.5419L83.8662 29.5232Z" fill="white"/>
+<path d="M99.624 107.7L99.6427 104.971L102.428 104.989L102.409 107.719L99.624 107.7Z" fill="white"/>
+<path d="M115.598 77.239L115.616 74.5098L118.402 74.5285L118.383 77.2577L115.598 77.239Z" fill="white"/>
+<path d="M41.9736 107.7L41.9923 104.971L44.7776 104.989L44.7589 107.719L41.9736 107.7Z" fill="white"/>
+<path d="M114.224 86.0329L114.242 83.3037L117.028 83.3224L117.009 86.0516L114.224 86.0329Z" fill="white"/>
+<path d="M83.8662 116.27L83.8849 113.541L86.6702 113.56L86.6515 116.289L83.8662 116.27Z" fill="white"/>
+<path d="M110.625 94.2683L110.644 91.5391L113.429 91.5578L113.41 94.287L110.625 94.2683Z" fill="white"/>
+<path d="M105.767 101.672L105.785 98.9424L108.571 98.9611L108.552 101.69L105.767 101.672Z" fill="white"/>
+<path d="M92.1094 110.065L94.8386 110.046L94.8573 112.831L92.128 112.85L92.1094 110.065ZM75.332 115.215L78.0613 115.196L78.08 117.981L75.3507 118L75.332 115.215Z" fill="white"/>
+<path d="M49.4785 112.886L49.4972 110.157L52.2825 110.176L52.2638 112.905L49.4785 112.886Z" fill="white"/>
+<path d="M30.8594 94.1658L30.8781 91.4365L33.6634 91.4552L33.6447 94.1845L30.8594 94.1658Z" fill="white"/>
+<path d="M27.5801 86.0144L27.5988 83.2852L30.3841 83.3039L30.3654 86.0331L27.5801 86.0144Z" fill="white"/>
+<path d="M35.832 101.672L35.8507 98.9424L38.636 98.9611L38.6173 101.69L35.832 101.672Z" fill="white"/>
+<path d="M26 77.239L26.0187 74.5098L28.804 74.5285L28.7853 77.2577L26 77.239Z" fill="white"/>
+<path d="M66.4053 117.962L66.424 115.232L69.2093 115.251L69.1906 117.98L66.4053 117.962Z" fill="white"/>
+<path d="M57.5176 116.168L57.5363 113.438L60.3216 113.457L60.3029 116.186L57.5176 116.168Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_683_2985" x1="10" y1="15.5" x2="144" y2="131.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#00A8DA"/>
+<stop offset="0.495" stop-color="#3579BC"/>
+<stop offset="1" stop-color="#286EA5"/>
+</linearGradient>
+</defs>
+</svg>

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.3.0
+version: 1.4.0

packages/apps/tenant/README.md

@@ -56,4 +56,5 @@ tenant-u1
 | `etcd`       | Deploy own Etcd cluster                                                                                                     | `false` |
 | `monitoring` | Deploy own Monitoring Stack                                                                                                 | `false` |
 | `ingress`    | Deploy own Ingress Controller                                                                                               | `false` |
+| `seaweedfs`  | Deploy own SeaweedFS                                                                                                        | `false` |
 | `isolated`   | Enforce tenant namespace with network policies                                                                              | `false` |

packages/apps/tenant/logos/tenant.svg

@@ -1,351 +1,17 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:xlink="http://www.w3.org/1999/xlink"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="48px"
-   height="48px"
-   id="svg2108"
-   sodipodi:version="0.32"
-   inkscape:version="0.44.1"
-   sodipodi:docbase="/Users/bdesham/Downloads"
-   sodipodi:docname="System-users.svg">
-  <defs
-     id="defs3">
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient4356">
-      <stop
-         style="stop-color:#000000;stop-opacity:1;"
-         offset="0"
-         id="stop4358" />
-      <stop
-         style="stop-color:#000000;stop-opacity:0;"
-         offset="1"
-         id="stop4360" />
-    </linearGradient>
-    <linearGradient
-       id="linearGradient4344">
-      <stop
-         style="stop-color:#727e0a;stop-opacity:1;"
-         offset="0"
-         id="stop4346" />
-      <stop
-         style="stop-color:#5b6508;stop-opacity:1.0000000;"
-         offset="1.0000000"
-         id="stop4348" />
-    </linearGradient>
-    <linearGradient
-       id="linearGradient4338">
-      <stop
-         id="stop4340"
-         offset="0.0000000"
-         style="stop-color:#e9b15e;stop-opacity:1.0000000;" />
-      <stop
-         id="stop4342"
-         offset="1.0000000"
-         style="stop-color:#966416;stop-opacity:1.0000000;" />
-    </linearGradient>
-    <linearGradient
-       id="linearGradient4163">
-      <stop
-         style="stop-color:#3b74bc;stop-opacity:1.0000000;"
-         offset="0.0000000"
-         id="stop4165" />
-      <stop
-         style="stop-color:#2d5990;stop-opacity:1.0000000;"
-         offset="1.0000000"
-         id="stop4167" />
-    </linearGradient>
-    <linearGradient
-       id="linearGradient3824">
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1;"
-         offset="0"
-         id="stop3826" />
-      <stop
-         style="stop-color:#c9c9c9;stop-opacity:1.0000000;"
-         offset="1.0000000"
-         id="stop3828" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient3816">
-      <stop
-         style="stop-color:#000000;stop-opacity:1;"
-         offset="0"
-         id="stop3818" />
-      <stop
-         style="stop-color:#000000;stop-opacity:0;"
-         offset="1"
-         id="stop3820" />
-    </linearGradient>
-    <linearGradient
-       id="linearGradient3800">
-      <stop
-         style="stop-color:#f4d9b1;stop-opacity:1.0000000;"
-         offset="0.0000000"
-         id="stop3802" />
-      <stop
-         style="stop-color:#df9725;stop-opacity:1.0000000;"
-         offset="1.0000000"
-         id="stop3804" />
-    </linearGradient>
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient3800"
-       id="radialGradient3806"
-       cx="29.344931"
-       cy="17.064077"
-       fx="29.344931"
-       fy="17.064077"
-       r="9.1620579"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient3824"
-       id="linearGradient4175"
-       gradientUnits="userSpaceOnUse"
-       x1="30.935921"
-       y1="29.553486"
-       x2="30.935921"
-       y2="35.803486"
-       gradientTransform="translate(0.707108,0.000000)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient3824"
-       id="linearGradient4326"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(-12.41789,-7.000000)"
-       x1="30.935921"
-       y1="29.553486"
-       x2="30.935921"
-       y2="35.803486" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient3824"
-       id="linearGradient4332"
-       gradientUnits="userSpaceOnUse"
-       x1="30.935921"
-       y1="29.553486"
-       x2="30.935921"
-       y2="35.803486"
-       gradientTransform="translate(-13.12500,-7.000000)" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient4344"
-       id="radialGradient4350"
-       cx="16.214741"
-       cy="19.836468"
-       fx="16.214741"
-       fy="19.836468"
-       r="13.565360"
-       gradientTransform="matrix(1.000000,0.000000,0.000000,0.681917,0.000000,8.233773)"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient4356"
-       id="linearGradient4372"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="matrix(0.983375,0.181588,-0.181588,0.983375,-7.072120,-9.824920)"
-       x1="20.661695"
-       y1="35.817974"
-       x2="22.626925"
-       y2="36.217758" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient4356"
-       id="linearGradient4374"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="matrix(-0.977685,0.210075,0.210075,0.977685,41.80576,-11.11866)"
-       x1="22.686766"
-       y1="36.390400"
-       x2="21.408455"
-       y2="35.739632" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient3816"
-       id="radialGradient2058"
-       gradientUnits="userSpaceOnUse"
-       cx="31.112698"
-       cy="19.008621"
-       fx="31.112698"
-       fy="19.008621"
-       r="8.6620579" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient4344"
-       id="radialGradient2060"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="matrix(1,0,0,0.681917,0,8.233773)"
-       cx="16.214741"
-       cy="19.836468"
-       fx="16.214741"
-       fy="19.836468"
-       r="13.565360" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient3816"
-       id="radialGradient2062"
-       gradientUnits="userSpaceOnUse"
-       cx="31.112698"
-       cy="19.008621"
-       fx="31.112698"
-       fy="19.008621"
-       r="8.6620579" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient4338"
-       id="radialGradient2064"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
-       cx="29.344931"
-       cy="17.064077"
-       fx="29.344931"
-       fy="17.064077"
-       r="9.1620579" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient3824"
-       id="linearGradient2066"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(-12.41789,-7)"
-       x1="30.935921"
-       y1="29.553486"
-       x2="30.935921"
-       y2="35.803486" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient4356"
-       id="linearGradient2068"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="matrix(0.983375,0.181588,-0.181588,0.983375,-7.07212,-9.82492)"
-       x1="20.661695"
-       y1="35.817974"
-       x2="22.626925"
-       y2="36.217758" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient4356"
-       id="linearGradient2070"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="matrix(-0.977685,0.210075,0.210075,0.977685,41.80576,-11.11866)"
-       x1="22.686766"
-       y1="36.390400"
-       x2="21.408455"
-       y2="35.739632" />
-  </defs>
-  <sodipodi:namedview
-     inkscape:showpageshadow="false"
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="12.770833"
-     inkscape:cx="24"
-     inkscape:cy="24"
-     inkscape:current-layer="layer1"
-     showgrid="false"
-     inkscape:grid-bbox="true"
-     inkscape:document-units="px"
-     fill="#9db029"
-     stroke="#727e0a"
-     inkscape:window-width="1440"
-     inkscape:window-height="785"
-     inkscape:window-x="0"
-     inkscape:window-y="22" />
-  <g
-     id="layer1"
-     inkscape:label="cipek"
-     inkscape:groupmode="layer"
-     style="display:inline">
-    <g
-       id="g2045"
-       transform="matrix(1.235405,0,0,1.235405,1.932349,-1.424226)">
-      <path
-         d="M 39.774755 19.008621 A 8.6620579 8.6620579 0 1 1  22.45064,19.008621 A 8.6620579 8.6620579 0 1 1  39.774755 19.008621 z"
-         sodipodi:ry="8.6620579"
-         sodipodi:rx="8.6620579"
-         sodipodi:cy="19.008621"
-         sodipodi:cx="31.112698"
-         id="path4177"
-         style="opacity:1;color:black;fill:url(#radialGradient2058);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible"
-         sodipodi:type="arc"
-         transform="matrix(1.77551,0,0,0.959183,-37.37822,11.77153)" />
-      <path
-         sodipodi:nodetypes="cczcczc"
-         id="path2329"
-         d="M 12.861174,34.636039 L 23.467776,34.636039 C 26.47298,34.636039 29.44826,33.534107 30.538843,30.393398 C 31.574482,27.410922 30.71562,21.73134 23.998106,17.135146 L 11.44696,17.135146 C 4.729446,21.377786 3.889969,27.179977 5.436553,30.570174 C 7.012148,34.023964 9.679193,34.636039 12.861174,34.636039 z "
-         style="opacity:1;color:black;fill:url(#radialGradient2060);fill-opacity:1;fill-rule:evenodd;stroke:#404604;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible" />
-      <path
-         style="opacity:1;color:black;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible"
-         d="M 17.932367,19.786797 C 17.932367,19.786797 15.781044,21.447132 15.966376,23.44733 C 13.92515,21.646536 13.866503,18.195806 13.866503,18.195806 L 17.932367,19.786797 z "
-         id="path3812"
-         sodipodi:nodetypes="cccc" />
-      <path
-         style="opacity:0.21518986;color:black;fill:none;fill-opacity:1;fill-rule:evenodd;stroke:white;stroke-width:0.99999976px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible"
-         d="M 12.966639,33.571836 L 23.283309,33.571836 C 25.923032,33.571836 28.53647,32.603917 29.494421,29.845169 C 30.40411,27.225409 29.399699,22.236555 23.499142,18.199332 L 11.974417,18.199332 C 6.07386,21.925999 5.086477,27.022551 6.444971,30.000446 C 7.828949,33.0342 10.171638,33.571836 12.966639,33.571836 z "
-         id="path3838"
-         sodipodi:nodetypes="cczcczc" />
-      <path
-         sodipodi:nodetypes="cccc"
-         id="path3810"
-         d="M 18.910795,19.786797 C 18.910795,19.786797 21.062118,21.447132 20.876786,23.44733 C 22.918012,21.646536 22.976659,18.195806 22.976659,18.195806 L 18.910795,19.786797 z "
-         style="opacity:1;color:black;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible" />
-      <path
-         transform="translate(-13.25,-3.5)"
-         sodipodi:type="arc"
-         style="opacity:1;color:black;fill:url(#radialGradient2062);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible"
-         id="path3814"
-         sodipodi:cx="31.112698"
-         sodipodi:cy="19.008621"
-         sodipodi:rx="8.6620579"
-         sodipodi:ry="8.6620579"
-         d="M 39.774755 19.008621 A 8.6620579 8.6620579 0 1 1  22.45064,19.008621 A 8.6620579 8.6620579 0 1 1  39.774755 19.008621 z" />
-      <path
-         transform="translate(-13.125,-7)"
-         d="M 39.774755 19.008621 A 8.6620579 8.6620579 0 1 1  22.45064,19.008621 A 8.6620579 8.6620579 0 1 1  39.774755 19.008621 z"
-         sodipodi:ry="8.6620579"
-         sodipodi:rx="8.6620579"
-         sodipodi:cy="19.008621"
-         sodipodi:cx="31.112698"
-         id="path2327"
-         style="opacity:1;color:black;fill:url(#radialGradient2064);fill-opacity:1;fill-rule:evenodd;stroke:#6f4709;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible"
-         sodipodi:type="arc" />
-      <path
-         transform="matrix(0.877095,0,0,0.877095,-9.301073,-4.663733)"
-         sodipodi:type="arc"
-         style="opacity:0.12658231;color:black;fill:none;fill-opacity:1;fill-rule:evenodd;stroke:white;stroke-width:1.14012825px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible"
-         id="path3834"
-         sodipodi:cx="31.112698"
-         sodipodi:cy="19.008621"
-         sodipodi:rx="8.6620579"
-         sodipodi:ry="8.6620579"
-         d="M 39.774755 19.008621 A 8.6620579 8.6620579 0 1 1  22.45064,19.008621 A 8.6620579 8.6620579 0 1 1  39.774755 19.008621 z" />
-      <path
-         id="path4173"
-         d="M 22.583894,27.034641 L 26.826534,27.034641 L 24.351661,24.736544 L 23.821331,25.443651 L 23.291,24.913321 L 22.583894,27.034641 z "
-         style="opacity:1;color:black;fill:url(#linearGradient2066);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible" />
-      <path
-         sodipodi:nodetypes="cccc"
-         id="path4368"
-         d="M 8.5479535,33.601747 C 7.3003465,33.056778 6.7419595,31.74347 6.7419595,31.74347 C 7.5832405,27.674334 10.461885,24.697254 10.461885,24.697254 C 10.461885,24.697254 8.1825635,31.108768 8.5479535,33.601747 z "
-         style="opacity:0.22784807;color:black;fill:url(#linearGradient2068);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible" />
-      <path
-         style="opacity:0.22784807;color:black;fill:url(#linearGradient2070);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;marker:none;marker-start:none;marker-mid:none;marker-end:none;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;visibility:visible;display:inline;overflow:visible"
-         d="M 27.453661,32.743396 C 28.684912,32.162418 29.258041,30.741075 29.258041,30.741075 C 28.298921,26.698092 25.281892,23.898254 25.281892,23.898254 C 25.281892,23.898254 27.746485,30.240856 27.453661,32.743396 z "
-         id="path4370"
-         sodipodi:nodetypes="cccc" />
-    </g>
-  </g>
-  <g
-     inkscape:groupmode="layer"
-     id="layer2"
-     inkscape:label="dalsi cipek"
-     style="display:inline" />
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_687_3403)"/>
+<g clip-path="url(#clip0_687_3403)">
+<path d="M72 29C66.3926 29 61.0148 31.2388 57.0497 35.224C53.0847 39.2091 50.8571 44.6141 50.8571 50.25C50.8571 55.8859 53.0847 61.2909 57.0497 65.276C61.0148 69.2612 66.3926 71.5 72 71.5C77.6074 71.5 82.9852 69.2612 86.9503 65.276C90.9153 61.2909 93.1429 55.8859 93.1429 50.25C93.1429 44.6141 90.9153 39.2091 86.9503 35.224C82.9852 31.2388 77.6074 29 72 29ZM60.9826 83.3037C60.454 82.5898 59.5951 82.1914 58.7196 82.2744C45.3897 83.7354 35 95.1074 35 108.903C35 111.726 37.2795 114 40.071 114H103.929C106.737 114 109 111.709 109 108.903C109 95.1074 98.6103 83.752 85.2638 82.291C84.3884 82.1914 83.5295 82.6064 83.0009 83.3203L74.0978 95.2402C73.0406 96.6514 70.9263 96.6514 69.8692 95.2402L60.9661 83.3203L60.9826 83.3037Z" fill="black"/>
+</g>
+<defs>
+<linearGradient id="paint0_linear_687_3403" x1="72" y1="144" x2="-1.2817e-05" y2="4" gradientUnits="userSpaceOnUse">
+<stop stop-color="#C0D6FF"/>
+<stop offset="0.3" stop-color="#C4DAFF"/>
+<stop offset="0.65" stop-color="#D3E9FF"/>
+<stop offset="1" stop-color="#E9FFFF"/>
+</linearGradient>
+<clipPath id="clip0_687_3403">
+<rect width="74" height="85" fill="white" transform="translate(35 29)"/>
+</clipPath>
+</defs>
 </svg>

packages/apps/tenant/templates/monitoring.yaml

@@ -23,9 +23,6 @@ spec:
   interval: 1m0s
   timeout: 5m0s
   values:
-    {{- with .Values.host }}
-    host: grafana.{{ . }}
-    {{- end }}
     metricsStorages:
     - name: shortterm
       retentionPeriod: "3d"

packages/apps/tenant/templates/namespace.yaml

@@ -1,3 +1,20 @@
+{{- define "cozystack.namespace-anotations" }}
+{{- $context := index . 0 }}
+{{- $existingNS := index . 1 }}
+{{- range $x := list "etcd" "monitoring" "ingress" "seaweedfs" }}
+{{- if (index $context.Values $x) }}
+namespace.cozystack.io/{{ $x }}: "{{ include "tenant.name" $context }}"
+{{- else }}
+namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $context.Release.Namespace $x) }}"
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- if not $existingNS }}
+{{- fail (printf "error lookup existing namespace: %s" .Release.Namespace) }}
+{{- end }}
+
 {{- if ne (include "tenant.name" .) "tenant-root" }}
 ---
 apiVersion: v1
@@ -5,22 +22,25 @@ kind: Namespace
 metadata:
   name: {{ include "tenant.name" . }}
   {{- if hasPrefix "tenant-" .Release.Namespace }}
-  {{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-  {{- if $existingNS }}
   annotations:
     {{- if .Values.host }}
     namespace.cozystack.io/host: "{{ .Values.host }}"
     {{- else }}
-    {{ $parentHost := index $existingNS.metadata.annotations "namespace.cozystack.io/host" | required (printf "namespace %s has no namespace.cozystack.io/host annotation" $.Release.Namespace) }}
+    {{ $parentHost := index $existingNS.metadata.annotations "namespace.cozystack.io/host" | required (printf "namespace %s has no namespace.cozystack.io/host annotation" .Release.Namespace) }}
     namespace.cozystack.io/host: "{{ splitList "-" (include "tenant.name" .) | last }}.{{ $parentHost }}"
     {{- end }}
-    {{- range $x := list "etcd" "monitoring" "ingress" }}
-    {{- if (index $.Values $x) }}
-    namespace.cozystack.io/{{ $x }}: "{{ include "tenant.name" $ }}"
-    {{- else }}
-    namespace.cozystack.io/{{ $x }}: "{{ index $existingNS.metadata.annotations (printf "namespace.cozystack.io/%s" $x) | required (printf "namespace %s has no namespace.cozystack.io/%s annotation" $.Release.Namespace $x) }}"
+    {{- include "cozystack.namespace-anotations" (list . $existingNS) | nindent 4 }}
+  labels:
+    tenant.cozystack.io/{{ include "tenant.name" $ }}: ""
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
+    tenant.cozystack.io/{{ join "-" (slice $parts 0 (add $i 1)) }}: ""
     {{- end }}
     {{- end }}
+    {{- end }}
+    {{- include "cozystack.namespace-anotations" (list $ $existingNS) | nindent 4 }}
   ownerReferences:
   - apiVersion: v1
     blockOwnerDeletion: true
@@ -28,8 +48,5 @@ metadata:
     kind: Namespace
     name: {{ .Release.Namespace }}
     uid: {{ $existingNS.metadata.uid }}
-  {{- else }}
-  {{- fail (printf "error lookup exiting namespace: %s" .Release.Namespace) }}
-  {{- end }}
   {{- end }}
 {{- end }}

packages/apps/tenant/templates/networkpolicy.yaml

@@ -29,55 +29,75 @@ spec:
       - world
 ---
 apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
+kind: CiliumClusterwideNetworkPolicy
 metadata:
-  name: allow-from-system
-  namespace: {{ include "tenant.name" . }}
+  name: {{ include "tenant.name" . }}-egress
 spec:
-  endpointSelector: {}
-  ingress:
-  - fromEntities:
-    - cluster
----
-{{- if ne (include "tenant.name" .) "tenant-root" }}
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-from-upper-tenants
-  namespace: {{ include "tenant.name" . }}
-spec:
-  endpointSelector: {}
-  ingress:
-  - fromEndpoints:
+  endpointSelector:
+    matchLabels:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+  egress:
+  - toEndpoints:
     - matchLabels:
-        "kubernetes.io/metadata.name": "tenant-root"
+        "k8s:io.cilium.k8s.namespace.labels.tenant.cozystack.io/{{ include "tenant.name" . }}": ""
+  {{- if ne (include "tenant.name" .) "tenant-root" }}
+  - toEndpoints:
     {{- if hasPrefix "tenant-" .Release.Namespace }}
     {{- $parts := splitList "-" .Release.Namespace }}
     {{- range $i, $v := $parts }}
     {{- if ne $i 0 }}
     - matchLabels:
-        "kubernetes.io/metadata.name": {{ join "-" (slice $parts 0 (add $i 1)) }}
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
     {{- end }}
     {{- end }}
     {{- end }}
-{{- end }}
+  {{- end }}
 ---
-{{- if not .Values.etcd }}
-{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
+kind: CiliumClusterwideNetworkPolicy
 metadata:
-  name: allow-to-etcd
-  namespace: {{ include "tenant.name" . }}
+  name: {{ include "tenant.name" . }}-ingress
 spec:
   endpointSelector:
     matchLabels:
-      policy.cozystack.io/allow-to-etcd: "true"
-  egress:
-  - toEndpoints:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+  ingress:
+  - fromEntities:
+    - kube-apiserver
+  - fromEndpoints:
+      - matchLabels:
+          "k8s:io.cilium.k8s.namespace.labels.cozystack.io/system": "true"
+  - fromEndpoints:
+      - matchLabels:
+          "k8s:io.kubernetes.pod.namespace": kube-system
+  {{- if ne (include "tenant.name" .) "tenant-root" }}
+  - fromEndpoints:
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
     - matchLabels:
-        io.kubernetes.pod.namespace: "{{ index $existingNS.metadata.annotations "namespace.cozystack.io/etcd" }}"
-        cozystack.io/service: etcd
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+  {{- end }}
+---
+{{- if .Values.etcd }}
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: {{ include "tenant.name" . }}-ingress-etcd
+spec:
+  endpointSelector:
+    matchLabels:
+      "k8s:io.kubernetes.pod.namespace": "{{ include "tenant.name" . }}"
+      cozystack.io/service: etcd
+  ingress:
+  - fromEndpoints:
+    - matchLabels:
+        "k8s:io.cilium.k8s.namespace.labels.namespace.cozystack.io/etcd": "{{ include "tenant.name" . }}"
+        policy.cozystack.io/allow-to-etcd: "true"
 {{- end }}
 ---
 apiVersion: cilium.io/v2
@@ -107,7 +127,7 @@ spec:
   egress:
   - toEndpoints:
     - matchLabels:
-        io.kubernetes.pod.namespace: kube-system
+        "k8s:io.kubernetes.pod.namespace": kube-system
         k8s-app: kube-dns
 ---
 apiVersion: cilium.io/v2
@@ -120,7 +140,7 @@ spec:
   egress:
   - toEndpoints:
       - matchLabels:
-          io.kubernetes.pod.namespace: cozy-dashboard
+          "k8s:io.kubernetes.pod.namespace": cozy-dashboard
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy

packages/apps/tenant/templates/seaweedfs.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.seaweedfs }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: seaweedfs
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    cozystack.io/ui: "true"
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  chart:
+    spec:
+      chart: seaweedfs
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-extra
+        namespace: cozy-public
+      version: "*"
+  interval: 1m0s
+  timeout: 5m0s
+{{- end }}

packages/apps/tenant/templates/tenant.yaml

@@ -23,6 +23,12 @@ rules:
 - apiGroups: [""]
   resources: ["*"]
   verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["roles"]
+  verbs: ["get"]
 - apiGroups: ["helm.toolkit.fluxcd.io"]
   resources: ["helmreleases"]
   verbs: ["*"]

packages/apps/tenant/values.schema.json

@@ -22,6 +22,11 @@
             "description": "Deploy own Ingress Controller",
             "default": false
         },
+        "seaweedfs": {
+            "type": "boolean",
+            "description": "Deploy own SeaweedFS",
+            "default": false
+        },
         "isolated": {
             "type": "boolean",
             "description": "Enforce tenant namespace with network policies",

packages/apps/tenant/values.yaml

@@ -4,9 +4,11 @@
 ## @param etcd Deploy own Etcd cluster
 ## @param monitoring Deploy own Monitoring Stack
 ## @param ingress Deploy own Ingress Controller
+## @param seaweedfs Deploy own SeaweedFS
 ## @param isolated Enforce tenant namespace with network policies
 host: ""
 etcd: false
 monitoring: false
 ingress: false
+seaweedfs: false
 isolated: false

packages/apps/versions_map

@@ -1,3 +1,4 @@
+bucket 0.1.0 HEAD
 clickhouse 0.1.0 ca79f72
 clickhouse 0.2.0 7cd7de73
 clickhouse 0.2.1 HEAD
@@ -15,7 +16,9 @@ kubernetes 0.4.0 6cae6ce8
 kubernetes 0.5.0 6bd2d455
 kubernetes 0.6.0 4cbc8a2c
 kubernetes 0.7.0 ceefae03
-kubernetes 0.8.0 HEAD
+kubernetes 0.8.0 ac11056e
+kubernetes 0.8.1 e54608d8
+kubernetes 0.8.2 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
@@ -37,7 +40,9 @@ tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
 tenant 1.1.0 4da8ac3b
 tenant 1.2.0 15478a88
-tenant 1.3.0 HEAD
+tenant 1.3.0 ceefae03
+tenant 1.3.1 c56e5769
+tenant 1.4.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD

