Prepare release v0.13.0 (#321)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Enhanced monitoring capabilities for Kubernetes deployments, including
checks for `vmalert`, `vlogs`, and `vmcluster`.

- **Updates**
- Updated container images for `cozystack` and `darkhttpd` to version
`v0.13.0`.
- Version mapping updates for `ferretdb`, `kubernetes`, and
`virtual-machine` packages.
- Updated image tags and digests for Kubeapps components to version
`v0.13.0`.
	- Updated image tag for Kamaji to version `v0.13.0`.
	- Added new pod metadata labels to the `vmalertmanager` configuration.

- **Bug Fixes**
- Improved operational status checks for Kubernetes resources using
JSONPath expressions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

hack/e2e.sh

@@ -309,8 +309,9 @@ kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-i
 kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
 
 # Wait for Victoria metrics
-kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert-longterm vmalert-vmalert-shortterm vminsert-longterm vminsert-shortterm
-kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=2 -n tenant-root sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm
+kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-longterm vmalert/vmalert-shortterm vmalertmanager/alertmanager
+kubectl wait --timeout=5m --for=jsonpath=.status.status=operational -n tenant-root vlogs/generic
+kubectl wait --timeout=5m --for=jsonpath=.status.clusterStatus=operational -n tenant-root vmcluster/shortterm vmcluster/longterm
 
 # Wait for grafana
 kubectl wait --timeout=5m --for=condition=ready -n tenant-root clusters.postgresql.cnpg.io grafana-db

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.12.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.13.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.12.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.13.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -31,7 +31,7 @@ spec:
         spec:
           accessModes:
             - ReadWriteOnce
-          {{- with .Values.stroageClass }}
+          {{- with .Values.storageClass }}
           storageClassName: {{ . }}
           {{- end }}
           resources:

packages/apps/ferretdb/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.22.0"
+appVersion: "1.24.0"

packages/apps/ferretdb/templates/ferretdb.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: ferretdb
-        image: ghcr.io/ferretdb/ferretdb:1.22.0
+        image: ghcr.io/ferretdb/ferretdb:1.24.0
         ports:
         - containerPort: 27017
         env:

packages/apps/ferretdb/templates/postgres.yaml

@@ -15,7 +15,7 @@ spec:
 
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClass: {{ . }}
     {{- end }}
 

packages/apps/ferretdb/values2.yaml

@@ -1,56 +0,0 @@
-## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of Postgres replicas
-##
-external: false
-size: 10Gi
-replicas: 1
-
-## Configuration for the quorum-based synchronous replication
-## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
-## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
-quorum:
-  minSyncReplicas: 0
-  maxSyncReplicas: 0
-
-## @section Configuration parameters
-
-## @param users [object] Users configuration
-## Example:
-## users:
-##   user1:
-##     password: strongpassword
-##   user2:
-##     password: hackme
-##
-users:
-  foo:
-    password: asd
-  bar:
-    password: asd
-  baz:
-    password: asd
-  boo:
-    password: asd
-
-## @section Backup parameters
-
-## @param backup.enabled Enable pereiodic backups
-## @param backup.s3Region The AWS S3 region where backups are stored
-## @param backup.s3Bucket The S3 bucket used for storing backups
-## @param backup.schedule Cron schedule for automated backups
-## @param backup.cleanupStrategy The strategy for cleaning up old backups
-## @param backup.s3AccessKey The access key for S3, used for authentication
-## @param backup.s3SecretKey The secret key for S3, used for authentication
-## @param backup.resticPassword The password for Restic backup encryption
-backup:
-  enabled: false
-  s3Region: us-east-1
-  s3Bucket: s3.example.org/postgres-backups
-  schedule: "0 2 * * *"
-  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
-  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
-  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

packages/apps/http-cache/templates/nginx/deployment.yaml

@@ -114,7 +114,7 @@ spec:
   resources:
     requests:
       storage: "{{ $.Values.size }}"
-  {{- with $.Values.stroageClass }}
+  {{- with $.Values.storageClass }}
   storageClassName: {{ . }}
   {{- end }}
 ---

packages/apps/kafka/templates/kafka.yaml

@@ -53,7 +53,7 @@ spec:
         {{- with .Values.kafka.size }}
         size: {{ . }}
         {{- end }}
-        {{- with .Values.kafka.stroageClass }}
+        {{- with .Values.kafka.storageClass }}
         class: {{ . }}
         {{- end }}
         deleteClaim: true
@@ -64,7 +64,7 @@ spec:
       {{- with .Values.zookeeper.size }}
       size: {{ . }}
       {{- end }}
-      {{- with .Values.kafka.stroageClass }}
+      {{- with .Values.kafka.storageClass }}
       class: {{ . }}
       {{- end }}
       deleteClaim: false

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.10.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/templates/cluster.yaml

@@ -18,6 +18,8 @@ spec:
       runStrategy: Always
       template:
         metadata:
+          annotations:
+            kubevirt.io/allow-pod-bridge-network-live-migration: "true"
           labels:
             {{- range .group.roles }}
             node-role.kubernetes.io/{{ . }}: ""
@@ -38,7 +40,9 @@ spec:
                 disk:
                   bus: virtio
                   pciAddress: 0000:08:00.0
-              networkInterfaceMultiqueue: true
+              interfaces:
+              - name: default
+                bridge: {}
             memory:
               guest: {{ .group.resources.memory }}
           evictionStrategy: External
@@ -49,6 +53,9 @@ spec:
           - name: ephemeral
             emptyDisk:
               capacity: {{ .group.ephemeralStorage | default "20Gi" }}
+          networks:
+          - name: default
+            pod: {}
 {{- end }}
 ---
 apiVersion: cluster.x-k8s.io/v1beta1

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -31,20 +31,8 @@ spec:
   values:
     cilium:
       tunnel: disabled
-      autoDirectNodeRoutes: false
-      bpf:
-        masquerade: true
-      cgroup:
-        autoMount:
-          enabled: true
-        hostRoot: /run/cilium/cgroupv2
       k8sServiceHost: {{ .Release.Name }}.{{ .Release.Namespace }}.svc
       k8sServicePort: 6443
-    
-      cni:
-        chainingMode: ~
-        customConf: false
-        configMap: ""
       routingMode: tunnel
       enableIPv4Masquerade: true
       ipv4NativeRoutingCIDR: ""

packages/apps/kubernetes/templates/helmreleases/csi.yaml

@@ -28,7 +28,7 @@ spec:
   upgrade:
     remediation:
       retries: -1
-  {{- with .Values.stroageClass }}
+  {{- with .Values.storageClass }}
   values:
     storageClass: "{{ . }}"
   {{- end }}

packages/apps/mysql/templates/mariadb.yaml

@@ -62,7 +62,7 @@ spec:
     size: {{ .Values.size }}
     resizeInUseVolumes: true
     waitForVolumeResize: true
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClassName: {{ . }}
     {{- end }}
 

packages/apps/postgres/templates/db.yaml

@@ -19,7 +19,7 @@ spec:
 
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClass: {{ . }}
     {{- end }}
 

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -13,7 +13,7 @@ spec:
   {{- end }}
 
   persistence:
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClassName: {{ . }}
     {{- end }}
     storage: {{ .Values.size }}

packages/apps/versions_map

@@ -5,7 +5,8 @@ clickhouse 0.2.1 5ca8823
 clickhouse 0.3.0 HEAD
 ferretdb 0.1.0 4ffa8615
 ferretdb 0.1.1 5ca8823
-ferretdb 0.2.0 HEAD
+ferretdb 0.2.0 adaf603
+ferretdb 0.3.0 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 5ca8823
 http-cache 0.3.0 HEAD
@@ -25,7 +26,8 @@ kubernetes 0.7.0 ceefae03
 kubernetes 0.8.0 ac11056e
 kubernetes 0.8.1 e54608d8
 kubernetes 0.8.2 5ca8823
-kubernetes 0.9.0 HEAD
+kubernetes 0.9.0 9b6dd19
+kubernetes 0.10.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
@@ -59,7 +61,8 @@ tenant 1.4.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
-virtual-machine 0.3.0 HEAD
+virtual-machine 0.3.0 b908400
+virtual-machine 0.4.0 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 HEAD

packages/apps/virtual-machine/Chart.yaml

@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/virtual-machine/Makefile

@@ -3,7 +3,8 @@ include ../../../scripts/package.mk
 generate:
 	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
 	cat values.schema.json.tmp | \
-		jq '.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora"]' | \
-		jq '.properties.resources.properties.memory["x-display"] = "slider"' \
+		jq '.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' | \
+		jq '.properties.resources.properties.memory["x-display"] = "slider"' | \
+		jq '.properties.externalPorts.items.type = "integer"' \
 		> values.schema.json
 	rm -f values.schema.json.tmp

packages/apps/virtual-machine/README.md

@@ -9,51 +9,67 @@ The virtual machine is managed and hosted through KubeVirt, allowing you to harn
 - Docs: [KubeVirt User Guide](https://kubevirt.io/user-guide/)
 - GitHub: [KubeVirt Repository](https://github.com/kubevirt/kubevirt)
 
+## Accessing virtual machine
+
+You can access the virtual machine using the virtctl tool:
+- [KubeVirt User Guide - Virtctl Client Tool](https://kubevirt.io/user-guide/user_workloads/virtctl_client_tool/)
+
+To access the serial console:
+
+```
+virtctl console <vm>
+```
+
+To access the VM using VNC:
+
+```
+virtctl vnc <vm>
+```
+
+To SSH into the VM:
+
+```
+virtctl ssh <user>@<vm>
+```
+
 ## Parameters
 
 ### Common parameters
 
-| Name               | Description                                                                                       | Value                               |
-| ------------------ | ------------------------------------------------------------------------------------------------- | ----------------------------------- |
-| `external`         | Enable external access from outside the cluster                                                   | `false`                             |
-| `running`          | Determines if the virtual machine should be running                                               | `true`                              |
-| `image`            | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora` | `ubuntu`                            |
-| `storageClass`     | StorageClass used to store the data                                                               | `replicated`                        |
-| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                                          | `1`                                 |
-| `resources.memory` | The amount of memory allocated to the virtual machine                                             | `1024M`                             |
-| `resources.disk`   | The size of the disk allocated for the virtual machine                                            | `5Gi`                               |
-| `sshPwauth`        | Enable password authentication for SSH. If set to `true`, users can log in using a password       | `true`                              |
-| `disableRoot`      | Disable root login via SSH. If set to `true`, root login will be disabled                         | `true`                              |
-| `password`         | The default password for the virtual machine                                                      | `hackme`                            |
-| `chpasswdExpire`   | Set whether the password should expire                                                            | `false`                             |
-| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys                 | `["ssh-rsa ...","ssh-ed25519 ..."]` |
+| Name               | Description                                                                                                | Value            |
+| ------------------ | ---------------------------------------------------------------------------------------------------------- | ---------------- |
+| `external`         | Enable external access from outside the cluster                                                            | `false`          |
+| `externalPorts`    | Specify ports to forward from outside the cluster                                                          | `[]`             |
+| `running`          | Determines if the virtual machine should be running                                                        | `true`           |
+| `image`            | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos` | `ubuntu`         |
+| `storageClass`     | StorageClass used to store the data                                                                        | `replicated`     |
+| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                                                   | `1`              |
+| `resources.memory` | The amount of memory allocated to the virtual machine                                                      | `1024M`          |
+| `resources.disk`   | The size of the disk allocated for the virtual machine                                                     | `5Gi`            |
+| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys.                         | `[]`             |
+| `cloudInit`        | cloud-init user data config. See cloud-init documentation for more details.                                | `#cloud-config
+` |
 
 You can customize the exposed ports by specifying them under `service.ports` in the `values.yaml` file.
 
