Prepare release v0.15.0 (#349)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.gitignore

@@ -1,3 +1,78 @@
 _out
 .git
-.idea
+.idea
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+.DS_Store
+**/.DS_Store

Makefile

@@ -2,6 +2,9 @@
 
 build:
 	make -C packages/apps/http-cache image
+	make -C packages/apps/postgres image
+	make -C packages/apps/mysql image
+	make -C packages/apps/clickhouse image
 	make -C packages/apps/kubernetes image
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image

hack/e2e.sh

@@ -309,8 +309,9 @@ kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-i
 kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
 
 # Wait for Victoria metrics
-kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert-longterm vmalert-vmalert-shortterm vminsert-longterm vminsert-shortterm
-kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=2 -n tenant-root sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm
+kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-longterm vmalert/vmalert-shortterm vmalertmanager/alertmanager
+kubectl wait --timeout=5m --for=jsonpath=.status.status=operational -n tenant-root vlogs/generic
+kubectl wait --timeout=5m --for=jsonpath=.status.clusterStatus=operational -n tenant-root vmcluster/shortterm vmcluster/longterm
 
 # Wait for grafana
 kubectl wait --timeout=5m --for=condition=ready -n tenant-root clusters.postgresql.cnpg.io grafana-db

hack/gen_versions_map.sh

@@ -24,24 +24,36 @@ resolved_miss_map=$(
       change_commit=$(git --no-pager blame -L"$line",+1 -- "$chart/Chart.yaml" | awk '{print $1}')
        
       if [ "$change_commit" = "00000000" ]; then
-        # Not commited yet, use previus commit
+        # Not committed yet, use previous commit
         line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
         commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
         if [ $(echo $commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
+          # Previous commit not exists
           commit=$(echo $commit | cut -c2-)
         fi
       else
-        # Commited, but version_map wasn't updated
+        # Committed, but version_map wasn't updated
         line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
         change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
         if [ $(echo $change_commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
+          # Previous commit not exists
           commit=$(echo $change_commit | cut -c2-)
         else
           commit=$(git describe --always "$change_commit~1")
         fi
       fi
+
+      # Check if the commit belongs to the main branch
+      if ! git merge-base --is-ancestor "$commit" main; then
+        # Find the closest parent commit that belongs to main
+        commit_in_main=$(git log --pretty=format:"%h" main -- "$chart" | head -n 1)
+        if [ -n "$commit_in_main" ]; then
+          commit="$commit_in_main"
+        else
+          # No valid commit found in main branch for $chart, skipping..."
+          continue
+        fi
+      fi
     fi
     echo "$chart $version $commit"
   done

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.12.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.15.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.12.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.15.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/Makefile

@@ -1,4 +1,20 @@
+CLICKHOUSE_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+
+image:
+	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/clickhouse-backup \
+		--provenance false \
+		--tag $(REGISTRY)/clickhouse-backup:$(call settag,$(CLICKHOUSE_BACKUP_TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/clickhouse-backup:latest \
+		--cache-to type=inline \
+		--metadata-file images/clickhouse-backup.json \
+		--push=$(PUSH) \
+		--load=$(LOAD)
+	echo "$(REGISTRY)/clickhouse-backup:$(call settag,$(CLICKHOUSE_BACKUP_TAG))@$$(yq e '."containerimage.digest"' images/clickhouse-backup.json -o json -r)" \
+		> images/clickhouse-backup.tag
+	rm -f images/clickhouse-backup.json

packages/apps/clickhouse/README.md

@@ -1,5 +1,20 @@
 # Managed Clickhouse Service
 
+### How to restore backup:
+
+find snapshot:
+```
+restic -r s3:s3.example.org/clickhouse-backups/table_name snapshots
+```
+
+restore:
+```
+restic -r s3:s3.example.org/clickhouse-backups/table_name restore latest --target /tmp/
+```
+
+more details:
+- https://itnext.io/restic-effective-backup-from-stdin-4bc1e8f083c1
+
 ## Parameters
 
 ### Common parameters
@@ -16,3 +31,16 @@
 | Name    | Description         | Value |
 | ------- | ------------------- | ----- |
 | `users` | Users configuration | `{}`  |
+
+### Backup parameters
+
+| Name                     | Description                                    | Value                                                  |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable pereiodic backups                       | `false`                                                |
+| `backup.s3Region`        | The AWS S3 region where backups are stored     | `us-east-1`                                            |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups         | `s3.example.org/clickhouse-backups`                    |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups       | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption      | `ChaXoveekoh6eigh4siesheeda2quai0`                     |

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/clickhouse-backup:0.5.0@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61

packages/apps/clickhouse/images/clickhouse-backup/Dockerfile

@@ -0,0 +1,2 @@
+FROM clickhouse/clickhouse-server:24.8.4-alpine
+RUN apk add --no-cache restic uuidgen