packages/apps/virtual-machine/logos/vm.svg

@@ -1,2 +1,21 @@
-<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg width="800px" height="800px" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg" fill="none"><path fill="url(#azure-vms-color-16__paint0_linear_2372_267)" d="M14.533 2H1.467A.467.467 0 001 2.467v8.4c0 .257.209.466.467.466h13.066a.467.467 0 00.467-.466v-8.4A.467.467 0 0014.533 2z"/><path fill="#50E6FF" d="M10.333 5.306V8.02L8 9.389V6.667l2.333-1.361z"/><path fill="#C3F1FF" d="M10.333 5.306L8 6.674 5.667 5.306 8 3.944l2.333 1.362z"/><path fill="#9CEBFF" d="M8 6.674V9.39L5.667 8.02V5.306L8 6.674z"/><path fill="#C3F1FF" d="M5.667 8.02L8 6.667v2.722L5.667 8.02z"/><path fill="#9CEBFF" d="M10.333 8.02L8 6.667v2.722l2.333-1.369z"/><path fill="url(#azure-vms-color-16__paint1_linear_2372_267)" d="M10.808 14.157c-1.385-.218-1.44-1.214-1.44-2.824H6.624c0 1.61-.046 2.606-1.43 2.824a.778.778 0 00-.693.777h7a.777.777 0 00-.692-.777z"/><defs><linearGradient id="azure-vms-color-16__paint0_linear_2372_267" x1="8" x2="8" y1="11.333" y2="2" gradientUnits="userSpaceOnUse"><stop stop-color="#0078D4"/><stop offset=".82" stop-color="#5EA0EF"/></linearGradient><linearGradient id="azure-vms-color-16__paint1_linear_2372_267" x1="8" x2="8" y1="14.934" y2="11.333" gradientUnits="userSpaceOnUse"><stop offset=".15" stop-color="#CCC"/><stop offset="1" stop-color="#707070"/></linearGradient></defs></svg>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_687_3454)"/>
+<g clip-path="url(#clip0_687_3454)">
+<path d="M89.5039 111.707H54.497C54.1727 111.707 54.0108 111.221 54.3349 111.059L57.2522 108.952C60.3314 106.683 61.9522 102.631 60.9797 98.7412H83.021C82.0485 102.631 83.6693 106.683 86.7485 108.952L89.6658 111.059C89.99 111.221 89.8279 111.707 89.5039 111.707Z" fill="#B0B6BB"/>
+<path d="M113.328 98.741H30.6725C27.5931 98.741 25 96.148 25 93.0687V33.1032C25 30.0239 27.5931 27.4307 30.6725 27.4307H113.328C116.407 27.4307 119 30.0237 119 33.1032V93.0687C119 96.148 116.407 98.741 113.328 98.741Z" fill="#E8EDEE"/>
+<path d="M119 84.1549H25V33.1032C25 30.0239 27.5931 27.4307 30.6725 27.4307H113.328C116.407 27.4307 119 30.0237 119 33.1032L119 84.1549Z" fill="#00B3FF"/>
+<path d="M90.6374 116.569H53.3616C52.0651 116.569 50.9307 115.435 50.9307 114.138C50.9307 112.841 52.0651 111.707 53.3616 111.707H90.6374C91.9339 111.707 93.0684 112.841 93.0684 114.138C93.0684 115.435 91.9339 116.569 90.6374 116.569Z" fill="#E8EDEE"/>
+</g>
+<path d="M72.5275 53.8367C72.4431 53.8351 72.3605 53.8122 72.2873 53.7701L56.4699 44.7934C56.3983 44.7519 56.3388 44.6923 56.2973 44.6207C56.2559 44.549 56.2338 44.4678 56.2334 44.385C56.2334 44.2169 56.3258 44.0617 56.4699 43.9785L72.1912 35.0609C72.2637 35.021 72.345 35 72.4277 35C72.5105 35 72.5918 35.021 72.6643 35.0609L88.4872 44.0395C88.5591 44.0801 88.6188 44.1392 88.66 44.2107C88.7013 44.2822 88.7227 44.3635 88.7219 44.446C88.7225 44.5285 88.701 44.6097 88.6598 44.6812C88.6185 44.7526 88.5589 44.8118 88.4872 44.8525L72.7714 53.7683C72.6972 53.8114 72.6133 53.8349 72.5275 53.8367" fill="white"/>
+<path opacity="0.7" d="M70.2553 75.6517C70.171 75.6535 70.0878 75.6317 70.0151 75.5888L54.2458 66.6417C54.1715 66.6024 54.1095 66.5436 54.0661 66.4716C54.0228 66.3997 54 66.3173 54 66.2333V48.278C54 48.108 54.0924 47.9546 54.2439 47.8696C54.3172 47.8271 54.4004 47.8047 54.4851 47.8047C54.5697 47.8047 54.6529 47.8271 54.7262 47.8696L70.4937 56.8131C70.5642 56.8565 70.6225 56.917 70.6632 56.9891C70.7039 57.0612 70.7257 57.1424 70.7265 57.2251V75.1805C70.7259 75.2628 70.7042 75.3436 70.6635 75.4151C70.6227 75.4866 70.5642 75.5464 70.4937 75.5888C70.4206 75.6291 70.3387 75.6507 70.2553 75.6517" fill="white"/>
+<path opacity="0.4" d="M74.7198 75.6511C74.6333 75.6512 74.5482 75.6296 74.4722 75.5883C74.4016 75.5461 74.3432 75.4862 74.3027 75.4147C74.2623 75.3431 74.2411 75.2622 74.2412 75.18V57.3373C74.2412 57.171 74.3336 57.0158 74.4722 56.929L90.2397 47.9855C90.3119 47.9438 90.3938 47.9219 90.4771 47.9219C90.5605 47.9219 90.6424 47.9438 90.7146 47.9855C90.7876 48.0255 90.8485 48.0842 90.8911 48.1557C90.9337 48.2272 90.9563 48.3088 90.9566 48.392V66.2328C90.957 66.3164 90.9347 66.3985 90.8921 66.4704C90.8495 66.5424 90.7881 66.6014 90.7146 66.6411L74.9526 75.5883C74.8825 75.6307 74.8018 75.6525 74.7198 75.6511" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_687_3454" x1="161" y1="180" x2="3.59284e-07" y2="4.99998" gradientUnits="userSpaceOnUse">
+<stop/>
+<stop offset="1" stop-color="#595656"/>
+</linearGradient>
+<clipPath id="clip0_687_3454">
+<rect width="94" height="94" fill="white" transform="translate(25 25)"/>
+</clipPath>
+</defs>
+</svg>

packages/apps/vpn/logos/outline.svg

@@ -1,64 +1,11 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   id="Layer_1"
-   data-name="Layer 1"
-   viewBox="0 0 143.508 144"
-   version="1.1"
-   sodipodi:docname="outline.svg"
-   width="143.508"
-   height="144"
-   inkscape:version="1.1.1 (c3084ef, 2021-09-22)"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:dc="http://purl.org/dc/elements/1.1/">
-  <sodipodi:namedview
-     id="namedview852"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageshadow="2"
-     inkscape:pageopacity="0.0"
-     inkscape:pagecheckerboard="0"
-     showgrid="false"
-     inkscape:zoom="1.9719816"
-     inkscape:cx="138.18587"
-     inkscape:cy="77.840481"
-     inkscape:window-width="3440"
-     inkscape:window-height="1387"
-     inkscape:window-x="0"
-     inkscape:window-y="25"
-     inkscape:window-maximized="1"
-     inkscape:current-layer="Layer_1" />
-  <defs
-     id="defs826">
-    <style
-       id="style824">.cls-1{fill:#183729;}.cls-2{fill:#fff;}.cls-3{fill:#5bb193;}</style>
-  </defs>
-  <title
-     id="title828">Outline web assets</title>
-  <path
-     class="cls-1"
-     d="m 143.78,30.5 c 0,-1.11 0,-2.21 0,-3.31 A 48.29,48.29 0 0 0 143.1,20 24,24 0 0 0 140.87,13.17 22.94,22.94 0 0 0 136.63,7.35 l -5.8,-4.23 A 24.37,24.37 0 0 0 124,0.87 46.61,46.61 0 0 0 116.8,0.24 c -1.1,0 -88.47,0 -89.58,0 A 47.07,47.07 0 0 0 20,0.87 23.94,23.94 0 0 0 13.2,3.12 23.28,23.28 0 0 0 7.39,7.35 22.67,22.67 0 0 0 3.16,13.17 24,24 0 0 0 0.92,20 47,47 0 0 0 0.28,27.19 c 0,1.1 0,88.47 0,89.58 a 46.86,46.86 0 0 0 0.64,7.23 23.82,23.82 0 0 0 2.24,6.83 22.57,22.57 0 0 0 4.23,5.8 22.79,22.79 0 0 0 5.81,4.23 24,24 0 0 0 6.8,2.22 48.38,48.38 0 0 0 7.19,0.64 c 1.11,0 88.48,0 89.58,0 a 47.9,47.9 0 0 0 7.18,-0.64 24.4,24.4 0 0 0 6.85,-2.26 22.57,22.57 0 0 0 5.8,-4.23 22.84,22.84 0 0 0 4.24,-5.8 23.8,23.8 0 0 0 2.26,-6.79 48.17,48.17 0 0 0 0.66,-7.19 c 0.02,-1.15 0.04,-85.01 0.02,-86.31 z"
-     id="path830" />
-  <path
-     class="cls-2"
-     d="M 115.84,67.42 A 42.49,42.49 0 0 0 78.68,29.7 v 17.15 a 25.47,25.47 0 0 1 0,50 v 17.2 a 42.5,42.5 0 0 0 37.16,-46.63 z"
-     id="path832" />
-  <path
-     class="cls-3"
-     d="m 28.2,76.33 a 42.5,42.5 0 0 0 37.16,37.72 V 29.7 A 42.5,42.5 0 0 0 28.2,76.33 Z"
-     id="path834" />
-  <metadata
-     id="metadata934">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:title>Outline web assets</dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M143.992 30.3697C143.992 29.2556 143.992 28.1517 143.992 27.0477C143.945 24.6287 143.717 22.2166 143.309 19.8316C142.912 17.4473 142.157 15.1365 141.072 12.9769C139.97 10.818 138.534 8.84665 136.817 7.13577L130.997 2.89044C128.837 1.80289 126.527 1.04189 124.144 0.632283C121.756 0.234808 119.34 0.0234113 116.919 0C115.815 0 28.1461 0 27.0323 0C24.6047 0.0242211 22.1826 0.235609 19.7876 0.632283C17.4128 1.03851 15.1126 1.79974 12.9643 2.89044C10.813 3.99519 8.84625 5.42736 7.13436 7.13577C5.41768 8.8444 3.9848 10.8163 2.88987 12.9769C1.80086 15.136 1.04313 17.4468 0.642193 19.8316C0.243497 22.2169 0.0287998 24.6294 0 27.0477C0 28.1517 0 115.838 0 116.952C0.0261755 119.384 0.240884 121.81 0.642193 124.209C1.04044 126.594 1.79829 128.905 2.88987 131.063C3.98515 133.218 5.4181 135.183 7.13436 136.884C8.84095 138.599 10.8087 140.032 12.9643 141.13C15.1147 142.209 17.4146 142.96 19.7876 143.358C22.1731 143.751 24.5847 143.966 27.0022 144C28.116 144 115.785 144 116.889 144C119.303 143.967 121.712 143.752 124.094 143.358C126.485 142.946 128.801 142.182 130.967 141.089C133.121 139.994 135.086 138.561 136.787 136.844C138.503 135.14 139.939 133.176 141.042 131.023C142.137 128.879 142.901 126.581 143.309 124.209C143.71 121.823 143.932 119.411 143.972 116.992C143.992 115.838 144.012 31.6744 143.992 30.3697Z" fill="url(#paint0_linear_681_2818)"/>
+<path d="M115.955 67.4231C114.941 57.8234 110.701 48.8518 103.928 41.9752C97.1549 35.0986 88.2495 30.7239 78.668 29.5664V46.7786C84.4887 47.9127 89.7338 51.0362 93.5049 55.6137C97.276 60.1912 99.3381 65.9379 99.3381 71.8692C99.3381 77.8004 97.276 83.5471 93.5049 88.1246C89.7338 92.7022 84.4887 95.8256 78.668 96.9598V114.222C89.7801 112.877 99.9178 107.215 106.894 98.4601C113.869 89.7048 117.124 78.5573 115.955 67.4231Z" fill="white"/>
+<path d="M28.0155 76.3654C29.0311 85.9644 33.2718 94.9351 40.0447 101.811C46.8175 108.688 55.722 113.063 65.3028 114.222V29.5664C54.1907 30.9119 44.053 36.5731 37.0772 45.3284C30.1013 54.0837 26.8467 65.2312 28.0155 76.3654Z" fill="#5BB193"/>
+<defs>
+<linearGradient id="paint0_linear_681_2818" x1="132.5" y1="132.5" x2="-24" y2="-19" gradientUnits="userSpaceOnUse">
+<stop stop-color="#183729"/>
+<stop offset="1" stop-color="#459D75"/>
+</linearGradient>
+</defs>
 </svg>

packages/core/installer/Makefile

@@ -30,7 +30,9 @@ image-cozystack:
 		--metadata-file images/cozystack.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/cozystack:$(call settag,$(TAG))" > images/cozystack.tag
+	IMAGE="$(REGISTRY)/cozystack:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/cozystack.json -o json -r)" \
+		yq -i '.cozystack.image = strenv(IMAGE)' values.yaml
+	rm -f images/cozystack.json
 
 image-talos:
 	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
@@ -50,7 +52,6 @@ image-matchbox:
 		--metadata-file images/matchbox.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/matchbox:$(call settag,$(TALOS_VERSION))" > images/matchbox.tag
 
 assets: talos-iso talos-nocloud
 

packages/core/installer/images/cozystack.json

@@ -1,10 +0,0 @@
-{
-  "buildx.build.ref": "cozystack/cozystack0/zk58yqp4vkrfgx3gdjumn9k70",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
-    "digest": "sha256:b92988122fa68adc85751384170a46895b5761cc5bf27e80b0b53b12b89b6d6c",
-    "size": 685
-  },
-  "containerimage.digest": "sha256:b92988122fa68adc85751384170a46895b5761cc5bf27e80b0b53b12b89b6d6c",
-  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest"
-}

packages/core/installer/images/cozystack.tag

@@ -1 +0,0 @@
-ghcr.io/aenix-io/cozystack/cozystack:latest

packages/core/installer/images/matchbox.json

@@ -1,45 +0,0 @@
-{
-  "buildx.build.provenance": {
-    "buildType": "https://mobyproject.org/buildkit@v1",
-    "materials": [
-      {
-        "uri": "pkg:docker/quay.io/poseidon/matchbox@v0.10.0?platform=linux%2Famd64",
-        "digest": {
-          "sha256": "e14cc4a8f6e8f1182fce74d04fe949b6bfc91b04132b3944297661e2c38c9790"
-        }
-      }
-    ],
-    "invocation": {
-      "configSource": {
-        "entryPoint": "Dockerfile"
-      },
-      "parameters": {
-        "frontend": "dockerfile.v0",
-        "locals": [
-          {
-            "name": "context"
-          },
-          {
-            "name": "dockerfile"
-          }
-        ]
-      },
-      "environment": {
-        "platform": "linux/amd64"
-      }
-    }
-  },
-  "buildx.build.ref": "cozystack/cozystack0/qu2ygr61roizh7ga2l4kkmdx6",
-  "containerimage.config.digest": "sha256:94aa5abc006ac672ccdd91b8d9361fd14de6e0b286299f4e44dd09002becc3b7",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:b1e6084402619dde9dcdc8251cd581cbfc3940c885e938547b7b7306376a411e",
-    "size": 1488,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:b1e6084402619dde9dcdc8251cd581cbfc3940c885e938547b7b7306376a411e",
-  "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.10.1,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.10.1"
-}

packages/core/installer/images/matchbox.tag

@@ -1 +0,0 @@
-ghcr.io/aenix-io/cozystack/matchbox:v1.7.1

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.1
+version: v1.7.6
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.1
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.1
+version: v1.7.6
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.1
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.1
+version: v1.7.6
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.1
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.7.1
+version: v1.7.6
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.1
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.7.1
+version: v1.7.6
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.7.1
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/templates/cozystack.yaml

@@ -49,7 +49,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "{{ .Files.Get "images/cozystack.tag" | trim }}@{{ index (.Files.Get "images/cozystack.json" | fromJson) "containerimage.digest" }}"
+        image: "{{ .Values.cozystack.image }}"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -68,7 +68,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "{{ .Files.Get "images/cozystack.tag" | trim }}@{{ index (.Files.Get "images/cozystack.json" | fromJson) "containerimage.digest" }}"
+        image: "{{ .Values.cozystack.image }}"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/core/installer/values.yaml

@@ -0,0 +1,2 @@
+cozystack:
+  image: ghcr.io/aenix-io/cozystack/cozystack:latest@sha256:d4335fc42d14bfca9ff768bad7d48e771bb0cbe9b1aa1141e20535b2d0d8909e

packages/core/platform/bundles/distro-full.yaml

@@ -93,13 +93,13 @@ releases:
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cilium]
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cilium]
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator
@@ -119,6 +119,18 @@ releases:
   namespace: cozy-linstor
   dependsOn: [cilium,cert-manager]
 
+- name: snapshot-controller
+  releaseName: snapshot-controller
+  chart: cozy-snapshot-controller
+  namespace: cozy-snapshot-controller
+  dependsOn: [cilium,cert-manager-issuers]
+
+- name: objectstorage-controller
+  releaseName: objectstorage-controller
+  chart: cozy-objectstorage-controller
+  namespace: cozy-objectstorage-controller
+  dependsOn: [cilium]
+
 - name: linstor
   releaseName: linstor
   chart: cozy-linstor

packages/core/platform/bundles/paas-full.yaml

@@ -155,6 +155,18 @@ releases:
   privileged: true
   dependsOn: [piraeus-operator,cilium,kubeovn,cert-manager]
 
+- name: snapshot-controller
+  releaseName: snapshot-controller
+  chart: cozy-snapshot-controller
+  namespace: cozy-snapshot-controller
+  dependsOn: [cilium,kubeovn,cert-manager-issuers]  
+
+- name: objectstorage-controller
+  releaseName: objectstorage-controller
+  chart: cozy-objectstorage-controller
+  namespace: cozy-objectstorage-controller
+  dependsOn: [cilium,kubeovn]
+
 - name: telepresence
   releaseName: traffic-manager
   chart: cozy-telepresence

packages/core/platform/templates/apps.yaml

@@ -19,6 +19,7 @@ metadata:
     namespace.cozystack.io/etcd: tenant-root
     namespace.cozystack.io/monitoring: tenant-root
     namespace.cozystack.io/ingress: tenant-root
+    namespace.cozystack.io/seaweedfs: tenant-root
     namespace.cozystack.io/host: "{{ $host }}"
   name: tenant-root
 ---

packages/extra/etcd/logos/etcd.svg

@@ -1,8 +1,10 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg width="800px" height="800px" viewBox="0 -4 256 256" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" preserveAspectRatio="xMidYMid">
-    <g>
-        <path d="M252.386416,128.063547 C251.184178,128.164306 249.976215,128.21125 248.692682,128.21125 C241.246821,128.21125 234.023088,126.465143 227.505812,123.267189 C229.675566,110.820018 230.598427,98.2801018 230.356834,85.7859855 C223.291109,75.5658167 215.215504,65.9227222 206.100249,57.0387552 C210.05504,49.6238086 215.901352,43.2439318 223.19951,38.7200816 L226.333344,36.7827608 L223.891083,34.029063 C211.309948,19.8621183 196.294566,8.90915678 179.270875,1.47703537 L175.875983,0 L175.013807,3.58839447 C172.983742,11.9513917 168.740414,19.4957219 162.914712,25.550422 C151.717868,19.5987709 140.020663,14.7886736 127.958208,11.1453196 C115.924377,14.7806586 104.247783,19.5770161 93.0555185,25.5195073 C87.253861,19.4728222 83.0208379,11.9468117 80.9987879,3.60785927 L80.1308865,0.0206097959 L76.74859,1.49077524 C59.9390115,8.81526771 44.5102892,20.0647813 32.1352518,34.0210481 L29.686121,36.7804708 L32.81652,38.7177916 C40.091778,43.224467 45.9220603,49.5665592 49.8699812,56.9414311 C40.7822062,65.7910485 32.715761,75.4032283 25.6557609,85.5764526 C25.3809637,98.0648439 26.25688,110.696359 28.4369384,123.315279 C21.9517226,126.483463 14.7680638,128.210105 7.37143701,128.210105 C6.07301986,128.210105 4.85818689,128.163161 3.67770358,128.064692 L0,127.78417 L0.344641587,131.456148 C2.14685374,150.033589 7.91530662,167.703054 17.4988617,183.979068 L19.3697732,187.155267 L22.1784304,184.7714 C28.6876909,179.250265 36.552618,175.594316 44.9156152,174.120716 C50.4287356,185.393129 56.9631859,195.984274 64.3758425,205.817437 C76.2035754,209.954281 88.5270884,213.042315 101.253637,214.880022 C102.474195,223.296834 101.5021,232.002183 98.1816328,240.051453 L96.7813116,243.462374 L100.382301,244.254706 C109.602895,246.282481 118.904783,247.315261 128.013167,247.315261 L155.636019,244.254706 L159.240443,243.462374 L157.836687,240.044583 C154.52538,231.995313 153.553284,223.279659 154.773842,214.861702 C167.450012,213.022851 179.727725,209.941686 191.511949,205.817437 C198.931475,195.976259 205.47165,185.378244 210.993931,174.090946 C219.383263,175.555387 227.292844,179.213625 233.842179,184.750791 L236.650837,187.131222 L238.512588,183.963038 C248.113318,167.666415 253.880626,149.998095 255.655358,131.450423 L256,127.785315 L252.386416,128.063547 L252.386416,128.063547 Z M167.490086,172.959697 C154.422331,176.513742 141.150767,178.307939 127.958208,178.307939 C114.730154,178.307939 101.47462,176.514887 88.3954147,172.959697 C81.2197707,161.809798 75.5463519,149.865276 71.4633223,137.289866 C67.3974676,124.772849 65.0181812,111.659294 64.327753,98.156443 C72.7743344,87.7130014 82.3796442,78.564542 92.9925442,70.8633483 C103.777192,63.019031 115.509891,56.6460241 127.958208,51.8519565 C140.385915,56.6471691 152.096859,63.011016 162.856317,70.8221287 C173.510437,78.564542 183.158111,87.7839907 191.645912,98.2926967 C190.922279,111.718834 188.514368,124.75682 184.441644,137.253226 C180.368919,149.826346 174.67718,161.808653 167.490086,172.959697 L167.490086,172.959697 Z M138.750871,109.962421 C138.750871,119.194465 146.232227,126.662081 155.451676,126.662081 C164.668834,126.662081 172.142175,119.19561 172.142175,109.962421 C172.142175,100.765872 164.668834,93.2696314 155.451676,93.2696314 C146.232227,93.2696314 138.750871,100.765872 138.750871,109.962421 L138.750871,109.962421 Z M117.172415,109.962421 C117.172415,119.194465 109.692204,126.662081 100.472755,126.662081 C91.2464364,126.662081 83.7868353,119.19561 83.7868353,109.962421 C83.7868353,100.769307 91.2475814,93.2730664 100.472755,93.2730664 C109.692204,93.2730664 117.172415,100.769307 117.172415,109.962421 L117.172415,109.962421 Z" fill="#419EDA">
-
-</path>
-    </g>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect x="-0.00195312" width="144" height="144" rx="24" fill="url(#paint0_linear_683_2963)"/>
+<path d="M122.442 73.4729C121.959 73.5134 121.474 73.5322 120.958 73.5322C117.965 73.5322 115.061 72.8304 112.442 71.5451C113.314 66.5421 113.685 61.5019 113.588 56.4802C110.748 52.3723 107.502 48.4965 103.838 44.9257C105.428 41.9454 107.778 39.3811 110.711 37.5628L111.971 36.7842L110.989 35.6774C105.932 29.9832 99.8971 25.5809 93.0547 22.5937L91.6902 22L91.3437 23.4423C90.5277 26.8036 88.8222 29.836 86.4807 32.2695C81.9803 29.8774 77.2788 27.944 72.4305 26.4797C67.5937 27.9408 62.9005 29.8686 58.402 32.2571C56.0701 29.8268 54.3688 26.8018 53.556 23.4501L53.2072 22.0083L51.8477 22.5992C45.0914 25.5431 38.8901 30.0647 33.9162 35.6742L32.9318 36.7833L34.19 37.5619C37.1142 39.3733 39.4576 41.9224 41.0444 44.8866C37.3917 48.4435 34.1495 52.307 31.3119 56.3959C31.2014 61.4154 31.5535 66.4924 32.4297 71.5644C29.8231 72.8378 26.9358 73.5318 23.9628 73.5318C23.4409 73.5318 22.9527 73.5129 22.4782 73.4733L21 73.3606L21.1385 74.8365C21.8629 82.3033 24.1814 89.4053 28.0334 95.9471L28.7853 97.2237L29.9142 96.2656C32.5305 94.0465 35.6917 92.577 39.053 91.9847C41.2689 96.5155 43.8953 100.772 46.8747 104.725C51.6287 106.387 56.5819 107.629 61.6971 108.367C62.1877 111.75 61.797 115.249 60.4624 118.484L59.8995 119.855L61.3469 120.174C65.0529 120.989 68.7917 121.404 72.4526 121.404L83.5551 120.174L85.0039 119.855L84.4397 118.482C83.1087 115.246 82.718 111.743 83.2086 108.36C88.3036 107.621 93.2384 106.382 97.9748 104.725C100.957 100.769 103.586 96.5095 105.805 91.9728C109.177 92.5614 112.356 94.0317 114.989 96.2573L116.118 97.2141L116.866 95.9407C120.725 89.3905 123.043 82.2891 123.756 74.8342L123.895 73.361L122.442 73.4729ZM88.3197 91.5181C83.0673 92.9466 77.733 93.6677 72.4305 93.6677C67.1137 93.6677 61.7859 92.947 56.529 91.5181C53.6448 87.0366 51.3645 82.2357 49.7234 77.1812C48.0892 72.1502 47.1329 66.8795 46.8554 61.4522C50.2504 57.2547 54.111 53.5776 58.3767 50.4823C62.7114 47.3294 67.4271 44.7679 72.4305 42.841C77.4256 44.7683 82.1326 47.3262 86.4572 50.4657C90.7394 53.5776 94.6171 57.2832 98.0287 61.507C97.7378 66.9034 96.77 72.1438 95.133 77.1665C93.4961 82.22 91.2084 87.0361 88.3197 91.5181ZM76.7684 66.1974C76.7684 69.9081 79.7754 72.9096 83.481 72.9096C87.1857 72.9096 90.1895 69.9086 90.1895 66.1974C90.1895 62.501 87.1857 59.4881 83.481 59.4881C79.7754 59.4881 76.7684 62.501 76.7684 66.1974ZM68.0954 66.1974C68.0954 69.9081 65.0888 72.9096 61.3832 72.9096C57.6749 72.9096 54.6766 69.9086 54.6766 66.1974C54.6766 62.5024 57.6753 59.4894 61.3832 59.4894C65.0888 59.4894 68.0954 62.5024 68.0954 66.1974Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_683_2963" x1="5.5" y1="11" x2="141" y2="124.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#53B2F0"/>
+<stop offset="1" stop-color="#419EDA"/>
+</linearGradient>
+</defs>
+</svg>

packages/extra/ingress/logos/ingress-nginx.svg

@@ -1,57 +1,16 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Generator: Adobe Illustrator 24.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 318 361" style="enable-background:new 0 0 318 361;" xml:space="preserve">
-<style type="text/css">
-	.st0{fill:#FFFFFF;}
-	.st1{fill:#989898;}
-	.st2{fill:#009639;}
-	.st3{fill:none;stroke:#FFFFFF;stroke-width:12.0483;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}
-	.st4{fill:none;stroke:#FFFFFF;stroke-width:8.0121;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}
-</style>
-<g id="Art">
-</g>
-<g id="Layer_1">
-</g>
-<g id="_x3C_Layer_x3E_">
-	<g>
-		<path class="st1" d="M300.4747,326.5712h2.2967v-5.1155h1.8168c1.201,0,2.0626,0.1171,2.5518,0.4261
-			c0.803,0.4706,1.2128,1.4796,1.2128,2.9756v1.0489l0.0515,0.391c0.0281,0.0866,0.0281,0.1217,0.0352,0.1639
-			c0.0117,0.0632,0.0164,0.0819,0.0515,0.11h2.1281l-0.0773-0.1452c-0.0632-0.0983-0.0983-0.3207-0.103-0.6649
-			c-0.0305-0.3676-0.0305-0.6813-0.0305-0.9716v-0.9692c0-0.6508-0.2434-1.3157-0.7117-2.0275
-			c-0.4823-0.6859-1.2408-1.0933-2.2663-1.2736c0.8101-0.1358,1.4469-0.3512,1.8893-0.6134
-			c0.8686-0.5478,1.2689-1.4375,1.2689-2.5753c0-1.6365-0.6461-2.7556-2.0087-3.3034c-0.7515-0.3091-1.9291-0.4659-3.5609-0.4659
-			h-4.5442V326.5712z M307.0066,319.5571c-0.4612,0.199-1.194,0.2903-2.1843,0.2903h-2.0508v-4.7362h1.9572
-			c1.2689,0,2.189,0.1803,2.7603,0.508c0.5829,0.3254,0.8639,0.9552,0.8639,1.8987
-			C308.3528,318.5246,307.9149,319.1848,307.0066,319.5571 M313.6766,311.7375c-2.3365-2.3061-5.1319-3.4485-8.4353-3.4485
-			c-3.2332,0-6.0543,1.1425-8.3369,3.4485c-2.3365,2.3131-3.4673,5.1108-3.4673,8.3954c0,3.28,1.1191,6.0894,3.4251,8.3908
-			c2.2896,2.3365,5.1154,3.4954,8.3791,3.4954c3.3034,0,6.0988-1.1589,8.4353-3.4954c2.2897-2.3131,3.4719-5.1342,3.4719-8.3908
-			C317.1485,316.8249,315.9663,314.0506,313.6766,311.7375 M312.4709,312.9152c1.9993,1.9525,2.9779,4.3874,2.9779,7.2178
-			c0,2.8024-0.9786,5.2559-2.9779,7.253c-1.969,1.9876-4.3874,3.0084-7.2296,3.0084c-2.8211,0-5.2255-1.0208-7.2202-3.0084
-			c-1.9572-1.997-2.9639-4.4506-2.9639-7.253c0-2.8305,1.0067-5.2653,2.9639-7.2178c2.0228-2.0321,4.4178-3.0295,7.2202-3.0295
-			C308.0718,309.8857,310.4785,310.883,312.4709,312.9152"/>
-		<g>
-			<g>
-				<path class="st2" d="M3.1127,270.0055c1.6927,2.9361,4.0792,5.2265,6.8321,6.7797l139.7648,80.6932l0.0044-0.0044
-					c2.7267,1.6055,5.8984,2.526,9.2883,2.526c3.3899,0,6.5659-0.9205,9.2883-2.526l139.7691-80.6932
-					c2.7529-1.5531,5.1306-3.8392,6.8277-6.7753c1.6971-2.9361,2.4868-6.1427,2.4562-9.3057V99.3134l-0.0044-0.0044
-					c0.0262-3.1586-0.7635-6.3696-2.4562-9.3057c-1.6971-2.9361-4.0835-5.2222-6.832-6.7797L168.2817,2.5304V2.526
-					C165.5594,0.9205,162.3877,0,158.9978,0c-3.3855,0-6.5572,0.9205-9.2796,2.526v0.0044L9.9535,83.2236
-					c-2.7529,1.5575-5.1393,3.8436-6.8364,6.7797c-1.6927,2.9361-2.4824,6.1471-2.4562,9.3057l-0.0044,0.0044v161.3864
-					c-0.0305,3.163,0.7591,6.3696,2.4519,9.3057"/>
-			</g>
-			<g>
-				<rect x="61.8437" y="119.0382" class="st3" width="122.8067" height="122.8067"/>
-				<rect x="220.7016" y="104.7989" class="st4" width="35.4548" height="35.4548"/>
-				<rect x="220.7016" y="162.2726" class="st4" width="35.4548" height="35.4548"/>
-				<rect x="220.7016" y="219.7462" class="st4" width="35.4548" height="35.4548"/>
-				<g>
-					<line class="st4" x1="187.4357" y1="180.4416" x2="218.6188" y2="180.4416"/>
-					<line class="st4" x1="185.7747" y1="195.1123" x2="221.1852" y2="222.0801"/>
-					<line class="st4" x1="185.7747" y1="165.7709" x2="221.1852" y2="138.803"/>
-				</g>
-			</g>
-		</g>
-	</g>
-</g>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_684_3229)"/>
+<path d="M86.9274 37.1074H17V107.035H86.9274V37.1074Z" stroke="white" stroke-width="6" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M127.643 29H107.455V49.1883H127.643V29Z" stroke="white" stroke-width="4" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M127.643 61.7266H107.455V81.9149H127.643V61.7266Z" stroke="white" stroke-width="4" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M127.643 94.4521H107.455V114.64H127.643V94.4521Z" stroke="white" stroke-width="4" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M88.5137 72.0713H106.27" stroke="white" stroke-width="3" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M87.5674 80.4248L107.73 95.7805" stroke="white" stroke-width="3" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>
+<path d="M87.5674 63.7181L107.73 48.3623" stroke="white" stroke-width="3" stroke-miterlimit="10" stroke-linecap="round" stroke-linejoin="round"/>
+<defs>
+<linearGradient id="paint0_linear_684_3229" x1="10" y1="15.5" x2="144" y2="131.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#00DA53"/>
+<stop offset="1" stop-color="#009639"/>
+</linearGradient>
+</defs>
 </svg>

