Prepare release v0.14.0 (#333)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Upgraded various container images to version `v0.14.0`, enhancing
application performance and potentially introducing new features and bug
fixes.
  
- **Bug Fixes**
- Improved version tracking for packages by updating commit hashes,
enhancing clarity and traceability.

- **Chores**
- Updated configuration files to reflect the new image versions for
components, ensuring the latest updates are utilized across the
application.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

hack/e2e.sh

@@ -309,8 +309,9 @@ kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-i
 kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
 
 # Wait for Victoria metrics
-kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert-longterm vmalert-vmalert-shortterm vminsert-longterm vminsert-shortterm
-kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=2 -n tenant-root sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm
+kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-longterm vmalert/vmalert-shortterm vmalertmanager/alertmanager
+kubectl wait --timeout=5m --for=jsonpath=.status.status=operational -n tenant-root vlogs/generic
+kubectl wait --timeout=5m --for=jsonpath=.status.clusterStatus=operational -n tenant-root vmcluster/shortterm vmcluster/longterm
 
 # Wait for grafana
 kubectl wait --timeout=5m --for=condition=ready -n tenant-root clusters.postgresql.cnpg.io grafana-db

hack/gen_versions_map.sh

@@ -24,24 +24,36 @@ resolved_miss_map=$(
       change_commit=$(git --no-pager blame -L"$line",+1 -- "$chart/Chart.yaml" | awk '{print $1}')
        
       if [ "$change_commit" = "00000000" ]; then
-        # Not commited yet, use previus commit
+        # Not committed yet, use previous commit
         line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
         commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
         if [ $(echo $commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
+          # Previous commit not exists
           commit=$(echo $commit | cut -c2-)
         fi
       else
-        # Commited, but version_map wasn't updated
+        # Committed, but version_map wasn't updated
         line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
         change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
         if [ $(echo $change_commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
+          # Previous commit not exists
           commit=$(echo $change_commit | cut -c2-)
         else
           commit=$(git describe --always "$change_commit~1")
         fi
       fi
+
+      # Check if the commit belongs to the main branch
+      if ! git merge-base --is-ancestor "$commit" main; then
+        # Find the closest parent commit that belongs to main
+        commit_in_main=$(git log --pretty=format:"%H" main -- "$chart/Chart.yaml" | head -n 1)
+        if [ -n "$commit_in_main" ]; then
+          commit="$commit_in_main"
+        else
+          # No valid commit found in main branch for $chart, skipping..."
+          continue
+        fi
+      fi
     fi
     echo "$chart $version $commit"
   done

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.12.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.14.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.12.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.14.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -1,3 +1,32 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- range $user, $u := .Values.users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.users }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+{{- end }}
+
+---
 apiVersion: "clickhouse.altinity.com/v1"
 kind: "ClickHouseInstallation"
 metadata:
@@ -12,7 +41,7 @@ spec:
     {{- with .Values.users }}
     users:
       {{- range $name, $u := . }}
-      {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
+      {{ $name }}/password_sha256_hex: {{ sha256sum (index $passwords $name) }}
       {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
       {{ $name }}/networks/ip: ["::/0"]
       {{- end }}
@@ -31,7 +60,7 @@ spec:
         spec:
           accessModes:
             - ReadWriteOnce
-          {{- with .Values.stroageClass }}
+          {{- with $.Values.storageClass }}
           storageClassName: {{ . }}
           {{- end }}
           resources:

packages/apps/clickhouse/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - chi-clickhouse-test-clickhouse-0-0
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/ferretdb/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.22.0"
+appVersion: "1.24.0"

packages/apps/ferretdb/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/ferretdb/templates/ferretdb.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: ferretdb
-        image: ghcr.io/ferretdb/ferretdb:1.22.0
+        image: ghcr.io/ferretdb/ferretdb:1.24.0
         ports:
         - containerPort: 27017
         env:

packages/apps/ferretdb/templates/init-script.yaml

@@ -1,3 +1,30 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- range $user, $u := .Values.users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.users }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Secret
@@ -13,7 +40,7 @@ stringData:
     {{- range $user, $u := .Values.users }}
     SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
     WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
     COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
     {{- end }}
     EOT

packages/apps/ferretdb/templates/postgres.yaml

@@ -15,7 +15,7 @@ spec:
 
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClass: {{ . }}
     {{- end }}
 

packages/apps/ferretdb/values2.yaml

@@ -1,56 +0,0 @@
-## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of Postgres replicas
-##
-external: false
-size: 10Gi
-replicas: 1
-
-## Configuration for the quorum-based synchronous replication
-## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
-## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
-quorum:
-  minSyncReplicas: 0
-  maxSyncReplicas: 0
-
-## @section Configuration parameters
-
-## @param users [object] Users configuration
-## Example:
-## users:
-##   user1:
-##     password: strongpassword
-##   user2:
-##     password: hackme
-##
-users:
-  foo:
-    password: asd
-  bar:
-    password: asd
-  baz:
-    password: asd
-  boo:
-    password: asd
-
-## @section Backup parameters
-
-## @param backup.enabled Enable pereiodic backups
-## @param backup.s3Region The AWS S3 region where backups are stored
-## @param backup.s3Bucket The S3 bucket used for storing backups
-## @param backup.schedule Cron schedule for automated backups
-## @param backup.cleanupStrategy The strategy for cleaning up old backups
-## @param backup.s3AccessKey The access key for S3, used for authentication
-## @param backup.s3SecretKey The secret key for S3, used for authentication
-## @param backup.resticPassword The password for Restic backup encryption
-backup:
-  enabled: false
-  s3Region: us-east-1
-  s3Bucket: s3.example.org/postgres-backups
-  schedule: "0 2 * * *"
-  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
-  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
-  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

packages/apps/http-cache/templates/nginx/deployment.yaml

@@ -114,7 +114,7 @@ spec:
   resources:
     requests:
       storage: "{{ $.Values.size }}"
-  {{- with $.Values.stroageClass }}
+  {{- with $.Values.storageClass }}
   storageClassName: {{ . }}
   {{- end }}
 ---

packages/apps/kafka/templates/kafka.yaml

@@ -53,7 +53,7 @@ spec:
         {{- with .Values.kafka.size }}
         size: {{ . }}
         {{- end }}
-        {{- with .Values.kafka.stroageClass }}
+        {{- with .Values.kafka.storageClass }}
         class: {{ . }}
         {{- end }}
         deleteClaim: true
@@ -64,7 +64,7 @@ spec:
       {{- with .Values.zookeeper.size }}
       size: {{ . }}
       {{- end }}
-      {{- with .Values.kafka.stroageClass }}
+      {{- with .Values.kafka.storageClass }}
       class: {{ . }}
       {{- end }}
       deleteClaim: false

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.10.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/templates/cluster.yaml

@@ -18,6 +18,8 @@ spec:
       runStrategy: Always
       template:
         metadata:
+          annotations:
+            kubevirt.io/allow-pod-bridge-network-live-migration: "true"
           labels:
             {{- range .group.roles }}
             node-role.kubernetes.io/{{ . }}: ""
@@ -38,7 +40,9 @@ spec:
                 disk:
                   bus: virtio
                   pciAddress: 0000:08:00.0
-              networkInterfaceMultiqueue: true
+              interfaces:
+              - name: default
+                bridge: {}
             memory:
               guest: {{ .group.resources.memory }}
           evictionStrategy: External
@@ -49,6 +53,9 @@ spec:
           - name: ephemeral
             emptyDisk:
               capacity: {{ .group.ephemeralStorage | default "20Gi" }}
+          networks:
+          - name: default
+            pod: {}
 {{- end }}
 ---
 apiVersion: cluster.x-k8s.io/v1beta1

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -31,20 +31,8 @@ spec:
   values:
     cilium:
       tunnel: disabled
-      autoDirectNodeRoutes: false
-      bpf:
-        masquerade: true
-      cgroup:
-        autoMount:
-          enabled: true
-        hostRoot: /run/cilium/cgroupv2
       k8sServiceHost: {{ .Release.Name }}.{{ .Release.Namespace }}.svc
       k8sServicePort: 6443
-    
-      cni:
-        chainingMode: ~
-        customConf: false
-        configMap: ""
       routingMode: tunnel
       enableIPv4Masquerade: true
       ipv4NativeRoutingCIDR: ""

packages/apps/kubernetes/templates/helmreleases/csi.yaml

@@ -28,7 +28,7 @@ spec:
   upgrade:
     remediation:
       retries: -1
-  {{- with .Values.stroageClass }}
+  {{- with .Values.storageClass }}
   values:
     storageClass: "{{ . }}"
   {{- end }}

packages/apps/mysql/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/mysql/README.md

@@ -79,7 +79,7 @@ more details:
 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
 | `users`     | Users configuration     | `{}`  |
-| `databases` | Databases configuration | `[]`  |
+| `databases` | Databases configuration | `{}`  |
 
 ### Backup parameters
 

packages/apps/mysql/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}-primary
+  - {{ .Release.Name }}-secondary
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/mysql/templates/db.yaml