packages/apps/clickhouse/templates/backup-cronjob.yaml

@@ -0,0 +1,95 @@
+{{- if .Values.backup.enabled }}
+{{ $image := .Files.Get "images/backup.json" | fromJson }}
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Release.Name }}-backup
+spec:
+  schedule: "{{ .Values.backup.schedule }}"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      template:
+        spec:
+          restartPolicy: OnFailure
+      template:
+        metadata:
+          annotations:
+            checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }}
+            checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }}
+        spec:
+          imagePullSecrets:
+          - name: {{ .Release.Name }}-regsecret
+          restartPolicy: Never
+          containers:
+          - name: clickhouse-backup
+            image: "{{ $.Files.Get "images/clickhouse-backup.tag" | trim }}"
+            command:
+            - /bin/sh
+            - -x
+            - /scripts/backup.sh
+            env:
+            - name: REPO_PREFIX
+              value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }}
+            - name: CLEANUP_STRATEGY
+              value: {{ required "cleanupPolicy is not specified!" .Values.backup.cleanupStrategy | quote }}
+            - name: CLICKHOUSE_USER
+              value: backup
+            - name: CLICKHOUSE_HOST
+              value: chi-{{ .Release.Name }}-clickhouse-0-0
+            - name: CLICKHOUSE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-credentials
+                  key: backup
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: s3AccessKey
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: s3SecretKey
+            - name: AWS_DEFAULT_REGION
+              value: {{ .Values.backup.s3Region }}
+            - name: RESTIC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: resticPassword
+            volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /.cache
+              name: cache
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+          volumes:
+          - name: scripts
+            secret:
+              secretName: {{ .Release.Name }}-backup-script
+          - name: tmp
+            emptyDir: {}
+          - name: cache
+            emptyDir: {}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 9000
+            runAsGroup: 9000
+            seccompProfile:
+              type: RuntimeDefault
+{{- end }}

packages/apps/clickhouse/templates/backup-script.yaml

@@ -0,0 +1,55 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-backup-script
+stringData:
+  backup.sh: |
+    #!/bin/sh
+    set -e
+    set -o pipefail
+    
+    JOB_ID="job-$(uuidgen|cut -f1 -d-)"
+    TABLE_LIST=$(clickhouse-client --host "$CLICKHOUSE_HOST" -q 'SHOW TABLES;' | grep -v '^.inner.' || true)
+    echo DB_LIST=$(echo "$TABLE_LIST" | shuf) # shuffle list
+    echo "Job ID: $JOB_ID"
+    echo "Target repo: $REPO_PREFIX"
+    echo "Cleanup strategy: $CLEANUP_STRATEGY"
+    echo "Start backup for:"
+    echo "$TABLE_LIST"
+    echo
+    echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`"
+    for table in $TABLE_LIST; do
+      (
+        set -x
+        restic -r "s3:${REPO_PREFIX}/$table" cat config >/dev/null 2>&1 || \
+          restic -r "s3:${REPO_PREFIX}/$table" init --repository-version 2
+        restic -r "s3:${REPO_PREFIX}/$table" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it
+        clickhouse-client --host "$CLICKHOUSE_HOST" -q "SHOW CREATE TABLE ${table}" | awk '{gsub(/\\n/, "\n")} {gsub(/\\'\''/, "'\''")} 1' | \
+          restic -r "s3:${REPO_PREFIX}/$table" backup --tag "$JOB_ID" --tag index --stdin --stdin-filename index.sql
+        clickhouse-client --host "$CLICKHOUSE_HOST" -q "SELECT * FROM ${table} FORMAT TabSeparated" | \
+          restic -r "s3:${REPO_PREFIX}/$table" backup --tag "$JOB_ID" --tag data --stdin --stdin-filename data.tsv
+        restic -r "s3:${REPO_PREFIX}/$table" tag --tag "$JOB_ID" --set "completed"
+      )
+    done
+    echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`"
+    
+    echo
+    echo "Run cleanup:"
+    echo
+    
+    echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`"
+    for db in $DB_LIST; do
+      (
+        set -x
+        # keep completed snapshots only
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" --tag index
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" --tag data
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY --tag index
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY --tag data
+        restic prune -r "s3:${REPO_PREFIX}/$db"
+      )
+    done
+    echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`"
+{{- end }}

packages/apps/clickhouse/templates/backup-secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-backup
+stringData:
+  s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
+  s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
+  resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
+{{- end }}

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -1,3 +1,32 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+{{- $users := .Values.users }}
+{{- $_ := set $users "backup" dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- range $user, $u := $users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+
+---
 apiVersion: "clickhouse.altinity.com/v1"
 kind: "ClickHouseInstallation"
 metadata:
@@ -9,10 +38,10 @@ spec:
       dataVolumeClaimTemplate: data-volume-template
   {{- end }}
   configuration:
-    {{- with .Values.users }}
+    {{- with $users }}
     users:
       {{- range $name, $u := . }}
-      {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }}
+      {{ $name }}/password_sha256_hex: {{ sha256sum (index $passwords $name) }}
       {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }}
       {{ $name }}/networks/ip: ["::/0"]
       {{- end }}
@@ -31,7 +60,7 @@ spec:
         spec:
           accessModes:
             - ReadWriteOnce
-          {{- with .Values.stroageClass }}
+          {{- with $.Values.storageClass }}
           storageClassName: {{ . }}
           {{- end }}
           resources:

packages/apps/clickhouse/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - chi-clickhouse-test-clickhouse-0-0
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/clickhouse/values.schema.json