packages/extra/monitoring/logos/monitoring.svg

@@ -1,51 +1,36 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
-<svg height="800px" width="800px" version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" 
-	 viewBox="0 0 512 512" xml:space="preserve">
-<path style="fill:#B0B6BB;" d="M351.338,472.276H160.662c-1.766,0-2.648-2.648-0.883-3.531l15.89-11.476
-	c16.772-12.359,25.6-34.428,20.303-55.614h120.055l0,0c-5.297,21.186,3.531,43.255,20.303,55.614l15.89,11.476
-	C353.986,469.628,353.103,472.276,351.338,472.276"/>
-<path style="fill:#E8EDEE;" d="M481.103,401.655H30.897C14.124,401.655,0,387.531,0,370.759V44.138
-	c0-16.772,14.124-30.897,30.897-30.897h450.207c16.772,0,30.897,14.124,30.897,30.897v326.621
-	C512,387.531,497.876,401.655,481.103,401.655"/>
-<path style="fill:#38454F;" d="M512,322.207H0V44.138c0-16.772,14.124-30.897,30.897-30.897h450.207
-	c16.772,0,30.897,14.124,30.897,30.897V322.207z"/>
-<path style="fill:#E8EDEE;" d="M357.517,498.759H154.483c-7.062,0-13.241-6.179-13.241-13.241s6.179-13.241,13.241-13.241h203.034
-	c7.062,0,13.241,6.179,13.241,13.241S364.579,498.759,357.517,498.759"/>
-<path style="fill:#DD342E;" d="M158.897,75.034H44.138c-5.297,0-8.828-3.531-8.828-8.828c0-5.297,3.531-8.828,8.828-8.828h114.759
-	c5.297,0,8.828,3.531,8.828,8.828C167.724,71.503,164.193,75.034,158.897,75.034"/>
-<path style="fill:#7383BF;" d="M211.862,110.345H88.276c-5.297,0-8.828-3.531-8.828-8.828s3.531-8.828,8.828-8.828h123.586
-	c5.297,0,8.828,3.531,8.828,8.828S217.159,110.345,211.862,110.345"/>
-<path style="fill:#42B05C;" d="M52.966,110.345h-8.828c-5.297,0-8.828-3.531-8.828-8.828s3.531-8.828,8.828-8.828h8.828
-	c5.297,0,8.828,3.531,8.828,8.828S58.262,110.345,52.966,110.345"/>
-<path style="fill:#ECBA16;" d="M211.862,75.034h-17.655c-5.297,0-8.828-3.531-8.828-8.828c0-5.297,3.531-8.828,8.828-8.828h17.655
-	c5.297,0,8.828,3.531,8.828,8.828C220.69,71.503,217.159,75.034,211.862,75.034"/>
-<path style="fill:#DD342E;" d="M123.586,145.655H44.138c-5.297,0-8.828-3.531-8.828-8.828S38.841,128,44.138,128h79.448
-	c5.297,0,8.828,3.531,8.828,8.828S128.883,145.655,123.586,145.655"/>
-<path style="fill:#ECBA16;" d="M211.862,145.655h-52.966c-5.297,0-8.828-3.531-8.828-8.828S153.6,128,158.897,128h52.966
-	c5.297,0,8.828,3.531,8.828,8.828S217.159,145.655,211.862,145.655"/>
-<path style="fill:#42B05C;" d="M158.897,180.966H44.138c-5.297,0-8.828-3.531-8.828-8.828s3.531-8.828,8.828-8.828h114.759
-	c5.297,0,8.828,3.531,8.828,8.828S164.193,180.966,158.897,180.966"/>
-<path style="fill:#ECBA16;" d="M211.862,216.276H88.276c-5.297,0-8.828-3.531-8.828-8.828s3.531-8.828,8.828-8.828h123.586
-	c5.297,0,8.828,3.531,8.828,8.828S217.159,216.276,211.862,216.276"/>
-<path style="fill:#DD342E;" d="M52.966,216.276h-8.828c-5.297,0-8.828-3.531-8.828-8.828s3.531-8.828,8.828-8.828h8.828
-	c5.297,0,8.828,3.531,8.828,8.828S58.262,216.276,52.966,216.276"/>
-<path style="fill:#42B05C;" d="M123.586,251.586H44.138c-5.297,0-8.828-3.531-8.828-8.828s3.531-8.828,8.828-8.828h79.448
-	c5.297,0,8.828,3.531,8.828,8.828S128.883,251.586,123.586,251.586"/>
-<path style="fill:#7383BF;" d="M211.862,251.586h-52.966c-5.297,0-8.828-3.531-8.828-8.828s3.531-8.828,8.828-8.828h52.966
-	c5.297,0,8.828,3.531,8.828,8.828S217.159,251.586,211.862,251.586"/>
-<path style="fill:#ECBA16;" d="M158.897,286.897H44.138c-5.297,0-8.828-3.531-8.828-8.828c0-5.297,3.531-8.828,8.828-8.828h114.759
-	c5.297,0,8.828,3.531,8.828,8.828C167.724,283.366,164.193,286.897,158.897,286.897"/>
-<path style="fill:#42B05C;" d="M211.862,286.897h-17.655c-5.297,0-8.828-3.531-8.828-8.828c0-5.297,3.531-8.828,8.828-8.828h17.655
-	c5.297,0,8.828,3.531,8.828,8.828C220.69,283.366,217.159,286.897,211.862,286.897"/>
-<path style="fill:#DD342E;" d="M414.897,286.897H300.138c-5.297,0-8.828-3.531-8.828-8.828c0-5.297,3.531-8.828,8.828-8.828h114.759
-	c5.297,0,8.828,3.531,8.828,8.828C423.724,283.366,420.193,286.897,414.897,286.897"/>
-<path style="fill:#42B05C;" d="M467.862,286.897h-17.655c-5.297,0-8.828-3.531-8.828-8.828c0-5.297,3.531-8.828,8.828-8.828h17.655
-	c5.297,0,8.828,3.531,8.828,8.828C476.69,283.366,473.159,286.897,467.862,286.897"/>
-<path style="fill:#7383BF;" d="M211.862,180.966h-17.655c-5.297,0-8.828-3.531-8.828-8.828s3.531-8.828,8.828-8.828h17.655
-	c5.297,0,8.828,3.531,8.828,8.828S217.159,180.966,211.862,180.966"/>
-<path style="fill:#ECBA16;" d="M476.69,145.655c0,48.552-39.724,88.276-88.276,88.276s-88.276-39.724-88.276-88.276
-	s39.724-88.276,88.276-88.276S476.69,97.103,476.69,145.655"/>
-<path style="fill:#42B05C;" d="M300.138,145.655c0,2.648,0,6.179,0,8.828h88.276V57.379
-	C339.862,57.379,300.138,97.103,300.138,145.655"/>
-</svg>
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_687_3268)"/>
+<g clip-path="url(#clip0_687_3268)">
+<path d="M89.5039 111.707H54.497C54.1727 111.707 54.0108 111.221 54.3349 111.059L57.2522 108.952C60.3314 106.683 61.9522 102.631 60.9797 98.7412H83.021C82.0485 102.631 83.6693 106.683 86.7485 108.952L89.6658 111.059C89.99 111.221 89.8279 111.707 89.5039 111.707Z" fill="#B0B6BB"/>
+<path d="M113.328 98.741H30.6725C27.5931 98.741 25 96.148 25 93.0687V33.1032C25 30.0239 27.5931 27.4307 30.6725 27.4307H113.328C116.407 27.4307 119 30.0237 119 33.1032V93.0687C119 96.148 116.407 98.741 113.328 98.741Z" fill="#E8EDEE"/>
+<path d="M119 84.1549H25V33.1032C25 30.0239 27.5931 27.4307 30.6725 27.4307H113.328C116.407 27.4307 119 30.0237 119 33.1032L119 84.1549Z" fill="#38454F"/>
+<path d="M90.6374 116.569H53.3616C52.0651 116.569 50.9307 115.435 50.9307 114.138C50.9307 112.841 52.0651 111.707 53.3616 111.707H90.6374C91.9339 111.707 93.0684 112.841 93.0684 114.138C93.0684 115.435 91.9339 116.569 90.6374 116.569Z" fill="#E8EDEE"/>
+<path d="M54.1722 38.7757H33.1032C32.1307 38.7757 31.4824 38.1274 31.4824 37.1549C31.4824 36.1824 32.1307 35.5342 33.1032 35.5342H54.1722C55.1447 35.5342 55.793 36.1824 55.793 37.1549C55.7928 38.1274 55.1445 38.7757 54.1722 38.7757Z" fill="#DD342E"/>
+<path d="M63.8963 45.2591H41.2067C40.2342 45.2591 39.5859 44.6108 39.5859 43.6383C39.5859 42.6658 40.2342 42.0176 41.2067 42.0176H63.8963C64.8688 42.0176 65.5171 42.6658 65.5171 43.6383C65.5171 44.6108 64.8688 45.2591 63.8963 45.2591Z" fill="#7383BF"/>
+<path d="M34.724 45.2591H33.1032C32.1307 45.2591 31.4824 44.6108 31.4824 43.6383C31.4824 42.6658 32.1307 42.0176 33.1032 42.0176H34.724C35.6964 42.0176 36.3447 42.6658 36.3447 43.6383C36.3447 44.6108 35.6963 45.2591 34.724 45.2591Z" fill="#42B05C"/>
+<path d="M63.8963 38.7757H60.6549C59.6824 38.7757 59.0342 38.1274 59.0342 37.1549C59.0342 36.1824 59.6824 35.5342 60.6549 35.5342H63.8963C64.8688 35.5342 65.5171 36.1824 65.5171 37.1549C65.5171 38.1274 64.8688 38.7757 63.8963 38.7757Z" fill="#ECBA16"/>
+<path d="M47.6893 51.7413H33.1032C32.1307 51.7413 31.4824 51.0931 31.4824 50.1206C31.4824 49.1481 32.1307 48.5 33.1032 48.5H47.6893C48.6618 48.5 49.3101 49.1483 49.3101 50.1208C49.3101 51.0933 48.6618 51.7413 47.6893 51.7413Z" fill="#DD342E"/>
+<path d="M63.8968 51.7413H54.1725C53.2 51.7413 52.5518 51.0931 52.5518 50.1206C52.5518 49.1481 53.2002 48.5 54.1727 48.5H63.8969C64.8694 48.5 65.5177 49.1483 65.5177 50.1208C65.5177 51.0933 64.8692 51.7413 63.8968 51.7413Z" fill="#ECBA16"/>
+<path d="M54.1722 58.224H33.1032C32.1307 58.224 31.4824 57.5757 31.4824 56.6032C31.4824 55.6307 32.1307 54.9824 33.1032 54.9824H54.1722C55.1447 54.9824 55.793 55.6307 55.793 56.6032C55.793 57.5757 55.1445 58.224 54.1722 58.224Z" fill="#42B05C"/>
+<path d="M63.8963 64.7074H41.2067C40.2342 64.7074 39.5859 64.0591 39.5859 63.0866C39.5859 62.1141 40.2342 61.4658 41.2067 61.4658H63.8963C64.8688 61.4658 65.5171 62.1141 65.5171 63.0866C65.5171 64.0591 64.8688 64.7074 63.8963 64.7074Z" fill="#ECBA16"/>
+<path d="M34.724 64.7074H33.1032C32.1307 64.7074 31.4824 64.0591 31.4824 63.0866C31.4824 62.1141 32.1307 61.4658 33.1032 61.4658H34.724C35.6964 61.4658 36.3447 62.1141 36.3447 63.0866C36.3447 64.0591 35.6963 64.7074 34.724 64.7074Z" fill="#DD342E"/>
+<path d="M47.6893 71.1898H33.1032C32.1307 71.1898 31.4824 70.5415 31.4824 69.569C31.4824 68.5965 32.1307 67.9482 33.1032 67.9482H47.6893C48.6618 67.9482 49.3101 68.5965 49.3101 69.569C49.3101 70.5415 48.6618 71.1898 47.6893 71.1898Z" fill="#42B05C"/>
+<path d="M63.8968 71.1898H54.1725C53.2 71.1898 52.5518 70.5415 52.5518 69.569C52.5518 68.5965 53.2 67.9482 54.1725 67.9482H63.8968C64.8692 67.9482 65.5175 68.5965 65.5175 69.569C65.5175 70.5415 64.8692 71.1898 63.8968 71.1898Z" fill="#7383BF"/>
+<path d="M54.1722 77.6722H33.1032C32.1307 77.6722 31.4824 77.0239 31.4824 76.0514C31.4824 75.0789 32.1307 74.4307 33.1032 74.4307H54.1722C55.1447 74.4307 55.793 75.0789 55.793 76.0514C55.7928 77.0239 55.1445 77.6722 54.1722 77.6722Z" fill="#ECBA16"/>
+<path d="M63.8963 77.6722H60.6549C59.6824 77.6722 59.0342 77.0239 59.0342 76.0514C59.0342 75.0789 59.6824 74.4307 60.6549 74.4307H63.8963C64.8688 74.4307 65.5171 75.0789 65.5171 76.0514C65.5171 77.0239 64.8688 77.6722 63.8963 77.6722Z" fill="#42B05C"/>
+<path d="M101.172 77.6722H80.1032C79.1307 77.6722 78.4824 77.0239 78.4824 76.0514C78.4824 75.0789 79.1307 74.4307 80.1032 74.4307H101.172C102.145 74.4307 102.793 75.0789 102.793 76.0514C102.793 77.0239 102.145 77.6722 101.172 77.6722Z" fill="#DD342E"/>
+<path d="M110.896 77.6722H107.655C106.682 77.6722 106.034 77.0239 106.034 76.0514C106.034 75.0789 106.682 74.4307 107.655 74.4307H110.896C111.869 74.4307 112.517 75.0789 112.517 76.0514C112.517 77.0239 111.869 77.6722 110.896 77.6722Z" fill="#42B05C"/>
+<path d="M63.8963 58.224H60.6549C59.6824 58.224 59.0342 57.5757 59.0342 56.6032C59.0342 55.6307 59.6824 54.9824 60.6549 54.9824H63.8963C64.8688 54.9824 65.5171 55.6307 65.5171 56.6032C65.5171 57.5757 64.8688 58.224 63.8963 58.224Z" fill="#7383BF"/>
+<path d="M112.517 51.7411C112.517 60.6549 105.224 67.948 96.3104 67.948C87.3966 67.948 80.1035 60.6549 80.1035 51.7411C80.1035 42.8273 87.3966 35.5342 96.3104 35.5342C105.224 35.5342 112.517 42.8273 112.517 51.7411Z" fill="#ECBA16"/>
+<path d="M80.1035 51.7411C80.1035 52.2273 80.1035 52.8755 80.1035 53.3619H96.3104V35.5342C87.3966 35.5342 80.1035 42.8273 80.1035 51.7411Z" fill="#42B05C"/>
+</g>
+<defs>
+<linearGradient id="paint0_linear_687_3268" x1="1.23239e-06" y1="-9.50001" x2="168" y2="162" gradientUnits="userSpaceOnUse">
+<stop stop-color="#8FDDFF"/>
+<stop offset="1" stop-color="#0075FF"/>
+</linearGradient>
+<clipPath id="clip0_687_3268">
+<rect width="94" height="94" fill="white" transform="translate(25 25)"/>
+</clipPath>
+</defs>
+</svg>

packages/extra/monitoring/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  resourceNames:
+  - grafana-ingress
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - grafana-admin-password
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - grafana-service
+  verbs: ["get", "list", "watch"]

packages/extra/monitoring/templates/grafana/db.yaml

@@ -6,3 +6,7 @@ spec:
   instances: 2
   storage:
     size: 10Gi
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"

packages/extra/monitoring/templates/oncall/oncall-db.yaml

@@ -8,4 +8,8 @@ spec:
   instances: 2
   storage:
     size: 10Gi
+
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"
 {{- end }}

packages/extra/seaweedfs/.helmignore

@@ -0,0 +1,3 @@
+.helmignore
+/logos
+/Makefile

packages/extra/seaweedfs/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: seaweedfs
+description: Seaweedfs
+icon: /logos/seaweedfs.svg
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "3.71"

packages/extra/seaweedfs/Makefile

@@ -0,0 +1,2 @@
+generate:
+	readme-generator -v values.yaml -s values.schema.json -r README.md

packages/extra/seaweedfs/README.md

@@ -0,0 +1,12 @@
+# Managed NATS Service
+
+## Parameters
+
+### Common parameters
+
+| Name       | Description                                                                                               | Value |
+| ---------- | --------------------------------------------------------------------------------------------------------- | ----- |
+| `host`     | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`  |
+| `replicas` | Persistent Volume size for NATS                                                                           | `2`   |
+| `size`     | Persistent Volume size                                                                                    | `4Gi` |
+