-## Example `values.yaml`
+## Example virtual machine:
 
 ```yaml
-external: false
 running: true
-image: ubuntu
+image: fedora
+storageClass: replicated
 resources:
   cpu: 1
   memory: 1024M
-  disk: 5Gi
-sshPwauth: true
-disableRoot: true
-password: hackme
-chpasswdExpire: false
-sshKeys: 
-  - YOUR_SSH_PUB_KEY_HERE
-  - ANOTHER_SSH_PUB_KEY_HERE
+  disk: 10Gi
 
-service:
-  ports:
-    - name: http
-      port: 80
-      targetPort: 80
-    - name: https
-      port: 443
-      targetPort: 443
+sshKeys:
+- ssh-rsa ...
+
+cloudInit: |
+  #cloud-config
+  user: fedora
+  password: fedora
+  chpasswd: { expire: False }
+  ssh_pwauth: True
 ```

packages/apps/virtual-machine/templates/secret.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.sshKeys }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "virtual-machine.fullname" $ }}-ssh-keys
+stringData:
+  {{- range $k, $v := .Values.sshKeys }}
+  key{{ $k }}: {{ quote $v }} 
+  {{- end }}
+{{- end }}
+{{- if .Values.cloudInit }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}-cloud-init
+stringData:
+  userdata: |
+    {{- .Values.cloudInit | nindent 4 }}
+{{- end }}

packages/apps/virtual-machine/templates/service.yaml

@@ -8,21 +8,14 @@ metadata:
     {{- include "virtual-machine.labels" . | nindent 4 }}
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
-  {{- if .Values.external }}
   externalTrafficPolicy: Local
   allocateLoadBalancerNodePorts: false
-  {{- end }}
   selector:
     {{- include "virtual-machine.labels" . | nindent 4 }}
   ports:
-    - name: ssh
-      port: 22
-      targetPort: 22
-    {{- if .Values.service.ports }}
-    {{- range .Values.service.ports }}
-    - name: {{ .name }}
-      port: {{ .port }}
-      targetPort: {{ .targetPort }}
-    {{- end }}
+    {{- range .Values.externalPorts }}
+    - name: port-{{ . }}
+      port: {{ . }}
+      targetPort: {{ . }}
     {{- end }}
 {{- end }}

packages/apps/virtual-machine/templates/vm.yaml

@@ -11,8 +11,9 @@ spec:
       name: {{ include "virtual-machine.fullname" . }}
     spec:
       pvc:
+        volumeMode: Block
         accessModes:
-        - ReadWriteOnce
+        - ReadWriteMany
         resources:
           requests:
             storage: {{ .Values.resources.disk | quote }}
@@ -28,7 +29,9 @@ spec:
           {{- else if eq .Values.image "fedora" }}
           url: https://download.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/Fedora-Cloud-Base-Generic.x86_64-40-1.14.qcow2
           {{- else if eq .Values.image "alpine" }}
-          url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-virt-3.20.2-x86_64.iso
+          url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/cloud/nocloud_alpine-3.20.2-x86_64-bios-tiny-r0.qcow2
+          {{- else if eq .Values.image "talos" }}
+          url: https://github.com/siderolabs/talos/releases/download/v1.7.6/nocloud-amd64.raw.xz
           {{- end }}
   template:
     metadata:
@@ -45,34 +48,39 @@ spec:
           - disk:
               bus: scsi
             name: systemdisk
+          {{- if or .Values.sshKeys .Values.cloudInit }}
           - disk:
               bus: virtio
             name: cloudinitdisk
+          {{- end }}
+          interfaces:
+          - name: default
+            bridge: {}
         machine:
           type: ""
         resources:
           requests:
             memory: {{ .Values.resources.memory | quote }}
+      {{- with .Values.sshKeys }}
+      accessCredentials:
+      - sshPublicKey:
+          source:
+            secret:
+              secretName: {{ include "virtual-machine.fullname" $ }}-ssh-keys
+          propagationMethod:
+            noCloud: {}
+      {{- end }}
       terminationGracePeriodSeconds: 30
       volumes:
-      - dataVolume:
+      - name: systemdisk
+        dataVolume:
           name: {{ include "virtual-machine.fullname" . }}
-        name: systemdisk
-      - cloudInitNoCloud:
-          userData: |-
-            #cloud-config
-            ssh_pwauth: {{ if .Values.sshPwauth | default false }}True{{ else }}False{{ end }}
-            disable_root: {{ if .Values.disableRoot | default false }}True{{ else }}False{{ end }}
-            password: {{ .Values.password }}
-            chpasswd: { expire: {{ if .Values.chpasswdExpire | default false }}True{{ else }}False{{ end }} }
-            ssh_authorized_keys:
-            {{- if .Values.sshKeys }}
-              {{- $keys := .Values.sshKeys }}
-              {{- if not (kindIs "slice" $keys) }}
-                {{- $keys = list $keys }}
-              {{- end }}
-              {{- range $keys }}
-              - {{ . }}
-              {{- end }}
-            {{- end }}
-        name: cloudinitdisk
+      {{- if or .Values.sshKeys .Values.cloudInit }}
+      - name: cloudinitdisk
+        cloudInitNoCloud:
+          secretRef:
+            name: {{ include "virtual-machine.fullname" . }}-cloud-init
+      {{- end }}
+      networks:
+      - name: default
+        pod: {}

packages/apps/virtual-machine/values.schema.json

@@ -7,6 +7,14 @@
       "description": "Enable external access from outside the cluster",
       "default": false
     },
+    "externalPorts": {
+      "type": "array",
+      "description": "Specify ports to forward from outside the cluster",
+      "default": "[]",
+      "items": {
+        "type": "integer"
+      }
+    },
     "running": {
       "type": "boolean",
       "description": "Determines if the virtual machine should be running",
@@ -14,13 +22,14 @@
     },
     "image": {
       "type": "string",
-      "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora`",
+      "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`",
       "default": "ubuntu",
       "enum": [
         "ubuntu",
         "cirros",
         "alpine",
-        "fedora"
+        "fedora",
+        "talos"
       ]
     },
     "storageClass": {
@@ -49,36 +58,18 @@
         }
       }
     },
-    "sshPwauth": {
-      "type": "boolean",
-      "description": "Enable password authentication for SSH. If set to `true`, users can log in using a password",
-      "default": true
-    },
-    "disableRoot": {
-      "type": "boolean",
-      "description": "Disable root login via SSH. If set to `true`, root login will be disabled",
-      "default": true
-    },
-    "password": {
-      "type": "string",
-      "description": "The default password for the virtual machine",
-      "default": "hackme"
-    },
-    "chpasswdExpire": {
-      "type": "boolean",
-      "description": "Set whether the password should expire",
-      "default": false
-    },
     "sshKeys": {
       "type": "array",
-      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys",
-      "default": [
-        "ssh-rsa ...",
-        "ssh-ed25519 ..."
-      ],
+      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys.",
+      "default": "[]",
       "items": {
         "type": "string"
       }
+    },
+    "cloudInit": {
+      "type": "string",
+      "description": "cloud-init user data config. See cloud-init documentation for more details.",
+      "default": "#cloud-config\n"
     }
   }
 }

packages/apps/virtual-machine/values.yaml

@@ -1,19 +1,18 @@
 ## @section Common parameters
 
 ## @param external Enable external access from outside the cluster
+## @param externalPorts [array] Specify ports to forward from outside the cluster
 ## @param running Determines if the virtual machine should be running
-## @param image The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora`
+## @param image The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`
 ## @param storageClass StorageClass used to store the data
 ## @param resources.cpu The number of CPU cores allocated to the virtual machine
 ## @param resources.memory The amount of memory allocated to the virtual machine
 ## @param resources.disk The size of the disk allocated for the virtual machine
-## @param sshPwauth Enable password authentication for SSH. If set to `true`, users can log in using a password
-## @param disableRoot Disable root login via SSH. If set to `true`, root login will be disabled
-## @param password The default password for the virtual machine
-## @param chpasswdExpire Set whether the password should expire
-## @param sshKeys List of SSH public keys for authentication. Can be a single key or a list of keys
 
 external: false
+externalPorts:
+- 22
+
 running: true
 image: ubuntu
 storageClass: replicated
@@ -21,10 +20,24 @@ resources:
   cpu: 1
   memory: 1024M
   disk: 5Gi
-sshPwauth: true
-disableRoot: true
-password: hackme
-chpasswdExpire: false
-sshKeys:
-  - ssh-rsa ...
-  - ssh-ed25519 ...
+
+## @param sshKeys [array] List of SSH public keys for authentication. Can be a single key or a list of keys.
+## Example:
+## sshKeys:
+##   - ssh-rsa ...
+##   - ssh-ed25519 ...
+##
+sshKeys: []
+
+## @param cloudInit cloud-init user data config. See cloud-init documentation for more details.
+## - https://cloudinit.readthedocs.io/en/latest/explanation/format.html
+## - https://cloudinit.readthedocs.io/en/latest/reference/examples.html
+## Example:
+## cloudInit: |
+##   #cloud-config
+##   password: ubuntu
+##   chpasswd: { expire: False }
+##
+cloudInit: |
+  #cloud-config
+

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.12.0@sha256:0917812850fd0359d5ba78fd819c0e4ce6d7c12eed9cd46813e7284064b71d30
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.13.0@sha256:0943f277c63f20cea19bef0207dc47f47157b58309c09af18830aac7906d1416

packages/core/platform/bundles/distro-full.yaml

@@ -20,14 +20,11 @@ releases:
   namespace: cozy-cilium
   privileged: true
   dependsOn: []
+  valuesFiles:
+  - values.yaml
+  - values-talos.yaml
   values:
     cilium:
-      bpf:
-        masquerade: true
-      cni:
-        chainingMode: ~
-        customConf: false
-        configMap: ""
       enableIPv4Masquerade: true
       enableIdentityMark: true
       ipv4NativeRoutingCIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"

packages/core/platform/bundles/paas-full.yaml

@@ -20,6 +20,10 @@ releases:
   namespace: cozy-cilium
   privileged: true
   dependsOn: []
+  valuesFiles:
+  - values.yaml
+  - values-talos.yaml
+  - values-kubeovn.yaml
 
 - name: kubeovn
   releaseName: kubeovn

packages/core/platform/templates/helmreleases.yaml

@@ -39,6 +39,10 @@ spec:
         kind: HelmRepository
         name: cozystack-system
         namespace: cozy-system
+      {{- with $x.valuesFiles }}
+      valuesFiles:
+      {{- toYaml $x.valuesFiles | nindent 6 }}
+      {{- end }}
   {{- $values := dict }}
   {{- with $x.values }}
   {{- $values = merge . $values }}

packages/core/testing/templates/sandbox.yaml

@@ -10,6 +10,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: cozystack-e2e-{{ .Release.Name }}
+  namespace: cozy-e2e-tests
 spec:
   replicas: 1
   selector:

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.12.0@sha256:be1693c8ce6a9522499f79b1e42b2e08c7ca80405026a095299e5e990a3ab791
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.13.0@sha256:be1693c8ce6a9522499f79b1e42b2e08c7ca80405026a095299e5e990a3ab791

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -25,7 +25,7 @@ spec:
         resources:
           requests:
             storage: {{ .Values.size }}
-        {{- with .Values.stroageClass }}
+        {{- with .Values.storageClass }}
         storageClassName: {{ . }}
         {{- end }}
   security:

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.3.0
+version: 1.4.0

packages/extra/monitoring/Makefile

@@ -5,6 +5,6 @@ include ../../../scripts/package.mk
 generate:
 	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
 	cat values.schema.json.tmp | \
-		jq '.properties.metricsStorages.items.type = "object"' \
+		jq '.properties.metricsStorages.items.type = "object" | .properties.logsStorages.items.type = "object"' \
 		> values.schema.json
 	rm -f values.schema.json.tmp

packages/extra/monitoring/README.md

@@ -8,4 +8,5 @@
 | ----------------- | --------------------------------------------------------------------------------------------------------- | ------- |
 | `host`            | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`    |
 | `metricsStorages` | Configuration of metrics storage instances                                                                | `[]`    |
+| `logsStorages`    | Configuration of logs storage instances                                                                   | `[]`    |
 | `oncall.enabled`  | Enable Grafana OnCall                                                                                     | `false` |

packages/extra/monitoring/templates/grafana/grafana.yaml

@@ -26,11 +26,34 @@ spec:
     security:
       admin_user: user
       admin_password: ${GF_PASSWORD}
+    plugins:
+      allow_loading_unsigned_plugins: "victorialogs-datasource"
   deployment:
     spec:
       replicas: 2
       template:
         spec:
+          initContainers:
+            - name: "load-vm-ds-plugin"
+              image: "curlimages/curl:7.85.0"
+              command: [ "/bin/sh" ]
+              workingDir: "/var/lib/grafana"
+              securityContext:
+                runAsUser: 10001
+                runAsNonRoot: true
+                runAsGroup: 10001
+              args:
+                - "-c"
+                - |
+                  set -ex
+                  mkdir -p /var/lib/grafana/plugins/
+                  ver=$(curl -s https://api.github.com/repos/VictoriaMetrics/victorialogs-datasource/releases/latest | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
+                  curl -L https://github.com/VictoriaMetrics/victorialogs-datasource/releases/download/$ver/victorialogs-datasource-$ver.tar.gz -o /var/lib/grafana/plugins/vl-plugin.tar.gz
+                  tar -xf /var/lib/grafana/plugins/vl-plugin.tar.gz -C /var/lib/grafana/plugins/
+                  rm /var/lib/grafana/plugins/vl-plugin.tar.gz
+              volumeMounts:
+                - name: grafana-data
+                  mountPath: /var/lib/grafana
           containers:
             - name: grafana
               image: grafana/grafana:10.1.0

packages/extra/monitoring/templates/oncall/oncall-release.yaml

@@ -15,9 +15,9 @@ spec:
       reconcileStrategy: Revision
       sourceRef:
         kind: HelmRepository
-        name: cozystack-extra
-        namespace: cozy-public
-      version: 0.1.0
+        name: cozystack-system
+        namespace: cozy-system
+      version: '*'
   interval: 1m0s
   timeout: 5m0s
   values:

packages/extra/monitoring/templates/vlogs/grafana-datasource.yaml

@@ -0,0 +1,15 @@
+{{- range .Values.logsStorages }}
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDatasource
+metadata:
+  name: vlogs-{{ .name }}
+spec:
+  datasource:
+    access: proxy
+    type: victorialogs-datasource
+    name: vlogs-{{ .name }}
+    url: http://vlogs-{{ .name }}.{{ $.Release.Namespace }}.svc:9428
+  instanceSelector:
+    matchLabels:
+      dashboards: grafana
+{{- end }}

packages/extra/monitoring/templates/vlogs/vlogs.yaml

@@ -0,0 +1,15 @@
+{{- range .Values.logsStorages }}
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VLogs
+metadata:
+  name: {{ .name }}
+spec:
+  storage:
+    resources:
+      requests:
+        storage: {{ .storage }}
+    storageClassName: {{ .storageClassName }}
+    accessModes: [ReadWriteOnce]
+  retentionPeriod: "{{ .retentionPeriod }}"
+  removePvcAfterDelete: true
+{{- end }}

packages/extra/monitoring/templates/vm/grafana-datasource.yaml

@@ -4,13 +4,13 @@
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDatasource
 metadata:
-  name: {{ .name }}
+  name: vm-{{ .name }}
 spec:
   instanceSelector:
     matchLabels:
       dashboards: grafana
   datasource:
-    name: {{ .name }}
+    name: vm-{{ .name }}
     type: prometheus
     access: proxy
     url: http://vmselect-{{ .name }}.{{ $.Release.Namespace }}.svc:8481/select/0/prometheus/

packages/extra/monitoring/templates/vm/vmalertmanager.yaml

@@ -27,3 +27,6 @@ metadata:
 spec:
   replicaCount: 2
   configSecret: alertmanager
+  podMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"

packages/extra/monitoring/values.schema.json

@@ -15,6 +15,14 @@
         "type": "object"
       }
     },
+    "logsStorages": {
+      "type": "array",
+      "description": "Configuration of logs storage instances",
+      "default": "[]",
+      "items": {
+        "type": "object"
+      }
+    },
     "oncall": {
       "type": "object",
       "properties": {

packages/extra/monitoring/values.yaml

@@ -17,6 +17,14 @@ metricsStorages:
   storage: 10Gi
   storageClassName: ""
 