@@ -21,6 +21,51 @@
             "type": "string",
             "description": "StorageClass used to store the data",
             "default": ""
+        },
+        "backup": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Enable pereiodic backups",
+                    "default": false
+                },
+                "s3Region": {
+                    "type": "string",
+                    "description": "The AWS S3 region where backups are stored",
+                    "default": "us-east-1"
+                },
+                "s3Bucket": {
+                    "type": "string",
+                    "description": "The S3 bucket used for storing backups",
+                    "default": "s3.example.org/clickhouse-backups"
+                },
+                "schedule": {
+                    "type": "string",
+                    "description": "Cron schedule for automated backups",
+                    "default": "0 2 * * *"
+                },
+                "cleanupStrategy": {
+                    "type": "string",
+                    "description": "The strategy for cleaning up old backups",
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                },
+                "s3AccessKey": {
+                    "type": "string",
+                    "description": "The access key for S3, used for authentication",
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                },
+                "s3SecretKey": {
+                    "type": "string",
+                    "description": "The secret key for S3, used for authentication",
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                },
+                "resticPassword": {
+                    "type": "string",
+                    "description": "The password for Restic backup encryption",
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                }
+            }
         }
     }
 }

packages/apps/clickhouse/values.yaml

@@ -22,3 +22,23 @@ storageClass: ""
 ##     password: hackme
 ##
 users: {}
+
+## @section Backup parameters
+
+## @param backup.enabled Enable pereiodic backups
+## @param backup.s3Region The AWS S3 region where backups are stored
+## @param backup.s3Bucket The S3 bucket used for storing backups
+## @param backup.schedule Cron schedule for automated backups
+## @param backup.cleanupStrategy The strategy for cleaning up old backups
+## @param backup.s3AccessKey The access key for S3, used for authentication
+## @param backup.s3SecretKey The secret key for S3, used for authentication
+## @param backup.resticPassword The password for Restic backup encryption
+backup:
+  enabled: false
+  s3Region: us-east-1
+  s3Bucket: s3.example.org/clickhouse-backups
+  schedule: "0 2 * * *"
+  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

packages/apps/ferretdb/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.22.0"
+appVersion: "1.24.0"

packages/apps/ferretdb/images/postgres-backup.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/postgres-backup:0.6.2@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1

packages/apps/ferretdb/templates/backup-cronjob.yaml

@@ -24,8 +24,8 @@ spec:
         spec:
           restartPolicy: Never
           containers:
-          - name: mysqldump
-            image: "{{ index $image "image.name" }}@{{ index $image "containerimage.digest" }}"
+          - name: pgdump
+            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
             command:
             - /bin/sh
             - /scripts/backup.sh

packages/apps/ferretdb/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/ferretdb/templates/ferretdb.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: ferretdb
-        image: ghcr.io/ferretdb/ferretdb:1.22.0
+        image: ghcr.io/ferretdb/ferretdb:1.24.0
         ports:
         - containerPort: 27017
         env:

packages/apps/ferretdb/templates/init-script.yaml

@@ -1,3 +1,30 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- range $user, $u := .Values.users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.users }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Secret
@@ -13,7 +40,7 @@ stringData:
     {{- range $user, $u := .Values.users }}
     SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
     WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
     COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
     {{- end }}
     EOT

packages/apps/ferretdb/templates/postgres.yaml

@@ -15,7 +15,7 @@ spec:
 
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClass: {{ . }}
     {{- end }}
 

packages/apps/ferretdb/values2.yaml

@@ -1,56 +0,0 @@
-## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of Postgres replicas
-##
-external: false
-size: 10Gi
-replicas: 1
-
-## Configuration for the quorum-based synchronous replication
-## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
-## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
-quorum:
-  minSyncReplicas: 0
-  maxSyncReplicas: 0
-
-## @section Configuration parameters
-
-## @param users [object] Users configuration
-## Example:
-## users:
-##   user1:
-##     password: strongpassword
-##   user2:
-##     password: hackme
-##
-users:
-  foo:
-    password: asd
-  bar:
-    password: asd
-  baz:
-    password: asd
-  boo:
-    password: asd
-
-## @section Backup parameters
-
-## @param backup.enabled Enable pereiodic backups
-## @param backup.s3Region The AWS S3 region where backups are stored
-## @param backup.s3Bucket The S3 bucket used for storing backups
-## @param backup.schedule Cron schedule for automated backups
-## @param backup.cleanupStrategy The strategy for cleaning up old backups
-## @param backup.s3AccessKey The access key for S3, used for authentication
-## @param backup.s3SecretKey The secret key for S3, used for authentication
-## @param backup.resticPassword The password for Restic backup encryption
-backup:
-  enabled: false
-  s3Region: us-east-1
-  s3Bucket: s3.example.org/postgres-backups
-  schedule: "0 2 * * *"
-  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
-  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
-  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

packages/apps/http-cache/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: http-cache
-description: Layer7 load balacner and caching service
+description: Layer7 load balancer and caching service
 icon: /logos/nginx.svg
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.3.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/http-cache/Makefile

@@ -1,4 +1,4 @@
-NGINX_CACHE_TAG = v0.1.0
+NGINX_CACHE_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
 
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
@@ -9,7 +9,6 @@ image-nginx:
 	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/nginx-cache \
 		--provenance false \
 		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)) \
-		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/nginx-cache:latest \
 		--cache-to type=inline \
 		--metadata-file images/nginx-cache.json \

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0@sha256:556bc8d29ee9e90b3d64d0481dcfc66483d055803315bba3d9ece17c0d97f32b
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:556bc8d29ee9e90b3d64d0481dcfc66483d055803315bba3d9ece17c0d97f32b

packages/apps/http-cache/templates/nginx/deployment.yaml

@@ -114,7 +114,7 @@ spec:
   resources:
     requests:
       storage: "{{ $.Values.size }}"
-  {{- with $.Values.stroageClass }}
+  {{- with $.Values.storageClass }}
   storageClassName: {{ . }}
   {{- end }}
 ---

packages/apps/kafka/templates/kafka.yaml

@@ -53,7 +53,7 @@ spec:
         {{- with .Values.kafka.size }}
         size: {{ . }}
         {{- end }}
-        {{- with .Values.kafka.stroageClass }}
+        {{- with .Values.kafka.storageClass }}
         class: {{ . }}
         {{- end }}
         deleteClaim: true
@@ -64,7 +64,7 @@ spec:
       {{- with .Values.zookeeper.size }}
       size: {{ . }}
       {{- end }}
-      {{- with .Values.kafka.stroageClass }}
+      {{- with .Values.kafka.storageClass }}
       class: {{ . }}
       {{- end }}
       deleteClaim: false