@@ -1,14 +1,47 @@
-{{- range $name := .Values.databases }}
-{{ $dnsName := replace "_" "-" $name }}
+{{- range $name, $db := .Values.databases }}
+{{ $dbDNSName := replace "_" "-" $name }}
 ---
 apiVersion: k8s.mariadb.com/v1alpha1
 kind: Database
 metadata:
-  name: {{ $.Release.Name }}-{{ $dnsName }}
+  name: {{ $.Release.Name }}-{{ $dbDNSName }}
 spec:
   name: {{ $name }}
   mariaDbRef:
     name: {{ $.Release.Name }}
   characterSet: utf8
   collate: utf8_general_ci
+{{- range $user := $db.roles.admin }}
+{{ $userDNSName := replace "_" "-" $user }}
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: {{ $.Release.Name }}-{{ $dbDNSName }}-{{ $userDNSName }}
+spec:
+  mariaDbRef:
+    name: {{ $.Release.Name }}
+  privileges: ['ALL']
+  database: {{ $name }}
+  table: "*"
+  username: {{ $user }}
+  grantOption: true
+{{- end }}
+{{- range $user := $db.roles.readonly }}
+{{ $userDNSName := replace "_" "-" $user }}
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: {{ $.Release.Name }}-{{ $dbDNSName }}-{{ $userDNSName }}
+spec:
+  mariaDbRef:
+    name: {{ $.Release.Name }}
+  privileges: ['SELECT']
+  database: {{ $name }}
+  table: "*"
+  username: {{ $user }}
+  grantOption: true
+{{- end }}
+
 {{- end }}

packages/apps/mysql/templates/mariadb.yaml

@@ -4,11 +4,9 @@ kind: MariaDB
 metadata:
   name: {{ .Release.Name }}
 spec:
-  {{- if (and .Values.users.root .Values.users.root.password) }}
   rootPasswordSecretKeyRef:
-    name: {{ .Release.Name }}
-    key: root-password
-  {{- end }}
+    name: {{ .Release.Name }}-credentials
+    key: root
 
   image: "mariadb:11.0.2"
 
@@ -62,7 +60,7 @@ spec:
     size: {{ .Values.size }}
     resizeInUseVolumes: true
     waitForVolumeResize: true
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClassName: {{ . }}
     {{- end }}
 

packages/apps/mysql/templates/secret.yaml

@@ -1,9 +1,31 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- $usersWithRoot := .Values.users }}
+{{- if (and .Values.users.root .Values.users.root.password) }}
+  {{- $_ := set $usersWithRoot "root" dict }}
+{{- end }}
+
+{{- range $user, $u := $usersWithRoot }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}
+  name: {{ .Release.Name }}-credentials
 stringData:
-  {{- range $name, $u := .Values.users }}
-  {{ $name }}-password: {{ $u.password }}
+  {{- range $name, $u := $usersWithRoot }}
+  {{ $name }}: {{ index $passwords $name }}
   {{- end }}

packages/apps/mysql/templates/user.yaml

@@ -11,21 +11,8 @@ spec:
   mariaDbRef:
     name: {{ $.Release.Name }}
   passwordSecretKeyRef:
-    name: {{ $.Release.Name }}
-    key: {{ $name }}-password
+    name: {{ $.Release.Name }}-credentials
+    key: {{ $name }}
   maxUserConnections: {{ $u.maxUserConnections }}
----
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Grant
-metadata:
-  name: {{ $.Release.Name }}-{{ $dnsName }}
-spec:
-  mariaDbRef:
-    name: {{ $.Release.Name }}
-  privileges: {{ $u.privileges | toJson }}
-  database: "*"
-  table: "*"
-  username: {{ $name }}
-  grantOption: true
 {{- end }}
 {{- end }}

packages/apps/mysql/values.schema.json

@@ -22,12 +22,6 @@
             "description": "StorageClass used to store the data",
             "default": ""
         },
-        "databases": {
-            "type": "array",
-            "description": "Databases configuration",
-            "default": [],
-            "items": {}
-        },
         "backup": {
             "type": "object",
             "properties": {

packages/apps/mysql/values.yaml

@@ -15,27 +15,25 @@ storageClass: ""
 ## @param users [object] Users configuration
 ## Example:
 ## users:
-##   root:
-##     password: strongpassword
 ##   user1:
-##     privileges: ['ALL']
 ##     maxUserConnections: 1000
 ##     password: hackme
 ##   user2:
-##     privileges: ['SELECT']
 ##     maxUserConnections: 1000
 ##     password: hackme
 ##
 users: {}
 
-## @param databases Databases configuration
+## @param databases [object] Databases configuration
 ## Example:
 ## databases:
-## - wordpress1
-## - wordpress2
-## - wordpress3
-## - wordpress4
-databases: []
+##   myapp1:
+##     roles:
+##       admin:
+##       - user1
+##       readonly:
+##       - user2
+databases: {}
 
 ## @section Backup parameters
 

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/templates/dashboard-resourcemap.yaml

@@ -8,7 +8,14 @@ rules:
   resources:
   - services
   resourceNames:
-  - postgres-service-r
-  - postgres-service-ro
-  - postgres-service-rw
+  - {{ .Release.Name }}-r
+  - {{ .Release.Name }}-ro
+  - {{ .Release.Name }}-rw
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
   verbs: ["get", "list", "watch"]

packages/apps/postgres/templates/db.yaml

@@ -19,7 +19,7 @@ spec:
 
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClass: {{ . }}
     {{- end }}
 

packages/apps/postgres/templates/init-script.yaml

@@ -1,3 +1,30 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- range $user, $u := .Values.users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.users }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Secret
@@ -13,7 +40,7 @@ stringData:
     {{- range $user, $u := .Values.users }}
     SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
     WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
     COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
     {{- end }}
     EOT

packages/apps/rabbitmq/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.12.2"
+appVersion: "3.13.2"

packages/apps/rabbitmq/README.md

@@ -19,3 +19,10 @@ The service utilizes official RabbitMQ operator. This ensures the reliability an
 | `size`         | Persistent Volume size                          | `10Gi`  |
 | `replicas`     | Number of RabbitMQ replicas                     | `3`     |
 | `storageClass` | StorageClass used to store the data             | `""`    |
+
+### Configuration parameters
+
+| Name     | Description                 | Value |
+| -------- | --------------------------- | ----- |
+| `users`  | Users configuration         | `{}`  |
+| `vhosts` | Virtual Hosts configuration | `{}`  |

packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-default-user
+  {{- range $name, $u := .Values.users }}
+  - {{ $.Release.Name }}-{{ kebabcase $name }}-credentials
+  {{- end }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -13,7 +13,85 @@ spec:
   {{- end }}
 
   persistence:
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClassName: {{ . }}
     {{- end }}
     storage: {{ .Values.size }}
+
+{{- range $user, $u := .Values.users }}
+
+{{- $password := $u.password }}
+{{- if not $password }}
+{{- with (dig "data" "password" "" (lookup "v1" "Secret" $.Release.Namespace (printf "%s-%s-credentials" $.Release.Name (kebabcase $user)))) }}
+{{- $password = b64dec . }}
+{{- end }}
+{{- end }}
+{{- if not $password }}
+{{- $password = (randAlphaNum 16) }}
+{{- end }}
+
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: User
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $user }}
+  annotations:
+    config: '{{ printf "%s %s" $user $password | sha256sum }}'
+spec:
+  importCredentialsSecret:
+    name: {{ $.Release.Name }}-{{ $user }}-credentials
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $user }}-credentials
+type: Opaque
+stringData:
+  username: {{ $user }}
+  password: {{ $password }}
+{{- end }}
+
+{{- range $host, $h := .Values.vhosts }}
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Vhost
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $host }}
+spec:
+  name: {{ $host }}
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+{{- range $user := $h.roles.admin }}
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $host }}-{{ kebabcase $user }}
+spec:
+  vhost: "{{ $host }}"
+  user: "{{ $user }}"
+  permissions:
+    write: ".*"
+    configure: ".*"
+    read: ".*"
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+{{- end }}
+{{- range $user := $h.roles.readonly }}
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $host }}-{{ kebabcase $user }}
+spec:
+  vhost: "{{ $host }}"
+  user: "{{ $user }}"
+  permissions:
+    read: ".*"
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+{{- end }}
+
+{{- end }}

packages/apps/rabbitmq/values.schema.json

@@ -21,6 +21,11 @@
             "type": "string",
             "description": "StorageClass used to store the data",
             "default": ""
+        },
+        "vhosts": {
+            "type": "object",
+            "description": "Virtual Hosts configuration",
+            "default": {}
         }
     }
 }

packages/apps/rabbitmq/values.yaml

@@ -9,3 +9,33 @@ external: false
 size: 10Gi
 replicas: 3
 storageClass: ""
+
+## @section Configuration parameters
+
+## @param users [object] Users configuration
+## Example:
+## users:
+##   user1:
+##     password: strongpassword
+##   user2:
+##     password: hackme
+##   user3:
+##     password: testtest
+##
+users: {}
+
+## @param vhosts Virtual Hosts configuration
+## Example:
+## vhosts:
+##   myapp:
+##     roles:
+##       admin:
+##       - user1
+##       - user2
+##       readonly:
+##       - user3
+##   test:
+##     roles:
+##       admin:
+##       - user3
+vhosts: {}