+## @param logsStorages [array] Configuration of logs storage instances
+##
+logsStorages:
+- name: generic
+  retentionPeriod: "1"
+  storage: 10Gi
+  storageClassName: replicated
+
 ## @param oncall.enabled Enable Grafana OnCall
 ## 
 oncall:

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -34,7 +34,7 @@ spec:
         - name: data1
           type: "persistentVolumeClaim"
           size: "{{ .Values.size }}"
-          {{- with .Values.stroageClass }}
+          {{- with .Values.storageClass }}
           storageClass: {{ . }}
           {{- end }}
           maxVolumes: 0

packages/extra/versions_map

@@ -11,6 +11,7 @@ monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
 monitoring 1.2.0 c9e0d63b
 monitoring 1.2.1 4471b4ba
-monitoring 1.3.0 HEAD
+monitoring 1.3.0 6c5cf5b
+monitoring 1.4.0 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 HEAD

packages/system/cilium/values-kubeovn.yaml

@@ -0,0 +1,19 @@
+cilium:
+  sctp:
+    enabled: true
+  autoDirectNodeRoutes: false
+  kubeProxyReplacement: true
+  bpf:
+    masquerade: false
+  cni:
+    chainingMode: generic-veth
+    chainingTarget: kube-ovn
+    customConf: true
+    configMap: cni-configuration
+  routingMode: native
+  enableIPv4Masquerade: false
+  enableIPv6Masquerade: false
+  enableIdentityMark: false
+  enableRuntimeDeviceDetection: true
+  forceDeviceDetection: true
+  devices: ovn0

packages/system/cilium/values-talos.yaml

@@ -0,0 +1,7 @@
+cilium:
+  cgroup:
+    autoMount:
+      enabled: false
+    hostRoot: /sys/fs/cgroup
+  k8sServiceHost: localhost
+  k8sServicePort: 7445

packages/system/cilium/values.yaml

@@ -3,34 +3,12 @@ cilium:
     enabled: false
   externalIPs:
     enabled: true
-  autoDirectNodeRoutes: false
-  kubeProxyReplacement: true
-  bpf:
-    masquerade: false
+  nodePort:
+    enabled: true
   loadBalancer:
     algorithm: maglev
-  cgroup:
-    autoMount:
-      enabled: false
-    hostRoot: /sys/fs/cgroup
   ipam:
     mode: "kubernetes"
-  k8sServiceHost: localhost
-  k8sServicePort: 7445
-  cni:
-    chainingMode: generic-veth
-    customConf: true
-    configMap: cni-configuration
-  routingMode: native
-  enableIPv4Masquerade: false
-  enableIPv6Masquerade: false
-  enableIdentityMark: false
-  enableRuntimeDeviceDetection: true
-  forceDeviceDetection: true
-  devices: ovn0
-  extraEnv:
-    - name: CILIUM_ENFORCE_DEVICE_DETECTION
-      value: "true"
   image:
     repository: ghcr.io/aenix-io/cozystack/cilium
     tag: 1.16.1

packages/system/dashboard/values.yaml

@@ -33,11 +33,11 @@ kubeapps:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.12.0
-      digest: sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb
+      tag: v0.13.0
+      digest: "sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.12.0
-      digest: "sha256:5eee4c2207f23a6d5317c08bbedfd71b8b22f733b834cd370f1313fb428a22d0"
+      tag: v0.13.0
+      digest: "sha256:a8cf2b536573f4bc29d4dce323ef3007a65567d6f1fe7803490bd71f422aca88"

packages/system/kamaji/values.yaml

@@ -3,5 +3,5 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.12.0@sha256:197d7c36f76d4d9c09cc82eb87f9e36f05799a2b9158ae27e4729f2dd636ad0d
+    tag: v0.13.0@sha256:197d7c36f76d4d9c09cc82eb87f9e36f05799a2b9158ae27e4729f2dd636ad0d
     repository: ghcr.io/aenix-io/cozystack/kamaji

packages/system/kubeovn/values.yaml

@@ -22,4 +22,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.13.0@sha256:55b3ed5d4b628216378040e445aadc3d1cd817ff4d17eb081d884c6e00fb51e2
+      tag: v1.13.0@sha256:5c27a22f6b0a19c9a546e838a80ef73c32b863278cc209d7393555ad8a4f744a

packages/system/kubevirt-cdi/templates/cdi-cr.yaml

@@ -6,6 +6,7 @@ spec:
   config:
     featureGates:
     - HonorWaitForFirstConsumer
+    - ExpandDisks
   imagePullPolicy: IfNotPresent
   infra:
     nodeSelector:

packages/system/kubevirt/templates/kubevirt-cr.yaml

@@ -10,6 +10,7 @@ spec:
     developerConfiguration:
       featureGates:
       - HotplugVolumes
+      - ExpandDisks
   customizeComponents: {}
   imagePullPolicy: IfNotPresent
   workloadUpdateStrategy: {}

packages/system/monitoring/Makefile

@@ -15,3 +15,7 @@ update:
 	helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/
 	helm repo update metrics-server
 	helm pull metrics-server/metrics-server --untar --untardir charts
+	# Fluent-bit
+	helm repo add fluent https://fluent.github.io/helm-charts
+	helm repo update fluent
+	helm pull fluent/fluent-bit --untar --untardir charts

packages/system/monitoring/charts/fluent-bit/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

packages/system/monitoring/charts/fluent-bit/Chart.yaml

@@ -0,0 +1,27 @@
+annotations:
+  artifacthub.io/changes: |
+    - kind: changed
+      description: "Updated Fluent Bit OCI image to v3.1.6."
+apiVersion: v1
+appVersion: 3.1.6
+description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD
+  family operating systems.
+home: https://fluentbit.io/
+icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/fluentd/fluentbit/icon/fluentbit-icon-color.svg
+keywords:
+- logging
+- fluent-bit
+- fluentd
+maintainers:
+- email: eduardo@calyptia.com
+  name: edsiper
+- email: naseem@transit.app
+  name: naseemkullah
+- email: towmeykaw@gmail.com
+  name: Towmeykaw
+- email: steve.hipwell@gmail.com
+  name: stevehipwell
+name: fluent-bit
+sources:
+- https://github.com/fluent/fluent-bit/
+version: 0.47.7

packages/system/monitoring/charts/fluent-bit/README.md

@@ -0,0 +1,57 @@
+# Fluent Bit Helm chart
+
+[Fluent Bit](https://fluentbit.io) is a fast and lightweight log processor and forwarder or Linux, OSX and BSD family operating systems.
+
+## Installation
+
+To add the `fluent` helm repo, run:
+
+```sh
+helm repo add fluent https://fluent.github.io/helm-charts
+```
+
+To install a release named `fluent-bit`, run:
+
+```sh
+helm install fluent-bit fluent/fluent-bit
+```
+
+## Chart values
+
+```sh
+helm show values fluent/fluent-bit
+```
+
+## Using Lua scripts
+Fluent Bit allows us to build filter to modify the incoming records using custom [Lua scripts.](https://docs.fluentbit.io/manual/pipeline/filters/lua)
+
+### How to use Lua scripts with this Chart
+
+First, you should add your Lua scripts to `luaScripts` in values.yaml, for example:
+
+```yaml
+luaScripts:
+  filter_example.lua: |
+    function filter_name(tag, timestamp, record)
+        -- put your lua code here.
+    end
+```
+
+After that, the Lua scripts will be ready to be used as filters. So next step is to add your Fluent bit [filter](https://docs.fluentbit.io/manual/concepts/data-pipeline/filter) to `config.filters` in values.yaml, for example:
+
+```yaml
+config:
+  filters: |
+    [FILTER]
+        Name    lua
+        Match   <your-tag>
+        script  /fluent-bit/scripts/filter_example.lua
+        call    filter_name
+```
+Under the hood, the chart will:
+- Create a configmap using `luaScripts`.
+- Add a volumeMounts for each Lua scripts using the path `/fluent-bit/scripts/<script>`.
+- Add the Lua script's configmap as volume to the pod.
+
+### Note
+Remember to set the `script` attribute in the filter using `/fluent-bit/scripts/`, otherwise the file will not be found by fluent bit.

packages/system/monitoring/charts/fluent-bit/ci/ci-values.yaml

@@ -0,0 +1,7 @@
+testFramework:
+  enabled: true
+
+logLevel: debug
+
+dashboards:
+  enabled: true

packages/system/monitoring/charts/fluent-bit/templates/NOTES.txt

@@ -0,0 +1,6 @@
+Get Fluent Bit build information by running these commands:
+
+export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "fluent-bit.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 2020:2020
+curl http://127.0.0.1:2020 
+

packages/system/monitoring/charts/fluent-bit/templates/_helpers.tpl

@@ -0,0 +1,138 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fluent-bit.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fluent-bit.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fluent-bit.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "fluent-bit.labels" -}}
+helm.sh/chart: {{ include "fluent-bit.chart" . }}
+{{ include "fluent-bit.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "fluent-bit.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "fluent-bit.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "fluent-bit.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "fluent-bit.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Fluent-bit image with tag/digest
+*/}}
+{{- define "fluent-bit.image" -}}
+{{- $tag := ternary "" (printf ":%s" (toString .tag)) (or (empty .tag) (eq "-" (toString .tag))) -}}
+{{- $digest := ternary "" (printf "@%s" .digest) (empty .digest) -}}
+{{- printf "%s%s%s" .repository $tag $digest -}}
+{{- end -}}
+
+{{/*
+Ingress ApiVersion according k8s version
+*/}}
+{{- define "fluent-bit.ingress.apiVersion" -}}
+{{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion) -}}
+networking.k8s.io/v1
+{{- else if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") (semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion) -}}
+networking.k8s.io/v1beta1
+{{- else -}}
+extensions/v1beta1
+{{- end }}
+{{- end }}
+
+{{/*
+Return if ingress is stable.
+*/}}
+{{- define "fluent-bit.ingress.isStable" -}}
+  {{- eq (include "fluent-bit.ingress.apiVersion" .) "networking.k8s.io/v1" -}}
+{{- end -}}
+{{/*
+Return if ingress supports ingressClassName.
+*/}}
+{{- define "fluent-bit.ingress.supportsIngressClassName" -}}
+  {{- or (eq (include "fluent-bit.ingress.isStable" .) "true") (and (eq (include "fluent-bit.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
+{{- end -}}
+{{/*
+Return if ingress supports pathType.
+*/}}
+{{- define "fluent-bit.ingress.supportsPathType" -}}
+  {{- or (eq (include "fluent-bit.ingress.isStable" .) "true") (and (eq (include "fluent-bit.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
+{{- end -}}
+
+{{/*
+Pdb apiVersion according k8s version and capabilities
+*/}}
+{{- define "fluent-bit.pdb.apiVersion" -}}
+{{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) -}}
+policy/v1
+{{- else -}}
+policy/v1beta1
+{{- end }}
+{{- end -}}
+
+{{/*
+HPA ApiVersion according k8s version
+Check legacy first so helm template / kustomize will default to latest version
+*/}}
+{{- define "fluent-bit.hpa.apiVersion" -}}
+{{- if and (.Capabilities.APIVersions.Has "autoscaling/v2beta2") (semverCompare "<1.23-0" .Capabilities.KubeVersion.GitVersion) -}}
+autoscaling/v2beta2
+{{- else -}}
+autoscaling/v2
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of OpenShift SecurityContextConstraints to use
+*/}}
+{{- define "fluent-bit.openShiftSccName" -}}
+{{- if not .Values.openShift.securityContextConstraints.create -}}
+{{- printf "%s" .Values.openShift.securityContextConstraints.existingName -}}
+{{- else -}}
+{{- printf "%s" (default (include "fluent-bit.fullname" .) .Values.openShift.securityContextConstraints.name) -}}
+{{- end -}}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/_pod.tpl