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.10.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/templates/cluster.yaml

@@ -18,6 +18,8 @@ spec:
       runStrategy: Always
       template:
         metadata:
+          annotations:
+            kubevirt.io/allow-pod-bridge-network-live-migration: "true"
           labels:
             {{- range .group.roles }}
             node-role.kubernetes.io/{{ . }}: ""
@@ -38,7 +40,9 @@ spec:
                 disk:
                   bus: virtio
                   pciAddress: 0000:08:00.0
-              networkInterfaceMultiqueue: true
+              interfaces:
+              - name: default
+                bridge: {}
             memory:
               guest: {{ .group.resources.memory }}
           evictionStrategy: External
@@ -49,6 +53,9 @@ spec:
           - name: ephemeral
             emptyDisk:
               capacity: {{ .group.ephemeralStorage | default "20Gi" }}
+          networks:
+          - name: default
+            pod: {}
 {{- end }}
 ---
 apiVersion: cluster.x-k8s.io/v1beta1

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -31,20 +31,8 @@ spec:
   values:
     cilium:
       tunnel: disabled
-      autoDirectNodeRoutes: false
-      bpf:
-        masquerade: true
-      cgroup:
-        autoMount:
-          enabled: true
-        hostRoot: /run/cilium/cgroupv2
       k8sServiceHost: {{ .Release.Name }}.{{ .Release.Namespace }}.svc
       k8sServicePort: 6443
-    
-      cni:
-        chainingMode: ~
-        customConf: false
-        configMap: ""
       routingMode: tunnel
       enableIPv4Masquerade: true
       ipv4NativeRoutingCIDR: ""

packages/apps/kubernetes/templates/helmreleases/csi.yaml

@@ -28,7 +28,7 @@ spec:
   upgrade:
     remediation:
       retries: -1
-  {{- with .Values.stroageClass }}
+  {{- with .Values.storageClass }}
   values:
     storageClass: "{{ . }}"
   {{- end }}

packages/apps/mysql/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/mysql/Makefile

@@ -1,4 +1,20 @@
+MARIADB_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+
+image:
+	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/mariadb-backup \
+		--provenance false \
+		--tag $(REGISTRY)/mariadb-backup:$(call settag,$(MARIADB_BACKUP_TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/mariadb-backup:latest \
+		--cache-to type=inline \
+		--metadata-file images/mariadb-backup.json \
+		--push=$(PUSH) \
+		--load=$(LOAD)
+	echo "$(REGISTRY)/mariadb-backup:$(call settag,$(MARIADB_BACKUP_TAG))@$$(yq e '."containerimage.digest"' images/mariadb-backup.json -o json -r)" \
+		> images/mariadb-backup.tag
+	rm -f images/mariadb-backup.json

packages/apps/mysql/README.md

@@ -79,7 +79,7 @@ more details:
 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
 | `users`     | Users configuration     | `{}`  |
-| `databases` | Databases configuration | `[]`  |
+| `databases` | Databases configuration | `{}`  |
 
 ### Backup parameters
 

packages/apps/mysql/images/mariadb-backup.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.1@sha256:fa2b3195521cffa55eb6d71a50b875d3c234a45e5dff71b2b9002674175bea93

packages/apps/mysql/images/mariadb-backup/Dockerfile

@@ -0,0 +1,2 @@
+FROM alpine:3.20
+RUN apk add --no-cache mariadb-client uuidgen restic

packages/apps/mysql/templates/backup-cronjob.yaml

@@ -27,7 +27,7 @@ spec:
           restartPolicy: Never
           containers:
           - name: mysqldump
-            image: "{{ index $image "image.name" }}@{{ index $image "containerimage.digest" }}"
+            image: "{{ $.Files.Get "images/mariadb-backup.tag" | trim }}"
             command:
             - /bin/sh
             - /scripts/backup.sh

packages/apps/mysql/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}-primary
+  - {{ .Release.Name }}-secondary
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/mysql/templates/db.yaml

@@ -1,14 +1,47 @@
-{{- range $name := .Values.databases }}
-{{ $dnsName := replace "_" "-" $name }}
+{{- range $name, $db := .Values.databases }}
+{{ $dbDNSName := replace "_" "-" $name }}
 ---
 apiVersion: k8s.mariadb.com/v1alpha1
 kind: Database
 metadata:
-  name: {{ $.Release.Name }}-{{ $dnsName }}
+  name: {{ $.Release.Name }}-{{ $dbDNSName }}
 spec:
   name: {{ $name }}
   mariaDbRef:
     name: {{ $.Release.Name }}
   characterSet: utf8
   collate: utf8_general_ci
+{{- range $user := $db.roles.admin }}
+{{ $userDNSName := replace "_" "-" $user }}
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: {{ $.Release.Name }}-{{ $dbDNSName }}-{{ $userDNSName }}
+spec:
+  mariaDbRef:
+    name: {{ $.Release.Name }}
+  privileges: ['ALL']
+  database: {{ $name }}
+  table: "*"
+  username: {{ $user }}
+  grantOption: true
+{{- end }}
+{{- range $user := $db.roles.readonly }}
+{{ $userDNSName := replace "_" "-" $user }}
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: {{ $.Release.Name }}-{{ $dbDNSName }}-{{ $userDNSName }}
+spec:
+  mariaDbRef:
+    name: {{ $.Release.Name }}
+  privileges: ['SELECT']
+  database: {{ $name }}
+  table: "*"
+  username: {{ $user }}
+  grantOption: true
+{{- end }}
+
 {{- end }}