packages/apps/versions_map

@@ -2,10 +2,13 @@ bucket 0.1.0 HEAD
 clickhouse 0.1.0 ca79f72
 clickhouse 0.2.0 7cd7de73
 clickhouse 0.2.1 5ca8823
-clickhouse 0.3.0 HEAD
+clickhouse 0.3.0 b00621e
+clickhouse 0.4.0 HEAD
 ferretdb 0.1.0 4ffa8615
 ferretdb 0.1.1 5ca8823
-ferretdb 0.2.0 HEAD
+ferretdb 0.2.0 adaf603
+ferretdb 0.3.0 aa2f553
+ferretdb 0.4.0 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 5ca8823
 http-cache 0.3.0 HEAD
@@ -25,11 +28,13 @@ kubernetes 0.7.0 ceefae03
 kubernetes 0.8.0 ac11056e
 kubernetes 0.8.1 e54608d8
 kubernetes 0.8.2 5ca8823
-kubernetes 0.9.0 HEAD
+kubernetes 0.9.0 9b6dd19
+kubernetes 0.10.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
-mysql 0.4.0 HEAD
+mysql 0.4.0 93018c4
+mysql 0.5.0 HEAD
 nats 0.1.0 5ca8823
 nats 0.2.0 HEAD
 postgres 0.1.0 f642698
@@ -38,10 +43,12 @@ postgres 0.2.1 4a97e297
 postgres 0.3.0 995dea6f
 postgres 0.4.0 ec283c33
 postgres 0.4.1 5ca8823
-postgres 0.5.0 HEAD
+postgres 0.5.0 c07c4bbd
+postgres 0.6.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 5ca8823
-rabbitmq 0.3.0 HEAD
+rabbitmq 0.3.0 9e33dc0
+rabbitmq 0.4.0 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 HEAD
@@ -59,7 +66,8 @@ tenant 1.4.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
-virtual-machine 0.3.0 HEAD
+virtual-machine 0.3.0 b908400
+virtual-machine 0.4.0 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 HEAD

packages/apps/virtual-machine/Chart.yaml

@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/virtual-machine/Makefile

@@ -3,7 +3,8 @@ include ../../../scripts/package.mk
 generate:
 	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
 	cat values.schema.json.tmp | \
-		jq '.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora"]' | \
-		jq '.properties.resources.properties.memory["x-display"] = "slider"' \
+		jq '.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' | \
+		jq '.properties.resources.properties.memory["x-display"] = "slider"' | \
+		jq '.properties.externalPorts.items.type = "integer"' \
 		> values.schema.json
 	rm -f values.schema.json.tmp

packages/apps/virtual-machine/README.md

@@ -9,51 +9,67 @@ The virtual machine is managed and hosted through KubeVirt, allowing you to harn
 - Docs: [KubeVirt User Guide](https://kubevirt.io/user-guide/)
 - GitHub: [KubeVirt Repository](https://github.com/kubevirt/kubevirt)
 
+## Accessing virtual machine
+
+You can access the virtual machine using the virtctl tool:
+- [KubeVirt User Guide - Virtctl Client Tool](https://kubevirt.io/user-guide/user_workloads/virtctl_client_tool/)
+
+To access the serial console:
+
+```
+virtctl console <vm>
+```
+
+To access the VM using VNC:
+
+```
+virtctl vnc <vm>
+```
+
+To SSH into the VM:
+
+```
+virtctl ssh <user>@<vm>
+```
+
 ## Parameters
 
 ### Common parameters
 
-| Name               | Description                                                                                       | Value                               |
-| ------------------ | ------------------------------------------------------------------------------------------------- | ----------------------------------- |
-| `external`         | Enable external access from outside the cluster                                                   | `false`                             |
-| `running`          | Determines if the virtual machine should be running                                               | `true`                              |
-| `image`            | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora` | `ubuntu`                            |
-| `storageClass`     | StorageClass used to store the data                                                               | `replicated`                        |
-| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                                          | `1`                                 |
-| `resources.memory` | The amount of memory allocated to the virtual machine                                             | `1024M`                             |
-| `resources.disk`   | The size of the disk allocated for the virtual machine                                            | `5Gi`                               |
-| `sshPwauth`        | Enable password authentication for SSH. If set to `true`, users can log in using a password       | `true`                              |
-| `disableRoot`      | Disable root login via SSH. If set to `true`, root login will be disabled                         | `true`                              |
-| `password`         | The default password for the virtual machine                                                      | `hackme`                            |
-| `chpasswdExpire`   | Set whether the password should expire                                                            | `false`                             |
-| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys                 | `["ssh-rsa ...","ssh-ed25519 ..."]` |
+| Name               | Description                                                                                                | Value            |
+| ------------------ | ---------------------------------------------------------------------------------------------------------- | ---------------- |
+| `external`         | Enable external access from outside the cluster                                                            | `false`          |
+| `externalPorts`    | Specify ports to forward from outside the cluster                                                          | `[]`             |
+| `running`          | Determines if the virtual machine should be running                                                        | `true`           |
+| `image`            | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos` | `ubuntu`         |
+| `storageClass`     | StorageClass used to store the data                                                                        | `replicated`     |
+| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                                                   | `1`              |
+| `resources.memory` | The amount of memory allocated to the virtual machine                                                      | `1024M`          |
+| `resources.disk`   | The size of the disk allocated for the virtual machine                                                     | `5Gi`            |
+| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys.                         | `[]`             |
+| `cloudInit`        | cloud-init user data config. See cloud-init documentation for more details.                                | `#cloud-config
+` |
 
 You can customize the exposed ports by specifying them under `service.ports` in the `values.yaml` file.
 
-## Example `values.yaml`
+## Example virtual machine:
 
 ```yaml
-external: false
 running: true
-image: ubuntu
+image: fedora
+storageClass: replicated
 resources:
   cpu: 1
   memory: 1024M
-  disk: 5Gi
-sshPwauth: true
-disableRoot: true
-password: hackme
-chpasswdExpire: false
-sshKeys: 
-  - YOUR_SSH_PUB_KEY_HERE
-  - ANOTHER_SSH_PUB_KEY_HERE
+  disk: 10Gi
 
-service:
-  ports:
-    - name: http
-      port: 80
-      targetPort: 80
-    - name: https
-      port: 443
-      targetPort: 443
+sshKeys:
+- ssh-rsa ...
+
+cloudInit: |
+  #cloud-config
+  user: fedora
+  password: fedora
+  chpasswd: { expire: False }
+  ssh_pwauth: True
 ```

packages/apps/virtual-machine/templates/secret.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.sshKeys }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "virtual-machine.fullname" $ }}-ssh-keys
+stringData:
+  {{- range $k, $v := .Values.sshKeys }}
+  key{{ $k }}: {{ quote $v }} 
+  {{- end }}
+{{- end }}
+{{- if .Values.cloudInit }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}-cloud-init
+stringData:
+  userdata: |
+    {{- .Values.cloudInit | nindent 4 }}
+{{- end }}

packages/apps/virtual-machine/templates/service.yaml

@@ -8,21 +8,14 @@ metadata:
     {{- include "virtual-machine.labels" . | nindent 4 }}
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
-  {{- if .Values.external }}
   externalTrafficPolicy: Local
   allocateLoadBalancerNodePorts: false
-  {{- end }}
   selector:
     {{- include "virtual-machine.labels" . | nindent 4 }}
   ports:
-    - name: ssh
-      port: 22
-      targetPort: 22
-    {{- if .Values.service.ports }}
-    {{- range .Values.service.ports }}
-    - name: {{ .name }}
-      port: {{ .port }}
-      targetPort: {{ .targetPort }}
-    {{- end }}
+    {{- range .Values.externalPorts }}
+    - name: port-{{ . }}
+      port: {{ . }}
+      targetPort: {{ . }}
     {{- end }}
 {{- end }}

packages/apps/virtual-machine/templates/vm.yaml

@@ -11,8 +11,9 @@ spec:
       name: {{ include "virtual-machine.fullname" . }}
     spec:
       pvc:
+        volumeMode: Block
         accessModes:
-        - ReadWriteOnce
+        - ReadWriteMany
         resources:
           requests:
             storage: {{ .Values.resources.disk | quote }}
@@ -28,7 +29,9 @@ spec:
           {{- else if eq .Values.image "fedora" }}
           url: https://download.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/Fedora-Cloud-Base-Generic.x86_64-40-1.14.qcow2
           {{- else if eq .Values.image "alpine" }}
-          url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-virt-3.20.2-x86_64.iso
+          url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/cloud/nocloud_alpine-3.20.2-x86_64-bios-tiny-r0.qcow2
+          {{- else if eq .Values.image "talos" }}
+          url: https://github.com/siderolabs/talos/releases/download/v1.7.6/nocloud-amd64.raw.xz
           {{- end }}
   template:
     metadata:
@@ -45,34 +48,39 @@ spec:
           - disk:
               bus: scsi
             name: systemdisk
+          {{- if or .Values.sshKeys .Values.cloudInit }}
           - disk:
               bus: virtio
             name: cloudinitdisk
+          {{- end }}
+          interfaces:
+          - name: default
+            bridge: {}
         machine:
           type: ""
         resources:
           requests:
             memory: {{ .Values.resources.memory | quote }}
+      {{- with .Values.sshKeys }}
+      accessCredentials:
+      - sshPublicKey:
+          source:
+            secret:
+              secretName: {{ include "virtual-machine.fullname" $ }}-ssh-keys
+          propagationMethod:
+            noCloud: {}
+      {{- end }}
       terminationGracePeriodSeconds: 30
       volumes:
-      - dataVolume:
+      - name: systemdisk
+        dataVolume:
           name: {{ include "virtual-machine.fullname" . }}
-        name: systemdisk
-      - cloudInitNoCloud:
-          userData: |-
-            #cloud-config
-            ssh_pwauth: {{ if .Values.sshPwauth | default false }}True{{ else }}False{{ end }}
-            disable_root: {{ if .Values.disableRoot | default false }}True{{ else }}False{{ end }}
-            password: {{ .Values.password }}
-            chpasswd: { expire: {{ if .Values.chpasswdExpire | default false }}True{{ else }}False{{ end }} }
-            ssh_authorized_keys:
-            {{- if .Values.sshKeys }}
-              {{- $keys := .Values.sshKeys }}
-              {{- if not (kindIs "slice" $keys) }}
-                {{- $keys = list $keys }}
-              {{- end }}
-              {{- range $keys }}
-              - {{ . }}
-              {{- end }}
-            {{- end }}
-        name: cloudinitdisk
+      {{- if or .Values.sshKeys .Values.cloudInit }}
+      - name: cloudinitdisk
+        cloudInitNoCloud:
+          secretRef:
+            name: {{ include "virtual-machine.fullname" . }}-cloud-init
+      {{- end }}
+      networks:
+      - name: default
+        pod: {}