packages/extra/seaweedfs/logos/seaweedfs.svg

@@ -0,0 +1,50 @@
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_679_1910)"/>
+<path d="M138.685 121.057C138.685 126.652 136.462 132.017 132.504 135.973C128.547 139.929 123.179 142.151 117.582 142.151C111.985 142.151 106.618 139.929 102.66 135.973C98.7028 132.017 96.4795 126.652 96.4795 121.057C96.4795 118.287 97.0253 115.544 98.0858 112.985C99.1463 110.425 100.701 108.1 102.66 106.141C104.62 104.182 106.946 102.629 109.507 101.569C112.067 100.509 114.811 99.9629 117.582 99.9629C120.353 99.9629 123.098 100.509 125.658 101.569C128.218 102.629 130.544 104.182 132.504 106.141C134.464 108.1 136.018 110.425 137.079 112.985C138.139 115.544 138.685 118.287 138.685 121.057Z" fill="url(#paint1_radial_679_1910)"/>
+<path d="M110.336 126.147H123.68V136.823H110.336V126.147Z" fill="#0F5E9C"/>
+<path d="M119.27 112.294C119.27 112.714 119.178 113.131 119 113.519C118.821 113.908 118.56 114.261 118.23 114.558C117.901 114.855 117.509 115.091 117.079 115.252C116.648 115.413 116.186 115.496 115.72 115.496C114.778 115.496 113.875 115.158 113.21 114.558C112.544 113.957 112.17 113.143 112.17 112.294C112.17 111.445 112.544 110.63 113.21 110.03C113.875 109.429 114.778 109.092 115.72 109.092C116.186 109.092 116.648 109.175 117.079 109.336C117.509 109.496 117.901 109.732 118.23 110.03C118.56 110.327 118.821 110.68 119 111.068C119.178 111.457 119.27 111.873 119.27 112.294Z" fill="#59686F"/>
+<path d="M128.11 114.103C128.11 114.953 127.736 115.767 127.07 116.368C126.404 116.968 125.501 117.305 124.56 117.305C124.094 117.305 123.632 117.223 123.201 117.062C122.771 116.901 122.379 116.665 122.05 116.368C121.72 116.07 121.458 115.717 121.28 115.329C121.102 114.94 121.01 114.524 121.01 114.103C121.01 113.683 121.102 113.266 121.28 112.878C121.458 112.49 121.72 112.137 122.05 111.839C122.379 111.542 122.771 111.306 123.201 111.145C123.632 110.984 124.094 110.901 124.56 110.901C125.501 110.901 126.404 111.239 127.07 111.839C127.736 112.44 128.11 113.254 128.11 114.103Z" fill="#59686F"/>
+<path d="M122.333 118.976C122.333 119.826 121.958 120.64 121.293 121.241C120.627 121.841 119.724 122.178 118.782 122.178C118.316 122.178 117.855 122.096 117.424 121.935C116.993 121.774 116.602 121.538 116.272 121.241C115.943 120.943 115.681 120.59 115.503 120.202C115.324 119.813 115.232 119.397 115.232 118.976C115.232 118.556 115.324 118.14 115.503 117.751C115.681 117.363 115.943 117.01 116.272 116.712C116.602 116.415 116.993 116.179 117.424 116.018C117.855 115.857 118.316 115.774 118.782 115.774C119.724 115.774 120.627 116.112 121.293 116.712C121.958 117.313 122.333 118.127 122.333 118.976Z" fill="#59686F"/>
+<path d="M115.308 121.905C113.735 121.426 115.707 120.68 115.429 120.573C114.653 120.276 115.73 119.333 116.74 118.539C117.628 117.841 117.659 117.839 117.892 118.468C118.024 118.823 118.371 119.206 118.665 119.319C119.289 119.558 120.951 119.269 120.951 118.835C120.951 118.223 121.415 118.699 121.794 119.531C122.457 120.987 122.437 122.472 121.45 122.472C120.859 122.472 120.31 122.691 120.19 123.147C115.046 124.6 116.471 123.284 115.308 121.905ZM123.094 118.054C121.609 117.466 120.547 114.838 120.547 113.309C120.547 111.323 122.541 109.095 124.317 109.095C128.315 109.095 130.684 112.261 128.838 118.409C128.385 119.919 123.933 118.387 123.094 118.054ZM125.866 115.649C127.544 114.474 125.857 111.755 123.981 112.61C122.479 113.294 123.119 116.115 124.77 116.164C124.961 116.169 125.454 115.938 125.866 115.649ZM124.339 114.579C123.771 114.381 123.803 113.256 124.383 113.034C124.902 112.835 125.604 113.398 125.604 114.014C125.604 114.489 124.936 114.787 124.339 114.579ZM112.319 116.98C109.96 115.67 110.286 111.006 112.417 108.965C114.396 107.069 118.778 107.103 119.764 109.462C120.415 111.021 120.228 112.6 119.398 114.077C118.194 116.219 114.242 118.049 112.319 116.98ZM116.56 113.593C117.325 112.901 117.297 112.06 116.572 111.259C115.777 110.379 114.692 110.345 114.035 111.347C113.524 112.127 113.431 112.528 113.943 113.309C114.58 114.28 115.67 114.399 116.56 113.593ZM114.374 112.34C114.128 111.698 114.985 110.981 115.68 111.247C115.974 111.36 116.164 111.718 116.102 112.044C115.961 112.785 114.632 113.012 114.374 112.34Z" fill="#D3D6DA"/>
+<path d="M118.463 121.008L117.945 120.78C117.51 120.685 117.231 121.107 117.136 121.543L116.881 122.709C116.786 123.145 117.061 123.571 117.496 123.666L118.447 123.874C118.882 123.969 119.311 123.694 119.406 123.259L119.685 121.556C119.78 121.12 119.479 121.228 119.043 121.133L118.628 121.043C118.573 121.321 118.516 121.613 118.471 121.833C118.438 121.998 118.407 122.148 118.379 122.282C118.351 122.415 118.327 122.533 118.305 122.635C118.282 122.738 118.262 122.825 118.245 122.897C118.228 122.969 118.214 123.025 118.202 123.068C118.196 123.089 118.193 123.107 118.188 123.121C118.183 123.135 118.178 123.145 118.175 123.152C118.173 123.155 118.172 123.156 118.171 123.158C118.17 123.159 118.168 123.16 118.167 123.16L118.165 123.158C118.164 123.156 118.163 123.152 118.163 123.148C118.162 123.14 118.162 123.129 118.163 123.115C118.163 123.1 118.163 123.083 118.165 123.061C118.168 123.018 118.175 122.961 118.183 122.891C118.192 122.82 118.203 122.736 118.216 122.64C118.229 122.543 118.246 122.431 118.264 122.308C118.281 122.185 118.301 122.051 118.323 121.903C118.346 121.755 118.37 121.592 118.397 121.419C118.416 121.299 118.442 121.14 118.463 121.008Z" fill="#98C6D8"/>
+<path d="M103.581 116.367C103.479 116.103 103.622 115.699 103.898 115.469C104.303 115.133 104.504 115.155 104.93 115.581C105.22 115.871 105.355 116.276 105.23 116.479C104.902 117.009 103.798 116.934 103.581 116.367Z" fill="#98C6D8"/>
+<path d="M106.038 112.281C105.68 111.849 105.702 111.66 106.165 111.197C106.689 110.674 106.764 110.674 107.287 111.197C107.751 111.66 107.773 111.849 107.415 112.281C107.176 112.568 106.866 112.803 106.726 112.803C106.586 112.803 106.277 112.568 106.038 112.281Z" fill="#98C6D8"/>
+<path d="M106.038 107.224C105.682 106.795 105.694 106.612 106.106 106.201C106.65 105.657 107.738 105.88 107.738 106.536C107.738 106.97 107.072 107.747 106.7 107.747C106.575 107.747 106.277 107.512 106.038 107.224Z" fill="#98C6D8"/>
+<path d="M117.955 136.541C114.578 136.111 110.087 134.881 109.41 134.274C108.123 133.119 108.942 127.879 110.466 126.54C111.387 125.731 115.039 124.663 117.182 125.169C119.642 125.749 123.932 128.648 124.25 129.508C124.625 130.522 124.048 134.541 123.323 135.536C122.694 136.399 120.325 136.843 117.955 136.541ZM120.54 134.084C121.297 133.399 121.342 131.842 120.627 131.126C119.49 129.989 117.112 130.869 117.112 132.428C117.112 134.304 119.189 135.307 120.54 134.084ZM118.582 133.125C118.311 132.419 118.68 131.608 119.272 131.608C120 131.608 120.228 132.173 119.812 132.949C119.381 133.755 118.853 133.83 118.582 133.125ZM116.422 133.143C117.094 132.333 116.711 131.176 115.681 130.902C114.581 130.61 114.052 131.183 114.869 131.78C115.683 132.375 115.551 132.679 114.533 132.557C113.327 132.413 112.833 131.566 113.254 130.362C113.681 129.142 115.197 128.863 115.753 129.902C116.193 130.725 116.627 130.793 116.9 130.083C117.229 129.224 115.914 128.237 114.44 128.237C111.993 128.237 110.816 131.074 112.546 132.803C113.5 133.758 115.749 133.955 116.422 133.143Z" fill="#7BA9B9"/>
+<path d="M120.118 138.592C118.751 137.297 121.916 136.096 123.606 138.283C124.469 139.322 122.853 139.976 120.118 138.592ZM106.12 135.658C104.751 134.289 106.963 133.904 108.581 135.23L109.941 135.92L108.059 136.061C107.215 136.062 106.343 135.881 106.12 135.658V135.658ZM125.363 127.866C125.082 127.41 128.333 126.267 128.688 126.486C128.846 126.584 128.975 127.337 128.975 128.161C128.975 129.239 128.84 129.658 128.49 129.658C128.222 129.658 125.476 128.047 125.363 127.866ZM118.641 121.095C114.871 120.753 115.378 119.327 116.361 118.499C116.928 118.021 117.34 117.779 117.913 117.667C117.913 117.667 117.872 119.046 118.666 119.319C119.297 119.536 120.278 119.064 120.471 118.675C122.188 115.201 121.415 118.699 121.794 119.532C123.238 124.007 120.188 121.73 118.641 121.095ZM104.912 121.23C104.242 120.487 103.693 119.729 103.693 119.544C103.693 119.116 104.746 119.112 105.863 119.537C106.593 119.814 110.347 120.006 110.347 121.153C110.347 121.899 108.89 123.762 108.726 123.762C108.563 123.762 105.583 121.972 104.912 121.23Z" fill="#A6B3C2"/>
+<path d="M118.463 121.008C118.442 121.14 118.416 121.299 118.397 121.419C118.37 121.592 118.345 121.755 118.323 121.903C118.3 122.051 118.281 122.185 118.263 122.308C118.245 122.431 118.229 122.542 118.216 122.639C118.203 122.736 118.191 122.82 118.183 122.89C118.175 122.961 118.168 123.018 118.165 123.061C118.163 123.083 118.164 123.1 118.163 123.115C118.162 123.129 118.162 123.14 118.163 123.148C118.163 123.152 118.164 123.156 118.165 123.158L118.167 123.16C118.168 123.16 118.17 123.159 118.171 123.158C118.172 123.157 118.173 123.155 118.175 123.152C118.178 123.145 118.182 123.135 118.187 123.121C118.192 123.107 118.196 123.089 118.202 123.067C118.213 123.025 118.228 122.969 118.245 122.897C118.262 122.825 118.282 122.738 118.305 122.635C118.327 122.533 118.351 122.415 118.379 122.281C118.406 122.148 118.438 121.998 118.471 121.833C118.516 121.613 118.573 121.321 118.628 121.043L118.463 121.008Z" fill="#4C9CBB"/>
+<path d="M30.9986 142.673C26.4489 140.916 21.4664 136.805 18.7921 132.603C15.4053 127.281 14.4052 123.419 15.0636 118.203C15.6806 113.315 17.3558 110.557 22.2232 106.413C29.0417 100.608 34.4846 97.9799 40.5947 97.5415C49.8212 96.8794 55.0978 99.8109 57.6465 107.015C58.5043 109.439 58.6856 115.57 58.0544 120.809C57.8311 122.663 57.4789 126.055 57.2718 128.348C56.5467 136.375 54.4147 140.417 49.6253 142.843C48.2979 143.516 47.7199 143.561 40.6924 143.539C33.5151 143.516 33.081 143.478 30.9986 142.673ZM0.0795765 104.965C0.0815723 103.853 0.144403 103.438 0.219427 104.044C0.294451 104.65 0.292899 105.56 0.215996 106.067C0.139079 106.573 0.0776838 106.078 0.0795765 104.965ZM0.00173351 102.24C0.0178992 101.848 0.0977897 101.768 0.205398 102.037C0.302772 102.28 0.290797 102.571 0.178787 102.683C0.0667748 102.795 -0.0129021 102.596 0.00173351 102.24ZM0.0283444 75.1326C0.0283444 74.6691 0.104857 74.4795 0.198369 74.7112C0.291884 74.943 0.291884 75.3222 0.198369 75.5539C0.104857 75.7857 0.0283444 75.5961 0.0283444 75.1326Z" fill="url(#paint2_radial_679_1910)"/>
+<path d="M35.3133 112.544L37.9 111.091L39.3517 121.46L39.248 128.926L35.3703 130.851L32.9229 126.437L35.3133 112.544Z" fill="#3060AD"/>
+<path d="M38.7295 116.69L39.3516 124.571L43.2919 125.919L43.3956 109.225L40.1812 110.054L38.7295 116.69Z" fill="#606368"/>
+<path d="M35.3699 130.851C33.0324 129.73 29.7301 126.408 28.6621 124.103C28.0332 122.745 27.6397 122.31 26.8923 122.146C25.7879 121.903 25.8084 121.971 26.3218 120.258C26.5936 119.35 26.9032 118.954 27.3406 118.954C27.6862 118.954 29.1597 117.841 30.6149 116.48C32.0702 115.119 33.7226 113.677 34.2869 113.275L35.3129 112.544L35.6767 114.241C37.0443 120.618 37.027 124.266 35.6198 126.243C34.5521 127.744 34.8417 128.393 36.5791 128.393C37.397 128.393 37.8222 128.185 38.1305 127.634C38.6748 126.663 38.6315 120.968 38.0454 116.426C37.3446 110.995 37.3127 111.167 39.1578 110.398C40.036 110.031 40.818 109.797 40.8955 109.877C40.9731 109.956 40.8191 111.235 40.5534 112.718C39.6067 118.003 39.9315 123.238 41.2752 124.353C41.6851 124.693 41.7233 123.969 41.5452 119.232C41.3156 113.123 41.5174 110.919 42.4075 109.82C42.9198 109.188 43.213 109.116 44.4959 109.31C46.9566 109.682 46.9506 109.668 46.2099 113.254C45.8496 114.999 45.4483 117.224 45.318 118.2L45.0812 119.973L45.9446 119.645C46.4195 119.465 47.4413 118.994 48.2153 118.599L49.6226 117.881L49.3893 118.67C49.261 119.105 49.0672 120.701 48.9587 122.218L48.7614 124.976L47.1095 124.325C46.201 123.967 45.3116 123.674 45.1331 123.674C44.941 123.674 44.8085 125.532 44.8085 128.224C44.8085 131.891 44.7171 132.775 44.3386 132.775C41.0198 132.295 38.7842 132.458 35.3699 130.851Z" fill="#EEC23B"/>
+<path d="M41.1639 132.418C41.1639 132.283 41.3408 130.515 41.6692 128.145C41.9977 125.775 42.3577 122.961 42.4692 121.893C42.5808 120.824 42.7969 120.027 42.9495 120.121C43.6443 120.551 44.2938 129.375 44.0474 131.42C43.8909 132.719 43.6595 132.737 43.3019 132.677C42.6602 132.57 41.9101 132.513 41.1639 132.418ZM32.5969 122.735C31.6813 122.583 30.8242 121.442 30.8242 120.374C30.8242 119.407 32.2381 117.937 33.1685 117.937C34.6666 117.937 35.8392 120.513 34.9484 121.847C34.5517 122.441 33.4147 122.87 32.5969 122.735Z" fill="white"/>
+<path d="M114.021 137.498C107.318 135.74 106.273 134.104 106.609 125.891C106.716 123.281 106.885 120.539 106.986 119.797C107.545 115.664 108.342 112.173 109.086 110.599C109.744 109.206 109.842 108.712 109.535 108.342C108.45 107.035 110.371 104.995 111.91 105.819C112.457 106.111 112.918 106.077 113.945 105.665C117.062 104.419 123.117 105.571 126.814 108.115C128.149 109.033 128.485 109.136 129.038 108.791C130.523 107.863 132.451 110.573 131.25 111.9C130.787 112.412 130.755 112.705 131.065 113.596C131.85 115.846 131.794 116.104 128.006 127.719C125.58 135.16 124.543 137.365 123.264 137.811C121.653 138.373 116.723 138.206 114.021 137.498ZM122.541 135.229C123.003 134.541 123.359 133.313 123.513 131.878C123.794 129.25 123.819 129.283 120.317 127.601C117.685 126.338 113.833 125.972 111.855 126.798C110.829 127.227 110.595 127.556 110.059 129.327C109.116 132.443 109.703 134.308 111.832 134.958C113.139 135.357 120.09 136.43 120.98 136.37C121.504 136.335 122.082 135.912 122.541 135.229ZM119.451 122.42C119.63 122.081 119.685 121.556 119.685 121.556C120.156 121.654 120.48 121.683 120.726 121.719C121.105 121.774 121.564 121.587 121.745 121.303C122.149 120.671 120.474 117.701 119.548 117.408C118.668 117.128 115.935 118.827 115.935 119.653C115.935 120.022 116.553 120.411 116.831 120.518C116.982 120.576 117.252 120.738 117.576 120.938C117.38 121.351 117.346 121.478 117.312 121.724C117.204 122.498 117.435 122.686 118.416 122.912C119.151 122.991 119.25 122.845 119.451 122.42ZM127.265 116.836C130.933 113.475 127.074 107.41 122.705 109.67C121.626 110.228 120.654 112.019 120.654 113.449C120.654 115.664 122.831 117.937 124.957 117.941C125.733 117.943 126.414 117.617 127.265 116.836ZM117.141 115.622C119.035 114.468 119.804 111.795 118.802 109.857C118.082 108.464 117.008 107.83 115.366 107.83C111.508 107.83 109.485 113.234 112.465 115.578C113.57 116.448 115.754 116.468 117.141 115.622Z" fill="#0996D1"/>
+<path opacity="0.9" d="M33.1757 26L32.381 27.219C31.9449 27.889 31.2836 29.3248 30.9091 30.4088C30.5347 31.4928 29.9922 32.9701 29.7043 33.6928C29.4163 34.4154 29.1733 36.115 29.1638 37.47C29.1436 40.353 28.7494 41.8888 27.6364 43.4225C26.9212 44.408 26.6751 44.5223 25.4532 44.441C23.8995 44.3377 22.8153 45.0815 21.217 47.3481C20.7165 48.058 20.1367 48.6393 19.9289 48.6393C19.7211 48.6393 19.1805 48.2319 18.7262 47.7351C18.2719 47.2382 17.9944 47.0115 18.111 47.2298C18.49 47.9396 17.5904 53.2615 16.8378 54.7642C15.967 56.5028 14.3872 57.7233 12.5354 58.0843C11.0059 58.3826 11.2283 58.09 8.71795 63.0946C6.66334 67.1907 5.96935 67.8264 2.65533 68.6542C1.49717 68.9434 0.458759 69.7142 0 70.5287V72.8263C0.356193 72.7473 0.828728 72.6203 1.61499 72.3873C2.99486 71.9782 4.82348 71.4806 5.6781 71.2806C7.72934 70.8006 9.39351 69.2195 9.92279 67.2467C10.2424 66.0554 10.7033 65.4241 11.9992 64.4058C13.284 63.3962 13.7565 62.7546 14.0671 61.5969C14.3739 60.4532 14.7011 60.004 15.4407 59.7063C17.0153 59.0724 20.6444 55.8655 21.2363 54.5858C21.5373 53.9349 22.1198 52.5399 22.5287 51.4862C23.2634 49.5932 25.0195 47.3261 25.7501 47.3261C25.9574 47.3261 27.109 46.7248 28.3093 45.9908C31.2376 44.2003 31.5991 43.4136 31.5991 38.8614C31.5991 35.6814 31.687 35.1557 32.3468 34.3684C33.0037 33.5847 33.0997 33.0249 33.1351 29.7391L33.1757 26ZM24.3338 63.5958C24.2037 63.6135 24.0738 63.6618 23.9258 63.7362C22.9397 64.2315 22.6136 64.9102 21.5973 68.586C21.0179 70.6815 20.4212 72.0819 19.8798 72.6178C19.4235 73.0695 18.9383 73.8823 18.801 74.4242C18.181 76.8715 16.7454 78.6073 14.4495 79.6871C12.4555 80.6249 10.6407 82.1179 9.11102 84.0798C8.32109 85.0929 7.48752 86.029 7.25678 86.1609C6.76164 86.444 5.70899 88.8941 4.60785 92.328C3.71092 95.125 1.71065 97.4682 0.478514 97.1658C0.254931 97.1109 0.106911 97.1137 0 97.2901V104.492C0.556411 103.664 1.2342 102.629 2.56347 100.54C4.34511 97.7397 6.46385 94.4867 7.27173 93.3124C8.0796 92.1381 9.35687 90.1488 10.1086 88.8916C11.2342 87.0092 12.1016 86.1243 15.0284 83.8833L18.5831 81.1627L20.4053 75.9881C23.1895 68.0817 23.9585 67.1997 27.7624 67.5515C29.4605 67.7085 30.6334 67.6196 32.0734 67.2267C34.1826 66.6512 34.4799 66.1872 33.3551 65.2318C32.6554 64.6376 31.3153 64.64 28.2388 65.2418C27.3397 65.4177 26.9343 65.2757 25.8932 64.4178C25.1051 63.7684 24.7241 63.5426 24.3338 63.5958ZM31.7166 83.2598C31.6605 83.2749 31.5921 83.3126 31.5115 83.3721C31.2709 83.55 30.6536 83.79 30.1379 83.9054C29.3876 84.0734 29.0498 84.4932 28.4482 86.0045C28.0347 87.0432 27.4915 88.1153 27.2412 88.3863C26.9909 88.6573 26.475 89.551 26.0941 90.3732C24.9422 92.8592 23.5282 94.0618 19.9011 95.6421C16.6107 97.0756 16.567 97.1086 15.6671 98.9802C15.1027 100.154 14.6792 101.757 14.5499 103.205C14.2731 106.302 13.5962 107.031 9.52118 108.616C5.91497 110.019 3.57702 111.745 3.41583 113.123C3.24041 114.623 2.59813 115.084 0.92926 114.907C0.539529 114.866 0.244332 114.851 0 114.881V121C1.02658 119.658 2.71922 118.361 6.22497 116.206C10.3604 113.665 12.7065 111.575 13.5779 109.654C13.926 108.887 14.6547 107.393 15.1971 106.334C15.7395 105.275 16.2845 103.901 16.4084 103.281C16.7324 101.66 18.3032 100.349 20.6659 99.726C25.177 98.5372 25.7461 98.0163 26.3525 94.5354C26.8561 91.6452 28.612 88.0661 30.5267 86.0246C31.3095 85.19 31.9495 84.18 31.9495 83.7791C31.9495 83.3766 31.8849 83.2146 31.7166 83.2598Z" fill="#359136"/>
+<path d="M8.08177 74.4083C6.03419 73.8705 5.89443 73.7302 6.04271 72.3615C6.13025 71.5533 6.24017 70.8575 6.28696 70.8154C6.33376 70.7733 7.70443 71.0687 9.33292 71.4719C11.9768 72.1264 12.4866 72.1238 14.0947 71.4474C16.4041 70.476 17.2383 68.7753 16.4022 66.7431C15.9424 65.6257 14.9204 64.8281 12.2384 63.494C7.6417 61.2075 6.53062 59.999 6.27465 57.0076C5.89337 52.5519 8.84689 49.9836 14.3522 49.9836C15.9733 49.9836 17.8487 50.1937 18.5196 50.4505C19.6368 50.8781 19.6937 51.0399 19.1945 52.3712C18.7182 53.6416 18.5027 53.7688 17.4861 53.3796C15.5199 52.627 12.1948 52.8554 11.0058 53.8247C9.79058 54.8153 9.55736 56.9252 10.5324 58.1079C10.8727 58.5207 12.9087 59.779 15.0569 60.9041C18.4628 62.6881 19.082 63.2214 19.8951 65.0719C21.1152 67.8487 20.6788 70.3437 18.6078 72.4323C16.1607 74.9002 12.5413 75.5796 8.08177 74.4083ZM28.9328 74.3823C25.2365 72.9958 23.7138 70.5405 23.7138 65.9667C23.7138 62.5034 24.5588 60.4697 26.8333 58.4593C28.3964 57.0776 28.9867 56.8686 31.3268 56.8686C32.8168 56.8686 34.6821 57.2129 35.5005 57.6389C37.3169 58.5846 38.8319 61.7426 38.8466 64.6143L38.8573 66.7044H32.9423H27.0273L27.342 68.0569C27.515 68.8007 28.3354 70.0391 29.165 70.809C30.5773 72.1196 30.8949 72.1979 34.1547 72.0385C37.3938 71.8801 37.6463 71.9409 37.784 72.9122C37.9626 74.1725 37.1882 74.5236 33.5242 74.8434C31.8085 74.9932 30.1056 74.8222 28.9328 74.3823ZM35.0881 62.5242C34.9558 60.673 33.3644 59.3276 31.3072 59.3276C29.7086 59.3276 28.7281 60.0909 27.662 62.1655C26.7457 63.9486 27.412 64.2965 31.4488 64.1425L35.1936 63.9996L35.0881 62.5242ZM44.3914 74.3708C42.5711 73.5468 41.7059 72.1286 41.6421 69.8647C41.5416 66.2944 44.111 64.1468 49.2576 63.4994C51.8414 63.1744 52.0495 63.0577 51.7593 62.0969C50.965 59.4666 48.2423 58.5644 44.9276 59.8331C43.4303 60.4063 43.4868 60.4313 43.0514 59.0032C42.7801 58.1135 42.9982 57.8511 44.395 57.387C46.9364 56.5427 51.3745 56.6342 52.7779 57.56C54.9392 58.9857 55.3751 60.6019 55.5487 67.8328L55.7106 74.5745L54.123 74.574C53.0377 74.5733 52.5353 74.3396 52.5353 73.8354C52.5353 72.9066 52.0528 72.9024 50.752 73.8196C49.2013 74.913 46.1697 75.1757 44.3914 74.3708ZM50.9477 70.8175C51.7099 69.9735 52.0468 68.986 52.0468 67.5966V65.5929L49.8182 65.8458C45.719 66.311 43.8749 69.5118 46.5058 71.5953C48.0371 72.8079 49.3594 72.5763 50.9477 70.8175ZM92.002 74.5788C88.4024 73.4864 86.2419 70.2466 86.2419 65.941C86.2419 60.4042 89.5211 56.8325 94.641 56.7925C98.6989 56.7609 101.263 59.4679 101.503 64.0366L101.63 66.4585L96.2562 66.5885C93.3007 66.66 90.6158 66.816 90.2897 66.9351C89.3818 67.2668 90.4788 69.947 92.0306 71.1886C93.1599 72.0921 93.771 72.1912 96.8178 71.965C100.193 71.7144 100.318 71.7449 100.531 72.8684C100.73 73.9133 100.509 74.0835 98.3579 74.548C95.6103 75.1412 93.8829 75.1496 92.002 74.5788ZM97.9659 63.0823C97.9659 61.1231 96.1858 59.3276 94.2434 59.3276C92.2494 59.3276 90.1499 61.2562 90.1499 63.0878C90.1499 64.207 90.2797 64.2455 94.0579 64.2455C97.8414 64.2455 97.9659 64.2084 97.9659 63.0823ZM110.042 74.47C106.149 73.43 103.93 69.4029 104.54 64.4862C105.166 59.4442 107.951 56.8736 112.792 56.8705C115.374 56.869 115.805 57.0249 117.26 58.49C118.878 60.1185 119.941 62.8343 119.946 65.352L119.949 66.7044H114.087C108.488 66.7044 108.225 66.7501 108.225 67.7203C108.225 70.7122 110.952 72.3442 115.357 71.9882C118.136 71.7637 118.423 71.8315 118.667 72.7674C118.998 74.0443 118.968 74.072 116.69 74.6043C114.367 75.147 112.43 75.1078 110.042 74.47ZM116.119 62.7701C115.864 60.8787 114.159 59.3276 112.335 59.3276C110.566 59.3276 108.224 61.6014 108.224 63.3195C108.224 64.2128 108.527 64.2746 112.255 64.1424C116.241 64.0011 116.283 63.9862 116.119 62.7701ZM126.894 74.247C124.826 73.2208 123.532 71.3589 122.894 68.4889C121.975 64.3605 123.074 60.4914 125.83 58.1567C127.827 56.4657 131.838 56.3305 133.805 57.8879L135.092 58.9072V53.9536V49H137.046H139V61.7865V74.5731H137.29C135.762 74.5731 135.58 74.4331 135.58 73.2579V71.9427L134.481 72.9792C132.233 75.0998 129.525 75.5523 126.894 74.247ZM133.664 70.6766C134.976 69.3557 135.092 68.9537 135.092 65.7209C135.092 62.4572 134.985 62.0945 133.607 60.7076C132.365 59.4575 131.865 59.2622 130.554 59.5154C126.144 60.3672 124.835 68.1423 128.598 71.1229C130.348 72.5081 131.988 72.3635 133.664 70.6766ZM61.4107 66.0584C60.022 61.3754 58.8859 57.3919 58.8859 57.2062C58.8859 57.0206 59.7274 56.8686 60.7559 56.8686H62.6259L64.2551 63.8766C65.1512 67.731 65.956 70.6633 66.0437 70.3929C66.1313 70.1224 67.0557 67.0241 68.0978 63.5078L69.9926 57.1145H71.5969H73.2012L74.8865 63.2619C75.8134 66.643 76.6832 69.7412 76.8194 70.147C76.9557 70.5527 77.8419 67.731 78.789 63.8766L80.5109 56.8686H82.4517C83.9517 56.8686 84.3303 57.0316 84.119 57.586C83.9686 57.9806 82.6956 61.9641 81.2902 66.4382L78.7349 74.5731H76.9635H75.1921L73.5812 68.7945C72.6952 65.6163 71.8585 62.6841 71.7217 62.2783C71.4465 61.4616 71.5911 61.0733 69.1114 69.2863L67.5152 74.5731H65.7254H63.9356L61.4107 66.0584Z" fill="white"/>
+<path d="M19.9746 119.274C19.0158 118.119 20.3381 116.166 21.5604 116.932C22.7632 117.686 22.3305 119.761 20.9704 119.761C20.645 119.761 20.1969 119.542 19.9746 119.274Z" fill="url(#paint3_radial_679_1910)"/>
+<path d="M23.836 112.63C22.1152 111.689 21.8029 109.797 23.1465 108.453C24.0857 107.514 25.21 107.394 26.2507 108.123C27.8571 109.249 27.4655 112.013 25.6079 112.66C25.6079 112.66 24.4745 112.973 23.836 112.63Z" fill="url(#paint4_radial_679_1910)"/>
+<path d="M33.7855 120.036C33.7855 120.188 33.7557 120.338 33.6976 120.479C33.6395 120.619 33.5544 120.746 33.4471 120.853C33.3398 120.961 33.2124 121.046 33.0723 121.104C32.9321 121.162 32.7818 121.192 32.6301 121.192C32.4783 121.192 32.3281 121.162 32.1879 121.104C32.0477 121.046 31.9203 120.961 31.813 120.853C31.7057 120.746 31.6206 120.619 31.5626 120.479C31.5045 120.338 31.4746 120.188 31.4746 120.036C31.4746 119.73 31.5963 119.436 31.813 119.219C32.0297 119.003 32.3236 118.881 32.6301 118.881C32.9365 118.881 33.2304 119.003 33.4471 119.219C33.6638 119.436 33.7855 119.73 33.7855 120.036Z" fill="black"/>
+<path d="M120.721 118.276C120.721 118.623 120.565 118.956 120.287 119.201C120.009 119.446 119.632 119.584 119.239 119.584C118.846 119.584 118.469 119.446 118.191 119.201C117.913 118.956 117.757 118.623 117.757 118.276C117.757 118.105 117.795 117.935 117.87 117.776C117.944 117.617 118.053 117.473 118.191 117.352C118.329 117.23 118.492 117.134 118.672 117.068C118.851 117.003 119.044 116.969 119.239 116.969C119.433 116.969 119.626 117.003 119.806 117.068C119.986 117.134 120.149 117.23 120.287 117.352C120.424 117.473 120.533 117.617 120.608 117.776C120.682 117.935 120.721 118.105 120.721 118.276Z" fill="#59686F"/>
+<defs>
+<linearGradient id="paint0_linear_679_1910" x1="11" y1="-4.77768e-07" x2="164.5" y2="150.5" gradientUnits="userSpaceOnUse">
+<stop stop-color="#64B7FF"/>
+<stop offset="1" stop-color="#005DAD"/>
+</linearGradient>
+<radialGradient id="paint1_radial_679_1910" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(124.904 128.636) rotate(-0.048552) scale(36.2802 31.4032)">
+<stop stop-color="#1177CE"/>
+<stop offset="1" stop-color="#7EC7FF" stop-opacity="0"/>
+</radialGradient>
+<radialGradient id="paint2_radial_679_1910" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(39.3512 121.46) rotate(-0.0573) scale(50.2276 51.3091)">
+<stop stop-color="#1177CE"/>
+<stop offset="1" stop-color="#7EC7FF" stop-opacity="0"/>
+</radialGradient>
+<radialGradient id="paint3_radial_679_1910" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(20.9548 118.26) scale(1.30929 1.50127)">
+<stop stop-color="#88A3D0"/>
+<stop offset="1" stop-color="#5D83BF"/>
+</radialGradient>
+<radialGradient id="paint4_radial_679_1910" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(24.7843 110.221) scale(2.47277 2.56954)">
+<stop stop-color="#88A3D0"/>
+<stop offset="1" stop-color="#5D83BF"/>
+</radialGradient>
+</defs>
+</svg>

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -0,0 +1,55 @@
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-system
+spec:
+  chart:
+    spec:
+      chart: cozy-seaweedfs
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '*'
+  interval: 1m0s
+  timeout: 5m0s
+  values:
+    global:
+      serviceAccountName: "{{ .Release.Namespace }}-seaweedfs"
+
+    seaweedfs:
+      
+      volume:
+        replicas: {{ .Values.replicas }}
+
+        # TODO: workaround for non-working online resize
+        podAnnotations:
+          volume-size: "{{ .Values.size }}"
+      
+        dataDirs:
+        - name: data1
+          type: "persistentVolumeClaim"
+          size: "{{ .Values.size }}"
+          maxVolumes: 0
+      
+      s3:
+        ingress:
+          className: {{ $ingress }}
+          host: {{ .Values.host | default (printf "s3.%s" $host) }}
+          annotations:
+            nginx.ingress.kubernetes.io/proxy-body-size: "0"
+            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+            acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
+            cert-manager.io/cluster-issuer: letsencrypt-prod
+          tls:
+            - hosts:
+              - {{ .Values.host | default (printf "seaweedfs.%s" $host) }}
+              secretName: {{ .Release.Name }}-s3-ingress-tls
+
+      cosi:
+        driverName: "{{ .Release.Namespace }}.seaweedfs.objectstorage.k8s.io"
+        bucketClassName: "{{ .Release.Namespace }}"

packages/extra/seaweedfs/values.schema.json

@@ -0,0 +1,21 @@
+{
+    "title": "Chart Values",
+    "type": "object",
+    "properties": {
+        "host": {
+            "type": "string",
+            "description": "The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host).",
+            "default": ""
+        },
+        "replicas": {
+            "type": "number",
+            "description": "Persistent Volume size for NATS",
+            "default": 2
+        },
+        "size": {
+            "type": "string",
+            "description": "Persistent Volume size",
+            "default": "4Gi"
+        }
+    }
+}

packages/extra/seaweedfs/values.yaml

@@ -0,0 +1,10 @@
+## @section Common parameters
+
+## @param host The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host).
+host: ""
+
+## @param replicas Persistent Volume size for NATS
+## @param size Persistent Volume size
+##
+replicas: 2
+size: 10Gi

packages/extra/versions_map

@@ -9,3 +9,4 @@ ingress 1.2.0 HEAD
 monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
 monitoring 1.2.0 HEAD
+seaweedfs 0.1.0 HEAD

packages/system/cert-manager-issuers/templates/cluster-issuers.yaml

@@ -26,3 +26,10 @@ spec:
     - http01:
         ingress:
           class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-cluster-issuer
+spec:
+  selfSigned: {}

packages/system/cilium/Makefile

@@ -10,9 +10,7 @@ update:
 	rm -rf charts
 	helm repo add cilium https://helm.cilium.io/
 	helm repo update cilium
-	helm pull cilium/cilium --untar --untardir charts --version 1.15
-	ln -s ../../images charts/cilium/images
-	sed -i 's/include "cilium.image" .Values.image/include "cilium.image" ./g' charts/cilium/templates/cilium-agent/daemonset.yaml
+	helm pull cilium/cilium --untar --untardir charts --version 1.16
 	sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml
 	version=$$(awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) && \
 	sed -i "s/ARG VERSION=.*/ARG VERSION=v$${version}/" images/cilium/Dockerfile
@@ -27,4 +25,10 @@ image:
 		--metadata-file images/cilium.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG))" > images/cilium.tag
+	REPOSITORY="$(REGISTRY)/cilium" \
+		yq -i '.cilium.image.repository = strenv(REPOSITORY)' values.yaml
+	TAG=$(call settag,$(CILIUM_TAG)) \
+		yq -i '.cilium.image.tag = strenv(TAG)' values.yaml
+	DIGEST=$$(yq e '."containerimage.digest"' images/cilium.json -o json -r) \
+		yq -i '.cilium.image.digest = strenv(DIGEST)' values.yaml
+	rm -f images/cilium.json

packages/system/cilium/charts/cilium/Chart.yaml

@@ -79,7 +79,7 @@ annotations:
     Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
     be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.15.5
+appVersion: 1.16.0
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -91,8 +91,8 @@ keywords:
 - Security
 - Observability
 - Troubleshooting
-kubeVersion: '>= 1.16.0-0'
+kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.15.5
+version: 1.16.0

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.15.5](https://img.shields.io/badge/Version-1.15.5-informational?style=flat-square) ![AppVersion: 1.15.5](https://img.shields.io/badge/AppVersion-1.15.5-informational?style=flat-square)
+![Version: 1.16.0](https://img.shields.io/badge/Version-1.16.0-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -18,7 +18,7 @@ efficient and flexible.
 