packages/apps/mysql/templates/mariadb.yaml

@@ -4,11 +4,9 @@ kind: MariaDB
 metadata:
   name: {{ .Release.Name }}
 spec:
-  {{- if (and .Values.users.root .Values.users.root.password) }}
   rootPasswordSecretKeyRef:
-    name: {{ .Release.Name }}
-    key: root-password
-  {{- end }}
+    name: {{ .Release.Name }}-credentials
+    key: root
 
   image: "mariadb:11.0.2"
 
@@ -62,7 +60,7 @@ spec:
     size: {{ .Values.size }}
     resizeInUseVolumes: true
     waitForVolumeResize: true
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClassName: {{ . }}
     {{- end }}
 

packages/apps/mysql/templates/secret.yaml

@@ -1,9 +1,31 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- $usersWithRoot := .Values.users }}
+{{- if (and .Values.users.root .Values.users.root.password) }}
+  {{- $_ := set $usersWithRoot "root" dict }}
+{{- end }}
+
+{{- range $user, $u := $usersWithRoot }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}
+  name: {{ .Release.Name }}-credentials
 stringData:
-  {{- range $name, $u := .Values.users }}
-  {{ $name }}-password: {{ $u.password }}
+  {{- range $name, $u := $usersWithRoot }}
+  {{ $name }}: {{ index $passwords $name }}
   {{- end }}

packages/apps/mysql/templates/user.yaml

@@ -11,21 +11,8 @@ spec:
   mariaDbRef:
     name: {{ $.Release.Name }}
   passwordSecretKeyRef:
-    name: {{ $.Release.Name }}
-    key: {{ $name }}-password
+    name: {{ $.Release.Name }}-credentials
+    key: {{ $name }}
   maxUserConnections: {{ $u.maxUserConnections }}
----
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Grant
-metadata:
-  name: {{ $.Release.Name }}-{{ $dnsName }}
-spec:
-  mariaDbRef:
-    name: {{ $.Release.Name }}
-  privileges: {{ $u.privileges | toJson }}
-  database: "*"
-  table: "*"
-  username: {{ $name }}
-  grantOption: true
 {{- end }}
 {{- end }}

packages/apps/mysql/values.schema.json

@@ -22,12 +22,6 @@
             "description": "StorageClass used to store the data",
             "default": ""
         },
-        "databases": {
-            "type": "array",
-            "description": "Databases configuration",
-            "default": [],
-            "items": {}
-        },
         "backup": {
             "type": "object",
             "properties": {

packages/apps/mysql/values.yaml

@@ -15,27 +15,25 @@ storageClass: ""
 ## @param users [object] Users configuration
 ## Example:
 ## users:
-##   root:
-##     password: strongpassword
 ##   user1:
-##     privileges: ['ALL']
 ##     maxUserConnections: 1000
 ##     password: hackme
 ##   user2:
-##     privileges: ['SELECT']
 ##     maxUserConnections: 1000
 ##     password: hackme
 ##
 users: {}
 
-## @param databases Databases configuration
+## @param databases [object] Databases configuration
 ## Example:
 ## databases:
-## - wordpress1
-## - wordpress2
-## - wordpress3
-## - wordpress4
-databases: []
+##   myapp1:
+##     roles:
+##       admin:
+##       - user1
+##       readonly:
+##       - user2
+databases: {}
 
 ## @section Backup parameters
 

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.6.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/Makefile

@@ -1,4 +1,21 @@
+POSTGRES_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+
+image:
+	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/postgres-backup \
+		--provenance false \
+		--tag $(REGISTRY)/postgres-backup:$(call settag,$(POSTGRES_BACKUP_TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/postgres-backup:latest \
+		--cache-to type=inline \
+		--metadata-file images/postgres-backup.json \
+		--push=$(PUSH) \
+		--load=$(LOAD)
+	echo "$(REGISTRY)/postgres-backup:$(call settag,$(POSTGRES_BACKUP_TAG))@$$(yq e '."containerimage.digest"' images/postgres-backup.json -o json -r)" \
+		> images/postgres-backup.tag
+	cp images/postgres-backup.tag ../ferretdb/images/
+	rm -f images/postgres-backup.json

packages/apps/postgres/images/postgres-backup.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/postgres-backup:0.6.2@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1

packages/apps/postgres/images/postgres-backup/Dockerfile

@@ -0,0 +1,2 @@
+FROM alpine:3.20
+RUN apk add --no-cache postgresql16-client uuidgen restic

packages/apps/postgres/templates/backup-cronjob.yaml

@@ -26,8 +26,8 @@ spec:
           - name: {{ .Release.Name }}-regsecret
           restartPolicy: Never
           containers:
-          - name: mysqldump
-            image: "{{ index $image "image.name" }}@{{ index $image "containerimage.digest" }}"
+          - name: pgdump
+            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
             command:
             - /bin/sh
             - /scripts/backup.sh

packages/apps/postgres/templates/dashboard-resourcemap.yaml

@@ -8,7 +8,14 @@ rules:
   resources:
   - services
   resourceNames:
-  - postgres-service-r
-  - postgres-service-ro
-  - postgres-service-rw
+  - {{ .Release.Name }}-r
+  - {{ .Release.Name }}-ro
+  - {{ .Release.Name }}-rw
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
   verbs: ["get", "list", "watch"]

packages/apps/postgres/templates/db.yaml

@@ -19,7 +19,7 @@ spec:
 