@@ -0,0 +1,155 @@
+{{- define "fluent-bit.pod" -}}
+serviceAccountName: {{ include "fluent-bit.serviceAccountName" . }}
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- if .Values.priorityClassName }}
+priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+{{- with .Values.podSecurityContext }}
+securityContext:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.terminationGracePeriodSeconds }}
+terminationGracePeriodSeconds: {{ . }}
+{{- end }}
+hostNetwork: {{ .Values.hostNetwork }}
+dnsPolicy: {{ .Values.dnsPolicy }}
+{{- with .Values.dnsConfig }}
+dnsConfig:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.hostAliases }}
+hostAliases:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.initContainers }}
+initContainers:
+{{- if kindIs "string" . }}
+  {{- tpl . $ | nindent 2 }}
+{{- else }}
+  {{-  toYaml . | nindent 2 }}
+{{- end -}}
+{{- end }}
+containers:
+  - name: {{ .Chart.Name }}
+  {{- with .Values.securityContext }}
+    securityContext:
+      {{- toYaml . | nindent 6 }}
+  {{- end }}
+    image: {{ include "fluent-bit.image" (merge .Values.image (dict "tag" (default .Chart.AppVersion .Values.image.tag))) | quote }}
+    imagePullPolicy: {{ .Values.image.pullPolicy }}
+  {{- if or .Values.env .Values.envWithTpl }}
+    env:
+    {{- with .Values.env }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- range $item := .Values.envWithTpl }}
+      - name: {{ $item.name }}
+        value: {{ tpl $item.value $ | quote }}
+    {{- end }}
+  {{- end }}
+  {{- if .Values.envFrom }}
+    envFrom:
+      {{- toYaml .Values.envFrom | nindent 6 }}
+  {{- end }}
+  {{- with .Values.command }}
+    command:
+      {{- toYaml . | nindent 6 }}
+  {{- end }}
+  {{- if or .Values.args .Values.hotReload.enabled }}
+    args:
+      {{- toYaml .Values.args | nindent 6 }}
+    {{- if .Values.hotReload.enabled }}
+      - --enable-hot-reload
+    {{- end }}
+  {{- end}}
+    ports:
+      - name: http
+        containerPort: {{ .Values.metricsPort }}
+        protocol: TCP
+    {{- if .Values.extraPorts }}
+      {{- range .Values.extraPorts }}
+      - name: {{ .name }}
+        containerPort: {{ .containerPort }}
+        protocol: {{ .protocol }}
+      {{- end }}
+    {{- end }}
+  {{- with .Values.lifecycle }}
+    lifecycle:
+      {{- toYaml . | nindent 6 }}
+  {{- end }}
+    livenessProbe:
+      {{- toYaml .Values.livenessProbe | nindent 6 }}
+    readinessProbe:
+      {{- toYaml .Values.readinessProbe | nindent 6 }}
+  {{- with .Values.resources }}
+    resources:
+      {{- toYaml . | nindent 6 }}
+  {{- end }}
+    volumeMounts:
+      - name: config
+        mountPath: /fluent-bit/etc/conf
+    {{- if or .Values.luaScripts .Values.hotReload.enabled }}
+      - name: luascripts
+        mountPath: /fluent-bit/scripts
+    {{- end }}
+    {{- if eq .Values.kind "DaemonSet" }}
+      {{- toYaml .Values.daemonSetVolumeMounts | nindent 6 }}
+    {{- end }}
+    {{- if .Values.extraVolumeMounts }}
+      {{- toYaml .Values.extraVolumeMounts | nindent 6 }}
+    {{- end }}
+{{- if .Values.hotReload.enabled }}
+  - name: reloader
+    image: {{ include "fluent-bit.image" .Values.hotReload.image }}
+    args:
+      - {{ printf "-webhook-url=http://localhost:%s/api/v2/reload" (toString .Values.metricsPort) }}
+      - -volume-dir=/watch/config
+      - -volume-dir=/watch/scripts
+    volumeMounts:
+      - name: config
+        mountPath: /watch/config
+      - name: luascripts
+        mountPath: /watch/scripts
+    {{- with .Values.hotReload.resources }}
+    resources:
+      {{- toYaml . | nindent 12 }}
+    {{- end }}
+{{- end }}
+{{- if .Values.extraContainers }}
+  {{- if kindIs "string" .Values.extraContainers }}
+    {{- tpl .Values.extraContainers $ | nindent 2 }}
+  {{- else }}
+    {{-  toYaml .Values.extraContainers | nindent 2 }}
+  {{- end -}}
+{{- end }}
+volumes:
+  - name: config
+    configMap:
+      name: {{ default (include "fluent-bit.fullname" .) .Values.existingConfigMap }}
+{{- if or .Values.luaScripts .Values.hotReload.enabled }}
+  - name: luascripts
+    configMap:
+      name: {{ include "fluent-bit.fullname" . }}-luascripts
+{{- end }}
+{{- if eq .Values.kind "DaemonSet" }}
+  {{- toYaml .Values.daemonSetVolumes | nindent 2 }}
+{{- end }}
+{{- if .Values.extraVolumes }}
+  {{- toYaml .Values.extraVolumes | nindent 2 }}
+{{- end }}
+{{- with .Values.nodeSelector }}
+nodeSelector:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.affinity }}
+affinity:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.tolerations }}
+tolerations:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/clusterrole.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - pods
+      {{- if .Values.rbac.nodeAccess }}
+      - nodes
+      - nodes/metrics
+      - nodes/proxy
+      {{- end }}
+      {{- if .Values.rbac.eventsAccess }}
+      - events
+      {{- end }}
+    verbs:
+      - get
+      - list
+      - watch
+  {{- if and .Values.podSecurityPolicy.create (semverCompare "<=1.25-0" .Capabilities.KubeVersion.GitVersion) }}
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    resourceNames:
+      - {{ include "fluent-bit.fullname" . }}
+    verbs:
+      - use
+  {{- end }}
+  {{- if .Values.openShift.enabled }}
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - {{ include "fluent-bit.openShiftSccName" . }}
+    verbs:
+      - use
+  {{- end }}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "fluent-bit.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "fluent-bit.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/configmap-dashboards.yaml

@@ -0,0 +1,21 @@
+
+{{- if .Values.dashboards.enabled -}}
+{{- range $path, $_ :=  .Files.Glob "dashboards/*.json" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "fluent-bit.fullname" $ }}-dashboard-{{ trimSuffix ".json" (base $path) }}
+  namespace: {{ default $.Release.Namespace $.Values.dashboards.namespace }}
+  {{- with $.Values.dashboards.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 -}}
+  {{- end }}
+  labels:
+    {{- include "fluent-bit.labels" $ | nindent 4 }}
+    {{ $.Values.dashboards.labelKey }}: {{ $.Values.dashboards.labelValue | quote }}
+data:
+  {{ include "fluent-bit.fullname" $ }}-{{ base $path }}: |
+    {{- tpl ($.Files.Get $path) $ | nindent 4 }}
+---
+{{- end }}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/configmap-luascripts.yaml

@@ -0,0 +1,13 @@
+{{- if or .Values.luaScripts .Values.hotReload.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}-luascripts
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+data:
+  {{ range $key, $value := .Values.luaScripts }}
+  {{ $key }}: {{ $value | quote }}
+  {{ end }}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/configmap.yaml

@@ -0,0 +1,25 @@
+{{- if not .Values.existingConfigMap -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+data:
+  custom_parsers.conf: |
+    {{- (tpl .Values.config.customParsers $) | nindent 4 }}
+  fluent-bit.conf: |
+    {{- (tpl .Values.config.service $)  | nindent 4 }}
+    {{- (tpl .Values.config.inputs $)  | nindent 4 }}
+    {{- (tpl .Values.config.filters $)  | nindent 4 }}
+    {{- (tpl .Values.config.outputs $)  | nindent 4 }}
+  {{- range $key, $val := .Values.config.upstream }}
+  {{ $key }}: |
+    {{- (tpl $val $) | nindent 4 }}
+  {{- end }}
+  {{- range $key, $val := .Values.config.extraFiles }}
+  {{ $key }}: |
+    {{- (tpl $val $) | nindent 4 }}
+  {{- end }}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/daemonset.yaml

@@ -0,0 +1,48 @@
+{{- if eq .Values.kind "DaemonSet" }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "fluent-bit.selectorLabels" . | nindent 6 }}
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        {{- include "fluent-bit.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    {{- if or (not .Values.hotReload.enabled) .Values.podAnnotations }}
+      annotations:
+      {{- if not .Values.hotReload.enabled }}
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- if .Values.luaScripts }}
+        checksum/luascripts: {{ include (print $.Template.BasePath "/configmap-luascripts.yaml") . | sha256sum }}
+      {{- end }}
+      {{- end }}
+      {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    spec:
+      {{- include "fluent-bit.pod" . | nindent 6 }}
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/deployment.yaml

@@ -0,0 +1,51 @@
+{{- if eq .Values.kind "Deployment" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+    {{- with .Values.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- with .Values.updateStrategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "fluent-bit.selectorLabels" . | nindent 6 }}
+  {{- with .Values.minReadySeconds }}
+  minReadySeconds: {{ . }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        {{- include "fluent-bit.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if or (not .Values.hotReload.enabled) .Values.podAnnotations }}
+      annotations:
+      {{- if not .Values.hotReload.enabled }}
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- if .Values.luaScripts }}
+        checksum/luascripts: {{ include (print $.Template.BasePath "/configmap-luascripts.yaml") . | sha256sum }}
+      {{- end }}
+      {{- end }}
+      {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- end }}
+    spec:
+      {{- include "fluent-bit.pod" . | nindent 6 }}
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/hpa.yaml

@@ -0,0 +1,40 @@
+{{- if and  ( eq  .Values.kind "Deployment" )  .Values.autoscaling.enabled  }}
+apiVersion: {{ include "fluent-bit.hpa.apiVersion" . }}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+spec:
+  {{- if .Values.autoscaling.behavior }}
+  behavior:
+    {{- toYaml .Values.autoscaling.behavior | nindent 4 }}
+  {{- end }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "fluent-bit.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+  {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+  {{- end }}
+  {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+  {{- end }}
+  {{- if .Values.autoscaling.customRules -}}
+    {{- toYaml .Values.autoscaling.customRules | nindent 4}}
+  {{- end -}}
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/ingress.yaml

@@ -0,0 +1,65 @@
+{{- $ingressApiIsStable := eq (include "fluent-bit.ingress.isStable" .) "true" -}}
+{{- $ingressSupportsIngressClassName := eq (include "fluent-bit.ingress.supportsIngressClassName" .) "true" -}}
+{{- $ingressSupportsPathType := eq (include "fluent-bit.ingress.supportsPathType" .) "true" -}}
+{{- $fullName := include "fluent-bit.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+
+{{- if and ( eq .Values.kind "Deployment" ) .Values.ingress.enabled }}
+apiVersion: {{ include "fluent-bit.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+  {{- range $key, $value := . }}
+    {{ printf "%s: %s" $key ((tpl $value $) | quote) }}
+  {{- end }}
+  {{- end }}
+spec:
+  {{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  {{- end -}}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      {{- with .secretName }}
+      secretName: {{ . }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range concat .Values.ingress.hosts .Values.ingress.extraHosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          - path: /
+            {{- if $ingressSupportsPathType }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+              {{- if $ingressApiIsStable }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  {{- if .port }}
+                  number: {{ .port }}
+                  {{- else }}
+                  number: {{ $svcPort }}
+                  {{- end }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              {{- if .port }}
+              servicePort: {{ .port }}
+              {{- else }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+              {{- end }}
+    {{- end }}
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/networkpolicy.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+  name: {{ include "fluent-bit.fullname" . | quote }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+spec:
+  policyTypes:
+    - "Ingress"
+  podSelector:
+    matchLabels:
+      {{- include "fluent-bit.selectorLabels" . | nindent 6 }}
+  ingress:
+    {{- with .Values.networkPolicy.ingress }}
+    - from:
+        {{- with .from }}{{- . | toYaml | nindent 8 }}{{- else }} []{{- end }}
+      ports:
+        - protocol: "TCP"
+          port: {{ $.Values.service.port }}
+    {{- end }}
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/pdb.yaml

@@ -0,0 +1,21 @@
+{{- if and  ( eq  .Values.kind "Deployment" )  .Values.podDisruptionBudget.enabled  }}
+apiVersion: {{ include "fluent-bit.pdb.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+{{- with .Values.podDisruptionBudget.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  selector:
+    matchLabels:
+      {{- include "fluent-bit.selectorLabels" . | nindent 6 }}
+      {{- with .Values.labels }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/prometheusrule.yaml

@@ -0,0 +1,18 @@
+{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  namespace: {{ default $.Release.Namespace .Values.prometheusRule.namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+  {{- if .Values.prometheusRule.additionalLabels }}
+    {{- toYaml .Values.prometheusRule.additionalLabels | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.prometheusRule.rules }}
+  groups:
+  - name: {{ template "fluent-bit.name" . }}
+    rules: {{- toYaml .Values.prometheusRule.rules | nindent 4 }}
+{{- end }}
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/psp.yaml

@@ -0,0 +1,42 @@
+{{- if and .Values.podSecurityPolicy.create (semverCompare "<=1.25-0" .Capabilities.KubeVersion.GitVersion) -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+{{- if .Values.podSecurityPolicy.annotations }}
+  annotations:
+    {{- toYaml .Values.podSecurityPolicy.annotations | nindent 4 }}
+{{- end }}
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  volumes:
+    - '*'
+  hostNetwork: {{ .Values.hostNetwork }}
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # TODO: Require the container to run without root privileges.
+    rule: 'RunAsAny'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/scc.yaml