packages/apps/virtual-machine/values.schema.json

@@ -7,6 +7,14 @@
       "description": "Enable external access from outside the cluster",
       "default": false
     },
+    "externalPorts": {
+      "type": "array",
+      "description": "Specify ports to forward from outside the cluster",
+      "default": "[]",
+      "items": {
+        "type": "integer"
+      }
+    },
     "running": {
       "type": "boolean",
       "description": "Determines if the virtual machine should be running",
@@ -14,13 +22,14 @@
     },
     "image": {
       "type": "string",
-      "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora`",
+      "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`",
       "default": "ubuntu",
       "enum": [
         "ubuntu",
         "cirros",
         "alpine",
-        "fedora"
+        "fedora",
+        "talos"
       ]
     },
     "storageClass": {
@@ -49,36 +58,18 @@
         }
       }
     },
-    "sshPwauth": {
-      "type": "boolean",
-      "description": "Enable password authentication for SSH. If set to `true`, users can log in using a password",
-      "default": true
-    },
-    "disableRoot": {
-      "type": "boolean",
-      "description": "Disable root login via SSH. If set to `true`, root login will be disabled",
-      "default": true
-    },
-    "password": {
-      "type": "string",
-      "description": "The default password for the virtual machine",
-      "default": "hackme"
-    },
-    "chpasswdExpire": {
-      "type": "boolean",
-      "description": "Set whether the password should expire",
-      "default": false
-    },
     "sshKeys": {
       "type": "array",
-      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys",
-      "default": [
-        "ssh-rsa ...",
-        "ssh-ed25519 ..."
-      ],
+      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys.",
+      "default": "[]",
       "items": {
         "type": "string"
       }
+    },
+    "cloudInit": {
+      "type": "string",
+      "description": "cloud-init user data config. See cloud-init documentation for more details.",
+      "default": "#cloud-config\n"
     }
   }
 }

packages/apps/virtual-machine/values.yaml

@@ -1,19 +1,18 @@
 ## @section Common parameters
 
 ## @param external Enable external access from outside the cluster
+## @param externalPorts [array] Specify ports to forward from outside the cluster
 ## @param running Determines if the virtual machine should be running
-## @param image The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora`
+## @param image The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`
 ## @param storageClass StorageClass used to store the data
 ## @param resources.cpu The number of CPU cores allocated to the virtual machine
 ## @param resources.memory The amount of memory allocated to the virtual machine
 ## @param resources.disk The size of the disk allocated for the virtual machine
-## @param sshPwauth Enable password authentication for SSH. If set to `true`, users can log in using a password
-## @param disableRoot Disable root login via SSH. If set to `true`, root login will be disabled
-## @param password The default password for the virtual machine
-## @param chpasswdExpire Set whether the password should expire
-## @param sshKeys List of SSH public keys for authentication. Can be a single key or a list of keys
 
 external: false
+externalPorts:
+- 22
+
 running: true
 image: ubuntu
 storageClass: replicated
@@ -21,10 +20,24 @@ resources:
   cpu: 1
   memory: 1024M
   disk: 5Gi
-sshPwauth: true
-disableRoot: true
-password: hackme
-chpasswdExpire: false
-sshKeys:
-  - ssh-rsa ...
-  - ssh-ed25519 ...
+
+## @param sshKeys [array] List of SSH public keys for authentication. Can be a single key or a list of keys.
+## Example:
+## sshKeys:
+##   - ssh-rsa ...
+##   - ssh-ed25519 ...
+##
+sshKeys: []
+
+## @param cloudInit cloud-init user data config. See cloud-init documentation for more details.
+## - https://cloudinit.readthedocs.io/en/latest/explanation/format.html
+## - https://cloudinit.readthedocs.io/en/latest/reference/examples.html
+## Example:
+## cloudInit: |
+##   #cloud-config
+##   password: ubuntu
+##   chpasswd: { expire: False }
+##
+cloudInit: |
+  #cloud-config
+

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.12.0@sha256:0917812850fd0359d5ba78fd819c0e4ce6d7c12eed9cd46813e7284064b71d30
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.14.0@sha256:5a0269683feb4fff24e9044a41453dbedbc857ad450102b275e1d05aa3aec081

packages/core/platform/bundles/distro-full.yaml

@@ -20,14 +20,11 @@ releases:
   namespace: cozy-cilium
   privileged: true
   dependsOn: []
+  valuesFiles:
+  - values.yaml
+  - values-talos.yaml
   values:
     cilium:
-      bpf:
-        masquerade: true
-      cni:
-        chainingMode: ~
-        customConf: false
-        configMap: ""
       enableIPv4Masquerade: true
       enableIdentityMark: true
       ipv4NativeRoutingCIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"

packages/core/platform/bundles/paas-full.yaml

@@ -20,6 +20,10 @@ releases:
   namespace: cozy-cilium
   privileged: true
   dependsOn: []
+  valuesFiles:
+  - values.yaml
+  - values-talos.yaml
+  - values-kubeovn.yaml
 
 - name: kubeovn
   releaseName: kubeovn

packages/core/platform/templates/helmreleases.yaml

@@ -39,6 +39,10 @@ spec:
         kind: HelmRepository
         name: cozystack-system
         namespace: cozy-system
+      {{- with $x.valuesFiles }}
+      valuesFiles:
+      {{- toYaml $x.valuesFiles | nindent 6 }}
+      {{- end }}
   {{- $values := dict }}
   {{- with $x.values }}
   {{- $values = merge . $values }}

packages/core/testing/templates/sandbox.yaml

@@ -10,6 +10,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: cozystack-e2e-{{ .Release.Name }}
+  namespace: cozy-e2e-tests
 spec:
   replicas: 1
   selector:

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.12.0@sha256:be1693c8ce6a9522499f79b1e42b2e08c7ca80405026a095299e5e990a3ab791
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.14.0@sha256:be1693c8ce6a9522499f79b1e42b2e08c7ca80405026a095299e5e990a3ab791

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -25,7 +25,7 @@ spec:
         resources:
           requests:
             storage: {{ .Values.size }}
-        {{- with .Values.stroageClass }}
+        {{- with .Values.storageClass }}
         storageClassName: {{ . }}
         {{- end }}
   security:

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.3.0
+version: 1.4.0

packages/extra/monitoring/Makefile

@@ -5,6 +5,6 @@ include ../../../scripts/package.mk
 generate:
 	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
 	cat values.schema.json.tmp | \
-		jq '.properties.metricsStorages.items.type = "object"' \
+		jq '.properties.metricsStorages.items.type = "object" | .properties.logsStorages.items.type = "object"' \
 		> values.schema.json
 	rm -f values.schema.json.tmp

packages/extra/monitoring/README.md

@@ -8,4 +8,5 @@
 | ----------------- | --------------------------------------------------------------------------------------------------------- | ------- |
 | `host`            | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`    |
 | `metricsStorages` | Configuration of metrics storage instances                                                                | `[]`    |
+| `logsStorages`    | Configuration of logs storage instances                                                                   | `[]`    |
 | `oncall.enabled`  | Enable Grafana OnCall                                                                                     | `false` |

packages/extra/monitoring/templates/grafana/grafana.yaml

@@ -26,11 +26,34 @@ spec:
     security:
       admin_user: user
       admin_password: ${GF_PASSWORD}
+    plugins:
+      allow_loading_unsigned_plugins: "victorialogs-datasource"
   deployment:
     spec:
       replicas: 2
       template:
         spec:
+          initContainers:
+            - name: "load-vm-ds-plugin"
+              image: "curlimages/curl:7.85.0"
+              command: [ "/bin/sh" ]
+              workingDir: "/var/lib/grafana"
+              securityContext:
+                runAsUser: 10001
+                runAsNonRoot: true
+                runAsGroup: 10001
+              args:
+                - "-c"
+                - |
+                  set -ex
+                  mkdir -p /var/lib/grafana/plugins/
+                  ver=$(curl -s https://api.github.com/repos/VictoriaMetrics/victorialogs-datasource/releases/latest | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
+                  curl -L https://github.com/VictoriaMetrics/victorialogs-datasource/releases/download/$ver/victorialogs-datasource-$ver.tar.gz -o /var/lib/grafana/plugins/vl-plugin.tar.gz
+                  tar -xf /var/lib/grafana/plugins/vl-plugin.tar.gz -C /var/lib/grafana/plugins/
+                  rm /var/lib/grafana/plugins/vl-plugin.tar.gz
+              volumeMounts:
+                - name: grafana-data
+                  mountPath: /var/lib/grafana
           containers:
             - name: grafana
               image: grafana/grafana:10.1.0

packages/extra/monitoring/templates/oncall/oncall-release.yaml

@@ -15,9 +15,9 @@ spec:
       reconcileStrategy: Revision
       sourceRef:
         kind: HelmRepository
-        name: cozystack-extra
-        namespace: cozy-public
-      version: 0.1.0
+        name: cozystack-system
+        namespace: cozy-system
+      version: '*'
   interval: 1m0s
   timeout: 5m0s
   values:

packages/extra/monitoring/templates/vlogs/grafana-datasource.yaml

@@ -0,0 +1,15 @@
+{{- range .Values.logsStorages }}
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDatasource
+metadata:
+  name: vlogs-{{ .name }}
+spec:
+  datasource:
+    access: proxy
+    type: victorialogs-datasource
+    name: vlogs-{{ .name }}
+    url: http://vlogs-{{ .name }}.{{ $.Release.Namespace }}.svc:9428
+  instanceSelector:
+    matchLabels:
+      dashboards: grafana
+{{- end }}

packages/extra/monitoring/templates/vlogs/vlogs.yaml

@@ -0,0 +1,15 @@
+{{- range .Values.logsStorages }}
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VLogs
+metadata:
+  name: {{ .name }}
+spec:
+  storage:
+    resources:
+      requests:
+        storage: {{ .storage }}
+    storageClassName: {{ .storageClassName }}
+    accessModes: [ReadWriteOnce]
+  retentionPeriod: "{{ .retentionPeriod }}"
+  removePvcAfterDelete: true
+{{- end }}

packages/extra/monitoring/templates/vm/grafana-datasource.yaml

@@ -4,13 +4,13 @@
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDatasource
 metadata:
-  name: {{ .name }}
+  name: vm-{{ .name }}
 spec:
   instanceSelector:
     matchLabels:
       dashboards: grafana
   datasource:
-    name: {{ .name }}
+    name: vm-{{ .name }}
     type: prometheus
     access: proxy
     url: http://vmselect-{{ .name }}.{{ $.Release.Namespace }}.svc:8481/select/0/prometheus/

packages/extra/monitoring/templates/vm/vmalertmanager.yaml

@@ -27,3 +27,6 @@ metadata:
 spec:
   replicaCount: 2
   configSecret: alertmanager
+  podMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"

packages/extra/monitoring/values.schema.json

@@ -15,6 +15,14 @@
         "type": "object"
       }
     },
+    "logsStorages": {
+      "type": "array",
+      "description": "Configuration of logs storage instances",
+      "default": "[]",
+      "items": {
+        "type": "object"
+      }
+    },
     "oncall": {
       "type": "object",
       "properties": {

packages/extra/monitoring/values.yaml

@@ -17,6 +17,14 @@ metricsStorages:
   storage: 10Gi
   storageClassName: ""
 
+## @param logsStorages [array] Configuration of logs storage instances
+##
+logsStorages:
+- name: generic
+  retentionPeriod: "1"
+  storage: 10Gi
+  storageClassName: replicated
+
 ## @param oncall.enabled Enable Grafana OnCall
 ## 
 oncall:

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -34,7 +34,7 @@ spec:
         - name: data1
           type: "persistentVolumeClaim"
           size: "{{ .Values.size }}"
-          {{- with .Values.stroageClass }}
+          {{- with .Values.storageClass }}
           storageClass: {{ . }}
           {{- end }}
           maxVolumes: 0
@@ -50,7 +50,7 @@ spec:
             cert-manager.io/cluster-issuer: letsencrypt-prod
           tls:
             - hosts:
-              - {{ .Values.host | default (printf "seaweedfs.%s" $host) }}
+              - {{ .Values.host | default (printf "s3.%s" $host) }}
               secretName: {{ .Release.Name }}-s3-ingress-tls
 
       cosi:

packages/extra/versions_map

@@ -11,6 +11,7 @@ monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
 monitoring 1.2.0 c9e0d63b
 monitoring 1.2.1 4471b4ba
-monitoring 1.3.0 HEAD
+monitoring 1.3.0 6c5cf5b
+monitoring 1.4.0 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 HEAD

packages/system/cilium/values-kubeovn.yaml

@@ -0,0 +1,19 @@
+cilium:
+  sctp:
+    enabled: true
+  autoDirectNodeRoutes: false
+  kubeProxyReplacement: true
+  bpf:
+    masquerade: false
+  cni:
+    chainingMode: generic-veth
+    chainingTarget: kube-ovn
+    customConf: true
+    configMap: cni-configuration
+  routingMode: native
+  enableIPv4Masquerade: false
+  enableIPv6Masquerade: false
+  enableIdentityMark: false
+  enableRuntimeDeviceDetection: true
+  forceDeviceDetection: true
+  devices: ovn0

packages/system/cilium/values-talos.yaml

@@ -0,0 +1,7 @@
+cilium:
+  cgroup:
+    autoMount:
+      enabled: false
+    hostRoot: /sys/fs/cgroup
+  k8sServiceHost: localhost
+  k8sServicePort: 7445

packages/system/cilium/values.yaml

@@ -3,34 +3,12 @@ cilium:
     enabled: false
   externalIPs:
     enabled: true
-  autoDirectNodeRoutes: false
-  kubeProxyReplacement: true
-  bpf:
-    masquerade: false
+  nodePort:
+    enabled: true
   loadBalancer:
     algorithm: maglev
-  cgroup:
-    autoMount:
-      enabled: false
-    hostRoot: /sys/fs/cgroup
   ipam:
     mode: "kubernetes"
-  k8sServiceHost: localhost
-  k8sServicePort: 7445
-  cni:
-    chainingMode: generic-veth
-    customConf: true
-    configMap: cni-configuration
-  routingMode: native
-  enableIPv4Masquerade: false
-  enableIPv6Masquerade: false
-  enableIdentityMark: false
-  enableRuntimeDeviceDetection: true
-  forceDeviceDetection: true
-  devices: ovn0
-  extraEnv:
-    - name: CILIUM_ENFORCE_DEVICE_DETECTION
-      value: "true"
   image:
     repository: ghcr.io/aenix-io/cozystack/cilium
     tag: 1.16.1

packages/system/dashboard/values.yaml

@@ -33,11 +33,11 @@ kubeapps:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.12.0
-      digest: sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb
+      tag: v0.14.0
+      digest: "sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.12.0
-      digest: "sha256:5eee4c2207f23a6d5317c08bbedfd71b8b22f733b834cd370f1313fb428a22d0"
+      tag: v0.14.0
+      digest: "sha256:7918268647b8f4862f312df9ba42e9edfd2f703223259e2e8b9e02da1ad71cc4"

packages/system/kamaji/values.yaml

@@ -3,5 +3,5 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.12.0@sha256:197d7c36f76d4d9c09cc82eb87f9e36f05799a2b9158ae27e4729f2dd636ad0d
+    tag: v0.14.0@sha256:47bf03ba0f5a4c25eb53df94a1962bbd2423b1b3d027de26945b06a363eebf2e
     repository: ghcr.io/aenix-io/cozystack/kamaji

packages/system/kubeovn/values.yaml

@@ -22,4 +22,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.13.0@sha256:55b3ed5d4b628216378040e445aadc3d1cd817ff4d17eb081d884c6e00fb51e2
+      tag: v1.13.0@sha256:5c27a22f6b0a19c9a546e838a80ef73c32b863278cc209d7393555ad8a4f744a

packages/system/kubevirt-cdi/templates/cdi-cr.yaml

@@ -6,6 +6,7 @@ spec:
   config:
     featureGates:
     - HonorWaitForFirstConsumer
+    - ExpandDisks
   imagePullPolicy: IfNotPresent
   infra:
     nodeSelector:

packages/system/kubevirt/templates/kubevirt-cr.yaml

@@ -10,6 +10,7 @@ spec:
     developerConfiguration:
       featureGates:
       - HotplugVolumes
+      - ExpandDisks
   customizeComponents: {}
   imagePullPolicy: IfNotPresent
   workloadUpdateStrategy: {}

packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.0.28
+appVersion: v0.0.30
 description: Run and operate MariaDB in a cloud native way
 home: https://github.com/mariadb-operator/mariadb-operator
 icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
@@ -10,10 +10,10 @@ keywords:
 - mariadb-operator
 - database
 - maxscale
-kubeVersion: '>= 1.16.0-0'
+kubeVersion: '>=1.26.0-0'
 maintainers:
 - email: mariadb-operator@proton.me
   name: mmontes11
 name: mariadb-operator
 type: application
-version: 0.28.1
+version: 0.30.0

packages/system/mariadb-operator/charts/mariadb-operator/README.md

@@ -6,13 +6,13 @@
 <img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
 </p>
 
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.28.1](https://img.shields.io/badge/Version-0.28.1-informational?style=flat-square) ![AppVersion: v0.0.28](https://img.shields.io/badge/AppVersion-v0.0.28-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.30.0](https://img.shields.io/badge/Version-0.30.0-informational?style=flat-square) ![AppVersion: v0.0.30](https://img.shields.io/badge/AppVersion-v0.0.30-informational?style=flat-square)
 
 Run and operate MariaDB in a cloud native way
 
 ## Installing
 ```bash
-helm repo add mariadb-operator https://mariadb-operator.github.io/mariadb-operator
+helm repo add mariadb-operator https://helm.mariadb.com/mariadb-operator
 helm install mariadb-operator mariadb-operator/mariadb-operator
 ```
 