 ## Prerequisites
 
-* Kubernetes: `>= 1.16.0-0`
+* Kubernetes: `>= 1.21.0-0`
 * Helm: `>= 3.0`
 
 ## Getting Started
@@ -53,7 +53,7 @@ contributors across the globe, there is almost always someone available to help.
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| MTU | int | `0` | Configure the underlying network MTU to overwrite auto-detected MTU. |
+| MTU | int | `0` | Configure the underlying network MTU to overwrite auto-detected MTU. This value doesn't change the host network interface MTU i.e. eth0 or ens0. It changes the MTU for cilium_net@cilium_host, cilium_host@cilium_net, cilium_vxlan and lxc_health interfaces. |
 | affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-agent. |
 | agent | bool | `true` | Install the cilium agent resources. |
 | agentNotReadyTaintKey | string | `"node.cilium.io/agent-not-ready"` | Configure the key of the taint indicating that Cilium is not ready on the node. When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. |
@@ -73,7 +73,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) |
 | authentication.mutual.spire.install.agent.affinity | object | `{}` | SPIRE agent affinity configuration |
 | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations |
-| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}` | SPIRE agent image |
+| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:5106ac601272a88684db14daf7f54b9a45f31f77bb16a906bd5e87756ee7b97c","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.9.6","useDigest":true}` | SPIRE agent image |
 | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels |
 | authentication.mutual.spire.install.agent.nodeSelector | object | `{}` | SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | authentication.mutual.spire.install.agent.podSecurityContext | object | `{}` | Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
@@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
 | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. |
-| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
+| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
 | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
@@ -93,7 +93,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.server.dataStorage.enabled | bool | `true` | Enable SPIRE server data storage |
 | authentication.mutual.spire.install.server.dataStorage.size | string | `"1Gi"` | Size of the SPIRE server data storage |
 | authentication.mutual.spire.install.server.dataStorage.storageClass | string | `nil` | StorageClass of the SPIRE server data storage |
-| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}` | SPIRE server image |
+| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:59a0b92b39773515e25e68a46c40d3b931b9c1860bc445a79ceb45a805cab8b4","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.9.6","useDigest":true}` | SPIRE server image |
 | authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers |
 | authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels |
 | authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -126,6 +126,13 @@ contributors across the globe, there is almost always someone available to help.
 | bpf.autoMount.enabled | bool | `true` | Enable automatic mount of BPF filesystem When `autoMount` is enabled, the BPF filesystem is mounted at `bpf.root` path on the underlying host and inside the cilium agent pod. If users disable `autoMount`, it's expected that users have mounted bpffs filesystem at the specified `bpf.root` volume, and then the volume will be mounted inside the cilium agent pod at the same path. |
 | bpf.ctAnyMax | int | `262144` | Configure the maximum number of entries for the non-TCP connection tracking table. |
 | bpf.ctTcpMax | int | `524288` | Configure the maximum number of entries in the TCP connection tracking table. |
+| bpf.datapathMode | string | `veth` | Mode for Pod devices for the core datapath (veth, netkit, netkit-l2, lb-only) |
+| bpf.disableExternalIPMitigation | bool | `false` | Disable ExternalIP mitigation (CVE-2020-8554) |
+| bpf.enableTCX | bool | `true` | Attach endpoint programs using tcx instead of legacy tc hooks on supported kernels. |
+| bpf.events | object | `{"drop":{"enabled":true},"policyVerdict":{"enabled":true},"trace":{"enabled":true}}` | Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble. |
+| bpf.events.drop.enabled | bool | `true` | Enable drop events. |
+| bpf.events.policyVerdict.enabled | bool | `true` | Enable policy verdict events. |
+| bpf.events.trace.enabled | bool | `true` | Enable trace events. |
 | bpf.hostLegacyRouting | bool | `false` | Configure whether direct routing mode should route traffic via host stack (true) or directly and more efficiently out of BPF (false) if the kernel supports it. The latter has the implication that it will also bypass netfilter in the host namespace. |
 | bpf.lbExternalClusterIP | bool | `false` | Allow cluster external access to ClusterIP services. |
 | bpf.lbMapMax | int | `65536` | Configure the maximum number of service entries in the load balancer maps. |
@@ -143,7 +150,7 @@ contributors across the globe, there is almost always someone available to help.
 | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
 | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
 | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
-| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.12","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
+| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:169d93fd8f2f9009db3b9d5ccd37c2b753d0989e1e7cd8fe79f9160c459eef4f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.2.0","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
 | certgen.affinity | object | `{}` | Affinity for certgen |
 | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
 | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
@@ -155,28 +162,34 @@ contributors across the globe, there is almost always someone available to help.
 | cgroup.autoMount.enabled | bool | `true` | Enable auto mount of cgroup2 filesystem. When `autoMount` is enabled, cgroup2 filesystem is mounted at `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. If users disable `autoMount`, it's expected that users have mounted cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the volume will be mounted inside the cilium agent pod at the same path. |
 | cgroup.autoMount.resources | object | `{}` | Init Container Cgroup Automount resource limits & requests |
 | cgroup.hostRoot | string | `"/run/cilium/cgroupv2"` | Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) |
+| ciliumEndpointSlice.enabled | bool | `false` | Enable Cilium EndpointSlice feature. |
+| ciliumEndpointSlice.rateLimits | list | `[{"burst":20,"limit":10,"nodes":0},{"burst":15,"limit":7,"nodes":100},{"burst":10,"limit":5,"nodes":500}]` | List of rate limit options to be used for the CiliumEndpointSlice controller. Each object in the list must have the following fields: nodes: Count of nodes at which to apply the rate limit. limit: The sustained request rate in requests per second. The maximum rate that can be configured is 50. burst: The burst request rate in requests per second. The maximum burst that can be configured is 100. |
 | cleanBpfState | bool | `false` | Clean all eBPF datapath state from the initContainer of the cilium-agent DaemonSet.  WARNING: Use with care! |
 | cleanState | bool | `false` | Clean all local Cilium state from the initContainer of the cilium-agent DaemonSet. Implies cleanBpfState: true.  WARNING: Use with care! |
 | cluster.id | int | `0` | Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh, may be 0 if Cluster Mesh is not used. |
-| cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. |
+| cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. It must respect the following constraints: * It must contain at most 32 characters; * It must begin and end with a lower case alphanumeric character; * It may contain lower case alphanumeric characters and dashes between. The "default" name cannot be used if the Cluster ID is different from 0. |
 | clustermesh.annotations | object | `{}` | Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) |
-| clustermesh.apiserver.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for clustermesh.apiserver |
+| clustermesh.apiserver.affinity | object | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}}` | Affinity for clustermesh.apiserver |
 | clustermesh.apiserver.etcd.init.extraArgs | list | `[]` | Additional arguments to `clustermesh-apiserver etcdinit`. |
 | clustermesh.apiserver.etcd.init.extraEnv | list | `[]` | Additional environment variables to `clustermesh-apiserver etcdinit`. |
 | clustermesh.apiserver.etcd.init.resources | object | `{}` | Specifies the resources for etcd init container in the apiserver |
 | clustermesh.apiserver.etcd.lifecycle | object | `{}` | lifecycle setting for the etcd container |
 | clustermesh.apiserver.etcd.resources | object | `{}` | Specifies the resources for etcd container in the apiserver |
-| clustermesh.apiserver.etcd.securityContext | object | `{}` | Security context to be added to clustermesh-apiserver etcd containers |
+| clustermesh.apiserver.etcd.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | Security context to be added to clustermesh-apiserver etcd containers |
+| clustermesh.apiserver.etcd.storageMedium | string | `"Disk"` | Specifies whether etcd data is stored in a temporary volume backed by the node's default medium, such as disk, SSD or network storage (Disk), or RAM (Memory). The Memory option enables improved etcd read and write performance at the cost of additional memory usage, which counts against the memory limits of the container. |
 | clustermesh.apiserver.extraArgs | list | `[]` | Additional clustermesh-apiserver arguments. |
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.5","useDigest":true}` | Clustermesh API server image. |
-| clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
+| clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:a1597b7de97cfa03f1330e6b784df1721eb69494cd9efb0b3a6930680dfe7a8e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.0","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
 | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
+| clustermesh.apiserver.kvstoremesh.healthPort | int | `9881` | TCP port for the KVStoreMesh health API. |
 | clustermesh.apiserver.kvstoremesh.lifecycle | object | `{}` | lifecycle setting for the KVStoreMesh container |
+| clustermesh.apiserver.kvstoremesh.readinessProbe | object | `{}` | Configuration for the KVStoreMesh readiness probe. |
 | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
 | clustermesh.apiserver.lifecycle | object | `{}` | lifecycle setting for the apiserver container |
@@ -205,14 +218,18 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable |
 | clustermesh.apiserver.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` |
 | clustermesh.apiserver.podLabels | object | `{}` | Labels to be added to clustermesh-apiserver pods |
-| clustermesh.apiserver.podSecurityContext | object | `{}` | Security context to be added to clustermesh-apiserver pods |
+| clustermesh.apiserver.podSecurityContext | object | `{"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` | Security context to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.priorityClassName | string | `""` | The priority class to use for clustermesh-apiserver |
+| clustermesh.apiserver.readinessProbe | object | `{}` | Configuration for the clustermesh-apiserver readiness probe. |
 | clustermesh.apiserver.replicas | int | `1` | Number of replicas run for the clustermesh-apiserver deployment. |
 | clustermesh.apiserver.resources | object | `{}` | Resource requests and limits for the clustermesh-apiserver |
-| clustermesh.apiserver.securityContext | object | `{}` | Security context to be added to clustermesh-apiserver containers |
-| clustermesh.apiserver.service.annotations | object | `{}` | Annotations for the clustermesh-apiserver For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 |
-| clustermesh.apiserver.service.externalTrafficPolicy | string | `nil` | The externalTrafficPolicy of service used for apiserver access. |
-| clustermesh.apiserver.service.internalTrafficPolicy | string | `nil` | The internalTrafficPolicy of service used for apiserver access. |
+| clustermesh.apiserver.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | Security context to be added to clustermesh-apiserver containers |
+| clustermesh.apiserver.service.annotations | object | `{}` | Annotations for the clustermesh-apiserver For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: "true" |
+| clustermesh.apiserver.service.enableSessionAffinity | string | `"HAOnly"` | Defines when to enable session affinity. Each replica in a clustermesh-apiserver deployment runs its own discrete etcd cluster. Remote clients connect to one of the replicas through a shared Kubernetes Service. A client reconnecting to a different backend will require a full resync to ensure data integrity. Session affinity can reduce the likelihood of this happening, but may not be supported by all cloud providers. Possible values:  - "HAOnly" (default) Only enable session affinity for deployments with more than 1 replica.  - "Always" Always enable session affinity.  - "Never" Never enable session affinity. Useful in environments where            session affinity is not supported, but may lead to slightly            degraded performance due to more frequent reconnections. |
+| clustermesh.apiserver.service.externalTrafficPolicy | string | `"Cluster"` | The externalTrafficPolicy of service used for apiserver access. |
+| clustermesh.apiserver.service.internalTrafficPolicy | string | `"Cluster"` | The internalTrafficPolicy of service used for apiserver access. |
+| clustermesh.apiserver.service.loadBalancerClass | string | `nil` | Configure a loadBalancerClass. Allows to configure the loadBalancerClass on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer (requires Kubernetes 1.24+). |
+| clustermesh.apiserver.service.loadBalancerIP | string | `nil` | Configure a specific loadBalancerIP. Allows to configure a specific loadBalancerIP on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer. |
 | clustermesh.apiserver.service.nodePort | int | `32379` | Optional port to use as the node port for apiserver access.  WARNING: make sure to configure a different NodePort in each cluster if kube-proxy replacement is enabled, as Cilium is currently affected by a known bug (#24692) when NodePorts are handled by the KPR implementation. If a service with the same NodePort exists both in the local and the remote cluster, all traffic originating from inside the cluster and targeting the corresponding NodePort will be redirected to a local backend, regardless of whether the destination node belongs to the local or the remote cluster. |
 | clustermesh.apiserver.service.type | string | `"NodePort"` | The type of service used for apiserver access. |
 | clustermesh.apiserver.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for the clustermesh-apiserver deployment |
@@ -223,17 +240,20 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
 | clustermesh.apiserver.tls.auto.enabled | bool | `true` | When set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. If set to false, the certs to be provided by setting appropriate values below. |
 | clustermesh.apiserver.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. Used if 'auto' is not enabled. |
+| clustermesh.apiserver.tls.enableSecrets | bool | `true` | Allow users to provide their own certificates Users may need to provide their certificates using a mechanism that requires they provide their own secrets. This setting does not apply to any of the auto-generated mechanisms below, it only restricts the creation of secrets via the `tls-provided` templates. |
 | clustermesh.apiserver.tls.remote | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. Used if 'auto' is not enabled. |
 | clustermesh.apiserver.tls.server | object | `{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. Used if 'auto' is not enabled. |
 | clustermesh.apiserver.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated |
 | clustermesh.apiserver.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated |
 | clustermesh.apiserver.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | clustermesh.apiserver.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for clustermesh-apiserver |
-| clustermesh.apiserver.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | clustermesh-apiserver update strategy |
+| clustermesh.apiserver.updateStrategy | object | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | clustermesh-apiserver update strategy |
 | clustermesh.config | object | `{"clusters":[],"domain":"mesh.cilium.io","enabled":false}` | Clustermesh explicit configuration. |
 | clustermesh.config.clusters | list | `[]` | List of clusters to be peered in the mesh. |
 | clustermesh.config.domain | string | `"mesh.cilium.io"` | Default dns domain for the Clustermesh API servers This is used in the case cluster addresses are not provided and IPs are used. |
 | clustermesh.config.enabled | bool | `false` | Enable the Clustermesh explicit configuration. |
+| clustermesh.enableEndpointSliceSynchronization | bool | `false` | Enable the synchronization of Kubernetes EndpointSlices corresponding to the remote endpoints of appropriately-annotated global services through ClusterMesh |
+| clustermesh.enableMCSAPISupport | bool | `false` | Enable Multi-Cluster Services API support |
 | clustermesh.maxConnectedClusters | int | `255` | The maximum number of clusters to support in a ClusterMesh. This value cannot be changed on running clusters, and all clusters in a ClusterMesh must be configured with the same value. Values > 255 will decrease the maximum allocatable cluster-local identities. Supported values are 255 and 511. |
 | clustermesh.useAPIServer | bool | `false` | Deploy clustermesh-apiserver for clustermesh |
 | cni.binPath | string | `"/opt/cni/bin"` | Configure the path to the CNI binary directory on the host. |
@@ -243,6 +263,7 @@ contributors across the globe, there is almost always someone available to help.
 | cni.confPath | string | `"/etc/cni/net.d"` | Configure the path to the CNI configuration directory on the host. |
 | cni.configMapKey | string | `"cni-config"` | Configure the key in the CNI ConfigMap to read the contents of the CNI configuration from. |
 | cni.customConf | bool | `false` | Skip writing of the CNI configuration. This can be used if writing of the CNI configuration is performed by external automation. |
+| cni.enableRouteMTUForCNIChaining | bool | `false` | Enable route MTU for pod netns when CNI chaining is used |
 | cni.exclusive | bool | `true` | Make Cilium take ownership over the `/etc/cni/net.d` directory on the node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime. |
 | cni.hostConfDirMountPath | string | `"/host/etc/cni/net.d"` | Configure the path to where the CNI configuration directory is mounted inside the agent pod. |
 | cni.install | bool | `true` | Install the CNI configuration and binary files into the filesystem. |
@@ -251,8 +272,6 @@ contributors across the globe, there is almost always someone available to help.
 | cni.uninstall | bool | `false` | Remove the CNI configuration and binary files on agent shutdown. Enable this if you're removing Cilium from the cluster. Disable this to prevent the CNI configuration file from being removed during agent upgrade, which can cause nodes to go unmanageable. |
 | conntrackGCInterval | string | `"0s"` | Configure how frequently garbage collection should occur for the datapath connection tracking table. |
 | conntrackGCMaxInterval | string | `""` | Configure the maximum frequency for the garbage collection of the connection tracking table. Only affects the automatic computation for the frequency and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently clean up unused identities created from ToFQDN policies. |
-| containerRuntime | object | `{"integration":"none"}` | Configure container runtime specific integration. Deprecated in favor of bpf.autoMount.enabled. To be removed in 1.15. |
-| containerRuntime.integration | string | `"none"` | Enables specific integrations for container runtimes. Supported values: - crio - none |
 | crdWaitTimeout | string | `"5m"` | Configure timeout in which Cilium will exit if CRDs are not available |
 | customCalls | object | `{"enabled":false}` | Tail call hooks for custom eBPF programs. |
 | customCalls.enabled | bool | `false` | Enable tail call hooks for custom eBPF programs. |
@@ -263,6 +282,7 @@ contributors across the globe, there is almost always someone available to help.
 | dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for cilium-agent grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
 | debug.enabled | bool | `false` | Enable debug logging |
 | debug.verbose | string | `nil` | Configure verbosity levels for debug logging This option is used to enable debug messages for operations related to such sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is for enabling debug messages emitted per request, message and connection. Multiple values can be set via a space-separated string (e.g. "datapath envoy").  Applicable values: - flow - kvstore - envoy - datapath - policy |
+| directRoutingSkipUnreachable | bool | `false` | Enable skipping of PodCIDR routes between worker nodes if the worker nodes are in a different L2 network segment. |
 | disableEndpointCRD | bool | `false` | Disable the usage of CiliumEndpoint CRD. |
 | dnsPolicy | string | `""` | DNS policy for Cilium agent pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
 | dnsProxy.dnsRejectResponseCode | string | `"refused"` | DNS response code for rejecting DNS requests, available options are '[nameError refused]'. |
@@ -274,10 +294,10 @@ contributors across the globe, there is almost always someone available to help.
 | dnsProxy.preCache | string | `""` | DNS cache data at this path is preloaded on agent startup. |
 | dnsProxy.proxyPort | int | `0` | Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. |
 | dnsProxy.proxyResponseMaxDelay | string | `"100ms"` | The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. |
+| dnsProxy.socketLingerTimeout | int | `10` | Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background. |
 | egressGateway.enabled | bool | `false` | Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. |
-| egressGateway.installRoutes | bool | `false` | Deprecated without a replacement necessary. |
 | egressGateway.reconciliationTriggerInterval | string | `"1s"` | Time between triggers of egress gateway state reconciliations |
-| enableCiliumEndpointSlice | bool | `false` | Enable CiliumEndpointSlice feature. |
+| enableCiliumEndpointSlice | bool | `false` | Enable CiliumEndpointSlice feature (deprecated, please use `ciliumEndpointSlice.enabled` instead). |
 | enableCriticalPriorityClass | bool | `true` | Explicitly enable or disable priority class. .Capabilities.KubeVersion is unsettable in `helm template` calls, it depends on k8s libraries version that Helm was compiled against. This option allows to explicitly disable setting the priority class, which is useful for rendering charts for gke clusters in advance. |
 | enableIPv4BIGTCP | bool | `false` | Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods |
 | enableIPv4Masquerade | bool | `true` | Enables masquerading of IPv4 traffic leaving the node from endpoints. |
@@ -285,30 +305,26 @@ contributors across the globe, there is almost always someone available to help.
 | enableIPv6Masquerade | bool | `true` | Enables masquerading of IPv6 traffic leaving the node from endpoints. |
 | enableK8sTerminatingEndpoint | bool | `true` | Configure whether to enable auto detect of terminating state for endpoints in order to support graceful termination. |
 | enableMasqueradeRouteSource | bool | `false` | Enables masquerading to the source of the route for traffic leaving the node from endpoints. |
-| enableRuntimeDeviceDetection | bool | `false` | Enables experimental support for the detection of new and removed datapath devices. When devices change the eBPF datapath is reloaded and services updated. If "devices" is set then only those devices, or devices matching a wildcard will be considered. |
+| enableRuntimeDeviceDetection | bool | `true` | Enables experimental support for the detection of new and removed datapath devices. When devices change the eBPF datapath is reloaded and services updated. If "devices" is set then only those devices, or devices matching a wildcard will be considered.  This option has been deprecated and is a no-op. |
 | enableXTSocketFallback | bool | `true` | Enables the fallback compatibility solution for when the xt_socket kernel module is missing and it is needed for the datapath L7 redirection to work properly. See documentation for details on when this can be disabled: https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. |
 | encryption.enabled | bool | `false` | Enable transparent network encryption. |
-| encryption.interface | string | `""` | Deprecated in favor of encryption.ipsec.interface. To be removed in 1.15. The interface to use for encrypted traffic. This option is only effective when encryption.type is set to ipsec. |
+| encryption.ipsec.encryptedOverlay | bool | `false` | Enable IPsec encrypted overlay |
 | encryption.ipsec.interface | string | `""` | The interface to use for encrypted traffic. |
-| encryption.ipsec.keyFile | string | `""` | Name of the key file inside the Kubernetes secret configured via secretName. |
+| encryption.ipsec.keyFile | string | `"keys"` | Name of the key file inside the Kubernetes secret configured via secretName. |
 | encryption.ipsec.keyRotationDuration | string | `"5m"` | Maximum duration of the IPsec key rotation. The previous key will be removed after that delay. |
 | encryption.ipsec.keyWatcher | bool | `true` | Enable the key watcher. If disabled, a restart of the agent will be necessary on key rotations. |
-| encryption.ipsec.mountPath | string | `""` | Path to mount the secret inside the Cilium pod. |
-| encryption.ipsec.secretName | string | `""` | Name of the Kubernetes secret containing the encryption keys. |
-| encryption.keyFile | string | `"keys"` | Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. Name of the key file inside the Kubernetes secret configured via secretName. This option is only effective when encryption.type is set to ipsec. |
-| encryption.mountPath | string | `"/etc/ipsec"` | Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. Path to mount the secret inside the Cilium pod. This option is only effective when encryption.type is set to ipsec. |
+| encryption.ipsec.mountPath | string | `"/etc/ipsec"` | Path to mount the secret inside the Cilium pod. |
+| encryption.ipsec.secretName | string | `"cilium-ipsec-keys"` | Name of the Kubernetes secret containing the encryption keys. |
 | encryption.nodeEncryption | bool | `false` | Enable encryption for pure node to node traffic. This option is only effective when encryption.type is set to "wireguard". |
-| encryption.secretName | string | `"cilium-ipsec-keys"` | Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. Name of the Kubernetes secret containing the encryption keys. This option is only effective when encryption.type is set to ipsec. |
 | encryption.strictMode | object | `{"allowRemoteNodeIdentities":false,"cidr":"","enabled":false}` | Configure the WireGuard Pod2Pod strict mode. |
 | encryption.strictMode.allowRemoteNodeIdentities | bool | `false` | Allow dynamic lookup of remote node identities. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. |
 | encryption.strictMode.cidr | string | `""` | CIDR for the WireGuard Pod2Pod strict mode. |
 | encryption.strictMode.enabled | bool | `false` | Enable WireGuard Pod2Pod strict mode. |
 | encryption.type | string | `"ipsec"` | Encryption method. Can be either ipsec or wireguard. |
-| encryption.wireguard.persistentKeepalive | string | `"0s"` | Controls Wireguard PersistentKeepalive option. Set 0s to disable. |
-| encryption.wireguard.userspaceFallback | bool | `false` | Enables the fallback to the user-space implementation. |
+| encryption.wireguard.persistentKeepalive | string | `"0s"` | Controls WireGuard PersistentKeepalive option. Set 0s to disable. |
+| encryption.wireguard.userspaceFallback | bool | `false` | Enables the fallback to the user-space implementation (deprecated). |
 | endpointHealthChecking.enabled | bool | `true` | Enable connectivity health checking between virtual endpoints. |
 | endpointRoutes.enabled | bool | `false` | Enable use of per endpoint routes instead of routing via the cilium_host interface. |
-| endpointStatus | object | `{"enabled":false,"status":""}` | Enable endpoint status. Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. |
 | eni.awsEnablePrefixDelegation | bool | `false` | Enable ENI prefix delegation |
 | eni.awsReleaseExcessIPs | bool | `false` | Release IPs not used from the ENI |
 | eni.ec2APIEndpoint | string | `""` | EC2 API endpoint to use |
@@ -323,9 +339,12 @@ contributors across the globe, there is almost always someone available to help.
 | eni.updateEC2AdapterLimitViaAPI | bool | `true` | Update ENI Adapter limits from the EC2 API |
 | envoy.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
 | envoy.annotations | object | `{}` | Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) |
+| envoy.baseID | int | `0` |  Set Envoy'--base-id' to use when allocating shared memory regions. Only needs to be changed if multiple Envoy instances will run on the same node and may have conflicts. Supported values: 0 - 4294967295. Defaults to '0' |
 | envoy.connectTimeoutSeconds | int | `2` | Time in seconds after which a TCP connection attempt times out |
+| envoy.debug.admin.enabled | bool | `false` | Enable admin interface for cilium-envoy. This is useful for debugging and should not be enabled in production. |
+| envoy.debug.admin.port | int | `9901` | Port number (bound to loopback interface). kubectl port-forward can be used to access the admin interface. |
 | envoy.dnsPolicy | string | `nil` | DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
-| envoy.enabled | bool | `false` | Enable Envoy Proxy in standalone DaemonSet. |
+| envoy.enabled | string | `true` for new installation | Enable Envoy Proxy in standalone DaemonSet. This field is enabled by default for new installation. |
 | envoy.extraArgs | list | `[]` | Additional envoy container arguments. |
 | envoy.extraContainers | list | `[]` | Additional containers added to the cilium Envoy DaemonSet. |
 | envoy.extraEnv | list | `[]` | Additional envoy container environment variables. |
@@ -334,7 +353,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:bc8dcc3bc008e3a5aab98edb73a0985e6ef9469bda49d5bb3004c001c995c380","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.3-31ec52ec5f2e4d28a8e19a0bfb872fa48cf7a515","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -360,7 +379,8 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe |
 | envoy.resources | object | `{}` | Envoy resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
 | envoy.rollOutPods | bool | `false` | Roll out cilium envoy pods automatically when configmap is updated. |
-| envoy.securityContext.capabilities.envoy | list | `["NET_ADMIN","SYS_ADMIN"]` | Capabilities for the `cilium-envoy` container |
+| envoy.securityContext.capabilities.envoy | list | `["NET_ADMIN","SYS_ADMIN"]` | Capabilities for the `cilium-envoy` container. Even though granted to the container, the cilium-envoy-starter wrapper drops all capabilities after forking the actual Envoy process. `NET_BIND_SERVICE` is the only capability that can be passed to the Envoy process by setting `envoy.securityContext.capabilities.keepNetBindService=true` (in addition to granting the capability to the container). Note: In case of embedded envoy, the capability must  be granted to the cilium-agent container. |
+| envoy.securityContext.capabilities.keepCapNetBindService | bool | `false` | Keep capability `NET_BIND_SERVICE` for Envoy process. |
 | envoy.securityContext.privileged | bool | `false` | Run the pod with elevated privileges |
 | envoy.securityContext.seLinuxOptions | object | `{"level":"s0","type":"spc_t"}` | SELinux options for the `cilium-envoy` container |
 | envoy.startupProbe.failureThreshold | int | `105` | failure threshold of startup probe. 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) |
@@ -371,32 +391,13 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.xffNumTrustedHopsL7PolicyEgress | int | `0` | Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. |
 | envoy.xffNumTrustedHopsL7PolicyIngress | int | `0` | Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. |
 | envoyConfig.enabled | bool | `false` | Enable CiliumEnvoyConfig CRD CiliumEnvoyConfig CRD can also be implicitly enabled by other options. |
+| envoyConfig.retryInterval | string | `"15s"` | Interval in which an attempt is made to reconcile failed EnvoyConfigs. If the duration is zero, the retry is deactivated. |
 | envoyConfig.secretsNamespace | object | `{"create":true,"name":"cilium-secrets"}` | SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from. |
 | envoyConfig.secretsNamespace.create | bool | `true` | Create secrets namespace for CiliumEnvoyConfig CRDs. |
 | envoyConfig.secretsNamespace.name | string | `"cilium-secrets"` | The name of the secret namespace to which Cilium agents are given read access. |
-| etcd.annotations | object | `{}` | Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator) |
-| etcd.clusterDomain | string | `"cluster.local"` | Cluster domain for cilium-etcd-operator. |
 | etcd.enabled | bool | `false` | Enable etcd mode for the agent. |
-| etcd.endpoints | list | `["https://CHANGE-ME:2379"]` | List of etcd endpoints (not needed when using managed=true). |
-| etcd.extraArgs | list | `[]` | Additional cilium-etcd-operator container arguments. |
-| etcd.extraVolumeMounts | list | `[]` | Additional cilium-etcd-operator volumeMounts. |
-| etcd.extraVolumes | list | `[]` | Additional cilium-etcd-operator volumes. |
-| etcd.image | object | `{"digest":"sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7","useDigest":true}` | cilium-etcd-operator image. |
-| etcd.k8sService | bool | `false` | If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. |
-| etcd.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-etcd-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
-| etcd.podAnnotations | object | `{}` | Annotations to be added to cilium-etcd-operator pods |
-| etcd.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
-| etcd.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable |
-| etcd.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` |
-| etcd.podLabels | object | `{}` | Labels to be added to cilium-etcd-operator pods |
-| etcd.podSecurityContext | object | `{}` | Security context to be added to cilium-etcd-operator pods |
-| etcd.priorityClassName | string | `""` | The priority class to use for cilium-etcd-operator |
-| etcd.resources | object | `{}` | cilium-etcd-operator resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
-| etcd.securityContext | object | `{}` | Security context to be added to cilium-etcd-operator pods |
-| etcd.ssl | bool | `false` | Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if managed=true) |
-| etcd.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for cilium-etcd-operator scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
-| etcd.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for cilium-etcd-operator |
-| etcd.updateStrategy | object | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":1},"type":"RollingUpdate"}` | cilium-etcd-operator update strategy |
+| etcd.endpoints | list | `["https://CHANGE-ME:2379"]` | List of etcd endpoints |
+| etcd.ssl | bool | `false` | Enable use of TLS/SSL for connectivity to etcd. |
 | externalIPs.enabled | bool | `false` | Enable ExternalIPs service support. |
 | externalWorkloads | object | `{"enabled":false}` | Configure external workloads support |
 | externalWorkloads.enabled | bool | `false` | Enable support for external workloads, such as VMs (false by default). |
@@ -405,13 +406,23 @@ contributors across the globe, there is almost always someone available to help.
 | extraContainers | list | `[]` | Additional containers added to the cilium DaemonSet. |
 | extraEnv | list | `[]` | Additional agent container environment variables. |
 | extraHostPathMounts | list | `[]` | Additional agent hostPath mounts. |
+| extraInitContainers | list | `[]` | Additional initContainers added to the cilium Daemonset. |
 | extraVolumeMounts | list | `[]` | Additional agent volumeMounts. |
 | extraVolumes | list | `[]` | Additional agent volumes. |
+| forceDeviceDetection | bool | `false` | Forces the auto-detection of devices, even if specific devices are explicitly listed |
+| gatewayAPI.enableAlpn | bool | `false` | Enable ALPN for all listeners configured with Gateway API. ALPN will attempt HTTP/2, then HTTP 1.1. Note that this will also enable `appProtocol` support, and services that wish to use HTTP/2 will need to indicate that via their `appProtocol`. |
+| gatewayAPI.enableAppProtocol | bool | `false` | Enable Backend Protocol selection support (GEP-1911) for Gateway API via appProtocol. |
+| gatewayAPI.enableProxyProtocol | bool | `false` | Enable proxy protocol for all GatewayAPI listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. |
 | gatewayAPI.enabled | bool | `false` | Enable support for Gateway API in cilium This will automatically set enable-envoy-config as well. |
+| gatewayAPI.externalTrafficPolicy | string | `"Cluster"` | Control how traffic from external sources is routed to the LoadBalancer Kubernetes Service for all Cilium GatewayAPI Gateway instances. Valid values are "Cluster" and "Local". Note that this value will be ignored when `hostNetwork.enabled == true`. ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#external-traffic-policy |
+| gatewayAPI.gatewayClass.create | string | `"auto"` | Enable creation of GatewayClass resource The default value is 'auto' which decides according to presence of gateway.networking.k8s.io/v1/GatewayClass in the cluster. Other possible values are 'true' and 'false', which will either always or never create the GatewayClass, respectively. |
+| gatewayAPI.hostNetwork.enabled | bool | `false` | Configure whether the Envoy listeners should be exposed on the host network. |
+| gatewayAPI.hostNetwork.nodes.matchLabels | object | `{}` | Specify the labels of the nodes where the Ingress listeners should be exposed  matchLabels:   kubernetes.io/os: linux   kubernetes.io/hostname: kind-worker |
 | gatewayAPI.secretsNamespace | object | `{"create":true,"name":"cilium-secrets","sync":true}` | SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. |
 | gatewayAPI.secretsNamespace.create | bool | `true` | Create secrets namespace for Gateway API. |
 | gatewayAPI.secretsNamespace.name | string | `"cilium-secrets"` | Name of Gateway API secret namespace. |
 | gatewayAPI.secretsNamespace.sync | bool | `true` | Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. If disabled, TLS secrets must be maintained externally. |
+| gatewayAPI.xffNumTrustedHops | int | `0` | The number of additional GatewayAPI proxy hops from the right side of the HTTP header to trust when determining the origin client's IP address. |
 | gke.enabled | bool | `false` | Enable Google Kubernetes Engine integration |
 | healthChecking | bool | `true` | Enable connectivity health checking. |
 | healthPort | int | `9879` | TCP port for the agent health API. This is not the port for cilium-health. |
@@ -421,6 +432,9 @@ contributors across the globe, there is almost always someone available to help.
 | hostFirewall.enabled | bool | `false` | Enables the enforcement of host policies in the eBPF datapath. |
 | hostPort.enabled | bool | `false` | Enable hostPort service support. |
 | hubble.annotations | object | `{}` | Annotations to be added to all top-level hubble objects (resources under templates/hubble) |
+| hubble.dropEventEmitter | object | `{"enabled":false,"interval":"2m","reasons":["auth_required","policy_denied"]}` | Emit v1.Events related to pods on detection of packet drops.    This feature is alpha, please provide feedback at https://github.com/cilium/cilium/issues/33975. |
+| hubble.dropEventEmitter.interval | string | `"2m"` | - Minimum time between emitting same events. |
+| hubble.dropEventEmitter.reasons | list | `["auth_required","policy_denied"]` | - Drop reasons to emit events for. ref: https://docs.cilium.io/en/stable/_api/v1/flow/README/#dropreason |
 | hubble.enabled | bool | `true` | Enable Hubble (true by default). |
 | hubble.export | object | `{"dynamic":{"config":{"configMapName":"cilium-flowlog-config","content":[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false},"fileMaxBackups":5,"fileMaxSizeMb":10,"static":{"allowList":[],"denyList":[],"enabled":false,"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log"}}` | Hubble flows export. |
 | hubble.export.dynamic | object | `{"config":{"configMapName":"cilium-flowlog-config","content":[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false}` | - Dynamic exporters configuration. Dynamic exporters may be reconfigured without a need of agent restarts. |
@@ -431,7 +445,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.export.fileMaxSizeMb | int | `10` | - Defines max file size of output file before it gets rotated. |
 | hubble.export.static | object | `{"allowList":[],"denyList":[],"enabled":false,"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log"}` | - Static exporter configuration. Static exporter is bound to agent lifecycle. |
 | hubble.listenAddress | string | `":4244"` | An additional address for Hubble to listen to. Set this field ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244. |
-| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. |
+| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"tlsConfig":{}},"tls":{"enabled":false,"server":{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}}}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. |
 | hubble.metrics.dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for hubble grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
 | hubble.metrics.enableOpenMetrics | bool | `false` | Enables exporting hubble metrics in OpenMetrics format. |
 | hubble.metrics.enabled | string | `nil` | Configures the list of metrics to collect. If empty or null, metrics are disabled. Example:    enabled:   - dns:query;ignoreAAAA   - drop   - tcp   - flow   - icmp   - http  You can specify the list of metrics from the helm CLI:    --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"  |
@@ -444,6 +458,13 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.metrics.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor hubble |
 | hubble.metrics.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor hubble |
 | hubble.metrics.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor hubble |
+| hubble.metrics.tls.server.cert | string | `""` | base64 encoded PEM values for the Hubble metrics server certificate. |
+| hubble.metrics.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated |
+| hubble.metrics.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated |
+| hubble.metrics.tls.server.key | string | `""` | base64 encoded PEM values for the Hubble metrics server key. |
+| hubble.metrics.tls.server.mtls | object | `{"enabled":false,"key":"ca.crt","name":null,"useSecret":false}` | Configure mTLS for the Hubble metrics server. |
+| hubble.metrics.tls.server.mtls.key | string | `"ca.crt"` | Entry of the ConfigMap containing the CA. |
+| hubble.metrics.tls.server.mtls.name | string | `nil` | Name of the ConfigMap containing the CA to validate client certificates against. If mTLS is enabled and this is unspecified, it will default to the same CA used for Hubble metrics server certificates. |
 | hubble.peerService.clusterDomain | string | `"cluster.local"` | The cluster domain to use to query the Hubble Peer service. It should be the local cluster. |
 | hubble.peerService.targetPort | int | `4244` | Target Port for the Peer service, must match the hubble.listenAddress' port. |
 | hubble.preferIpv6 | bool | `false` | Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available. |
@@ -462,7 +483,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.5","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:33fca7776fc3d7b2abe08873319353806dc1c5e07e12011d7da4da05f836ce8d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.0","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -492,7 +513,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.service.nodePort | int | `31234` | - The port to use when the service type is set to NodePort. |
 | hubble.relay.service.type | string | `"ClusterIP"` | - The type of service used for Hubble Relay access, either ClusterIP or NodePort. |
 | hubble.relay.sortBufferDrainTimeout | string | `nil` | When the per-request flows sort buffer is not full, a flow is drained every time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). |
-| hubble.relay.sortBufferLenMax | string | `nil` | Max number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100). |
+| hubble.relay.sortBufferLenMax | int | `nil` | Max number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100). |
 | hubble.relay.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for hubble relay Deployment. |
 | hubble.relay.tls | object | `{"client":{"cert":"","key":""},"server":{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}}` | TLS configuration for Hubble Relay |
 | hubble.relay.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the hubble-relay client certificate and private key This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. |
@@ -520,7 +541,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
 | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
 | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
-| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. |
+| hubble.ui.backend.image | object | `{"digest":"sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.1","useDigest":true}` | Hubble-ui backend image. |
 | hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
 | hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
 | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
@@ -530,7 +551,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
 | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. |
 | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. |
-| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. |
+| hubble.ui.frontend.image | object | `{"digest":"sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.1","useDigest":true}` | Hubble-ui frontend image. |
 | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
 | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. |
 | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 |
@@ -557,23 +578,27 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.5","useDigest":true}` | Agent container image. |
-| imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
+| image | object | `{"digest":"sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0","useDigest":true}` | Agent container image. |
+| imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
 | ingressController.defaultSecretNamespace | string | `nil` | Default secret namespace for ingresses without .spec.tls[].secretName set. |
 | ingressController.enableProxyProtocol | bool | `false` | Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. |
 | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
 | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
-| ingressController.ingressLBAnnotationPrefixes | list | `["service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]` | IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service |
-| ingressController.loadbalancerMode | string | `"dedicated"` | Default ingress load balancer mode Supported values: shared, dedicated For granular control, use the following annotations on the ingress resource ingress.cilium.io/loadbalancer-mode: shared|dedicated, |
+| ingressController.hostNetwork.enabled | bool | `false` | Configure whether the Envoy listeners should be exposed on the host network. |
+| ingressController.hostNetwork.nodes.matchLabels | object | `{}` | Specify the labels of the nodes where the Ingress listeners should be exposed  matchLabels:   kubernetes.io/os: linux   kubernetes.io/hostname: kind-worker |
+| ingressController.hostNetwork.sharedListenerPort | int | `8080` | Configure a specific port on the host network that gets used for the shared listener. |
+| ingressController.ingressLBAnnotationPrefixes | list | `["lbipam.cilium.io","nodeipam.cilium.io","service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]` | IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service |
+| ingressController.loadbalancerMode | string | `"dedicated"` | Default ingress load balancer mode Supported values: shared, dedicated For granular control, use the following annotations on the ingress resource: "ingress.cilium.io/loadbalancer-mode: dedicated" (or "shared"). |
 | ingressController.secretsNamespace | object | `{"create":true,"name":"cilium-secrets","sync":true}` | SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. |
 | ingressController.secretsNamespace.create | bool | `true` | Create secrets namespace for Ingress. |
 | ingressController.secretsNamespace.name | string | `"cilium-secrets"` | Name of Ingress secret namespace. |
 | ingressController.secretsNamespace.sync | bool | `true` | Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. If disabled, TLS secrets must be maintained externally. |
-| ingressController.service | object | `{"allocateLoadBalancerNodePorts":null,"annotations":{},"insecureNodePort":null,"labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"name":"cilium-ingress","secureNodePort":null,"type":"LoadBalancer"}` | Load-balancer service in shared mode. This is a single load-balancer service for all Ingress resources. |
+| ingressController.service | object | `{"allocateLoadBalancerNodePorts":null,"annotations":{},"externalTrafficPolicy":"Cluster","insecureNodePort":null,"labels":{},"loadBalancerClass":null,"loadBalancerIP":null,"name":"cilium-ingress","secureNodePort":null,"type":"LoadBalancer"}` | Load-balancer service in shared mode. This is a single load-balancer service for all Ingress resources. |
 | ingressController.service.allocateLoadBalancerNodePorts | string | `nil` | Configure if node port allocation is required for LB service ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation |
 | ingressController.service.annotations | object | `{}` | Annotations to be added for the shared LB service |
+| ingressController.service.externalTrafficPolicy | string | `"Cluster"` | Control how traffic from external sources is routed to the LoadBalancer Kubernetes Service for Cilium Ingress in shared mode. Valid values are "Cluster" and "Local". ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#external-traffic-policy |
 | ingressController.service.insecureNodePort | string | `nil` | Configure a specific nodePort for insecure HTTP traffic on the shared LB service |
 | ingressController.service.labels | object | `{}` | Labels to be added for the shared LB service |
 | ingressController.service.loadBalancerClass | string | `nil` | Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+) |
@@ -591,18 +616,20 @@ contributors across the globe, there is almost always someone available to help.
 | ipam.operator.clusterPoolIPv4PodCIDRList | list | `["10.0.0.0/8"]` | IPv4 CIDR list range to delegate to individual nodes for IPAM. |
 | ipam.operator.clusterPoolIPv6MaskSize | int | `120` | IPv6 CIDR mask size to delegate to individual nodes for IPAM. |
 | ipam.operator.clusterPoolIPv6PodCIDRList | list | `["fd00::/104"]` | IPv6 CIDR list range to delegate to individual nodes for IPAM. |
-| ipam.operator.externalAPILimitBurstSize | string | `20` | The maximum burst size when rate limiting access to external APIs. Also known as the token bucket capacity. |
-| ipam.operator.externalAPILimitQPS | string | `4.0` | The maximum queries per second when rate limiting access to external APIs. Also known as the bucket refill rate, which is used to refill the bucket up to the burst size capacity. |
+| ipam.operator.externalAPILimitBurstSize | int | `20` | The maximum burst size when rate limiting access to external APIs. Also known as the token bucket capacity. |
+| ipam.operator.externalAPILimitQPS | float | `4.0` | The maximum queries per second when rate limiting access to external APIs. Also known as the bucket refill rate, which is used to refill the bucket up to the burst size capacity. |
 | ipv4.enabled | bool | `true` | Enable IPv4 support. |
 | ipv4NativeRoutingCIDR | string | `""` | Allows to explicitly specify the IPv4 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag. |
 | ipv6.enabled | bool | `false` | Enable IPv6 support. |
 | ipv6NativeRoutingCIDR | string | `""` | Allows to explicitly specify the IPv6 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag. |
-| k8s | object | `{}` | Configure Kubernetes specific configuration |
+| k8s | object | `{"requireIPv4PodCIDR":false,"requireIPv6PodCIDR":false}` | Configure Kubernetes specific configuration |
+| k8s.requireIPv4PodCIDR | bool | `false` | requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR range via the Kubernetes node resource |
+| k8s.requireIPv6PodCIDR | bool | `false` | requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR range via the Kubernetes node resource |
 | k8sClientRateLimit | object | `{"burst":null,"qps":null}` | Configure the client side rate limit for the agent and operator  If the amount of requests to the Kubernetes API server exceeds the configured rate limit, the agent and operator will start to throttle requests by delaying them until there is budget or the request times out. |
 | k8sClientRateLimit.burst | int | 10 for k8s up to 1.26. 20 for k8s version 1.27+ | The burst request rate in requests per second. The rate limiter will allow short bursts with a higher rate. |
 | k8sClientRateLimit.qps | int | 5 for k8s up to 1.26. 10 for k8s version 1.27+ | The sustained request rate in requests per second. |
 | k8sNetworkPolicy.enabled | bool | `true` | Enable support for K8s NetworkPolicy |
-| k8sServiceHost | string | `""` | Kubernetes service host |
+| k8sServiceHost | string | `""` | Kubernetes service host - use "auto" for automatic lookup from the cluster-info ConfigMap (kubeadm-based clusters only) |
 | k8sServicePort | string | `""` | Kubernetes service port |
 | keepDeprecatedLabels | bool | `false` | Keep the deprecated selector labels when deploying Cilium DaemonSet. |
 | keepDeprecatedProbes | bool | `false` | Keep the deprecated probes when deploying Cilium DaemonSet |
@@ -632,13 +659,16 @@ contributors across the globe, there is almost always someone available to help.
 | name | string | `"cilium"` | Agent container name. |
 | nat46x64Gateway | object | `{"enabled":false}` | Configure standalone NAT46/NAT64 gateway |
 | nat46x64Gateway.enabled | bool | `false` | Enable RFC8215-prefixed translation |
-| nodePort | object | `{"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enableHealthCheckLoadBalancerIP":false,"enabled":false}` | Configure N-S k8s service loadbalancing |
+| nodeIPAM.enabled | bool | `false` | Configure Node IPAM ref: https://docs.cilium.io/en/stable/network/node-ipam/ |
+| nodePort | object | `{"addresses":null,"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enableHealthCheckLoadBalancerIP":false,"enabled":false}` | Configure N-S k8s service loadbalancing |
+| nodePort.addresses | string | `nil` | List of CIDRs for choosing which IP addresses assigned to native devices are used for NodePort load-balancing. By default this is empty and the first suitable, preferably private, IPv4 and IPv6 address assigned to each device is used.  Example:    addresses: ["192.168.1.0/24", "2001::/64"]  |
 | nodePort.autoProtectPortRange | bool | `true` | Append NodePort range to ip_local_reserved_ports if clash with ephemeral ports is detected. |
 | nodePort.bindProtection | bool | `true` | Set to true to prevent applications binding to service ports. |
 | nodePort.enableHealthCheck | bool | `true` | Enable healthcheck nodePort server for NodePort services |
 | nodePort.enableHealthCheckLoadBalancerIP | bool | `false` | Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs EnableHealthCheck to be enabled |
 | nodePort.enabled | bool | `false` | Enable the Cilium NodePort service implementation. |
 | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for cilium-agent. |
+| nodeSelectorLabels | bool | `false` | Enable/Disable use of node label based identity |
 | nodeinit.affinity | object | `{}` | Affinity for cilium-nodeinit |
 | nodeinit.annotations | object | `{}` | Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) |
 | nodeinit.bootstrapFile | string | `"/tmp/cilium-bootstrap.d/cilium-bootstrap-time"` | bootstrapFile is the location of the file where the bootstrap timestamp is written by the node-init DaemonSet |
@@ -646,7 +676,7 @@ contributors across the globe, there is almost always someone available to help.
 | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. |
 | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. |
 | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. |
-| nodeinit.image | object | `{"digest":"sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"19fb149fb3d5c7a37d3edfaf10a2be3ab7386661","useDigest":true}` | node-init image. |
+| nodeinit.image | object | `{"digest":"sha256:8d7b41c4ca45860254b3c19e20210462ef89479bb6331d6760c4e609d651b29c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"c54c7edeab7fde4da68e59acd319ab24af242c3f","useDigest":true}` | node-init image. |
 | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. |
 | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. |
@@ -670,9 +700,10 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraHostPathMounts | list | `[]` | Additional cilium-operator hostPath mounts. |
 | operator.extraVolumeMounts | list | `[]` | Additional cilium-operator volumeMounts. |
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
+| operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:d76d45e308f23398b786f1f05504863759849046c20c741ebb64ad80613f8fd3","awsDigest":"sha256:f9c0eaea023ce5a75b3ed1fc4b783f390c5a3c7dc1507a2dc4dbc667b80d1bd9","azureDigest":"sha256:0a56f2cfdcdf13da21b7fdcc870e29fef82e71e599cd8dd74eb65c377e035522","genericDigest":"sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.5","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:d2d9f450f2fc650d74d4b3935f4c05736e61145b9c6927520ea52e1ebcf4f3ea","awsDigest":"sha256:8dbe47a77ba8e1a5b111647a43db10c213d1c7dfc9f9aab5ef7279321ad21a2f","azureDigest":"sha256:dd7562e20bc72b55c65e2110eb98dca1dd2bbf6688b7d8cea2bc0453992c121d","genericDigest":"sha256:d6621c11c4e4943bf2998af7febe05be5ed6fdcf812b27ad4388f47022190316","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.0","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -700,7 +731,6 @@ contributors across the globe, there is almost always someone available to help.
 | operator.securityContext | object | `{}` | Security context to be added to cilium-operator pods |
 | operator.setNodeNetworkStatus | bool | `true` | Set Node condition NetworkUnavailable to 'false' with the reason 'CiliumIsUp' for nodes that have a healthy Cilium pod. |
 | operator.setNodeTaints | string | same as removeNodeTaints | Taint nodes where Cilium is scheduled but not running. This prevents pods from being scheduled to nodes where Cilium is not the default CNI provider. |
-| operator.skipCNPStatusStartupClean | bool | `false` | Skip CNP node status clean up at operator startup. |
 | operator.skipCRDCreation | bool | `false` | Skip CRDs creation for cilium-operator |
 | operator.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for cilium-operator scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | operator.topologySpreadConstraints | list | `[]` | Pod topology spread constraints for cilium-operator |
@@ -723,7 +753,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.5","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:46ffa4ef3cf6d8885dcc4af5963b0683f7d59daa90d49ed9fb68d3b1627fe058","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.0","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -732,11 +762,13 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.podLabels | object | `{}` | Labels to be added to the preflight pod. |
 | preflight.podSecurityContext | object | `{}` | Security context to be added to preflight pods. |
 | preflight.priorityClassName | string | `""` | The priority class to use for the preflight pod. |
+| preflight.readinessProbe.initialDelaySeconds | int | `5` | For how long kubelet should wait before performing the first probe |
+| preflight.readinessProbe.periodSeconds | int | `5` | interval between checks of the readiness probe |
 | preflight.resources | object | `{}` | preflight resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
 | preflight.securityContext | object | `{}` | Security context to be added to preflight pods |
 | preflight.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for preflight Deployment and DaemonSet. |
 | preflight.tofqdnsPreCache | string | `""` | Path to write the `--tofqdns-pre-cache` file to. |
-| preflight.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | Node tolerations for preflight scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
+| preflight.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for preflight scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | preflight.updateStrategy | object | `{"type":"RollingUpdate"}` | preflight update strategy |
 | preflight.validateCNPs | bool | `true` | By default we should always validate the installed CNPs before upgrading Cilium. This will make sure the user will have the policies deployed in the cluster with the right schema. |
 | priorityClassName | string | `""` | The priority class to use for cilium-agent. |
@@ -751,14 +783,9 @@ contributors across the globe, there is almost always someone available to help.
 | prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-agent |
 | prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-agent |
 | prometheus.serviceMonitor.trustCRDsExist | bool | `false` | Set to `true` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying |
-| proxy | object | `{"prometheus":{"enabled":true,"port":null},"sidecarImageRegex":"cilium/istio_proxy"}` | Configure Istio proxy options. |
-| proxy.prometheus.enabled | bool | `true` | Deprecated in favor of envoy.prometheus.enabled |
-| proxy.prometheus.port | string | `nil` | Deprecated in favor of envoy.prometheus.port |
-| proxy.sidecarImageRegex | string | `"cilium/istio_proxy"` | Regular expression matching compatible Istio sidecar istio-proxy container image names |
 | rbac.create | bool | `true` | Enable creation of Resource-Based Access Control configuration. |
 | readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe |
 | readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe |
-| remoteNodeIdentity | bool | `true` | Enable use of the remote node identity. ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity Deprecated without replacement in 1.15. To be removed in 1.16. |
 | resourceQuotas | object | `{"cilium":{"hard":{"pods":"10k"}},"enabled":false,"operator":{"hard":{"pods":"15"}}}` | Enable resource quotas for priority classes used in the cluster. |
 | resources | object | `{}` | Agent resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
 | rollOutCiliumPods | bool | `false` | Roll out cilium agent pods automatically when configmap is updated. |
@@ -783,6 +810,8 @@ contributors across the globe, there is almost always someone available to help.
 | startupProbe.periodSeconds | int | `2` | interval between checks of the startup probe |
 | svcSourceRangeCheck | bool | `true` | Enable check of service source ranges (currently, only for LoadBalancer). |
 | synchronizeK8sNodes | bool | `true` | Synchronize Kubernetes nodes to kvstore and perform CNP GC. |
+| sysctlfix | object | `{"enabled":true}` | Configure sysctl override described in #20072. |
+| sysctlfix.enabled | bool | `true` | Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute. |
 | terminationGracePeriodSeconds | int | `1` | Configure termination grace period for cilium-agent DaemonSet. |
 | tls | object | `{"ca":{"cert":"","certValidityDuration":1095,"key":""},"caBundle":{"enabled":false,"key":"ca.crt","name":"cilium-root-ca.crt","useSecret":false},"secretsBackend":"local"}` | Configure TLS configuration in the agent. |
 | tls.ca | object | `{"cert":"","certValidityDuration":1095,"key":""}` | Base64 encoded PEM values for the CA certificate and private key. This can be used as common CA to generate certificates used by hubble and clustermesh components. It is neither required nor used when cert-manager is used to generate the certificates. |
@@ -799,6 +828,7 @@ contributors across the globe, there is almost always someone available to help.
 | tunnelPort | int | Port 8472 for VXLAN, Port 6081 for Geneve | Configure VXLAN and Geneve tunnel port. |
 | tunnelProtocol | string | `"vxlan"` | Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. Possible values:   - ""   - vxlan   - geneve |
 | updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | Cilium agent update strategy |
+| upgradeCompatibility | string | `nil` | upgradeCompatibility helps users upgrading to ensure that the configMap for Cilium will not change critical values to ensure continued operation This flag is not required for new installations. For example: '1.7', '1.8', '1.9' |
 | vtep.cidr | string | `""` | A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" |
 | vtep.enabled | bool | `false` | Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. |
 | vtep.endpoint | string | `""` | A space separated list of VTEP device endpoint IPs, for example "1.1.1.1  1.1.2.1" |