@@ -0,0 +1,41 @@
+{{- if and .Values.openShift.enabled .Values.openShift.securityContextConstraints.create }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "fluent-bit.openShiftSccName" . }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+  {{- with .Values.openShift.securityContextConstraints.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+allowPrivilegedContainer: true
+allowPrivilegeEscalation: true
+allowHostDirVolumePlugin: true
+defaultAllowPrivilegeEscalation: false
+# forbid host namespaces
+allowHostNetwork: false
+allowHostIPC: false
+allowHostPorts: false
+allowHostPID: false
+allowedCapabilities: []
+forbiddenSysctls:
+  - "*"
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+  - MKNOD
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - hostPath
+  - persistentVolumeClaim
+  - projected
+  - secret
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/service.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+    {{- with .Values.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  {{- if and (eq .Values.service.type "ClusterIP") (.Values.service.clusterIP) }}
+  clusterIP: {{ .Values.service.clusterIP }}
+  {{- end }}
+  {{- if .Values.service.externalIPs }}
+  externalIPs: {{- toYaml .Values.service.externalIPs | nindent 4 }}
+  {{- end }}
+  {{- if (eq .Values.kind "DaemonSet") }}
+  {{- with .Values.service.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if (eq .Values.service.type "LoadBalancer")}}
+  {{- with .Values.service.loadBalancerClass}}
+  loadBalancerClass: {{ . }}
+  {{- end }}
+  {{- with .Values.service.loadBalancerSourceRanges}}
+  loadBalancerSourceRanges:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+      {{- if and (eq .Values.service.type "NodePort") (.Values.service.nodePort) }}
+      nodePort: {{ .Values.service.nodePort }}
+      {{- end }}
+  {{- if .Values.extraPorts }}
+    {{- range .Values.extraPorts }}
+    - name: {{ .name }}
+      targetPort: {{ .name }}
+      protocol: {{ .protocol }}
+      port: {{ .port }}
+      {{- if and (eq $.Values.service.type "NodePort") (.nodePort) }}
+      nodePort: {{ .nodePort }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  selector:
+    {{- include "fluent-bit.selectorLabels" . | nindent 4 }}

packages/system/monitoring/charts/fluent-bit/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "fluent-bit.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/servicemonitor.yaml

@@ -0,0 +1,51 @@
+{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "fluent-bit.fullname" . }}
+  namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+    {{- with .Values.serviceMonitor.selector }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  jobLabel: app.kubernetes.io/instance
+  endpoints:
+    - port: http
+      path: {{ default "/api/v2/metrics/prometheus" .Values.serviceMonitor.path }}
+      {{- with .Values.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+      {{- if kindIs "string" . }}
+        {{- tpl . $ | nindent 8 }}
+      {{- else }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.serviceMonitor.scheme }}
+      scheme: {{ .Values.serviceMonitor.scheme }}
+      {{- end }}
+      {{- if .Values.serviceMonitor.tlsConfig }}
+      tlsConfig:
+        {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 8 }}
+      {{- end }}
+    {{- with .Values.serviceMonitor.additionalEndpoints }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "fluent-bit.selectorLabels" . | nindent 6 }}
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/tests/test-connection.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.testFramework.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "fluent-bit.fullname" . }}-test-connection"
+  namespace: {{ default .Release.Namespace .Values.testFramework.namespace }}
+  labels:
+    helm.sh/chart: {{ include "fluent-bit.chart" . }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+    helm.sh/hook: test
+    helm.sh/hook-delete-policy: hook-succeeded
+spec:
+  containers:
+    - name: wget
+      image: {{ include "fluent-bit.image" .Values.testFramework.image | quote }}
+      imagePullPolicy: {{ .Values.testFramework.image.pullPolicy }}
+      command: ["sh"]
+      args: ["-c", "wget -O- {{ include "fluent-bit.fullname" . }}:{{ .Values.service.port }}"]
+  {{- with .Values.imagePullSecrets }}
+  imagePullSecrets:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  restartPolicy: Never
+{{- end }}

packages/system/monitoring/charts/fluent-bit/templates/vpa.yaml

@@ -0,0 +1,39 @@
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.autoscaling.vpa.enabled }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+  {{- with .Values.autoscaling.vpa.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  resourcePolicy:
+    containerPolicies:
+    - containerName: {{ .Chart.Name }}
+      {{- with .Values.autoscaling.vpa.controlledResources }}
+      controlledResources: 
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.autoscaling.vpa.maxAllowed }}
+      maxAllowed:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.autoscaling.vpa.minAllowed }}
+      minAllowed:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  targetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind }}
+    name: {{ include "fluent-bit.fullname" . }}
+  {{- if .Values.autoscaling.vpa.updatePolicy }}
+  updatePolicy:
+    {{- with .Values.autoscaling.vpa.updatePolicy.updateMode }}
+    updateMode: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end }}

packages/system/monitoring/charts/fluent-bit/values.yaml

@@ -0,0 +1,511 @@
+# Default values for fluent-bit.
+
+# kind -- DaemonSet or Deployment
+kind: DaemonSet
+
+# replicaCount -- Only applicable if kind=Deployment
+replicaCount: 1
+
+image:
+  repository: cr.fluentbit.io/fluent/fluent-bit
+  # Overrides the image tag whose default is {{ .Chart.AppVersion }}
+  # Set to "-" to not use the default value
+  tag:
+  digest:
+  pullPolicy: IfNotPresent
+
+testFramework:
+  enabled: true
+  namespace:
+  image:
+    repository: busybox
+    pullPolicy: Always
+    tag: latest
+    digest:
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  create: true
+  annotations: {}
+  name:
+
+rbac:
+  create: true
+  nodeAccess: false
+  eventsAccess: false
+
+# Configure podsecuritypolicy
+# Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+# from Kubernetes 1.25, PSP is deprecated
+# See: https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes
+# We automatically disable PSP if Kubernetes version is 1.25 or higher
+podSecurityPolicy:
+  create: false
+  annotations: {}
+
+# OpenShift-specific configuration
+openShift:
+  enabled: false
+  securityContextConstraints:
+    # Create SCC for Fluent-bit and allow use it
+    create: true
+    name: ""
+    annotations: {}
+    # Use existing SCC in cluster, rather then create new one
+    existingName: ""
+
+podSecurityContext: {}
+#   fsGroup: 2000
+
+hostNetwork: false
+dnsPolicy: ClusterFirst
+
+dnsConfig: {}
+#   nameservers:
+#     - 1.2.3.4
+#   searches:
+#     - ns1.svc.cluster-domain.example
+#     - my.dns.search.suffix
+#   options:
+#     - name: ndots
+#       value: "2"
+#     - name: edns0
+
+hostAliases: []
+#   - ip: "1.2.3.4"
+#     hostnames:
+#     - "foo.local"
+#     - "bar.local"
+
+securityContext: {}
+#   capabilities:
+#     drop:
+#     - ALL
+#   readOnlyRootFilesystem: true
+#   runAsNonRoot: true
+#   runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 2020
+  internalTrafficPolicy:
+  loadBalancerClass:
+  loadBalancerSourceRanges: []
+  labels: {}
+  # nodePort: 30020
+  # clusterIP: 172.16.10.1
+  annotations: {}
+#   prometheus.io/path: "/api/v1/metrics/prometheus"
+#   prometheus.io/port: "2020"
+#   prometheus.io/scrape: "true"
+  externalIPs: []
+  # externalIPs:
+  #  - 2.2.2.2
+
+
+serviceMonitor:
+  enabled: false
+  #   namespace: monitoring
+  #   interval: 10s
+  #   scrapeTimeout: 10s
+  #   selector:
+  #    prometheus: my-prometheus
+  #  ## metric relabel configs to apply to samples before ingestion.
+  #  ##
+  #  metricRelabelings:
+  #    - sourceLabels: [__meta_kubernetes_service_label_cluster]
+  #      targetLabel: cluster
+  #      regex: (.*)
+  #      replacement: ${1}
+  #      action: replace
+  #  ## relabel configs to apply to samples after ingestion.
+  #  ##
+  #  relabelings:
+  #    - sourceLabels: [__meta_kubernetes_pod_node_name]
+  #      separator: ;
+  #      regex: ^(.*)$
+  #      targetLabel: nodename
+  #      replacement: $1
+  #      action: replace
+  #  scheme: ""
+  #  tlsConfig: {}
+
+  ## Bear in mind if you want to collect metrics from a different port
+  ## you will need to configure the new ports on the extraPorts property.
+  additionalEndpoints: []
+  # - port: metrics
+  #   path: /metrics
+  #   interval: 10s
+  #   scrapeTimeout: 10s
+  #   scheme: ""
+  #   tlsConfig: {}
+  #   # metric relabel configs to apply to samples before ingestion.
+  #   #
+  #   metricRelabelings:
+  #     - sourceLabels: [__meta_kubernetes_service_label_cluster]
+  #       targetLabel: cluster
+  #       regex: (.*)
+  #       replacement: ${1}
+  #       action: replace
+  #   # relabel configs to apply to samples after ingestion.
+  #   #
+  #   relabelings:
+  #     - sourceLabels: [__meta_kubernetes_pod_node_name]
+  #       separator: ;
+  #       regex: ^(.*)$
+  #       targetLabel: nodename
+  #       replacement: $1
+  #       action: replace
+
+prometheusRule:
+  enabled: false
+#   namespace: ""
+#   additionalLabels: {}
+#   rules:
+#   - alert: NoOutputBytesProcessed
+#     expr: rate(fluentbit_output_proc_bytes_total[5m]) == 0
+#     annotations:
+#       message: |
+#         Fluent Bit instance {{ $labels.instance }}'s output plugin {{ $labels.name }} has not processed any
+#         bytes for at least 15 minutes.
+#       summary: No Output Bytes Processed
+#     for: 15m
+#     labels:
+#       severity: critical
+
+dashboards:
+  enabled: false
+  labelKey: grafana_dashboard
+  labelValue: 1
+  annotations: {}
+  namespace: ""
+
+lifecycle: {}
+#   preStop:
+#     exec:
+#       command: ["/bin/sh", "-c", "sleep 20"]
+
+livenessProbe:
+  httpGet:
+    path: /
+    port: http
+
+readinessProbe:
+  httpGet:
+    path: /api/v1/health
+    port: http
+
+resources: {}
+#   limits:
+#     cpu: 100m
+#     memory: 128Mi
+#   requests:
+#     cpu: 100m
+#     memory: 128Mi
+
+## only available if kind is Deployment
+ingress:
+  enabled: false
+  ingressClassName: ""
+  annotations: {}
+  #  kubernetes.io/ingress.class: nginx
+  #  kubernetes.io/tls-acme: "true"
+  hosts: []
+  # - host: fluent-bit.example.tld
+  extraHosts: []
+  # - host: fluent-bit-extra.example.tld
+  ## specify extraPort number
+  #   port: 5170
+  tls: []
+  #  - secretName: fluent-bit-example-tld
+  #    hosts:
+  #      - fluent-bit.example.tld
+
+## only available if kind is Deployment
+autoscaling:
+  vpa:
+    enabled: false
+
+    annotations: {}
+
+    # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
+    controlledResources: []
+
+    # Define the max allowed resources for the pod
+    maxAllowed: {}
+    # cpu: 200m
+    # memory: 100Mi
+    # Define the min allowed resources for the pod
+    minAllowed: {}
+    # cpu: 200m
+    # memory: 100Mi
+
+    updatePolicy:
+      # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
+      # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
+      updateMode: Auto
+
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 3
+  targetCPUUtilizationPercentage: 75
+  #  targetMemoryUtilizationPercentage: 75
+  ## see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics
+  customRules: []
+  #     - type: Pods
+  #       pods:
+  #         metric:
+  #           name: packets-per-second
+  #         target:
+  #           type: AverageValue
+  #           averageValue: 1k
+  ## see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-configurable-scaling-behavior
+  behavior: {}
+#      scaleDown:
+#        policies:
+#          - type: Pods
+#            value: 4
+#            periodSeconds: 60
+#          - type: Percent
+#            value: 10
+#            periodSeconds: 60
+
+## only available if kind is Deployment
+podDisruptionBudget:
+  enabled: false
+  annotations: {}
+  maxUnavailable: "30%"
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+labels: {}
+
+annotations: {}
+
+podAnnotations: {}
+
+podLabels: {}
+
+## How long (in seconds) a pods needs to be stable before progressing the deployment
+##
+minReadySeconds:
+
+## How long (in seconds) a pod may take to exit (useful with lifecycle hooks to ensure lb deregistration is done)
+##
+terminationGracePeriodSeconds:
+
+priorityClassName: ""
+
+env: []
+#  - name: FOO
+#    value: "bar"
+
+# The envWithTpl array below has the same usage as "env", but is using the tpl function to support templatable string.
+# This can be useful when you want to pass dynamic values to the Chart using the helm argument "--set <variable>=<value>"
+# https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
+envWithTpl: []
+#  - name: FOO_2
+#    value: "{{ .Values.foo2 }}"
+#
+# foo2: bar2
+
+envFrom: []
+
+# This supports either a structured array or a templatable string
+extraContainers: []
+
+# Array mode
+# extraContainers:
+#   - name: do-something
+#     image: busybox
+#     command: ['do', 'something']
+
+# String mode
+# extraContainers: |-
+#   - name: do-something
+#     image: bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}
+#     command: ['kubectl', 'version']
+
+flush: 1
+
+metricsPort: 2020
+
+extraPorts: []
+#   - port: 5170
+#     containerPort: 5170
+#     protocol: TCP
+#     name: tcp
+#     nodePort: 30517
+
+extraVolumes: []
+
+extraVolumeMounts: []
+
+updateStrategy: {}
+#   type: RollingUpdate
+#   rollingUpdate:
+#     maxUnavailable: 1
+
+# Make use of a pre-defined configmap instead of the one templated here
+existingConfigMap: ""
+
+networkPolicy:
+  enabled: false
+#   ingress:
+#     from: []
+
+luaScripts: {}
+
+## https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file
+config:
+  service: |
+    [SERVICE]
+        Daemon Off
+        Flush {{ .Values.flush }}
+        Log_Level {{ .Values.logLevel }}
+        Parsers_File /fluent-bit/etc/parsers.conf
+        Parsers_File /fluent-bit/etc/conf/custom_parsers.conf
+        HTTP_Server On
+        HTTP_Listen 0.0.0.0
+        HTTP_Port {{ .Values.metricsPort }}
+        Health_Check On
+
+  ## https://docs.fluentbit.io/manual/pipeline/inputs
+  inputs: |
+    [INPUT]
+        Name tail
+        Path /var/log/containers/*.log
+        multiline.parser docker, cri
+        Tag kube.*
+        Mem_Buf_Limit 5MB
+        Skip_Long_Lines On
+
+    [INPUT]
+        Name systemd
+        Tag host.*
+        Systemd_Filter _SYSTEMD_UNIT=kubelet.service
+        Read_From_Tail On
+
+  ## https://docs.fluentbit.io/manual/pipeline/filters
+  filters: |
+    [FILTER]
+        Name kubernetes
+        Match kube.*
+        Merge_Log On
+        Keep_Log Off
+        K8S-Logging.Parser On
+        K8S-Logging.Exclude On
+
+  ## https://docs.fluentbit.io/manual/pipeline/outputs
+  outputs: |
+    [OUTPUT]
+        Name es
+        Match kube.*
+        Host elasticsearch-master
+        Logstash_Format On
+        Retry_Limit False
+
+    [OUTPUT]
+        Name es
+        Match host.*
+        Host elasticsearch-master
+        Logstash_Format On
+        Logstash_Prefix node
+        Retry_Limit False
+
+  ## https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/upstream-servers
+  ## This configuration is deprecated, please use `extraFiles` instead.
+  upstream: {}
+
+  ## https://docs.fluentbit.io/manual/pipeline/parsers
+  customParsers: |
+    [PARSER]
+        Name docker_no_time
+        Format json
+        Time_Keep Off
+        Time_Key time
+        Time_Format %Y-%m-%dT%H:%M:%S.%L
+
+  # This allows adding more files with arbitrary filenames to /fluent-bit/etc/conf by providing key/value pairs.
+  # The key becomes the filename, the value becomes the file content.
+  extraFiles: {}
+#     upstream.conf: |
+#       [UPSTREAM]
+#           upstream1
+#
+#       [NODE]
+#           name       node-1
+#           host       127.0.0.1
+#           port       43000
+#     example.conf: |
+#       [OUTPUT]
+#           Name example
+#           Match foo.*
+#           Host bar
+
+# The config volume is mounted by default, either to the existingConfigMap value, or the default of "fluent-bit.fullname"
+volumeMounts:
+  - name: config
+    mountPath: /fluent-bit/etc/conf
+
+daemonSetVolumes:
+  - name: varlog
+    hostPath:
+      path: /var/log
+  - name: varlibdockercontainers
+    hostPath:
+      path: /var/lib/docker/containers
+  - name: etcmachineid
+    hostPath:
+      path: /etc/machine-id
+      type: File
+
+daemonSetVolumeMounts:
+  - name: varlog
+    mountPath: /var/log
+  - name: varlibdockercontainers
+    mountPath: /var/lib/docker/containers
+    readOnly: true
+  - name: etcmachineid
+    mountPath: /etc/machine-id
+    readOnly: true
+
+command:
+  - /fluent-bit/bin/fluent-bit
+
+args:
+  - --workdir=/fluent-bit/etc
+  - --config=/fluent-bit/etc/conf/fluent-bit.conf
+
+# This supports either a structured array or a templatable string
+initContainers: []
+
+# Array mode
+# initContainers:
+#   - name: do-something
+#     image: bitnami/kubectl:1.22
+#     command: ['kubectl', 'version']
+
+# String mode
+# initContainers: |-
+#   - name: do-something
+#     image: bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}
+#     command: ['kubectl', 'version']
+
+logLevel: info
+
+hotReload:
+  enabled: false
+  image:
+    repository: ghcr.io/jimmidyson/configmap-reload
+    tag: v0.11.1
+    digest:
+    pullPolicy: IfNotPresent
+  resources: {}