@@ -36,7 +36,7 @@ helm uninstall mariadb-operator
 | certController.ha.enabled | bool | `false` | Enable high availability |
 | certController.ha.replicas | int | `3` | Number of replicas |
 | certController.image.pullPolicy | string | `"IfNotPresent"` |  |
-| certController.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
+| certController.image.repository | string | `"docker-registry3.mariadb.com/mariadb-operator/mariadb-operator"` |  |
 | certController.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
 | certController.imagePullSecrets | list | `[]` |  |
 | certController.lookaheadValidity | string | `"2160h"` | Duration used to verify whether a certificate is valid or not. |
@@ -59,13 +59,14 @@ helm uninstall mariadb-operator
 | clusterName | string | `"cluster.local"` | Cluster DNS name |
 | extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |
 | extraEnv | list | `[]` | Extra environment variables to be passed to the controller |
+| extraEnvFrom | list | `[]` | Extra environment variables from preexiting ConfigMap / Secret objects used by the controller using envFrom |
 | extraVolumeMounts | list | `[]` | Extra volumes to mount to the container. |
 | extraVolumes | list | `[]` | Extra volumes to pass to pod. |
 | fullnameOverride | string | `""` |  |
 | ha.enabled | bool | `false` | Enable high availability |
 | ha.replicas | int | `3` | Number of replicas |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
+| image.repository | string | `"docker-registry3.mariadb.com/mariadb-operator/mariadb-operator"` |  |
 | image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
 | imagePullSecrets | list | `[]` |  |
 | logLevel | string | `"INFO"` | Controller log level |
@@ -78,6 +79,7 @@ helm uninstall mariadb-operator
 | nodeSelector | object | `{}` | Node selectors to add to controller Pod |
 | podAnnotations | object | `{}` | Annotations to add to controller Pod |
 | podSecurityContext | object | `{}` | Security context to add to controller Pod |
+| rbac.aggregation.enabled | bool | `true` | Specifies whether the cluster roles aggrate to view and edit predefinied roles |
 | rbac.enabled | bool | `true` | Specifies whether RBAC resources should be created |
 | resources | object | `{}` | Resources to add to controller container |
 | securityContext | object | `{}` | Security context to add to controller container |
@@ -89,12 +91,14 @@ helm uninstall mariadb-operator
 | tolerations | list | `[]` | Tolerations to add to controller Pod |
 | webhook.affinity | object | `{}` | Affinity to add to controller Pod |
 | webhook.annotations | object | `{}` | Annotations for webhook configurations. |
-| webhook.cert.caPath | string | `"/tmp/k8s-webhook-server/certificate-authority"` | Path where the CA certificate will be mounted. |
+| webhook.cert.ca.key | string | `""` | File under 'ca.path' that contains the full CA trust chain. |
+| webhook.cert.ca.path | string | `""` | Path that contains the full CA trust chain. |
 | webhook.cert.certManager.duration | string | `""` | Duration to be used in the Certificate resource, |
 | webhook.cert.certManager.enabled | bool | `false` | Whether to use cert-manager to issue and rotate the certificate. If set to false, mariadb-operator's cert-controller will be used instead. |
 | webhook.cert.certManager.issuerRef | object | `{}` | Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used. |
 | webhook.cert.certManager.renewBefore | string | `""` | Renew before duration to be used in the Certificate resource. |
-| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
+| webhook.cert.certManager.revisionHistoryLimit | int | `3` | The maximum number of CertificateRequest revisions that are maintained in the Certificate’s history. |
+| webhook.cert.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. 'tls.crt' and 'tls.key' certificates files should be under this path. |
 | webhook.cert.secretAnnotations | object | `{}` | Annotatioms to be added to webhook TLS secret. |
 | webhook.cert.secretLabels | object | `{}` | Labels to be added to webhook TLS secret. |
 | webhook.extrArgs | list | `[]` | Extra arguments to be passed to the webhook entrypoint |
@@ -104,7 +108,7 @@ helm uninstall mariadb-operator
 | webhook.ha.replicas | int | `3` | Number of replicas |
 | webhook.hostNetwork | bool | `false` | Expose the webhook server in the host network |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
-| webhook.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` |  |
+| webhook.image.repository | string | `"docker-registry3.mariadb.com/mariadb-operator/mariadb-operator"` |  |
 | webhook.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
 | webhook.imagePullSecrets | list | `[]` |  |
 | webhook.nodeSelector | object | `{}` | Node selectors to add to controller Pod |

packages/system/mariadb-operator/charts/mariadb-operator/README.md.gotmpl

@@ -1,4 +1,4 @@
-{{ $chartRepo := "https://mariadb-operator.github.io/mariadb-operator" }}
+{{ $chartRepo := "https://helm.mariadb.com/mariadb-operator" }}
 {{ $org := "mariadb-operator" }}
 {{ $release := "mariadb-operator" }}
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)

packages/system/mariadb-operator/charts/mariadb-operator/templates/_helpers.tpl

@@ -70,6 +70,34 @@ app.kubernetes.io/name: {{ include "mariadb-operator.name" . }}-webhook
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Webhook CA path to use cert-controller issued certificates
+*/}}
+{{- define "mariadb-operator-webhook.certControllerCAPath" -}}
+{{ .Values.webhook.cert.ca.path | default "/tmp/k8s-webhook-server/certificate-authority" }}
+{{- end }}
+
+{{/*
+Webhook CA full path to use cert-controller issued certificates
+*/}}
+{{- define "mariadb-operator-webhook.certControllerFullCAPath" -}}
+{{- printf "%s/%s" (include "mariadb-operator-webhook.certControllerCAPath" .) (.Values.webhook.cert.ca.key | default "tls.crt") }}
+{{- end }}
+
+{{/*
+Webhook CA path to use cert-manager issued certificates
+*/}}
+{{- define "mariadb-operator-webhook.certManagerCAPath" -}}
+{{ .Values.webhook.cert.ca.path | default .Values.webhook.cert.path }}
+{{- end }}
+
+{{/*
+Webhook CA full path to use cert-manager issued certificates
+*/}}
+{{- define "mariadb-operator-webhook.certManagerFullCAPath" -}}
+{{- printf "%s/%s" (include "mariadb-operator-webhook.certManagerCAPath" .) (.Values.webhook.cert.ca.key | default "ca.crt") }}
+{{- end }}
+
 {{/*
 Cert-controller common labels
 */}}

packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml

@@ -1,13 +1,12 @@
 apiVersion: v1
 data:
-  MARIADB_GALERA_AGENT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
-  MARIADB_GALERA_INIT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
+  MARIADB_ENTRYPOINT_VERSION: "11.4"
   MARIADB_GALERA_LIB_PATH: /usr/lib/galera/libgalera_smm.so
-  MARIADB_OPERATOR_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
+  MARIADB_OPERATOR_IMAGE: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator:v0.0.30
   RELATED_IMAGE_EXPORTER: prom/mysqld-exporter:v0.15.1
-  RELATED_IMAGE_EXPORTER_MAXSCALE: mariadb/maxscale-prometheus-exporter-ubi:latest
-  RELATED_IMAGE_MARIADB: mariadb:10.11.7
-  RELATED_IMAGE_MAXSCALE: mariadb/maxscale:23.08
+  RELATED_IMAGE_EXPORTER_MAXSCALE: docker-registry2.mariadb.com/mariadb/maxscale-prometheus-exporter-ubi:v0.0.1
+  RELATED_IMAGE_MARIADB: docker-registry1.mariadb.com/library/mariadb:11.4.3
+  RELATED_IMAGE_MAXSCALE: docker-registry2.mariadb.com/mariadb/maxscale:23.08.5
 kind: ConfigMap
 metadata:
   creationTimestamp: null

packages/system/mariadb-operator/charts/mariadb-operator/templates/deployment.yaml

@@ -63,6 +63,9 @@ spec:
           envFrom:
             - configMapRef:
                 name: mariadb-operator-env
+            {{- with .Values.extraEnvFrom }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           env:
             - name: CLUSTER_NAME
               value: {{ .Values.clusterName }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac-user.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.rbac.enabled -}}
+{{ $fullName := include "mariadb-operator.fullname" . }}
+# the mariadb-view ClusterRole allows viewing all k8s.mariadb.com resources
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $fullName }}-view
+  {{- if .Values.rbac.aggregation.enabled }}
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  {{- end }}
+rules:
+- apiGroups: ["k8s.mariadb.com"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+---
+# the mariadb-edit ClusterRole allows editing k8s.mariadb.com resources
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $fullName }}-edit
+  {{- if .Values.rbac.aggregation.enabled }}
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  {{- end }}
+rules:
+- apiGroups: ["k8s.mariadb.com"]
+  resources: ["*"]
+  verbs: ["create", "update", "patch", "delete"]
+{{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml

@@ -57,15 +57,6 @@ rules:
   - ""
   resources:
   - endpoints
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - ""
-  resources:
   - endpoints/restricted
   verbs:
   - create
@@ -77,6 +68,9 @@ rules:
   - ""
   resources:
   - events
+  - secrets
+  - serviceaccounts
+  - services
   verbs:
   - create
   - list
@@ -104,30 +98,9 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - secrets
+  - pods/log
   verbs:
-  - create
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - create
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - create
-  - list
-  - patch
-  - watch
+  - get
 - apiGroups:
   - apps
   resources:
@@ -183,6 +156,14 @@ rules:
   - k8s.mariadb.com
   resources:
   - backups
+  - connections
+  - databases
+  - grants
+  - mariadbs
+  - maxscales
+  - restores
+  - sqljobs
+  - users
   verbs:
   - create
   - delete
@@ -195,248 +176,41 @@ rules:
   - k8s.mariadb.com
   resources:
   - backups/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - backups/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - connections
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - connections
-  - grants
-  - maxscale
-  - restores
-  - users
-  verbs:
-  - create
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - connections
-  - grants
-  - users
-  verbs:
-  - create
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
   - connections/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - connections/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - databases
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
   - databases/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - databases/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - grants
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
   - grants/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - grants/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - mariadbs
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
   - mariadbs/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - mariadbs/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - maxscales
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
   - maxscales/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - maxscales/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - restores
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
   - restores/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - restores/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - sqljobs
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
   - sqljobs/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - sqljobs/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
-  - users
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - k8s.mariadb.com
-  resources:
   - users/finalizers
   verbs:
   - update
 - apiGroups:
   - k8s.mariadb.com
   resources:
+  - backups/status
+  - connections/status
+  - databases/status
+  - grants/status
+  - mariadbs/status
+  - maxscales/status
+  - restores/status
+  - sqljobs/status
   - users/status
   verbs:
   - get
   - patch
   - update
+- apiGroups:
+  - k8s.mariadb.com
+  resources:
+  - maxscale
+  verbs:
+  - create
+  - list
+  - patch
+  - watch
 - apiGroups:
   - monitoring.coreos.com
   resources:

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-certificate.yaml

@@ -36,7 +36,11 @@ spec:
   {{- with .Values.webhook.cert.certManager.renewBefore }}
   renewBefore: {{ . | quote }}
   {{- end }}
+  {{- with .Values.webhook.cert.certManager.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ . }}
+  {{- end }}
   secretName: {{ include "mariadb-operator.fullname" . }}-webhook-cert
+  {{- if or (.Values.webhook.cert.secretLabels) (.Values.webhook.cert.secretAnnotations) }}
   secretTemplate:
     {{- with .Values.webhook.cert.secretLabels }}
     labels:
@@ -44,6 +48,7 @@ spec:
     {{- end }}
     {{- with .Values.webhook.cert.secretAnnotations }}
     annotations:
-      {{- toYaml . | nindent 4 }}
+      {{- toYaml . | nindent 6 }}
     {{- end }}
+  {{- end }}
 {{ end }}

packages/system/mariadb-operator/charts/mariadb-operator/templates/webhook-deployment.yaml

@@ -51,9 +51,9 @@ spec:
           args:
             - webhook
             {{- if .Values.webhook.cert.certManager.enabled }}
-            - --ca-cert-path={{ .Values.webhook.cert.path }}/ca.crt
+            - --ca-cert-path={{ include "mariadb-operator-webhook.certManagerFullCAPath" . }}
             {{- else }}
-            - --ca-cert-path={{ .Values.webhook.cert.caPath }}/tls.crt
+            - --ca-cert-path={{ include "mariadb-operator-webhook.certControllerFullCAPath" . }}
             {{- end }}
             - --cert-dir={{ .Values.webhook.cert.path }}
             - --dns-name={{ $fullName }}-webhook.{{ .Release.Namespace }}.svc
@@ -76,7 +76,7 @@ spec:
               name: health
           volumeMounts:
             {{- if not .Values.webhook.cert.certManager.enabled }}
-            - mountPath: {{ .Values.webhook.cert.caPath }}
+            - mountPath: {{ include "mariadb-operator-webhook.certControllerCAPath" . }}
               name: ca
               readOnly: true
             {{- end }}

packages/system/mariadb-operator/charts/mariadb-operator/values.yaml

@@ -2,7 +2,7 @@ nameOverride: ""
 fullnameOverride: ""
 
 image:
-  repository: ghcr.io/mariadb-operator/mariadb-operator
+  repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
   pullPolicy: IfNotPresent
   # -- Image tag to use. By default the chart appVersion is used
   tag: ""
@@ -51,12 +51,20 @@ rbac:
   # -- Specifies whether RBAC resources should be created
   enabled: true
 
+  aggregation:
+
+    # -- Specifies whether the cluster roles aggrate to view and edit predefinied roles
+    enabled: true
+
 # -- Extra arguments to be passed to the controller entrypoint
 extrArgs: []
 
 # -- Extra environment variables to be passed to the controller
 extraEnv: []
 
+# -- Extra environment variables from preexiting ConfigMap / Secret objects used by the controller using envFrom
+extraEnvFrom: []
+
 # -- Extra volumes to pass to pod.
 extraVolumes: []
 
@@ -89,7 +97,7 @@ affinity: {}
 
 webhook:
   image:
-    repository: ghcr.io/mariadb-operator/mariadb-operator
+    repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
     pullPolicy: IfNotPresent
     # -- Image tag to use. By default the chart appVersion is used
     tag: ""
@@ -105,17 +113,22 @@ webhook:
       enabled: false
       # -- Issuer reference to be used in the Certificate resource. If not provided, a self-signed issuer will be used.
       issuerRef: {}
-       # -- Duration to be used in the Certificate resource,
+      # -- Duration to be used in the Certificate resource,
       duration: ""
-       # -- Renew before duration to be used in the Certificate resource.
+      # -- Renew before duration to be used in the Certificate resource.
       renewBefore: ""
+      # -- The maximum number of CertificateRequest revisions that are maintained in the Certificate’s history.
+      revisionHistoryLimit: 3
     # -- Annotatioms to be added to webhook TLS secret.
     secretAnnotations: {}
     # -- Labels to be added to webhook TLS secret.
     secretLabels: {}
-    # -- Path where the CA certificate will be mounted.
-    caPath: /tmp/k8s-webhook-server/certificate-authority
-    # -- Path where the certificate will be mounted.
+    ca:
+      # -- Path that contains the full CA trust chain.
+      path: ""
+      # -- File under 'ca.path' that contains the full CA trust chain.
+      key: ""
+    # -- Path where the certificate will be mounted. 'tls.crt' and 'tls.key' certificates files should be under this path.
     path: /tmp/k8s-webhook-server/serving-certs
   # -- Port to be used by the webhook server
   port: 9443
@@ -173,7 +186,7 @@ certController:
   # -- Specifies whether the cert-controller should be created.
   enabled: true
   image:
-    repository: ghcr.io/mariadb-operator/mariadb-operator
+    repository: docker-registry3.mariadb.com/mariadb-operator/mariadb-operator
     pullPolicy: IfNotPresent
     # -- Image tag to use. By default the chart appVersion is used
     tag: ""

packages/system/mariadb-operator/values.yaml

@@ -1,4 +1,5 @@
 mariadb-operator:
+  clusterName: cozy.local
   metrics:
     enabled: true
   webhook:

packages/system/monitoring/Makefile

@@ -15,3 +15,7 @@ update:
 	helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/
 	helm repo update metrics-server
 	helm pull metrics-server/metrics-server --untar --untardir charts
+	# Fluent-bit
+	helm repo add fluent https://fluent.github.io/helm-charts
+	helm repo update fluent
+	helm pull fluent/fluent-bit --untar --untardir charts

packages/system/monitoring/charts/fluent-bit/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

packages/system/monitoring/charts/fluent-bit/Chart.yaml

@@ -0,0 +1,27 @@
+annotations:
+  artifacthub.io/changes: |
+    - kind: changed
+      description: "Updated Fluent Bit OCI image to v3.1.6."
+apiVersion: v1
+appVersion: 3.1.6
+description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD
+  family operating systems.
+home: https://fluentbit.io/
+icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/fluentd/fluentbit/icon/fluentbit-icon-color.svg
+keywords:
+- logging
+- fluent-bit
+- fluentd
+maintainers:
+- email: eduardo@calyptia.com
+  name: edsiper
+- email: naseem@transit.app
+  name: naseemkullah
+- email: towmeykaw@gmail.com
+  name: Towmeykaw
+- email: steve.hipwell@gmail.com
+  name: stevehipwell
+name: fluent-bit
+sources:
+- https://github.com/fluent/fluent-bit/
+version: 0.47.7

packages/system/monitoring/charts/fluent-bit/README.md

@@ -0,0 +1,57 @@
+# Fluent Bit Helm chart
+
+[Fluent Bit](https://fluentbit.io) is a fast and lightweight log processor and forwarder or Linux, OSX and BSD family operating systems.
+
+## Installation
+
+To add the `fluent` helm repo, run:
+
+```sh
+helm repo add fluent https://fluent.github.io/helm-charts
+```
+
+To install a release named `fluent-bit`, run:
+
+```sh
+helm install fluent-bit fluent/fluent-bit
+```
+
+## Chart values
+
+```sh
+helm show values fluent/fluent-bit
+```
+
+## Using Lua scripts
+Fluent Bit allows us to build filter to modify the incoming records using custom [Lua scripts.](https://docs.fluentbit.io/manual/pipeline/filters/lua)
+
+### How to use Lua scripts with this Chart
+
+First, you should add your Lua scripts to `luaScripts` in values.yaml, for example:
+
+```yaml
+luaScripts:
+  filter_example.lua: |
+    function filter_name(tag, timestamp, record)
+        -- put your lua code here.
+    end
+```
+
+After that, the Lua scripts will be ready to be used as filters. So next step is to add your Fluent bit [filter](https://docs.fluentbit.io/manual/concepts/data-pipeline/filter) to `config.filters` in values.yaml, for example:
+
+```yaml
+config:
+  filters: |
+    [FILTER]
+        Name    lua
+        Match   <your-tag>
+        script  /fluent-bit/scripts/filter_example.lua
+        call    filter_name
+```
+Under the hood, the chart will:
+- Create a configmap using `luaScripts`.
+- Add a volumeMounts for each Lua scripts using the path `/fluent-bit/scripts/<script>`.
+- Add the Lua script's configmap as volume to the pod.
+
+### Note
+Remember to set the `script` attribute in the filter using `/fluent-bit/scripts/`, otherwise the file will not be found by fluent bit.