packages/system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json

@@ -4691,21 +4691,21 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "sum(rate(cilium_policy_l7_denied_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m]))",
+          "expr": "sum(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"denied\"}[1m]))",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "denied",
           "refId": "A"
         },
         {
-          "expr": "sum(rate(cilium_policy_l7_forwarded_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m]))",
+          "expr": "sum(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"forwarded\"}[1m]))",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "forwarded",
           "refId": "B"
         },
         {
-          "expr": "sum(rate(cilium_policy_l7_received_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m]))",
+          "expr": "sum(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"received\"}[1m]))",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "received",
@@ -4857,7 +4857,7 @@
       "aliasColors": {
         "Max per node processingTime": "#e24d42",
         "Max per node upstreamTime": "#58140c",
-        "avg(cilium_policy_l7_parse_errors_total{pod=~\"cilium.*\"})": "#bf1b00",
+        "avg(cilium_policy_l7_total{pod=~\"cilium.*\", rule=\"parse_errors\"})": "#bf1b00",
         "parse errors": "#bf1b00"
       },
       "bars": true,
@@ -4916,7 +4916,7 @@
           "yaxis": 2
         },
         {
-          "alias": "avg(cilium_policy_l7_parse_errors_total{pod=~\"cilium.*\"})",
+          "alias": "avg(cilium_policy_l7_total{pod=~\"cilium.*\", rule=\"parse_errors\"})",
           "yaxis": 2
         },
         {
@@ -4937,7 +4937,7 @@
           "refId": "A"
         },
         {
-          "expr": "avg(cilium_policy_l7_parse_errors_total{k8s_app=\"cilium\", pod=~\"$pod\"}) by (pod)",
+          "expr": "avg(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"parse_errors\"}) by (pod)",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "parse errors",
@@ -5295,7 +5295,7 @@
           "refId": "B"
         },
         {
-          "expr": "max(rate(cilium_policy_l7_parse_errors_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m])) by (pod)",
+          "expr": "max(rate(cilium_policy_l7_total{k8s_app=\"cilium\", pod=~\"$pod\", rule=\"parse_errors\"}[1m])) by (pod)",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "parse errors",

packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json

@@ -5,13 +5,13 @@
   },
   "staticResources": {
     "listeners": [
-      {{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled }}
+      {{- if .Values.envoy.prometheus.enabled }}
       {
         "name": "envoy-prometheus-metrics-listener",
         "address": {
           "socket_address": {
             "address": "0.0.0.0",
-            "port_value": {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
+            "port_value": {{ .Values.envoy.prometheus.port }}
           }
         },
         "filter_chains": [
@@ -60,6 +60,73 @@
         ]
       },
       {{- end }}
+      {{- if and .Values.envoy.debug.admin.enabled }}
+      {
+        "name": "envoy-admin-listener",
+        "address": {
+          "socket_address": {
+            "address": {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }},
+            "port_value": {{ .Values.envoy.debug.admin.port }}
+          }
+        },
+        {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
+        "additional_addresses": [
+          {
+            "address": {
+              "socket_address": {
+                "address": "::1",
+                "port_value": {{ .Values.envoy.debug.admin.port }}
+              }
+            }
+          }
+        ],
+        {{- end }}
+        "filter_chains": [
+          {
+            "filters": [
+              {
+                "name": "envoy.filters.network.http_connection_manager",
+                "typed_config": {
+                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+                  "stat_prefix": "envoy-admin-listener",
+                  "route_config": {
+                    "virtual_hosts": [
+                      {
+                        "name": "admin_route",
+                        "domains": [
+                          "*"
+                        ],
+                        "routes": [
+                          {
+                            "name": "admin_route",
+                            "match": {
+                              "prefix": "/"
+                            },
+                            "route": {
+                              "cluster": "/envoy-admin",
+                              "prefix_rewrite": "/"
+                            }
+                          }
+                        ]
+                      }
+                    ]
+                  },
+                  "http_filters": [
+                    {
+                      "name": "envoy.filters.http.router",
+                      "typed_config": {
+                        "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+                      }
+                    }
+                  ],
+                  "stream_idle_timeout": "0s"
+                }
+              }
+            ]
+          }
+        ]
+      },
+      {{- end }}
       {
         "name": "envoy-health-listener",
         "address": {

packages/system/cilium/charts/cilium/files/cilium-operator/dashboards/cilium-operator-dashboard.json