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClass: {{ . }}
     {{- end }}
 

packages/apps/postgres/templates/init-script.yaml

@@ -1,3 +1,30 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
+{{- $passwords := dict }}
+
+{{- with (index $existingSecret "data") }}
+  {{- range $k, $v := . }}
+    {{- $_ := set $passwords $k (b64dec $v) }}
+  {{- end }}
+{{- end }}
+
+{{- range $user, $u := .Values.users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.users }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Secret
@@ -13,7 +40,7 @@ stringData:
     {{- range $user, $u := .Values.users }}
     SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
     WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
     COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
     {{- end }}
     EOT

packages/apps/rabbitmq/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.12.2"
+appVersion: "3.13.2"

packages/apps/rabbitmq/README.md

@@ -19,3 +19,10 @@ The service utilizes official RabbitMQ operator. This ensures the reliability an
 | `size`         | Persistent Volume size                          | `10Gi`  |
 | `replicas`     | Number of RabbitMQ replicas                     | `3`     |
 | `storageClass` | StorageClass used to store the data             | `""`    |
+
+### Configuration parameters
+
+| Name     | Description                 | Value |
+| -------- | --------------------------- | ----- |
+| `users`  | Users configuration         | `{}`  |
+| `vhosts` | Virtual Hosts configuration | `{}`  |

packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-default-user
+  {{- range $name, $u := .Values.users }}
+  - {{ $.Release.Name }}-{{ kebabcase $name }}-credentials
+  {{- end }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -12,8 +12,94 @@ spec:
     type: LoadBalancer
   {{- end }}
 
+  override:
+    statefulSet:
+      spec:
+        template:
+          metadata:
+            labels:
+              policy.cozystack.io/allow-to-apiserver: "true"
+
   persistence:
-    {{- with .Values.stroageClass }}
+    {{- with .Values.storageClass }}
     storageClassName: {{ . }}
     {{- end }}
     storage: {{ .Values.size }}
+
+{{- range $user, $u := .Values.users }}
+
+{{- $password := $u.password }}
+{{- if not $password }}
+{{- with (dig "data" "password" "" (lookup "v1" "Secret" $.Release.Namespace (printf "%s-%s-credentials" $.Release.Name (kebabcase $user)))) }}
+{{- $password = b64dec . }}
+{{- end }}
+{{- end }}
+{{- if not $password }}
+{{- $password = (randAlphaNum 16) }}
+{{- end }}
+
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: User
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $user }}
+  annotations:
+    config: '{{ printf "%s %s" $user $password | sha256sum }}'
+spec:
+  importCredentialsSecret:
+    name: {{ $.Release.Name }}-{{ $user }}-credentials
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $user }}-credentials
+type: Opaque
+stringData:
+  username: {{ $user }}
+  password: {{ $password }}
+{{- end }}
+
+{{- range $host, $h := .Values.vhosts }}
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Vhost
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $host }}
+spec:
+  name: {{ $host }}
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+{{- range $user := $h.roles.admin }}
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $host }}-{{ kebabcase $user }}
+spec:
+  vhost: "{{ $host }}"
+  user: "{{ $user }}"
+  permissions:
+    write: ".*"
+    configure: ".*"
+    read: ".*"
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+{{- end }}
+{{- range $user := $h.roles.readonly }}
+---
+apiVersion: rabbitmq.com/v1beta1
+kind: Permission
+metadata:
+  name: {{ $.Release.Name }}-{{ kebabcase $host }}-{{ kebabcase $user }}
+spec:
+  vhost: "{{ $host }}"
+  user: "{{ $user }}"
+  permissions:
+    read: ".*"
+  rabbitmqClusterReference:
+    name: {{ $.Release.Name }}
+{{- end }}
+
+{{- end }}

packages/apps/rabbitmq/values.schema.json

@@ -21,6 +21,11 @@
             "type": "string",
             "description": "StorageClass used to store the data",
             "default": ""
+        },
+        "vhosts": {
+            "type": "object",
+            "description": "Virtual Hosts configuration",
+            "default": {}
         }
     }
 }

packages/apps/rabbitmq/values.yaml

@@ -9,3 +9,33 @@ external: false
 size: 10Gi
 replicas: 3
 storageClass: ""
+
+## @section Configuration parameters
+
+## @param users [object] Users configuration
+## Example:
+## users:
+##   user1:
+##     password: strongpassword
+##   user2:
+##     password: hackme
+##   user3:
+##     password: testtest
+##
+users: {}
+
+## @param vhosts Virtual Hosts configuration
+## Example:
+## vhosts:
+##   myapp:
+##     roles:
+##       admin:
+##       - user1
+##       - user2
+##       readonly:
+##       - user3
+##   test:
+##     roles:
+##       admin:
+##       - user3
+vhosts: {}