packages/system/monitoring/charts/fluent-bit/ci/ci-values.yaml

@@ -0,0 +1,7 @@
+testFramework:
+  enabled: true
+
+logLevel: debug
+
+dashboards:
+  enabled: true

packages/system/monitoring/charts/fluent-bit/templates/NOTES.txt

@@ -0,0 +1,6 @@
+Get Fluent Bit build information by running these commands:
+
+export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "fluent-bit.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 2020:2020
+curl http://127.0.0.1:2020 
+

packages/system/monitoring/charts/fluent-bit/templates/_helpers.tpl

@@ -0,0 +1,138 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fluent-bit.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fluent-bit.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fluent-bit.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "fluent-bit.labels" -}}
+helm.sh/chart: {{ include "fluent-bit.chart" . }}
+{{ include "fluent-bit.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "fluent-bit.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "fluent-bit.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "fluent-bit.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "fluent-bit.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Fluent-bit image with tag/digest
+*/}}
+{{- define "fluent-bit.image" -}}
+{{- $tag := ternary "" (printf ":%s" (toString .tag)) (or (empty .tag) (eq "-" (toString .tag))) -}}
+{{- $digest := ternary "" (printf "@%s" .digest) (empty .digest) -}}
+{{- printf "%s%s%s" .repository $tag $digest -}}
+{{- end -}}
+
+{{/*
+Ingress ApiVersion according k8s version
+*/}}
+{{- define "fluent-bit.ingress.apiVersion" -}}
+{{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion) -}}
+networking.k8s.io/v1
+{{- else if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") (semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion) -}}
+networking.k8s.io/v1beta1
+{{- else -}}
+extensions/v1beta1
+{{- end }}
+{{- end }}
+
+{{/*
+Return if ingress is stable.
+*/}}
+{{- define "fluent-bit.ingress.isStable" -}}
+  {{- eq (include "fluent-bit.ingress.apiVersion" .) "networking.k8s.io/v1" -}}
+{{- end -}}
+{{/*
+Return if ingress supports ingressClassName.
+*/}}
+{{- define "fluent-bit.ingress.supportsIngressClassName" -}}
+  {{- or (eq (include "fluent-bit.ingress.isStable" .) "true") (and (eq (include "fluent-bit.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
+{{- end -}}
+{{/*
+Return if ingress supports pathType.
+*/}}
+{{- define "fluent-bit.ingress.supportsPathType" -}}
+  {{- or (eq (include "fluent-bit.ingress.isStable" .) "true") (and (eq (include "fluent-bit.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
+{{- end -}}
+
+{{/*
+Pdb apiVersion according k8s version and capabilities
+*/}}
+{{- define "fluent-bit.pdb.apiVersion" -}}
+{{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) -}}
+policy/v1
+{{- else -}}
+policy/v1beta1
+{{- end }}
+{{- end -}}
+
+{{/*
+HPA ApiVersion according k8s version
+Check legacy first so helm template / kustomize will default to latest version
+*/}}
+{{- define "fluent-bit.hpa.apiVersion" -}}
+{{- if and (.Capabilities.APIVersions.Has "autoscaling/v2beta2") (semverCompare "<1.23-0" .Capabilities.KubeVersion.GitVersion) -}}
+autoscaling/v2beta2
+{{- else -}}
+autoscaling/v2
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of OpenShift SecurityContextConstraints to use
+*/}}
+{{- define "fluent-bit.openShiftSccName" -}}
+{{- if not .Values.openShift.securityContextConstraints.create -}}
+{{- printf "%s" .Values.openShift.securityContextConstraints.existingName -}}
+{{- else -}}
+{{- printf "%s" (default (include "fluent-bit.fullname" .) .Values.openShift.securityContextConstraints.name) -}}
+{{- end -}}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/_pod.tpl

@@ -0,0 +1,155 @@
+{{- define "fluent-bit.pod" -}}
+serviceAccountName: {{ include "fluent-bit.serviceAccountName" . }}
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- if .Values.priorityClassName }}
+priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+{{- with .Values.podSecurityContext }}
+securityContext:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.terminationGracePeriodSeconds }}
+terminationGracePeriodSeconds: {{ . }}
+{{- end }}
+hostNetwork: {{ .Values.hostNetwork }}
+dnsPolicy: {{ .Values.dnsPolicy }}
+{{- with .Values.dnsConfig }}
+dnsConfig:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.hostAliases }}
+hostAliases:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.initContainers }}
+initContainers:
+{{- if kindIs "string" . }}
+  {{- tpl . $ | nindent 2 }}
+{{- else }}
+  {{-  toYaml . | nindent 2 }}
+{{- end -}}
+{{- end }}
+containers:
+  - name: {{ .Chart.Name }}
+  {{- with .Values.securityContext }}
+    securityContext:
+      {{- toYaml . | nindent 6 }}
+  {{- end }}
+    image: {{ include "fluent-bit.image" (merge .Values.image (dict "tag" (default .Chart.AppVersion .Values.image.tag))) | quote }}
+    imagePullPolicy: {{ .Values.image.pullPolicy }}
+  {{- if or .Values.env .Values.envWithTpl }}
+    env:
+    {{- with .Values.env }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- range $item := .Values.envWithTpl }}
+      - name: {{ $item.name }}
+        value: {{ tpl $item.value $ | quote }}
+    {{- end }}
+  {{- end }}
+  {{- if .Values.envFrom }}
+    envFrom:
+      {{- toYaml .Values.envFrom | nindent 6 }}
+  {{- end }}
+  {{- with .Values.command }}
+    command:
+      {{- toYaml . | nindent 6 }}
+  {{- end }}
+  {{- if or .Values.args .Values.hotReload.enabled }}
+    args:
+      {{- toYaml .Values.args | nindent 6 }}
+    {{- if .Values.hotReload.enabled }}
+      - --enable-hot-reload
+    {{- end }}
+  {{- end}}
+    ports:
+      - name: http
+        containerPort: {{ .Values.metricsPort }}
+        protocol: TCP
+    {{- if .Values.extraPorts }}
+      {{- range .Values.extraPorts }}
+      - name: {{ .name }}
+        containerPort: {{ .containerPort }}
+        protocol: {{ .protocol }}
+      {{- end }}
+    {{- end }}
+  {{- with .Values.lifecycle }}
+    lifecycle:
+      {{- toYaml . | nindent 6 }}
+  {{- end }}
+    livenessProbe:
+      {{- toYaml .Values.livenessProbe | nindent 6 }}
+    readinessProbe:
+      {{- toYaml .Values.readinessProbe | nindent 6 }}
+  {{- with .Values.resources }}
+    resources:
+      {{- toYaml . | nindent 6 }}
+  {{- end }}
+    volumeMounts:
+      - name: config
+        mountPath: /fluent-bit/etc/conf
+    {{- if or .Values.luaScripts .Values.hotReload.enabled }}
+      - name: luascripts
+        mountPath: /fluent-bit/scripts
+    {{- end }}
+    {{- if eq .Values.kind "DaemonSet" }}
+      {{- toYaml .Values.daemonSetVolumeMounts | nindent 6 }}
+    {{- end }}
+    {{- if .Values.extraVolumeMounts }}
+      {{- toYaml .Values.extraVolumeMounts | nindent 6 }}
+    {{- end }}
+{{- if .Values.hotReload.enabled }}
+  - name: reloader
+    image: {{ include "fluent-bit.image" .Values.hotReload.image }}
+    args:
+      - {{ printf "-webhook-url=http://localhost:%s/api/v2/reload" (toString .Values.metricsPort) }}
+      - -volume-dir=/watch/config
+      - -volume-dir=/watch/scripts
+    volumeMounts:
+      - name: config
+        mountPath: /watch/config
+      - name: luascripts
+        mountPath: /watch/scripts
+    {{- with .Values.hotReload.resources }}
+    resources:
+      {{- toYaml . | nindent 12 }}
+    {{- end }}
+{{- end }}
+{{- if .Values.extraContainers }}
+  {{- if kindIs "string" .Values.extraContainers }}
+    {{- tpl .Values.extraContainers $ | nindent 2 }}
+  {{- else }}
+    {{-  toYaml .Values.extraContainers | nindent 2 }}
+  {{- end -}}
+{{- end }}
+volumes:
+  - name: config
+    configMap:
+      name: {{ default (include "fluent-bit.fullname" .) .Values.existingConfigMap }}
+{{- if or .Values.luaScripts .Values.hotReload.enabled }}
+  - name: luascripts
+    configMap:
+      name: {{ include "fluent-bit.fullname" . }}-luascripts
+{{- end }}
+{{- if eq .Values.kind "DaemonSet" }}
+  {{- toYaml .Values.daemonSetVolumes | nindent 2 }}
+{{- end }}
+{{- if .Values.extraVolumes }}
+  {{- toYaml .Values.extraVolumes | nindent 2 }}
+{{- end }}
+{{- with .Values.nodeSelector }}
+nodeSelector:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.affinity }}
+affinity:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.tolerations }}
+tolerations:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/clusterrole.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - pods
+      {{- if .Values.rbac.nodeAccess }}
+      - nodes
+      - nodes/metrics
+      - nodes/proxy
+      {{- end }}
+      {{- if .Values.rbac.eventsAccess }}
+      - events
+      {{- end }}
+    verbs:
+      - get
+      - list
+      - watch
+  {{- if and .Values.podSecurityPolicy.create (semverCompare "<=1.25-0" .Capabilities.KubeVersion.GitVersion) }}
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    resourceNames:
+      - {{ include "fluent-bit.fullname" . }}
+    verbs:
+      - use
+  {{- end }}
+  {{- if .Values.openShift.enabled }}
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - {{ include "fluent-bit.openShiftSccName" . }}
+    verbs:
+      - use
+  {{- end }}
+{{- end -}}

packages/system/monitoring/charts/fluent-bit/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "fluent-bit.fullname" . }}
+  labels:
+    {{- include "fluent-bit.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "fluent-bit.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "fluent-bit.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}