packages/system/monitoring/charts/kube-state-metrics/Chart.yaml

@@ -4,7 +4,7 @@ annotations:
     - name: Chart Source
       url: https://github.com/prometheus-community/helm-charts
 apiVersion: v2
-appVersion: 2.10.1
+appVersion: 2.13.0
 description: Install kube-state-metrics to generate and expose cluster-level metrics
 home: https://github.com/kubernetes/kube-state-metrics/
 keywords:
@@ -23,4 +23,4 @@ name: kube-state-metrics
 sources:
 - https://github.com/kubernetes/kube-state-metrics/
 type: application
-version: 5.15.2
+version: 5.25.1

packages/system/monitoring/charts/kube-state-metrics/templates/_helpers.tpl

@@ -66,7 +66,7 @@ app.kubernetes.io/part-of: {{ template "kube-state-metrics.name" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 {{- if .Values.customLabels }}
-{{ toYaml .Values.customLabels }}
+{{ tpl (toYaml .Values.customLabels) . }}
 {{- end }}
 {{- if .Values.releaseLabel }}
 release: {{ .Release.Name }}

packages/system/monitoring/charts/kube-state-metrics/templates/deployment.yaml

@@ -31,11 +31,15 @@ spec:
     metadata:
       labels:
         {{- include "kube-state-metrics.labels" . | indent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- if .Values.podAnnotations }}
       annotations:
-{{ toYaml .Values.podAnnotations | indent 8 }}
+      {{ toYaml .Values.podAnnotations | nindent 8 }}
       {{- end }}
     spec:
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       hostNetwork: {{ .Values.hostNetwork }}
       serviceAccountName: {{ template "kube-state-metrics.serviceAccountName" . }}
       {{- if .Values.securityContext.enabled }}
@@ -49,10 +53,10 @@ spec:
       {{- toYaml . | nindent 6 }}
       {{- end }}
       containers:
-      {{- $httpPort := ternary 9090 (.Values.service.port | default 8080) .Values.kubeRBACProxy.enabled}}
+      {{- $servicePort := ternary 9090 (.Values.service.port | default 8080) .Values.kubeRBACProxy.enabled}}
       {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}}
       - name: {{ template "kube-state-metrics.name" . }}
-        {{- if .Values.autosharding.enabled }}
+        {{- if  .Values.autosharding.enabled }}
         env:
         - name: POD_NAME
           valueFrom:
@@ -67,7 +71,7 @@ spec:
         {{-  if .Values.extraArgs  }}
         {{- .Values.extraArgs | toYaml | nindent 8 }}
         {{-  end  }}
-        - --port={{ $httpPort }}
+        - --port={{ $servicePort }}
         {{-  if .Values.collectors  }}
         - --resources={{ .Values.collectors | join "," }}
         {{-  end  }}
@@ -115,10 +119,10 @@ spec:
         {{- if .Values.selfMonitor.telemetryPort }}
         - --telemetry-port={{ $telemetryPort }}
         {{- end }}
+        {{- end }}
         {{- if .Values.customResourceState.enabled }}
         - --custom-resource-state-config-file=/etc/customresourcestate/config.yaml
         {{- end }}
-        {{- end }}
         {{- if or (.Values.kubeconfig.enabled) (.Values.customResourceState.enabled) (.Values.volumeMounts) }}
         volumeMounts:
         {{- if .Values.kubeconfig.enabled }}
@@ -146,22 +150,64 @@ spec:
           name: "metrics"
         {{- end }}
         {{- end }}
-        livenessProbe:
+        {{- if .Values.startupProbe.enabled }}
+        startupProbe:
+          failureThreshold: {{ .Values.startupProbe.failureThreshold }}
           httpGet:
+            {{- if .Values.hostNetwork }}
+            host: 127.0.0.1
+            {{- end }}
+            httpHeaders:
+            {{- range $_, $header := .Values.startupProbe.httpGet.httpHeaders }}
+            - name: {{ $header.name }}
+              value: {{ $header.value }}
+            {{- end }}
             path: /healthz
-            port: {{ $httpPort }}
-          initialDelaySeconds: 5
-          timeoutSeconds: 5
-        readinessProbe:
+            port: {{ $servicePort }}
+            scheme: {{ upper .Values.startupProbe.httpGet.scheme }}
+          initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+          successThreshold: {{ .Values.startupProbe.successThreshold }}
+          timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+        {{- end }}
+        livenessProbe:
+          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
           httpGet:
-            path: /
-            port: {{ $httpPort }}
-          initialDelaySeconds: 5
-          timeoutSeconds: 5
-        {{- if .Values.resources }}
+            {{- if .Values.hostNetwork }}
+            host: 127.0.0.1
+            {{- end }}
+            httpHeaders:
+            {{- range $_, $header := .Values.livenessProbe.httpGet.httpHeaders }}
+            - name: {{ $header.name }}
+              value: {{ $header.value }}
+            {{- end }}
+            path: /livez
+            port: {{ $servicePort }}
+            scheme: {{ upper .Values.livenessProbe.httpGet.scheme }}
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          successThreshold: {{ .Values.livenessProbe.successThreshold }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+        readinessProbe:
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            {{- if .Values.hostNetwork }}
+            host: 127.0.0.1
+            {{- end }}
+            httpHeaders:
+            {{- range $_, $header := .Values.readinessProbe.httpGet.httpHeaders }}
+            - name: {{ $header.name }}
+              value: {{ $header.value }}
+            {{- end }}
+            path: /readyz
+            port: {{ $servicePort }}
+            scheme: {{ upper .Values.readinessProbe.httpGet.scheme }}
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
         resources:
 {{ toYaml .Values.resources | indent 10 }}
-{{- end }}
 {{- if .Values.containerSecurityContext }}
         securityContext:
 {{ toYaml .Values.containerSecurityContext | indent 10 }}
@@ -173,7 +219,7 @@ spec:
         {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 8 }}
         {{-  end  }}
         - --secure-listen-address=:{{ .Values.service.port | default 8080}}
-        - --upstream=http://127.0.0.1:{{ $httpPort }}/
+        - --upstream=http://127.0.0.1:{{ $servicePort }}/
         - --proxy-endpoints-port=8888
         - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml
         volumeMounts:

packages/system/monitoring/charts/kube-state-metrics/templates/service.yaml

@@ -14,6 +14,10 @@ metadata:
     {{- end }}
 spec:
   type: "{{ .Values.service.type }}"
+  {{- if .Values.service.ipDualStack.enabled }}
+  ipFamilies: {{ toYaml .Values.service.ipDualStack.ipFamilies | nindent 4 }}
+  ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy }}
+  {{- end }}
   ports:
   - name: "http"
     protocol: TCP

packages/system/monitoring/charts/kube-state-metrics/templates/serviceaccount.yaml

@@ -1,6 +1,7 @@
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
   labels:
     {{- include "kube-state-metrics.labels" . | indent 4 }}
@@ -10,6 +11,8 @@ metadata:
   annotations:
 {{ toYaml .Values.serviceAccount.annotations | indent 4 }}
 {{- end }}
+{{- if or .Values.serviceAccount.imagePullSecrets .Values.global.imagePullSecrets }}
 imagePullSecrets:
   {{- include "kube-state-metrics.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.serviceAccount.imagePullSecrets) | indent 2 }}
+{{- end }}
 {{- end -}}

packages/system/monitoring/charts/kube-state-metrics/templates/servicemonitor.yaml