packages/apps/versions_map

@@ -2,13 +2,18 @@ bucket 0.1.0 HEAD
 clickhouse 0.1.0 ca79f72
 clickhouse 0.2.0 7cd7de73
 clickhouse 0.2.1 5ca8823
-clickhouse 0.3.0 HEAD
+clickhouse 0.3.0 b00621e
+clickhouse 0.4.0 320fc32
+clickhouse 0.5.0 HEAD
 ferretdb 0.1.0 4ffa8615
 ferretdb 0.1.1 5ca8823
-ferretdb 0.2.0 HEAD
+ferretdb 0.2.0 adaf603
+ferretdb 0.3.0 aa2f553
+ferretdb 0.4.0 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 5ca8823
-http-cache 0.3.0 HEAD
+http-cache 0.3.0 fab5940
+http-cache 0.3.1 HEAD
 kafka 0.1.0 760f86d2
 kafka 0.2.0 a2cc83d
 kafka 0.2.1 3ac17018
@@ -25,11 +30,14 @@ kubernetes 0.7.0 ceefae03
 kubernetes 0.8.0 ac11056e
 kubernetes 0.8.1 e54608d8
 kubernetes 0.8.2 5ca8823
-kubernetes 0.9.0 HEAD
+kubernetes 0.9.0 9b6dd19
+kubernetes 0.10.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
-mysql 0.4.0 HEAD
+mysql 0.4.0 93018c4
+mysql 0.5.0 4b84798
+mysql 0.5.1 HEAD
 nats 0.1.0 5ca8823
 nats 0.2.0 HEAD
 postgres 0.1.0 f642698
@@ -38,10 +46,14 @@ postgres 0.2.1 4a97e297
 postgres 0.3.0 995dea6f
 postgres 0.4.0 ec283c33
 postgres 0.4.1 5ca8823
-postgres 0.5.0 HEAD
+postgres 0.5.0 c07c4bbd
+postgres 0.6.0 2a4768a
+postgres 0.6.2 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 5ca8823
-rabbitmq 0.3.0 HEAD
+rabbitmq 0.3.0 9e33dc0
+rabbitmq 0.4.0 36d8855
+rabbitmq 0.4.1 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 HEAD
@@ -59,7 +71,8 @@ tenant 1.4.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
-virtual-machine 0.3.0 HEAD
+virtual-machine 0.3.0 b908400
+virtual-machine 0.4.0 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 HEAD

packages/apps/virtual-machine/Chart.yaml

@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/virtual-machine/Makefile

@@ -3,7 +3,8 @@ include ../../../scripts/package.mk
 generate:
 	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
 	cat values.schema.json.tmp | \
-		jq '.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora"]' | \
-		jq '.properties.resources.properties.memory["x-display"] = "slider"' \
+		jq '.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' | \
+		jq '.properties.resources.properties.memory["x-display"] = "slider"' | \
+		jq '.properties.externalPorts.items.type = "integer"' \
 		> values.schema.json
 	rm -f values.schema.json.tmp

packages/apps/virtual-machine/README.md

@@ -9,51 +9,67 @@ The virtual machine is managed and hosted through KubeVirt, allowing you to harn
 - Docs: [KubeVirt User Guide](https://kubevirt.io/user-guide/)
 - GitHub: [KubeVirt Repository](https://github.com/kubevirt/kubevirt)
 
+## Accessing virtual machine
+
+You can access the virtual machine using the virtctl tool:
+- [KubeVirt User Guide - Virtctl Client Tool](https://kubevirt.io/user-guide/user_workloads/virtctl_client_tool/)
+
+To access the serial console:
+
+```
+virtctl console <vm>
+```
+
+To access the VM using VNC:
+
+```
+virtctl vnc <vm>
+```
+
+To SSH into the VM:
+
+```
+virtctl ssh <user>@<vm>
+```
+
 ## Parameters
 
 ### Common parameters
 
-| Name               | Description                                                                                       | Value                               |
-| ------------------ | ------------------------------------------------------------------------------------------------- | ----------------------------------- |
-| `external`         | Enable external access from outside the cluster                                                   | `false`                             |
-| `running`          | Determines if the virtual machine should be running                                               | `true`                              |
-| `image`            | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora` | `ubuntu`                            |
-| `storageClass`     | StorageClass used to store the data                                                               | `replicated`                        |
-| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                                          | `1`                                 |
-| `resources.memory` | The amount of memory allocated to the virtual machine                                             | `1024M`                             |
-| `resources.disk`   | The size of the disk allocated for the virtual machine                                            | `5Gi`                               |
-| `sshPwauth`        | Enable password authentication for SSH. If set to `true`, users can log in using a password       | `true`                              |
-| `disableRoot`      | Disable root login via SSH. If set to `true`, root login will be disabled                         | `true`                              |
-| `password`         | The default password for the virtual machine                                                      | `hackme`                            |
-| `chpasswdExpire`   | Set whether the password should expire                                                            | `false`                             |
-| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys                 | `["ssh-rsa ...","ssh-ed25519 ..."]` |
+| Name               | Description                                                                                                | Value            |
+| ------------------ | ---------------------------------------------------------------------------------------------------------- | ---------------- |
+| `external`         | Enable external access from outside the cluster                                                            | `false`          |
+| `externalPorts`    | Specify ports to forward from outside the cluster                                                          | `[]`             |
+| `running`          | Determines if the virtual machine should be running                                                        | `true`           |
+| `image`            | The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos` | `ubuntu`         |
+| `storageClass`     | StorageClass used to store the data                                                                        | `replicated`     |
+| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                                                   | `1`              |
+| `resources.memory` | The amount of memory allocated to the virtual machine                                                      | `1024M`          |
+| `resources.disk`   | The size of the disk allocated for the virtual machine                                                     | `5Gi`            |
+| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys.                         | `[]`             |
+| `cloudInit`        | cloud-init user data config. See cloud-init documentation for more details.                                | `#cloud-config
+` |
 
 You can customize the exposed ports by specifying them under `service.ports` in the `values.yaml` file.
 