@@ -1,9 +1,22 @@
 {
+  "__inputs": [
+    {
+      "name": "DS_PROMETHEUS",
+      "label": "prometheus",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
   "annotations": {
     "list": [
       {
         "builtIn": 1,
-        "datasource": "-- Grafana --",
+        "datasource": {
+          "type": "datasource",
+          "uid": "grafana"
+        },
         "enable": true,
         "hide": true,
         "iconColor": "rgba(0, 211, 255, 1)",
@@ -25,7 +38,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fieldConfig": {
         "defaults": {
           "custom": {}
@@ -151,7 +167,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fieldConfig": {
         "defaults": {
           "custom": {}
@@ -281,7 +300,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fieldConfig": {
         "defaults": {
           "custom": {}
@@ -378,7 +400,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fieldConfig": {
         "defaults": {
           "custom": {}
@@ -475,7 +500,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fieldConfig": {
         "defaults": {
           "custom": {}
@@ -572,7 +600,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fieldConfig": {
         "defaults": {
           "custom": {}
@@ -669,7 +700,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fieldConfig": {
         "defaults": {
           "custom": {}
@@ -766,7 +800,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fieldConfig": {
         "defaults": {
           "custom": {}
@@ -863,7 +900,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fieldConfig": {
         "defaults": {
           "custom": {}

packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dashboard.json

@@ -1,4 +1,14 @@
 {
+  "__inputs": [
+    {   
+      "name": "DS_PROMETHEUS",
+      "label": "prometheus",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
   "annotations": {
     "list": [
       {
@@ -36,7 +46,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -151,7 +164,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -237,7 +253,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -323,7 +342,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -422,7 +444,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -508,7 +533,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -594,7 +622,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -681,7 +712,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -773,7 +807,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -906,7 +943,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -1014,7 +1054,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -1139,7 +1182,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -1247,7 +1293,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -1367,7 +1416,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -1462,7 +1514,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -1548,7 +1603,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -1648,7 +1706,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 4,
@@ -1734,7 +1795,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 4,
@@ -1820,7 +1884,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -1906,7 +1973,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -2005,7 +2075,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 6,
@@ -2092,7 +2165,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 6,
@@ -2179,7 +2255,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -2265,7 +2344,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -2351,7 +2433,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -2451,7 +2536,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -2537,7 +2625,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -2658,7 +2749,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -2752,7 +2846,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -2839,7 +2936,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -2926,7 +3026,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -3013,7 +3116,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 5,
@@ -3103,7 +3209,10 @@
       "bars": false,
       "dashLength": 10,
       "dashes": false,
-      "datasource": "prometheus",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
       "fill": 1,
       "gridPos": {
         "h": 6,
@@ -3194,7 +3303,23 @@
   "style": "dark",
   "tags": [],
   "templating": {
-    "list": []
+    "list": [
+      {
+        "current": {},
+        "hide": 0,
+        "includeAll": false,
+        "label": "Prometheus",
+        "multi": false,
+        "name": "DS_PROMETHEUS",
+        "options": [],
+        "query": "prometheus",
+        "queryValue": "",
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "type": "datasource"
+      }
+    ]
   },
   "time": {
     "from": "now-6h",

packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dns-namespace.json

@@ -484,7 +484,7 @@
           "includeAll": false,
           "label": "Data Source",
           "multi": false,
-          "name": "prometheus_datasource",
+          "name": "DS_PROMETHEUS",
           "options": [],
           "query": "prometheus",
           "queryValue": "",

packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-l7-http-metrics-by-workload.json

@@ -1,5 +1,14 @@
 {
-  "__inputs": [],
+  "__inputs": [
+    {
+      "name": "DS_PROMETHEUS",
+      "label": "prometheus",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
   "__elements": {},
   "__requires": [
     {

packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json

@@ -883,7 +883,7 @@
           "includeAll": false,
           "label": "Data Source",
           "multi": false,
-          "name": "prometheus_datasource",
+          "name": "DS_PROMETHEUS",
           "options": [],
           "query": "prometheus",
           "queryValue": "",

packages/system/cilium/charts/cilium/images

@@ -1 +0,0 @@
-../../images

packages/system/cilium/charts/cilium/templates/_extensions.tpl

@@ -0,0 +1,50 @@
+{{/*
+_extensions.tpl contains template blocks that are intended to allow packagers
+to modify or extend the default chart behaviors.
+*/}}
+
+{{/*
+Intentionally empty to allow downstream chart packagers to add extra
+containers to hubble-relay without having to modify the deployment manifest
+directly.
+*/}}
+{{- define "hubble-relay.containers.extra" }}
+{{- end }}
+
+{{/*
+Allow packagers to add extra volumes to relay.
+*/}}
+{{- define "hubble-relay.volumes.extra" }}
+{{- end }}
+
+{{/*
+Allow packagers to modify how hubble-relay TLS is configured.
+
+A packager may want to change when TLS is enabled or prevent users from
+disabling TLS. This means the template needs to allow overriding, not just
+adding, which is why this template is not empty by default, like the ones
+above.
+*/}}
+{{- define "hubble-relay.config.tls" }}
+{{- if and .Values.hubble.tls.enabled .Values.hubble.relay.tls.server.enabled }}
+tls-relay-server-cert-file: /var/lib/hubble-relay/tls/server.crt
+tls-relay-server-key-file: /var/lib/hubble-relay/tls/server.key
+{{- if .Values.hubble.relay.tls.server.mtls }}
+tls-relay-client-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
+{{- end }}
+{{- else }}
+disable-server-tls: true
+{{- end }}
+{{- end }}
+
+{{- define "hubble-relay.config.listenAddress" -}}
+{{- .Values.hubble.relay.listenHost }}:{{- include "hubble-relay.config.listenPort" . -}}
+{{- end }}
+
+{{- define "hubble-relay.config.listenPort" -}}
+{{- .Values.hubble.relay.listenPort }}
+{{- end }}
+
+{{- define "hubble-relay.service.targetPort" -}}
+grpc
+{{- end }}

packages/system/cilium/charts/cilium/templates/_helpers.tpl

@@ -43,62 +43,7 @@ where:
 {{- if $priorityClass }}
   {{- $priorityClass }}
 {{- else if and $root.Values.enableCriticalPriorityClass $criticalPriorityClass -}}
-  {{- if and (eq $root.Release.Namespace "kube-system") (semverCompare ">=1.10-0" $root.Capabilities.KubeVersion.Version) -}}
-    {{- $criticalPriorityClass }}
-  {{- else if semverCompare ">=1.17-0" $root.Capabilities.KubeVersion.Version -}}
-    {{- $criticalPriorityClass }}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the appropriate apiVersion for ingress.
-*/}}
-{{- define "ingress.apiVersion" -}}
-{{- if semverCompare ">=1.16-0, <1.19-0" .Capabilities.KubeVersion.Version -}}
-{{- print "networking.k8s.io/v1beta1" -}}
-{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}}
-{{- print "networking.k8s.io/v1" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the appropriate backend for Hubble UI ingress.
-*/}}
-{{- define "ingress.paths" -}}
-{{ if semverCompare ">=1.4-0, <1.19-0" .Capabilities.KubeVersion.Version -}}
-backend:
-  serviceName: hubble-ui
-  servicePort: http
-{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}}
-pathType: Prefix
-backend:
-  service:
-    name: hubble-ui
-    port:
-      name: http
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the appropriate apiVersion for cronjob.
-*/}}
-{{- define "cronjob.apiVersion" -}}
-{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}}
-{{- print "batch/v1" -}}
-{{- else -}}
-{{- print "batch/v1beta1" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the appropriate apiVersion for podDisruptionBudget.
-*/}}
-{{- define "podDisruptionBudget.apiVersion" -}}
-{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}}
-{{- print "policy/v1" -}}
-{{- else -}}
-{{- print "policy/v1beta1" -}}
+  {{- $criticalPriorityClass }}
 {{- end -}}
 {{- end -}}
 
@@ -154,3 +99,61 @@ Validate duration field, return validated duration, 0s when provided duration is
 0s
 {{- end }}
 {{- end }}
+
+{{/*
+Convert a map to a comma-separated string: key1=value1,key2=value2
+*/}}
+{{- define "mapToString" -}}
+{{- $list := list -}}
+{{- range $k, $v := . -}}
+{{- $list = append $list (printf "%s=%s" $k $v) -}}
+{{- end -}}
+{{ join "," $list }}
+{{- end -}}
+
+{{/*
+Enable automatic lookup of k8sServiceHost from the cluster-info ConfigMap (kubeadm-based clusters only)
+*/}}
+{{- define "k8sServiceHost" }}
+  {{- if eq .Values.k8sServiceHost "auto" }}
+    {{- $configmap := (lookup "v1" "ConfigMap" "kube-public" "cluster-info") }}
+    {{- $kubeconfig := get $configmap.data "kubeconfig" }}
+    {{- $k8sServer := get ($kubeconfig | fromYaml) "clusters" | mustFirst | dig "cluster" "server" "" }}
+    {{- $uri := (split "https://" $k8sServer)._1 | trim }}
+    {{- (split ":" $uri)._0 | quote }}
+  {{- else }}
+    {{- .Values.k8sServiceHost | quote }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Enable automatic lookup of k8sServicePort from the cluster-info ConfigMap (kubeadm-based clusters only)
+*/}}
+{{- define "k8sServicePort" }}
+  {{- if eq .Values.k8sServiceHost "auto" }}
+    {{- $configmap := (lookup "v1" "ConfigMap" "kube-public" "cluster-info") }}
+    {{- $kubeconfig := get $configmap.data "kubeconfig" }}
+    {{- $k8sServer := get ($kubeconfig | fromYaml) "clusters" | mustFirst | dig "cluster" "server" "" }}
+    {{- $uri := (split "https://" $k8sServer)._1 | trim }}
+    {{- (split ":" $uri)._1 | quote }}
+  {{- else }}
+    {{- .Values.k8sServicePort | quote }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Return user specify envoy.enabled or default value based on the upgradeCompatibility
+*/}}
+{{- define "envoyDaemonSetEnabled" }}
+  {{- if not .Values.l7Proxy }}
+    {{- false }}
+  {{- else if (not (kindIs "invalid" .Values.envoy.enabled)) }}
+    {{- .Values.envoy.enabled }}
+  {{- else }}
+    {{- if semverCompare ">=1.16" (default "1.16" .Values.upgradeCompatibility) }}
+      {{- true }}
+    {{- else }}
+      {{- false }}
+    {{- end }}
+  {{- end }}
+{{- end }}

packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.agent (not .Values.preflight.enabled) }}
+{{- if and .Values.agent (not .Values.preflight.enabled) .Values.rbac.create }}
 {{- /*
 Keep file in sync with cilium-preflight/clusterrole.yaml
 */ -}}
@@ -41,6 +41,15 @@ rules:
   - get
   - list
   - watch
+{{- if and .Values.hubble.enabled .Values.hubble.dropEventEmitter.enabled }}
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+{{- end }}
 {{- if .Values.annotateK8sNode }}
 - apiGroups:
   - ""
@@ -139,8 +148,6 @@ rules:
 - apiGroups:
   - cilium.io
   resources:
-  - ciliumnetworkpolicies/status
-  - ciliumclusterwidenetworkpolicies/status
   - ciliumendpoints/status
   - ciliumendpoints
   - ciliuml2announcementpolicies/status

packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }}
+{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml

@@ -9,6 +9,7 @@
 {{- end -}}
 
 {{- $kubeProxyReplacement := (coalesce .Values.kubeProxyReplacement "false") -}}
+{{- $envoyDS := eq (include "envoyDaemonSetEnabled" .) "true" -}}
 
 ---
 apiVersion: apps/v1
@@ -94,7 +95,7 @@ spec:
       {{- end }}
       containers:
       - name: cilium-agent
-        image: {{ include "cilium.image" . | quote }}
+        image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- if .Values.sleepAfterInit }}
         command:
@@ -116,17 +117,12 @@ spec:
             - "true"
         {{- else }}
         command:
-        # Workaround: https://github.com/cilium/cilium/pull/27561
-        - /bin/sh
-        - -c
-        - |
-          rm -rf /run/cilium/cgroupv2
-          ln -sf /sys/fs/cgroup /run/cilium/cgroupv2
-          exec cilium-agent --config-dir=/tmp/cilium/config-map
+        - cilium-agent
+        args:
+        - --config-dir=/tmp/cilium/config-map
         {{- with .Values.extraArgs }}
         {{- toYaml . | trim | nindent 8 }}
         {{- end }}
-        {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
         startupProbe:
           httpGet:
             host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
@@ -140,7 +136,6 @@ spec:
           periodSeconds: {{ .Values.startupProbe.periodSeconds }}
           successThreshold: 1
           initialDelaySeconds: 5
-        {{- end }}
         livenessProbe:
           {{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }}
           exec:
@@ -158,14 +153,6 @@ spec:
             - name: "brief"
               value: "true"
           {{- end }}
-          {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
-          # The initial delay for the liveness probe is intentionally large to
-          # avoid an endless kill & restart cycle if in the event that the initial
-          # bootstrapping takes longer than expected.
-          # Starting from Kubernetes 1.20, we are using startupProbe instead
-          # of this field.
-          initialDelaySeconds: 120
-          {{- end }}
           periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
           successThreshold: 1
           failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
@@ -187,9 +174,6 @@ spec:
             - name: "brief"
               value: "true"
           {{- end }}
-          {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
-          initialDelaySeconds: 5
-          {{- end }}
           periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
           successThreshold: 1
           failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
@@ -215,11 +199,9 @@ spec:
               divisor: '1'
         {{- if .Values.k8sServiceHost }}
         - name: KUBERNETES_SERVICE_HOST
-          value: {{ .Values.k8sServiceHost | quote }}
-        {{- end }}
-        {{- if .Values.k8sServicePort }}
+          value: {{ include "k8sServiceHost" . }}
         - name: KUBERNETES_SERVICE_PORT
-          value: {{ .Values.k8sServicePort | quote }}
+          value: {{ include "k8sServicePort" . }}
         {{- end }}
         {{- with .Values.extraEnv }}
         {{- toYaml . | trim | nindent 8 }}
@@ -255,10 +237,16 @@ spec:
           containerPort: {{ .Values.prometheus.port }}
           hostPort: {{ .Values.prometheus.port }}
           protocol: TCP
-        {{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.enabled) }}
+        {{- if and .Values.envoy.prometheus.enabled (not $envoyDS) }}
         - name: envoy-metrics
-          containerPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
-          hostPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
+          containerPort: {{ .Values.envoy.prometheus.port }}
+          hostPort: {{ .Values.envoy.prometheus.port }}
+          protocol: TCP
+        {{- end }}
+        {{- if and .Values.envoy.debug.admin.port (not $envoyDS) }}
+        - name: envoy-admin
+          containerPort: {{ .Values.envoy.debug.admin.port }}
+          hostPort: {{ .Values.envoy.debug.admin.port }}
           protocol: TCP
         {{- end }}
         {{- end }}
@@ -292,7 +280,7 @@ spec:
           mountPath: {{ dir .Values.authentication.mutual.spire.adminSocketPath }}
           readOnly: false
         {{- end }}
-        {{- if .Values.envoy.enabled }}
+        {{- if $envoyDS }}
         - name: envoy-sockets
           mountPath: /var/run/cilium/envoy/sockets
           readOnly: false
@@ -307,8 +295,7 @@ spec:
         - mountPath: /host/proc/sys/kernel
           name: host-proc-sys-kernel
         {{- end}}
-        {{- /* CRI-O already mounts the BPF filesystem */ -}}
-        {{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
+        {{- if .Values.bpf.autoMount.enabled }}
         - name: bpf-maps
           mountPath: /sys/fs/bpf
           {{- if .Values.securityContext.privileged }}
@@ -328,13 +315,20 @@ spec:
         {{- end}}
         - name: cilium-run
           mountPath: /var/run/cilium
+        {{- /* mount the directory if socketLB.enabled is true and socketLB.terminatePodConnections is not explicitly set to false */ -}}
+        {{- if or (and (kindIs "invalid" .Values.socketLB.terminatePodConnections) .Values.socketLB.enabled)
+                  (and .Values.socketLB.enabled .Values.socketLB.terminatePodConnections)  }}
+        - name: cilium-netns
+          mountPath: /var/run/cilium/netns
+          mountPropagation: HostToContainer
+        {{- end}}
         - name: etc-cni-netd
           mountPath: {{ .Values.cni.hostConfDirMountPath }}
         {{- if .Values.etcd.enabled }}
         - name: etcd-config-path
           mountPath: /var/lib/etcd-config
           readOnly: true
-        {{- if or .Values.etcd.ssl .Values.etcd.managed }}
+        {{- if .Values.etcd.ssl }}
         - name: etcd-secrets
           mountPath: /var/lib/etcd-secrets
           readOnly: true
@@ -361,7 +355,7 @@ spec:
           mountPath: /run/xtables.lock
         {{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }}
         - name: cilium-ipsec-secrets
-          mountPath: {{ .Values.encryption.ipsec.mountPath | default .Values.encryption.mountPath }}
+          mountPath: {{ .Values.encryption.ipsec.mountPath }}
         {{- end }}
         {{- if .Values.kubeConfigPath }}
         - name: kube-config
@@ -373,6 +367,11 @@ spec:
           mountPath: /var/lib/cilium/bgp
           readOnly: true
         {{- end }}
+        {{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.tls.enabled }}
+        - name: hubble-metrics-tls
+          mountPath: /var/lib/cilium/tls/hubble-metrics
+          readOnly: true
+        {{- end }}
         {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }}
         - name: hubble-tls
           mountPath: /var/lib/cilium/tls/hubble
@@ -398,7 +397,7 @@ spec:
         {{- end }}
       {{- if .Values.monitor.enabled }}
       - name: cilium-monitor
-        image: {{ include "cilium.image" . | quote }}
+        image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - /bin/bash
@@ -430,7 +429,7 @@ spec:
       {{- end }}
       initContainers:
       - name: config
-        image: {{ include "cilium.image" . | quote }}
+        image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - cilium-dbg
@@ -460,11 +459,9 @@ spec:
               fieldPath: metadata.namespace
         {{- if .Values.k8sServiceHost }}
         - name: KUBERNETES_SERVICE_HOST
-          value: {{ .Values.k8sServiceHost | quote }}
-        {{- end }}
-        {{- if .Values.k8sServicePort }}
+          value: {{ include "k8sServiceHost" . }}
         - name: KUBERNETES_SERVICE_PORT
-          value: {{ .Values.k8sServicePort | quote }}
+          value: {{ include "k8sServicePort" . }}
         {{- end }}
         {{- with .Values.extraEnv }}
         {{- toYaml . | nindent 8 }}
@@ -485,7 +482,7 @@ spec:
       # Required to mount cgroup2 filesystem on the underlying Kubernetes node.
       # We use nsenter command with host's cgroup and mount namespaces enabled.
       - name: mount-cgroup
-        image: {{ include "cilium.image" . | quote }}
+        image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         env:
         - name: CGROUP_ROOT
@@ -530,8 +527,10 @@ spec:
             drop:
               - ALL
           {{- end}}
+      {{- end }}
+      {{- if .Values.sysctlfix.enabled }}
       - name: apply-sysctl-overwrites
-        image: {{ include "cilium.image" . | quote }}
+        image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -580,7 +579,7 @@ spec:
       # from a privileged container because the mount propagation bidirectional
       # only works from privileged containers.
       - name: mount-bpf-fs
-        image: {{ include "cilium.image" . | quote }}
+        image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -595,8 +594,7 @@ spec:
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
           privileged: true
-      {{- /* CRI-O already mounts the BPF filesystem */ -}}
-      {{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
+      {{- if and .Values.bpf.autoMount.enabled }}
         volumeMounts:
         - name: bpf-maps
           mountPath: /sys/fs/bpf
@@ -605,7 +603,7 @@ spec:
       {{- end }}
       {{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
       - name: wait-for-node-init
-        image: {{ include "cilium.image" . | quote }}
+        image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -625,7 +623,7 @@ spec:
           mountPath: "/tmp/cilium-bootstrap.d"
       {{- end }}
       - name: clean-cilium-state
-        image: {{ include "cilium.image" . | quote }}
+        image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - /init-container.sh
@@ -650,11 +648,9 @@ spec:
               optional: true
         {{- if .Values.k8sServiceHost }}
         - name: KUBERNETES_SERVICE_HOST
-          value: {{ .Values.k8sServiceHost | quote }}
-        {{- end }}
-        {{- if .Values.k8sServicePort }}
+          value: {{ include "k8sServiceHost" . }}
         - name: KUBERNETES_SERVICE_PORT
-          value: {{ .Values.k8sServicePort | quote }}
+          value: {{ include "k8sServicePort" . }}
         {{- end }}
         {{- with .Values.extraEnv }}
         {{- toYaml . | nindent 8 }}
@@ -677,8 +673,7 @@ spec:
               - ALL
           {{- end}}
         volumeMounts:
-        {{- /* CRI-O already mounts the BPF filesystem */ -}}
-        {{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
+        {{- if .Values.bpf.autoMount.enabled}}
         - name: bpf-maps
           mountPath: /sys/fs/bpf
         {{- end }}
@@ -697,7 +692,7 @@ spec:
         {{- end }}
       {{- if and .Values.waitForKubeProxy (and (ne (toString $kubeProxyReplacement) "strict") (ne (toString $kubeProxyReplacement) "true"))  }}
       - name: wait-for-kube-proxy
-        image: {{ include "cilium.image" . | quote }}
+        image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         {{- with .Values.initResources }}
         resources:
@@ -735,7 +730,7 @@ spec:
       {{- if .Values.cni.install }}
       # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
       - name: install-cni-binaries
-        image: {{ include "cilium.image" . | quote }}
+        image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
           - "/install-plugin.sh"
@@ -760,18 +755,16 @@ spec:
           - name: cni-path
             mountPath: /host/opt/cni/bin
       {{- end }} # .Values.cni.install
+      {{- if .Values.extraInitContainers }}
+      {{- toYaml .Values.extraInitContainers | nindent 6 }}
+      {{- end }}
       restartPolicy: Always
       priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
-      serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
       serviceAccountName: {{ .Values.serviceAccounts.cilium.name | quote }}
       automountServiceAccountToken: {{ .Values.serviceAccounts.cilium.automount }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       hostNetwork: true
-      {{- if and .Values.etcd.managed (not .Values.etcd.k8sService) }}
-      # In managed etcd mode, Cilium must be able to resolve the DNS name of
-      # the etcd service
-      dnsPolicy: ClusterFirstWithHostNet
-      {{- else if .Values.dnsPolicy }}
+      {{- if .Values.dnsPolicy }}
       dnsPolicy: {{ .Values.dnsPolicy }}
       {{- end }}
       {{- with .Values.affinity }}
@@ -804,16 +797,23 @@ spec:
         hostPath:
           path: {{ .Values.daemon.runPath }}
           type: DirectoryOrCreate
-      {{- /* CRI-O already mounts the BPF filesystem */ -}}
-      {{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
+      {{- if or (and (kindIs "invalid" .Values.socketLB.terminatePodConnections) .Values.socketLB.enabled)
+                (and .Values.socketLB.enabled .Values.socketLB.terminatePodConnections)  }}
+        # To exec into pod network namespaces
+      - name: cilium-netns
+        hostPath:
+          path: /var/run/netns
+          type: DirectoryOrCreate
+      {{- end }}
+      {{- if .Values.bpf.autoMount.enabled }}
         # To keep state between restarts / upgrades for bpf maps
       - name: bpf-maps
         hostPath:
           path: /sys/fs/bpf
           type: DirectoryOrCreate
       {{- end }}
-      {{- if .Values.cgroup.autoMount.enabled }}
-      # To mount cgroup2 filesystem on the host
+      {{- if or .Values.cgroup.autoMount.enabled .Values.sysctlfix.enabled }}
+      # To mount cgroup2 filesystem on the host or apply sysctlfix
       - name: hostproc
         hostPath:
           path: /proc
@@ -849,7 +849,7 @@ spec:
           path: {{ dir .Values.authentication.mutual.spire.adminSocketPath }}
           type: DirectoryOrCreate
       {{- end }}
-      {{- if .Values.envoy.enabled }}
+      {{- if $envoyDS }}
       # Sharing socket with Cilium Envoy on the same node by using a host path
       - name: envoy-sockets
         hostPath:
@@ -879,7 +879,7 @@ spec:
           - key: etcd-config
             path: etcd.config
         # To read the k8s etcd secrets in case the user might want to use TLS
-      {{- if or .Values.etcd.ssl .Values.etcd.managed }}
+      {{- if .Values.etcd.ssl }}
       - name: etcd-secrets
         secret:
           secretName: cilium-etcd-secrets
@@ -920,6 +920,29 @@ spec:
               - key: {{ .Values.tls.caBundle.key }}
                 path: common-etcd-client-ca.crt
           {{- end }}
+          # note: we configure the volume for the kvstoremesh-specific certificate
+          # regardless of whether KVStoreMesh is enabled or not, so that it can be
+          # automatically mounted in case KVStoreMesh gets subsequently enabled,
+          # without requiring an agent restart.
+          - secret:
+              name: clustermesh-apiserver-local-cert
+              optional: true
+              items:
+              - key: tls.key
+                path: local-etcd-client.key
+              - key: tls.crt
+                path: local-etcd-client.crt
+          {{- if not .Values.tls.caBundle.enabled }}
+              - key: ca.crt
+                path: local-etcd-client-ca.crt
+          {{- else }}
+          - {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
+              name: {{ .Values.tls.caBundle.name }}
+              optional: true
+              items:
+              - key: {{ .Values.tls.caBundle.key }}
+                path: local-etcd-client-ca.crt
+          {{- end }}
       {{- if and .Values.ipMasqAgent .Values.ipMasqAgent.enabled }}
       - name: ip-masq-agent
         configMap:
@@ -932,7 +955,7 @@ spec:
       {{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }}
       - name: cilium-ipsec-secrets
         secret:
-          secretName: {{ .Values.encryption.ipsec.secretName | default .Values.encryption.secretName }}
+          secretName: {{ .Values.encryption.ipsec.secretName }}
       {{- end }}
       {{- if .Values.cni.configMap }}
       - name: cni-configuration
@@ -980,6 +1003,45 @@ spec:
                 path: client-ca.crt
           {{- end }}
       {{- end }}
+      {{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.tls.enabled }}
+      - name: hubble-metrics-tls
+        projected:
+          # note: the leading zero means this number is in octal representation: do not remove it
+          defaultMode: 0400
+          sources:
+          - secret:
+              name: hubble-metrics-server-certs
+              optional: true
+              items:
+              - key: tls.crt
+                path: server.crt
+              - key: tls.key
+                path: server.key
+          {{- if .Values.hubble.metrics.tls.server.mtls.enabled }}
+          {{- if .Values.hubble.metrics.tls.server.mtls.name }}
+          {{/* Use the client CA specified by the user if they configured one */}}
+          - {{ .Values.hubble.metrics.tls.server.mtls.useSecret | ternary "secret" "configMap" }}:
+              name: {{ .Values.hubble.metrics.tls.server.mtls.name }}
+              optional: false
+              items:
+              - key: {{ .Values.hubble.metrics.tls.server.mtls.key }}
+                path: client-ca.crt
+          {{/* If the CA bundle isn't configured use the server CA as the client CA */}}
+          {{- else if not .Values.tls.caBundle.enabled }}
+              - key: ca.crt
+                path: client-ca.crt
+          {{/* Fall back to the caBundle CA if it's been configured */}}
+          {{- else }}
+          - {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
+              name: {{ .Values.tls.caBundle.name }}
+              optional: true
+              items:
+              - key: {{ .Values.tls.caBundle.key }}
+                path: client-ca.crt
+          {{- end }}
+          {{- end }}
+
+      {{- end }}
       {{- if .Values.hubble.export.dynamic.enabled }}
       - name: hubble-flowlog-config
         configMap:

packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml

@@ -1,3 +1,4 @@
+{{- $envoyDS := eq (include "envoyDaemonSetEnabled" .) "true" -}}
 {{- if and .Values.agent (not .Values.preflight.enabled) .Values.prometheus.enabled }}
 {{- if .Values.prometheus.serviceMonitor.enabled }}
 apiVersion: v1
@@ -23,13 +24,13 @@ spec:
     port: {{ .Values.prometheus.port }}
     protocol: TCP
     targetPort: prometheus
-  {{- if not .Values.envoy.enabled }}
+  {{- if not $envoyDS }}
   - name: envoy-metrics
-    port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
+    port: {{ .Values.envoy.prometheus.port }}
     protocol: TCP
     targetPort: envoy-metrics
   {{- end }}
-{{- else if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.enabled) }}
+{{- else if and .Values.envoy.prometheus.enabled (not $envoyDS) }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -37,7 +38,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   annotations:
     prometheus.io/scrape: "true"
-    prometheus.io/port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port | quote }}
+    prometheus.io/port: {{ .Values.envoy.prometheus.port | quote }}
   labels:
     k8s-app: cilium
     app.kubernetes.io/name: cilium-agent
@@ -49,7 +50,7 @@ spec:
     k8s-app: cilium
   ports:
   - name: envoy-metrics
-    port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
+    port: {{ .Values.envoy.prometheus.port }}
     protocol: TCP
     targetPort: envoy-metrics
 {{- end }}

packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml

@@ -1,4 +1,4 @@
-{{- if and (.Values.agent) (not .Values.preflight.enabled) }}
+{{- if and ( or (.Values.agent) (.Values.operator.enabled) .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) (not .Values.preflight.enabled) }}
 {{- /*  Default values with backwards compatibility */ -}}
 {{- $defaultBpfMapDynamicSizeRatio := 0.0 -}}
 {{- $defaultBpfMasquerade := "false" -}}
@@ -15,6 +15,7 @@
 {{- $defaultK8sClientQPS := 5 -}}
 {{- $defaultK8sClientBurst := 10 -}}
 {{- $defaultDNSProxyEnableTransparentMode := "false" -}}
+{{- $envoyDS := eq (include "envoyDaemonSetEnabled" .) "true" -}}
 