@@ -40,79 +40,79 @@ spec:
     {{- end }}
   endpoints:
     - port: http
-    {{- if .Values.prometheus.monitor.interval }}
-      interval: {{ .Values.prometheus.monitor.interval }}
+    {{- if or .Values.prometheus.monitor.http.interval .Values.prometheus.monitor.interval }}
+      interval: {{ .Values.prometheus.monitor.http.interval | default .Values.prometheus.monitor.interval }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.scrapeTimeout }}
-      scrapeTimeout: {{ .Values.prometheus.monitor.scrapeTimeout }}
+    {{- if or .Values.prometheus.monitor.http.scrapeTimeout .Values.prometheus.monitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.prometheus.monitor.http.scrapeTimeout | default .Values.prometheus.monitor.scrapeTimeout }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.proxyUrl }}
-      proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}}
+    {{- if or .Values.prometheus.monitor.http.proxyUrl .Values.prometheus.monitor.proxyUrl }}
+      proxyUrl: {{ .Values.prometheus.monitor.http.proxyUrl | default .Values.prometheus.monitor.proxyUrl }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.enableHttp2 }}
-      enableHttp2: {{ .Values.prometheus.monitor.enableHttp2}}
+    {{- if or .Values.prometheus.monitor.http.enableHttp2 .Values.prometheus.monitor.enableHttp2 }}
+      enableHttp2: {{ .Values.prometheus.monitor.http.enableHttp2 | default .Values.prometheus.monitor.enableHttp2 }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.honorLabels }}
+    {{- if or .Values.prometheus.monitor.http.honorLabels .Values.prometheus.monitor.honorLabels }}
       honorLabels: true
     {{- end }}
-    {{- if .Values.prometheus.monitor.metricRelabelings }}
+    {{- if or .Values.prometheus.monitor.http.metricRelabelings .Values.prometheus.monitor.metricRelabelings }}
       metricRelabelings:
-        {{- toYaml .Values.prometheus.monitor.metricRelabelings | nindent 8 }}
+        {{- toYaml (.Values.prometheus.monitor.http.metricRelabelings | default .Values.prometheus.monitor.metricRelabelings) | nindent 8 }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.relabelings }}
+    {{- if or .Values.prometheus.monitor.http.relabelings .Values.prometheus.monitor.relabelings }}
       relabelings:
-        {{- toYaml .Values.prometheus.monitor.relabelings | nindent 8 }}
+        {{- toYaml (.Values.prometheus.monitor.http.relabelings | default .Values.prometheus.monitor.relabelings) | nindent 8 }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.scheme }}
-      scheme: {{ .Values.prometheus.monitor.scheme }}
+    {{- if or .Values.prometheus.monitor.http.scheme .Values.prometheus.monitor.scheme }}
+      scheme: {{ .Values.prometheus.monitor.http.scheme | default .Values.prometheus.monitor.scheme }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.tlsConfig }}
+    {{- if or .Values.prometheus.monitor.http.tlsConfig .Values.prometheus.monitor.tlsConfig }}
       tlsConfig:
-        {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }}
+        {{- toYaml (.Values.prometheus.monitor.http.tlsConfig | default .Values.prometheus.monitor.tlsConfig) | nindent 8 }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.bearerTokenFile }}
-      bearerTokenFile: {{ .Values.prometheus.monitor.bearerTokenFile }}
+    {{- if or .Values.prometheus.monitor.http.bearerTokenFile .Values.prometheus.monitor.bearerTokenFile }}
+      bearerTokenFile: {{ .Values.prometheus.monitor.http.bearerTokenFile | default .Values.prometheus.monitor.bearerTokenFile }}
     {{- end }}
-    {{- with .Values.prometheus.monitor.bearerTokenSecret }}
+    {{- with (.Values.prometheus.monitor.http.bearerTokenSecret | default .Values.prometheus.monitor.bearerTokenSecret) }}
       bearerTokenSecret:
         {{- toYaml . | nindent 8 }}
     {{- end }}
   {{- if .Values.selfMonitor.enabled }}
     - port: metrics
-    {{- if .Values.prometheus.monitor.interval }}
-      interval: {{ .Values.prometheus.monitor.interval }}
+    {{- if or .Values.prometheus.monitor.metrics.interval .Values.prometheus.monitor.interval }}
+      interval: {{ .Values.prometheus.monitor.metrics.interval | default .Values.prometheus.monitor.interval }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.scrapeTimeout }}
-      scrapeTimeout: {{ .Values.prometheus.monitor.scrapeTimeout }}
+    {{- if or .Values.prometheus.monitor.metrics.scrapeTimeout .Values.prometheus.monitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.prometheus.monitor.metrics.scrapeTimeout | default .Values.prometheus.monitor.scrapeTimeout }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.proxyUrl }}
-      proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}}
+    {{- if or .Values.prometheus.monitor.metrics.proxyUrl .Values.prometheus.monitor.proxyUrl }}
+      proxyUrl: {{ .Values.prometheus.monitor.metrics.proxyUrl | default .Values.prometheus.monitor.proxyUrl }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.enableHttp2 }}
-      enableHttp2: {{ .Values.prometheus.monitor.enableHttp2}}
+    {{- if or .Values.prometheus.monitor.metrics.enableHttp2 .Values.prometheus.monitor.enableHttp2 }}
+      enableHttp2: {{ .Values.prometheus.monitor.metrics.enableHttp2 | default .Values.prometheus.monitor.enableHttp2 }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.honorLabels }}
+    {{- if or .Values.prometheus.monitor.metrics.honorLabels .Values.prometheus.monitor.honorLabels }}
       honorLabels: true
     {{- end }}
-    {{- if .Values.prometheus.monitor.metricRelabelings }}
+    {{- if or .Values.prometheus.monitor.metrics.metricRelabelings .Values.prometheus.monitor.metricRelabelings }}
       metricRelabelings:
-        {{- toYaml .Values.prometheus.monitor.metricRelabelings | nindent 8 }}
+        {{- toYaml (.Values.prometheus.monitor.metrics.metricRelabelings | default .Values.prometheus.monitor.metricRelabelings) | nindent 8 }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.relabelings }}
+    {{- if or .Values.prometheus.monitor.metrics.relabelings .Values.prometheus.monitor.relabelings }}
       relabelings:
-        {{- toYaml .Values.prometheus.monitor.relabelings | nindent 8 }}
+        {{- toYaml (.Values.prometheus.monitor.metrics.relabelings | default .Values.prometheus.monitor.relabelings) | nindent 8 }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.scheme }}
-      scheme: {{ .Values.prometheus.monitor.scheme }}
+    {{- if or .Values.prometheus.monitor.metrics.scheme .Values.prometheus.monitor.scheme }}
+      scheme: {{ .Values.prometheus.monitor.metrics.scheme | default .Values.prometheus.monitor.scheme }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.tlsConfig }}
+    {{- if or .Values.prometheus.monitor.metrics.tlsConfig .Values.prometheus.monitor.tlsConfig }}
       tlsConfig:
-        {{- toYaml .Values.prometheus.monitor.tlsConfig | nindent 8 }}
+        {{- toYaml (.Values.prometheus.monitor.metrics.tlsConfig | default .Values.prometheus.monitor.tlsConfig) | nindent 8 }}
     {{- end }}
-    {{- if .Values.prometheus.monitor.bearerTokenFile }}
-      bearerTokenFile: {{ .Values.prometheus.monitor.bearerTokenFile }}
+    {{- if or .Values.prometheus.monitor.metrics.bearerTokenFile .Values.prometheus.monitor.bearerTokenFile }}
+      bearerTokenFile: {{ .Values.prometheus.monitor.metrics.bearerTokenFile | default .Values.prometheus.monitor.bearerTokenFile }}
     {{- end }}
-    {{- with .Values.prometheus.monitor.bearerTokenSecret }}
+    {{- with (.Values.prometheus.monitor.metrics.bearerTokenSecret | default .Values.prometheus.monitor.bearerTokenSecret) }}
       bearerTokenSecret:
         {{- toYaml . | nindent 8 }}
     {{- end }}

packages/system/monitoring/charts/kube-state-metrics/values.yaml

@@ -37,7 +37,10 @@ autosharding:
 
 replicas: 1
 
-# Change the deployment strategy when autosharding is disabled
+# Change the deployment strategy when autosharding is disabled.
+# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+# The default is "RollingUpdate" as per Kubernetes defaults.
+# During a release, 'RollingUpdate' can lead to two running instances for a short period of time while 'Recreate' can create a small gap in data.
 # updateStrategy: Recreate
 
 # Number of old history to retain to allow rollback
@@ -49,10 +52,17 @@ revisionHistoryLimit: 10
 # all the possible args can be found here: https://github.com/kubernetes/kube-state-metrics/blob/master/docs/cli-arguments.md
 extraArgs: []
 
+# If false then the user will opt out of automounting API credentials.
+automountServiceAccountToken: true
+
 service:
   port: 8080
   # Default to clusterIP for backward compatibility
   type: ClusterIP
+  ipDualStack:
+    enabled: false
+    ipFamilies: ["IPv6", "IPv4"]
+    ipFamilyPolicy: "PreferDualStack"
   nodePort: 0
   loadBalancerIP: ""
   # Only allow access to the loadBalancerIP from these IPs
@@ -96,7 +106,7 @@ kubeRBACProxy:
   image:
     registry: quay.io
     repository: brancz/kube-rbac-proxy
-    tag: v0.14.0
+    tag: v0.18.0
     sha: ""
     pullPolicy: IfNotPresent
 
@@ -108,7 +118,12 @@ kubeRBACProxy:
   ## Specify security settings for a Container
   ## Allows overrides and additional options compared to (Pod) securityContext
   ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-  containerSecurityContext: {}
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
 
   resources: {}
     # We usually recommend not to specify default resources and to leave this as a conscious
@@ -142,6 +157,8 @@ serviceAccount:
   # Use case: AWS EKS IAM roles for service accounts
   # ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
   annotations: {}
+  # If false then the user will opt out of automounting API credentials.
+  automountServiceAccountToken: true
 
 prometheus:
   monitor:
@@ -153,7 +170,6 @@ prometheus:
     jobLabel: ""
     targetLabels: []
     podTargetLabels: []
-    interval: ""
     ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted.
     ##
     sampleLimit: 0
@@ -173,24 +189,49 @@ prometheus:
     ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.
     ##
     labelValueLengthLimit: 0
-    scrapeTimeout: ""
-    proxyUrl: ""
-    ## Whether to enable HTTP2 for servicemonitor
-    # enableHttp2: false
     selectorOverride: {}
-    honorLabels: false
-    metricRelabelings: []
-    relabelings: []
-    scheme: ""
-    ## File to read bearer token for scraping targets
-    bearerTokenFile: ""
-    ## Secret to mount to read bearer token for scraping targets. The secret needs
-    ## to be in the same namespace as the service monitor and accessible by the
-    ## Prometheus Operator
-    bearerTokenSecret: {}
-      # name: secret-name
-      # key:  key-name
-    tlsConfig: {}
+
+    ## kube-state-metrics endpoint
+    http:
+      interval: ""
+      scrapeTimeout: ""
+      proxyUrl: ""
+      ## Whether to enable HTTP2 for servicemonitor
+      enableHttp2: false
+      honorLabels: false
+      metricRelabelings: []
+      relabelings: []
+      scheme: ""
+      ## File to read bearer token for scraping targets
+      bearerTokenFile: ""
+      ## Secret to mount to read bearer token for scraping targets. The secret needs
+      ## to be in the same namespace as the service monitor and accessible by the
+      ## Prometheus Operator
+      bearerTokenSecret: {}
+        # name: secret-name
+        # key:  key-name
+      tlsConfig: {}
+
+    ## selfMonitor endpoint
+    metrics:
+      interval: ""
+      scrapeTimeout: ""
+      proxyUrl: ""
+      ## Whether to enable HTTP2 for servicemonitor
+      enableHttp2: false
+      honorLabels: false
+      metricRelabelings: []
+      relabelings: []
+      scheme: ""
+      ## File to read bearer token for scraping targets
+      bearerTokenFile: ""
+      ## Secret to mount to read bearer token for scraping targets. The secret needs
+      ## to be in the same namespace as the service monitor and accessible by the
+      ## Prometheus Operator
+      bearerTokenSecret: {}
+        # name: secret-name
+        # key:  key-name
+      tlsConfig: {}
 
 ## Specify if a Pod Security Policy for kube-state-metrics must be created
 ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
@@ -245,6 +286,7 @@ securityContext:
 ## Allows overrides and additional options compared to (Pod) securityContext
 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 containerSecurityContext:
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   capabilities:
     drop:
@@ -272,6 +314,9 @@ annotations: {}
 # Annotations to be added to the pod
 podAnnotations: {}
 
+# Labels to be added to the pod
+podLabels: {}
+
 ## Assign a PriorityClassName to pods if set
 # priorityClassName: ""
 
@@ -454,3 +499,44 @@ containers: []
 initContainers: []
   # - name: crd-sidecar
   #   image: kiwigrid/k8s-sidecar:latest
+
+## Settings for startup, liveness and readiness probes
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+##
+
+## Startup probe can optionally be enabled.
+##
+startupProbe:
+  enabled: false
+  failureThreshold: 3
+  httpGet:
+    httpHeaders: []
+    scheme: http
+  initialDelaySeconds: 0
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 5
+
+## Liveness probe
+##
+livenessProbe:
+  failureThreshold: 3
+  httpGet:
+    httpHeaders: []
+    scheme: http
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 5
+
+## Readiness probe
+##
+readinessProbe:
+  failureThreshold: 3
+  httpGet:
+    httpHeaders: []
+    scheme: http
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 5

packages/system/monitoring/charts/metrics-server/CHANGELOG.md

@@ -0,0 +1,149 @@
+# Metrics Server Helm Chart Changelog
+
+> [!NOTE]
+> All notable changes to this project will be documented in this file; the format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+<!--
+### Added - For new features.
+### Changed - For changes in existing functionality.
+### Deprecated - For soon-to-be removed features.
+### Removed - For now removed features.
+### Fixed - For any bug fixes.
+### Security - In case of vulnerabilities.
+-->
+
+## [UNRELEASED]
+
+## [3.12.1] - TBC
+
+### Changed
+
+- Updated the _Metrics Server_ OCI image to [v0.7.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1). ([#1461](https://github.com/kubernetes-sigs/metrics-server/pull/1461)) _@stevehipwell_
+
+## [3.12.0] - 2024-02-07
+
+### Changed
+
+- Updated the _Metrics Server_ OCI image to [v0.7.0](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.0). ([#1414](https://github.com/kubernetes-sigs/metrics-server/pull/1414)) [@stevehipwell](https://github.com/stevehipwell)
+- Updated the _addon-resizer_ OCI image to [v1.8.20](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.20). ([#1414](https://github.com/kubernetes-sigs/metrics-server/pull/1414)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [3.11.0] - 2023-08-03
+
+### Added
+
+- Added default _Metrics Server_ resource requests.
+
+### Changed
+
+- Updated the _Metrics Server_ OCI image to [v0.6.4](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.4).
+- Updated the _addon-resizer_ OCI image to [v1.8.19](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.19).
+
+## [3.10.0] - 2023-04-12
+
+### Added
+
+- Added support for running under PodSecurity restricted.
+
+### Fixed
+
+- Fixed `auth-reader` role binding namespace to always use `kube-system`.
+- Fixed addon-resizer configuration.
+- Fixed container port default not having been updated to `10250`.
+
+## [3.9.0] - 2023-03-28
+
+### Added
+
+- Added autoscaling support via the addon-resizer.
+
+### Changed
+
+- Updated the _Metrics Server_ OCI image to [v0.6.3](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.3).
+
+### Fixed
+
+- Fixed service labels/annotations.
+
+## [3.8.4] - 2023-03-06
+
+### Changed
+
+- Changed the image registry location to `registry.k8s.io`.
+
+## [3.8.3] - 2022-12-08
+
+### Added
+
+- Added support for topologySpreadConstraints.
+- Always set resource namespaces explicitly.
+- Allow configuring TLS on the APIService.
+- Enabled service monitor relabelling.
+- Added ability to set the scheduler name.
+- Added support for common labels.
+
+### Changed
+
+- Updated the _Metrics Server_ OCI image to [v0.6.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.2).
+
+## [3.8.2] - 2022-02-23
+
+### Changed
+
+- Changed chart to allow probes to be turned off completely (this is not advised unless you know what you're doing).
+
+## [3.8.1] - 2022-02-09
+
+### Changed
+
+- Updated the _Metrics Server_ OCI image to [v0.6.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.1).
+
+## [3.8.0] - 2022-02-08
+
+### Added
+
+- Added support for unauthenticated access to the /metrics endpoint.
+- Added optional _Prometheus Operator_ `ServiceMonitor`.
+
+### Changed
+
+- Updated the _Metrics Server_ OCI image to [v0.6.0](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.6.0).
+
+## [3.7.0] - 2021-11-18
+
+### Changed
+
+- Updated the _Metrics Server_ OCI image to [v0.5.2](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.2).
+
+## [3.6.0] - 2021-10-18
+
+### Added
+
+- Added new `defaultArgs`` value to enable overriding the default arguments.
+
+### Changed
+
+- Updated the _Metrics Server_ OCI image to [v0.5.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.1).
+
+## [3.5.0] - 2021-10-07
+
+### Added
+
+- Added initial Helm chart release from official repo.
+
+<!--
+RELEASE LINKS
+-->
+[UNRELEASED]: https://github.com/kubernetes-sigs/metrics-server/tree/master/charts/metrics-server
+[3.12.1]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.1
+[3.12.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.12.0
+[3.11.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.11.0
+[3.10.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.10.0
+[3.9.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.9.0
+[3.8.4]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.4
+[3.8.3]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.3
+[3.8.2]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.2
+[3.8.1]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.1
+[3.8.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.8.0
+[3.7.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.7.0
+[3.6.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.6.0
+[3.5.0]: https://github.com/kubernetes-sigs/metrics-server/releases/tag/metrics-server-helm-chart-3.5.0