 {{- /* Default values when 1.8 was initially deployed */ -}}
 {{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}}
@@ -66,8 +67,8 @@
   {{- $stringValueKPR = "" -}}
 {{- end}}
 {{- $kubeProxyReplacement := (coalesce $stringValueKPR $defaultKubeProxyReplacement) -}}
-{{- if and (ne $kubeProxyReplacement "disabled") (ne $kubeProxyReplacement "partial") (ne $kubeProxyReplacement "strict") (ne $kubeProxyReplacement "true") (ne $kubeProxyReplacement "false") }}
-  {{ fail "kubeProxyReplacement must be explicitly set to a valid value (true, false, disabled (deprecated), partial (deprecated), or strict (deprecated)) to continue." }}
+{{- if and (ne $kubeProxyReplacement "true") (ne $kubeProxyReplacement "false") }}
+  {{ fail "kubeProxyReplacement must be explicitly set to a valid value (true or false) to continue." }}
 {{- end }}
 {{- $azureUsePrimaryAddress = (coalesce .Values.azure.usePrimaryAddress $azureUsePrimaryAddress) -}}
 {{- $socketLB := (coalesce .Values.socketLB .Values.hostServices) -}}
@@ -92,28 +93,19 @@ metadata:
 data:
 {{- if .Values.etcd.enabled }}
   # The kvstore configuration is used to enable use of a kvstore for state
-  # storage. This can either be provided with an external kvstore or with the
-  # help of cilium-etcd-operator which operates an etcd cluster automatically.
+  # storage. This can be provided with an external kvstore.
   kvstore: etcd
-  {{- if .Values.etcd.k8sService }}
-  kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config", "etcd.operator": "true"}'
-  {{- else }}
   kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}'
-  {{- end }}
 
   # This etcd-config contains the etcd endpoints of your cluster. If you use
   # TLS please make sure you follow the tutorial in https://cilium.link/etcd-config
   etcd-config: |-
     ---
     endpoints:
-      {{- if .Values.etcd.managed }}
-      - https://cilium-etcd-client.{{ .Release.Namespace }}.svc:2379
-      {{- else }}
       {{- range .Values.etcd.endpoints }}
       - {{ . }}
       {{- end }}
-      {{- end }}
-    {{- if or .Values.etcd.ssl .Values.etcd.managed }}
+    {{- if .Values.etcd.ssl }}
     trusted-ca-file: '/var/lib/etcd-secrets/etcd-client-ca.crt'
     key-file: '/var/lib/etcd-secrets/etcd-client.key'
     cert-file: '/var/lib/etcd-secrets/etcd-client.crt'
@@ -148,10 +140,6 @@ data:
   cilium-endpoint-gc-interval: {{ include "validateDuration" .Values.operator.endpointGCInterval | quote }}
   nodes-gc-interval: {{ include "validateDuration" .Values.operator.nodeGCInterval | quote }}
 
-{{- if hasKey .Values.operator "skipCNPStatusStartupClean" }}
-  skip-cnp-status-startup-clean: "{{ .Values.operator.skipCNPStatusStartupClean }}"
-{{- end }}
-
 {{- if eq .Values.disableEndpointCRD true }}
   # Disable the usage of CiliumEndpoint CRD
   disable-endpoint-crd: "true"
@@ -226,11 +214,15 @@ data:
   {{- end }}
 {{- end }}
 
-{{- if not .Values.envoy.enabled }}
+{{- if not $envoyDS }}
   # Port to expose Envoy metrics (e.g. "9964"). Envoy metrics listener will be disabled if this
   # field is not set.
-  {{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled }}
-  proxy-prometheus-port: "{{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}"
+  {{- if .Values.envoy.prometheus.enabled }}
+  proxy-prometheus-port: "{{ .Values.envoy.prometheus.port }}"
+  {{- end }}
+
+  {{- if and .Values.envoy.debug.admin.enabled .Values.envoy.debug.admin.port }}
+  proxy-admin-port: "{{ .Values.envoy.debug.admin.port }}"
   {{- end }}
 {{- end }}
 
@@ -249,6 +241,7 @@ data:
 
 {{- if or .Values.envoyConfig.enabled .Values.ingressController.enabled .Values.gatewayAPI.enabled (and (hasKey .Values "loadBalancer") (eq .Values.loadBalancer.l7.backend "envoy")) }}
   enable-envoy-config: "true"
+  envoy-config-retry-interval: {{ include "validateDuration" .Values.envoyConfig.retryInterval | quote }}
   {{- if .Values.envoyConfig.enabled }}
   envoy-secrets-namespace: {{ .Values.envoyConfig.secretsNamespace.name | quote }}
   {{- end }}
@@ -267,12 +260,22 @@ data:
   ingress-default-secret-namespace: {{ .Values.ingressController.defaultSecretNamespace | quote }}
   ingress-default-secret-name: {{ .Values.ingressController.defaultSecretName | quote }}
   {{- end }}
+  ingress-hostnetwork-enabled: {{ .Values.ingressController.hostNetwork.enabled | quote }}
+  ingress-hostnetwork-shared-listener-port: {{ .Values.ingressController.hostNetwork.sharedListenerPort | quote }}
+  ingress-hostnetwork-nodelabelselector: {{ include "mapToString" .Values.ingressController.hostNetwork.nodes.matchLabels | quote }}
 {{- end }}
 
 {{- if .Values.gatewayAPI.enabled }}
   enable-gateway-api: "true"
   enable-gateway-api-secrets-sync: {{ .Values.gatewayAPI.secretsNamespace.sync | quote }}
+  enable-gateway-api-proxy-protocol: {{ .Values.gatewayAPI.enableProxyProtocol | quote }}
+  enable-gateway-api-app-protocol: {{ or .Values.gatewayAPI.enableAppProtocol .Values.gatewayAPI.enableAlpn | quote }}
+  enable-gateway-api-alpn: {{ .Values.gatewayAPI.enableAlpn | quote }}
+  gateway-api-xff-num-trusted-hops: {{ .Values.gatewayAPI.xffNumTrustedHops | quote }}
+  gateway-api-service-externaltrafficpolicy: {{ .Values.gatewayAPI.externalTrafficPolicy | quote }}
   gateway-api-secrets-namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
+  gateway-api-hostnetwork-enabled: {{ .Values.gatewayAPI.hostNetwork.enabled | quote }}
+  gateway-api-hostnetwork-nodelabelselector: {{ include "mapToString" .Values.gatewayAPI.hostNetwork.nodes.matchLabels | quote }}
 {{- end }}
 
 {{- if hasKey .Values "loadBalancer" }}
@@ -419,6 +422,10 @@ data:
   bpf-lb-external-clusterip: {{ .Values.bpf.lbExternalClusterIP | quote }}
 {{- end }}
 
+  bpf-events-drop-enabled: {{ .Values.bpf.events.drop.enabled | quote }}
+  bpf-events-policy-verdict-enabled: {{ .Values.bpf.events.policyVerdict.enabled | quote }}
+  bpf-events-trace-enabled: {{ .Values.bpf.events.trace.enabled | quote }}
+
   # Pre-allocation of map entries allows per-packet latency to be reduced, at
   # the expense of up-front memory allocation for the entries in the maps. The
   # default value below will minimize memory usage in the default installation;
@@ -436,10 +443,6 @@ data:
   # 1.4 or later, then it may cause one-time disruptions during the upgrade.
   preallocate-bpf-maps: "{{ .Values.bpf.preallocateMaps }}"
 
-  # Regular expression matching compatible Istio sidecar istio-proxy
-  # container image names
-  sidecar-istio-proxy-image: "{{ .Values.proxy.sidecarImageRegex }}"
-
   # Name of the cluster. Only relevant when building a mesh of clusters.
   cluster-name: {{ .Values.cluster.name }}
 
@@ -491,7 +494,9 @@ data:
 {{- end }}
 
 {{- if .Values.eni.enabled }}
+  {{- if not .Values.endpointRoutes.enabled }}
   enable-endpoint-routes: "true"
+  {{- end }}
   auto-create-cilium-node-resource: "true"
 {{- if .Values.eni.updateEC2AdapterLimitViaAPI }}
   update-ec2-adapter-limit-via-api: "true"
@@ -569,6 +574,14 @@ data:
   enable-ipv6-big-tcp: {{ .Values.enableIPv6BIGTCP | quote }}
   enable-ipv6-masquerade: {{ .Values.enableIPv6Masquerade | quote }}
 
+{{- if hasKey .Values.bpf "enableTCX" }}
+  enable-tcx: {{ .Values.bpf.enableTCX | quote }}
+{{- end }}
+
+{{- if hasKey .Values.bpf "datapathMode" }}
+  datapath-mode: {{ .Values.bpf.datapathMode | quote }}
+{{- end }}
+
 {{- if (not (kindIs "invalid" .Values.bpf.masquerade)) }}
   enable-bpf-masquerade: {{ .Values.bpf.masquerade | quote }}
 {{- else if eq $defaultBpfMasquerade "true" }}
@@ -588,13 +601,9 @@ data:
 
     {{- if and .Values.encryption.ipsec.mountPath .Values.encryption.ipsec.keyFile }}
   ipsec-key-file: {{ .Values.encryption.ipsec.mountPath }}/{{ .Values.encryption.ipsec.keyFile }}
-    {{- else }}
-  ipsec-key-file: {{ .Values.encryption.mountPath }}/{{ .Values.encryption.keyFile }}
     {{- end }}
     {{- if .Values.encryption.ipsec.interface }}
   encrypt-interface: {{ .Values.encryption.ipsec.interface }}
-    {{- else if .Values.encryption.interface }}
-  encrypt-interface: {{ .Values.encryption.interface }}
     {{- end }}
     {{- if hasKey .Values.encryption.ipsec "keyWatcher" }}
   enable-ipsec-key-watcher: {{ .Values.encryption.ipsec.keyWatcher | quote }}
@@ -602,6 +611,7 @@ data:
     {{- if .Values.encryption.ipsec.keyRotationDuration }}
   ipsec-key-rotation-duration: {{ include "validateDuration" .Values.encryption.ipsec.keyRotationDuration | quote }}
     {{- end }}
+  enable-ipsec-encrypted-overlay: {{ .Values.encryption.ipsec.encryptedOverlay | quote }}
   {{- else if eq .Values.encryption.type "wireguard" }}
   enable-wireguard: {{ .Values.encryption.enabled | quote }}
     {{- if .Values.encryption.wireguard.userspaceFallback }}
@@ -640,6 +650,7 @@ data:
 {{- end }}
 
   auto-direct-node-routes: {{ .Values.autoDirectNodeRoutes | quote }}
+  direct-routing-skip-unreachable: {{ .Values.directRoutingSkipUnreachable | quote }}
 
 {{- if hasKey .Values "bandwidthManager" }}
 {{- if .Values.bandwidthManager.enabled }}
@@ -688,6 +699,10 @@ data:
   enable-runtime-device-detection: "true"
 {{- end }}
 
+{{- if .Values.forceDeviceDetection }}
+  force-device-detection: "true"
+{{- end }}
+
   kube-proxy-replacement: {{ $kubeProxyReplacement | quote }}
 
 {{- if ne $kubeProxyReplacement "disabled" }}
@@ -697,10 +712,14 @@ data:
 {{- if $socketLB }}
 {{- if hasKey $socketLB "enabled" }}
   bpf-lb-sock: {{ $socketLB.enabled | quote }}
+  bpf-lb-sock-terminate-pod-connections: {{ $socketLB.enabled | quote }}
 {{- end }}
 {{- if hasKey $socketLB "hostNamespaceOnly" }}
   bpf-lb-sock-hostns-only: {{ $socketLB.hostNamespaceOnly | quote }}
 {{- end }}
+{{- if hasKey $socketLB "terminatePodConnections" }}
+  bpf-lb-sock-terminate-pod-connections: {{ $socketLB.terminatePodConnections | quote }}
+{{- end }}
 {{- end }}
 
 {{- if hasKey .Values "hostPort" }}
@@ -720,6 +739,9 @@ data:
 {{- if hasKey .Values.nodePort "range" }}
   node-port-range: {{ get .Values.nodePort "range" | quote }}
 {{- end }}
+{{- if hasKey .Values.nodePort "addresses" }}
+  nodeport-addresses: {{ get .Values.nodePort "addresses" | join "," | quote }}
+{{- end }}
 {{- if hasKey .Values.nodePort "directRoutingDevice" }}
   direct-routing-device: {{ .Values.nodePort.directRoutingDevice | quote }}
 {{- end }}
@@ -799,13 +821,10 @@ data:
 {{- if hasKey .Values.k8s "requireIPv6PodCIDR" }}
   k8s-require-ipv6-pod-cidr: {{ .Values.k8s.requireIPv6PodCIDR | quote }}
 {{- end }}
-{{- if .Values.endpointStatus.enabled }}
-  endpoint-status: {{ required "endpointStatus.status required: policy, health, controllers, log and / or state. For 2 or more options use a space: \"policy health\"" .Values.endpointStatus.status | quote }}
-{{- end }}
 {{- if and .Values.endpointRoutes .Values.endpointRoutes.enabled }}
   enable-endpoint-routes: {{ .Values.endpointRoutes.enabled | quote }}
 {{- end }}
-{{- if and .Values.k8sNetworkPolicy .Values.k8sNetworkPolicy.enabled }}
+{{- if hasKey .Values.k8sNetworkPolicy "enabled" }}
   enable-k8s-networkpolicy: {{ .Values.k8sNetworkPolicy.enabled | quote }}
 {{- end }}
 {{- if .Values.cni.configMap }}
@@ -832,6 +851,9 @@ data:
 {{- if (not (kindIs "invalid" .Values.cni.externalRouting)) }}
   cni-external-routing: {{ .Values.cni.externalRouting | quote }}
 {{- end}}
+{{- if .Values.cni.enableRouteMTUForCNIChaining }}
+  enable-route-mtu-for-cni-chaining: {{ .Values.cni.enableRouteMTUForCNIChaining | quote }}
+{{- end }}
 {{- if .Values.kubeConfigPath }}
   k8s-kubeconfig-path: {{ .Values.kubeConfigPath | quote }}
 {{- end }}
@@ -844,12 +866,12 @@ data:
 {{- if hasKey .Values "healthChecking" }}
   enable-health-checking: {{ .Values.healthChecking | quote }}
 {{- end }}
-{{- if or .Values.wellKnownIdentities.enabled .Values.etcd.managed }}
+{{- if .Values.wellKnownIdentities.enabled }}
   enable-well-known-identities: "true"
 {{- else }}
   enable-well-known-identities: "false"
 {{- end }}
-  enable-remote-node-identity: {{ .Values.remoteNodeIdentity | quote }}
+  enable-node-selector-labels: {{ .Values.nodeSelectorLabels | quote }}
 
 {{- if hasKey .Values "synchronizeK8sNodes" }}
   synchronize-k8s-nodes: {{ .Values.synchronizeK8sNodes | quote }}
@@ -881,6 +903,14 @@ data:
   # Address to expose Hubble metrics (e.g. ":7070"). Metrics server will be disabled if this
   # field is not set.
   hubble-metrics-server: ":{{ .Values.hubble.metrics.port }}"
+  hubble-metrics-server-enable-tls: "{{ .Values.hubble.metrics.tls.enabled }}"
+  {{- if .Values.hubble.metrics.tls.enabled }}
+  hubble-metrics-server-tls-cert-file: /var/lib/cilium/tls/hubble-metrics/server.crt
+  hubble-metrics-server-tls-key-file: /var/lib/cilium/tls/hubble-metrics/server.key
+  {{- if .Values.hubble.metrics.tls.server.mtls.enabled }}
+  hubble-metrics-server-tls-client-ca-files: /var/lib/cilium/tls/hubble-metrics/client-ca.crt
+  {{- end }}
+  {{- end }}
   # A space separated list of metrics to enable. See [0] for available metrics.
   #
   # https://github.com/cilium/hubble/blob/master/Documentation/metrics.md
@@ -944,6 +974,11 @@ data:
   hubble-disable-tls: "true"
 {{- end }}
 {{- end }}
+{{- if .Values.hubble.dropEventEmitter.enabled }}
+  hubble-drop-events: "true"
+  hubble-drop-events-interval: {{ .Values.hubble.dropEventEmitter.interval | quote }}
+  hubble-drop-events-reasons: {{ .Values.hubble.dropEventEmitter.reasons | join " " | quote }}
+{{- end }}
 {{- if .Values.hubble.preferIpv6 }}
   hubble-prefer-ipv6: "true"
 {{- end }}
@@ -1007,6 +1042,10 @@ data:
   limit-ipam-api-qps: {{ .Values.ipam.operator.externalAPILimitQPS | quote }}
 {{- end }}
 
+{{- if .Values.nodeIPAM.enabled }}
+  enable-node-ipam: "true"
+{{- end }}
+
 {{- if .Values.apiRateLimit }}
   api-rate-limit: {{ .Values.apiRateLimit | quote }}
 {{- end }}
@@ -1014,9 +1053,6 @@ data:
 {{- if .Values.egressGateway.enabled }}
   enable-ipv4-egress-gateway: "true"
 {{- end }}
-{{- if .Values.egressGateway.installRoutes }}
-  install-egress-gateway-routes: "true"
-{{- end }}
 {{- if hasKey .Values.egressGateway "reconciliationTriggerInterval" }}
   egress-gateway-reconciliation-trigger-interval: {{ .Values.egressGateway.reconciliationTriggerInterval | quote }}
 {{- end }}
@@ -1092,8 +1128,6 @@ data:
 {{- if .Values.bgpControlPlane.enabled }}
   enable-bgp-control-plane: "true"
   bgp-secrets-namespace: {{ .Values.bgpControlPlane.secretsNamespace.name | quote }}
-{{- else }}
-  enable-bgp-control-plane: "false"
 {{- end }}
 
 {{- if .Values.pmtuDiscovery.enabled }}
@@ -1117,8 +1151,15 @@ data:
   vlan-bpf-bypass: {{ .Values.bpf.vlanBypass | join " " | quote }}
 {{- end }}
 
-{{- if .Values.enableCiliumEndpointSlice }}
+{{- if .Values.bpf.disableExternalIPMitigation }}
+  disable-external-ip-mitigation: {{ .Values.bpf.disableExternalIPMitigation | quote }}
+{{- end }}
+
+{{- if or .Values.ciliumEndpointSlice.enabled .Values.enableCiliumEndpointSlice }}
   enable-cilium-endpoint-slice: "true"
+  {{- if .Values.ciliumEndpointSlice.rateLimits }}
+  ces-rate-limits: {{ .Values.ciliumEndpointSlice.rateLimits | toJson | quote }}
+  {{- end }}
 {{- end }}
 
 {{- if hasKey .Values "enableK8sTerminatingEndpoint" }}
@@ -1171,6 +1212,9 @@ data:
   # default DNS proxy to transparent mode in non-chaining modes
   dnsproxy-enable-transparent-mode: {{ $defaultDNSProxyEnableTransparentMode | quote }}
   {{- end }}
+  {{- if (not (kindIs "invalid" .Values.dnsProxy.socketLingerTimeout)) }}
+  dnsproxy-socket-linger-timeout: {{ .Values.dnsProxy.socketLingerTimeout | quote }}
+  {{- end }}
   {{- if .Values.dnsProxy.dnsRejectResponseCode }}
   tofqdns-dns-reject-response-code: {{ .Values.dnsProxy.dnsRejectResponseCode | quote }}
   {{- end }}
@@ -1231,15 +1275,20 @@ data:
   proxy-max-connection-duration-seconds: {{ .Values.envoy.maxConnectionDurationSeconds | quote }}
   proxy-idle-timeout-seconds: {{ .Values.envoy.idleTimeoutDurationSeconds | quote }}
 
-  external-envoy-proxy: {{ .Values.envoy.enabled | quote }}
+  external-envoy-proxy: {{ include "envoyDaemonSetEnabled" . | quote }}
+  envoy-base-id: {{ .Values.envoy.baseID | quote }}
 
 {{- if .Values.envoy.log.path }}
   envoy-log: {{ .Values.envoy.log.path | quote }}
 {{- end }}
 
+  envoy-keep-cap-netbindservice: {{ .Values.envoy.securityContext.capabilities.keepCapNetBindService | quote }}
+
 {{- if hasKey .Values.clustermesh "maxConnectedClusters" }}
   max-connected-clusters: {{ .Values.clustermesh.maxConnectedClusters | quote }}
 {{- end }}
+  clustermesh-enable-endpoint-sync: {{ .Values.clustermesh.enableEndpointSliceSynchronization | quote }}
+  clustermesh-enable-mcs-api: {{ .Values.clustermesh.enableMCSAPISupport | quote }}
 
 # Extra config allows adding arbitrary properties to the cilium config.
 # By putting it at the end of the ConfigMap, it's also possible to override existing properties.

packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml

@@ -1,4 +1,5 @@
-{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) }}
+{{- $envoyDS := eq (include "envoyDaemonSetEnabled" .) "true" -}}
+{{- if and $envoyDS (not .Values.preflight.enabled) }}
 
 ---
 apiVersion: v1

packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml

@@ -1,5 +1,5 @@
-{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) }}
-
+{{- $envoyDS := eq (include "envoyDaemonSetEnabled" .) "true" -}}
+{{- if (and $envoyDS (not .Values.preflight.enabled)) }}
 ---
 apiVersion: apps/v1
 kind: DaemonSet
@@ -26,8 +26,8 @@ spec:
   template:
     metadata:
       annotations:
-        {{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }}
-        prometheus.io/port: "{{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}"
+        {{- if and .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }}
+        prometheus.io/port: "{{ .Values.envoy.prometheus.port }}"
         prometheus.io/scrape: "true"
         {{- end }}
         {{- if .Values.envoy.rollOutPods }}
@@ -74,8 +74,12 @@ spec:
         command:
         - /usr/bin/cilium-envoy-starter
         args:
+        {{- if .Values.envoy.securityContext.capabilities.keepCapNetBindService }}
+        - '--keep-cap-net-bind-service'
+        {{- end }}
+        - '--'
         - '-c /var/run/cilium/envoy/bootstrap-config.json'
-        - '--base-id 0'
+        - '--base-id {{ int .Values.envoy.baseID }}'
         {{- if and (.Values.debug.enabled) (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "envoy" ( splitList " " .Values.debug.verbose )) }}
         - '--log-level trace'
         {{- else if and (.Values.debug.enabled) (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "flow" ( splitList " " .Values.debug.verbose )) }}
@@ -90,7 +94,6 @@ spec:
         {{- with .Values.envoy.extraArgs }}
         {{- toYaml . | trim | nindent 8 }}
         {{- end }}
-        {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
         startupProbe:
           httpGet:
             host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
@@ -101,21 +104,12 @@ spec:
           periodSeconds: {{ .Values.envoy.startupProbe.periodSeconds }}
           successThreshold: 1
           initialDelaySeconds: 5
-        {{- end }}
         livenessProbe:
           httpGet:
             host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
             path: /healthz
             port: {{ .Values.envoy.healthPort }}
             scheme: HTTP
-          {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
-          # The initial delay for the liveness probe is intentionally large to
-          # avoid an endless kill & restart cycle if in the event that the initial
-          # bootstrapping takes longer than expected.
-          # Starting from Kubernetes 1.20, we are using startupProbe instead
-          # of this field.
-          initialDelaySeconds: 120
-          {{- end }}
           periodSeconds: {{ .Values.envoy.livenessProbe.periodSeconds }}
           successThreshold: 1
           failureThreshold: {{ .Values.envoy.livenessProbe.failureThreshold }}
@@ -126,9 +120,6 @@ spec:
             path: /healthz
             port: {{ .Values.envoy.healthPort }}
             scheme: HTTP
-          {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
-          initialDelaySeconds: 5
-          {{- end }}
           periodSeconds: {{ .Values.envoy.readinessProbe.periodSeconds }}
           successThreshold: 1
           failureThreshold: {{ .Values.envoy.readinessProbe.failureThreshold }}
@@ -146,11 +137,9 @@ spec:
               fieldPath: metadata.namespace
         {{- if .Values.k8sServiceHost }}
         - name: KUBERNETES_SERVICE_HOST
-          value: {{ .Values.k8sServiceHost | quote }}
-        {{- end }}
-        {{- if .Values.k8sServicePort }}
+          value: {{ include "k8sServiceHost" . }}
         - name: KUBERNETES_SERVICE_PORT
-          value: {{ .Values.k8sServicePort | quote }}
+          value: {{ include "k8sServicePort" . }}
         {{- end }}
         {{- with .Values.envoy.extraEnv }}
         {{- toYaml . | trim | nindent 8 }}
@@ -159,12 +148,18 @@ spec:
         resources:
           {{- toYaml . | trim | nindent 10 }}
         {{- end }}
-        {{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled }}
+        {{- if .Values.envoy.prometheus.enabled }}
         ports:
         - name: envoy-metrics
-          containerPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
-          hostPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
+          containerPort: {{ .Values.envoy.prometheus.port }}
+          hostPort: {{ .Values.envoy.prometheus.port }}
           protocol: TCP
+        {{- if and .Values.envoy.debug.admin.enabled .Values.envoy.debug.admin.port }}
+        - name: envoy-admin
+          containerPort: {{ .Values.envoy.debug.admin.port }}
+          hostPort: {{ .Values.envoy.debug.admin.port }}
+          protocol: TCP
+        {{- end }}
         {{- end }}
         securityContext:
           {{- if .Values.envoy.securityContext.privileged }}
@@ -214,7 +209,6 @@ spec:
       {{- end }}
       restartPolicy: Always
       priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.envoy.priorityClassName "system-node-critical") }}
-      serviceAccount: {{ .Values.serviceAccounts.envoy.name | quote }}
       serviceAccountName: {{ .Values.serviceAccounts.envoy.name | quote }}
       automountServiceAccountToken: {{ .Values.serviceAccounts.envoy.automount }}
       terminationGracePeriodSeconds: {{ .Values.envoy.terminationGracePeriodSeconds }}