packages/system/monitoring/charts/metrics-server/Chart.yaml

@@ -1,15 +1,9 @@
 annotations:
   artifacthub.io/changes: |
-    - kind: added
-      description: "Added default Metrics Server resource requests."
     - kind: changed
-      description: "Updated the Metrics Server OCI image to v0.6.3."
-    - kind: changed
-      description: "Updated the addon resizer OCI image to v1.8.19."
-    - kind: changed
-      description: "Changed the default addon resizer nanny resource configuration to match the documented Metrics Server autoscaling values."
+      description: "Updated the _Metrics Server_ OCI image to [v0.7.1](https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1)."
 apiVersion: v2
-appVersion: 0.6.4
+appVersion: 0.7.1
 description: Metrics Server is a scalable, efficient source of container resource
   metrics for Kubernetes built-in autoscaling pipelines.
 home: https://github.com/kubernetes-sigs/metrics-server
@@ -29,4 +23,4 @@ name: metrics-server
 sources:
 - https://github.com/kubernetes-sigs/metrics-server
 type: application
-version: 3.11.0
+version: 3.12.1

packages/system/monitoring/charts/metrics-server/README.md

@@ -2,8 +2,6 @@
 
 [Metrics Server](https://github.com/kubernetes-sigs/metrics-server/) is a scalable, efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines.
 
-<!-- Trigger release -->
-
 ## Installing the Chart
 
 Before you can install the chart you will need to add the `metrics-server` repo to [Helm](https://helm.sh/).
@@ -33,12 +31,12 @@ The following table lists the configurable parameters of the _Metrics Server_ ch
 | `serviceAccount.create`              | If `true`, create a new service account.                                                                                                                                                                                                                         | `true`                                                                         |
 | `serviceAccount.annotations`         | Annotations to add to the service account.                                                                                                                                                                                                                       | `{}`                                                                           |
 | `serviceAccount.name`                | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template.                                                                                                                                  | `nil`                                                                          |
-| `serviceAccount.secrets`             | The list of secrets mountable by this service account. See https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets                                                                                                             | `[]`                                                                           |
+| `serviceAccount.secrets`             | The list of secrets mountable by this service account. See <https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets>                                                                                                             | `[]`                                                                           |
 | `rbac.create`                        | If `true`, create the RBAC resources.                                                                                                                                                                                                                            | `true`                                                                         |
 | `rbac.pspEnabled`                    | If `true`, create a pod security policy resource.                                                                                                                                                                                                                | `false`                                                                        |
 | `apiService.create`                  | If `true`, create the `v1beta1.metrics.k8s.io` API service. You typically want this enabled! If you disable API service creation you have to manage it outside of this chart for e.g horizontal pod autoscaling to work with this release.                       | `true`                                                                         |
 | `apiService.annotations`             | Annotations to add to the API service                                                                                                                                                                                                                            | `{}`                                                                           |
-| `apiService.insecureSkipTLSVerify`   | Specifies whether to skip TLS verification                                                                                                                                                                                                                       | `true`                                                                         |
+| `apiService.insecureSkipTLSVerify`   | Specifies whether to skip TLS verification (NOTE: this setting is not a proxy for the `--kubelet-insecure-tls` metrics-server flag)                             | `true`                                          |
 | `apiService.caBundle`                | The PEM encoded CA bundle for TLS verification                                                                                                                                                                                                                   | `""`                                                                           |
 | `commonLabels`                       | Labels to add to each object of the chart.                                                                                                                                                                                                                       | `{}`                                                                           |
 | `podLabels`                          | Labels to add to the pod.                                                                                                                                                                                                                                        | `{}`                                                                           |
@@ -49,10 +47,11 @@ The following table lists the configurable parameters of the _Metrics Server_ ch
 | `containerPort`                      | port for the _metrics-server_ container.                                                                                                                                                                                                                         | `10250`                                                                        |
 | `hostNetwork.enabled`                | If `true`, start _metric-server_ in hostNetwork mode. You would require this enabled if you use alternate overlay networking for pods and API server unable to communicate with metrics-server. As an example, this is required if you use Weave network on EKS. | `false`                                                                        |
 | `replicas`                           | Number of replicas to run.                                                                                                                                                                                                                                       | `1`                                                                            |
+| `revisionHistoryLimit`               | Number of revisions to keep.                                                                                                                                                                                                                                     | `nil`                                                                           |
 | `updateStrategy`                     | Customise the default update strategy.                                                                                                                                                                                                                           | `{}`                                                                           |
 | `podDisruptionBudget.enabled`        | If `true`, create `PodDisruptionBudget` resource.                                                                                                                                                                                                                | `{}`                                                                           |
-| `podDisruptionBudget.minAvailable`   | Set the `PodDisruptionBugdet` minimum available pods.                                                                                                                                                                                                            | `nil`                                                                          |
-| `podDisruptionBudget.maxUnavailable` | Set the `PodDisruptionBugdet` maximum unavailable pods.                                                                                                                                                                                                          | `nil`                                                                          |
+| `podDisruptionBudget.minAvailable`   | Set the `PodDisruptionBudget` minimum available pods.                                                                                                                                                                                                            | `nil`                                                                          |
+| `podDisruptionBudget.maxUnavailable` | Set the `PodDisruptionBudget` maximum unavailable pods.                                                                                                                                                                                                          | `nil`                                                                          |
 | `defaultArgs`                        | Default arguments to pass to the _metrics-server_ command.                                                                                                                                                                                                       | See _values.yaml_                                                              |
 | `args`                               | Additional arguments to pass to the _metrics-server_ command.                                                                                                                                                                                                    | `[]`                                                                           |
 | `livenessProbe`                      | Liveness probe.                                                                                                                                                                                                                                                  | See _values.yaml_                                                              |
@@ -62,6 +61,7 @@ The following table lists the configurable parameters of the _Metrics Server_ ch
 | `service.annotations`                | Annotations to add to the service.                                                                                                                                                                                                                               | `{}`                                                                           |
 | `service.labels`                     | Labels to add to the service.                                                                                                                                                                                                                                    | `{}`                                                                           |
 | `addonResizer.enabled`               | If `true`, run the addon-resizer as a sidecar to automatically scale resource requests with cluster size.                                                                                                                                                        | `false`                                                                        |
+| `addonResizer.securityContext`       | Security context for the _metrics_server_container.       |                                                                                                                                             _See values.yaml |
 | `addonResizer.image.repository`      | addon-resizer image repository                                                                                                                                                                                                                                   | `registry.k8s.io/autoscaling/addon-resizer`                                    |
 | `addonResizer.image.tag`             | addon-resizer image tag                                                                                                                                                                                                                                          | `1.8.19`                                                                       |
 | `addonResizer.resources`             | Resource requests and limits for the _nanny_ container.                                                                                                                                                                                                          | `{ requests: { cpu: 40m, memory: 25Mi }, limits: { cpu: 40m, memory: 25Mi } }` |
@@ -79,7 +79,7 @@ The following table lists the configurable parameters of the _Metrics Server_ ch
 | `serviceMonitor.relabelings`         | _Prometheus_ relabeling.                                                                                                                                                                                                                                         | `[]`                                                                           |
 | `serviceMonitor.interval`            | _Prometheus_ scrape frequency.                                                                                                                                                                                                                                   | `1m`                                                                           |
 | `serviceMonitor.scrapeTimeout`       | _Prometheus_ scrape timeout.                                                                                                                                                                                                                                     | `10s`                                                                          |
-| `resources`                          | Resource requests and limits for the _metrics-server_ container. See https://github.com/kubernetes-sigs/metrics-server#scaling                                                                                                                                   | `{ requests: { cpu: 100m, memory: 200Mi }}`                                    |
+| `resources`                          | Resource requests and limits for the _metrics-server_ container. See <https://github.com/kubernetes-sigs/metrics-server#scaling>                                                                                                                                   | `{ requests: { cpu: 100m, memory: 200Mi }}`                                    |
 | `extraVolumeMounts`                  | Additional volume mounts for the _metrics-server_ container.                                                                                                                                                                                                     | `[]`                                                                           |
 | `extraVolumes`                       | Additional volumes for the pod.                                                                                                                                                                                                                                  | `[]`                                                                           |
 | `nodeSelector`                       | Node labels for pod assignment.                                                                                                                                                                                                                                  | `{}`                                                                           |
@@ -88,3 +88,5 @@ The following table lists the configurable parameters of the _Metrics Server_ ch
 | `topologySpreadConstraints`          | Pod Topology Spread Constraints.                                                                                                                                                                                                                                 | `[]`                                                                           |
 | `deploymentAnnotations`              | Annotations to add to the deployment.                                                                                                                                                                                                                            | `{}`                                                                           |
 | `schedulerName`                      | scheduler to set to the deployment.                                                                                                                                                                                                                              | `""`                                                                           |
+| `dnsConfig`                          | Set the dns configuration options for the deployment.                                                                                                                                                                                                            | `{}`                                                                           |
+| `tmpVolume`                          | Volume to be mounted in Pods for temporary files.                                                                                                                                                                                                                | `{"emptyDir":{}}`                                                              |

packages/system/monitoring/charts/metrics-server/RELEASE.md

@@ -0,0 +1 @@
+

packages/system/monitoring/charts/metrics-server/templates/deployment.yaml

@@ -11,6 +11,9 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.replicas }}
+  {{- if or (kindIs "float64" .Values.revisionHistoryLimit) (kindIs "int64" .Values.revisionHistoryLimit) }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit | int64 }}
+  {{- end }}
   {{- with .Values.updateStrategy }}
   strategy:
     {{- toYaml . | nindent 4 }}
@@ -46,6 +49,10 @@ spec:
       {{- if .Values.hostNetwork.enabled }}
       hostNetwork: true
       {{- end }}
+      {{- with .Values.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: metrics-server
           {{- with .Values.securityContext }}
@@ -89,6 +96,10 @@ spec:
           {{- end }}
         {{- if .Values.addonResizer.enabled }}
         - name: metrics-server-nanny
+          {{- with .Values.addonResizer.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           image: {{ include "metrics-server.addonResizer.image" . }}
           env:
             - name: MY_POD_NAME
@@ -119,7 +130,7 @@ spec:
         {{- end }}
       volumes:
         - name: tmp
-          emptyDir: {}
+          {{- toYaml .Values.tmpVolume | nindent 10 }}
       {{- if .Values.addonResizer.enabled }}
         - name: nanny-config-volume
           configMap:

packages/system/monitoring/charts/metrics-server/values.yaml

@@ -76,6 +76,8 @@ hostNetwork:
 
 replicas: 1
 
+revisionHistoryLimit:
+
 updateStrategy: {}
 #   type: RollingUpdate
 #   rollingUpdate:
@@ -127,7 +129,17 @@ addonResizer:
   enabled: false
   image:
     repository: registry.k8s.io/autoscaling/addon-resizer
-    tag: 1.8.19
+    tag: 1.8.20
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 1000
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
   resources:
     requests:
       cpu: 40m
@@ -176,7 +188,12 @@ affinity: {}
 
 topologySpreadConstraints: []
 
+dnsConfig: {}
+
 # Annotations to add to the deployment
 deploymentAnnotations: {}
 
 schedulerName: ""
+
+tmpVolume:
+  emptyDir: {}

packages/system/monitoring/charts/prometheus-node-exporter/Chart.yaml

@@ -4,7 +4,7 @@ annotations:
     - name: Chart Source
       url: https://github.com/prometheus-community/helm-charts
 apiVersion: v2
-appVersion: 1.7.0
+appVersion: 1.8.2
 description: A Helm chart for prometheus node-exporter
 home: https://github.com/prometheus/node_exporter/
 keywords:
@@ -22,4 +22,4 @@ name: prometheus-node-exporter
 sources:
 - https://github.com/prometheus/node_exporter/
 type: application
-version: 4.24.0
+version: 4.39.0

packages/system/monitoring/charts/prometheus-node-exporter/ci/common-labels-values.yaml

@@ -0,0 +1,4 @@
+---
+commonLabels:
+  foo: bar
+  baz: '{{ include "prometheus-node-exporter.fullname" . }}'

packages/system/monitoring/charts/prometheus-node-exporter/ci/default-values.yaml

@@ -0,0 +1 @@
+## Default values test case