-## Example `values.yaml`
+## Example virtual machine:
 
 ```yaml
-external: false
 running: true
-image: ubuntu
+image: fedora
+storageClass: replicated
 resources:
   cpu: 1
   memory: 1024M
-  disk: 5Gi
-sshPwauth: true
-disableRoot: true
-password: hackme
-chpasswdExpire: false
-sshKeys: 
-  - YOUR_SSH_PUB_KEY_HERE
-  - ANOTHER_SSH_PUB_KEY_HERE
+  disk: 10Gi
 
-service:
-  ports:
-    - name: http
-      port: 80
-      targetPort: 80
-    - name: https
-      port: 443
-      targetPort: 443
+sshKeys:
+- ssh-rsa ...
+
+cloudInit: |
+  #cloud-config
+  user: fedora
+  password: fedora
+  chpasswd: { expire: False }
+  ssh_pwauth: True
 ```

packages/apps/virtual-machine/templates/secret.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.sshKeys }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "virtual-machine.fullname" $ }}-ssh-keys
+stringData:
+  {{- range $k, $v := .Values.sshKeys }}
+  key{{ $k }}: {{ quote $v }} 
+  {{- end }}
+{{- end }}
+{{- if .Values.cloudInit }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}-cloud-init
+stringData:
+  userdata: |
+    {{- .Values.cloudInit | nindent 4 }}
+{{- end }}

packages/apps/virtual-machine/templates/service.yaml

@@ -8,21 +8,14 @@ metadata:
     {{- include "virtual-machine.labels" . | nindent 4 }}
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
-  {{- if .Values.external }}
   externalTrafficPolicy: Local
   allocateLoadBalancerNodePorts: false
-  {{- end }}
   selector:
     {{- include "virtual-machine.labels" . | nindent 4 }}
   ports:
-    - name: ssh
-      port: 22
-      targetPort: 22
-    {{- if .Values.service.ports }}
-    {{- range .Values.service.ports }}
-    - name: {{ .name }}
-      port: {{ .port }}
-      targetPort: {{ .targetPort }}
-    {{- end }}
+    {{- range .Values.externalPorts }}
+    - name: port-{{ . }}
+      port: {{ . }}
+      targetPort: {{ . }}
     {{- end }}
 {{- end }}

packages/apps/virtual-machine/templates/vm.yaml

@@ -11,8 +11,9 @@ spec:
       name: {{ include "virtual-machine.fullname" . }}
     spec:
       pvc:
+        volumeMode: Block
         accessModes:
-        - ReadWriteOnce
+        - ReadWriteMany
         resources:
           requests:
             storage: {{ .Values.resources.disk | quote }}
@@ -28,7 +29,9 @@ spec:
           {{- else if eq .Values.image "fedora" }}
           url: https://download.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/Fedora-Cloud-Base-Generic.x86_64-40-1.14.qcow2
           {{- else if eq .Values.image "alpine" }}
-          url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-virt-3.20.2-x86_64.iso
+          url: https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/cloud/nocloud_alpine-3.20.2-x86_64-bios-tiny-r0.qcow2
+          {{- else if eq .Values.image "talos" }}
+          url: https://github.com/siderolabs/talos/releases/download/v1.7.6/nocloud-amd64.raw.xz
           {{- end }}
   template:
     metadata:
@@ -45,34 +48,39 @@ spec:
           - disk:
               bus: scsi
             name: systemdisk
+          {{- if or .Values.sshKeys .Values.cloudInit }}
           - disk:
               bus: virtio
             name: cloudinitdisk
+          {{- end }}
+          interfaces:
+          - name: default
+            bridge: {}
         machine:
           type: ""
         resources:
           requests:
             memory: {{ .Values.resources.memory | quote }}
+      {{- with .Values.sshKeys }}
+      accessCredentials:
+      - sshPublicKey:
+          source:
+            secret:
+              secretName: {{ include "virtual-machine.fullname" $ }}-ssh-keys
+          propagationMethod:
+            noCloud: {}
+      {{- end }}
       terminationGracePeriodSeconds: 30
       volumes:
-      - dataVolume:
+      - name: systemdisk
+        dataVolume:
           name: {{ include "virtual-machine.fullname" . }}
-        name: systemdisk
-      - cloudInitNoCloud:
-          userData: |-
-            #cloud-config
-            ssh_pwauth: {{ if .Values.sshPwauth | default false }}True{{ else }}False{{ end }}
-            disable_root: {{ if .Values.disableRoot | default false }}True{{ else }}False{{ end }}
-            password: {{ .Values.password }}
-            chpasswd: { expire: {{ if .Values.chpasswdExpire | default false }}True{{ else }}False{{ end }} }
-            ssh_authorized_keys:
-            {{- if .Values.sshKeys }}
-              {{- $keys := .Values.sshKeys }}
-              {{- if not (kindIs "slice" $keys) }}
-                {{- $keys = list $keys }}
-              {{- end }}
-              {{- range $keys }}
-              - {{ . }}
-              {{- end }}
-            {{- end }}
-        name: cloudinitdisk
+      {{- if or .Values.sshKeys .Values.cloudInit }}
+      - name: cloudinitdisk
+        cloudInitNoCloud:
+          secretRef:
+            name: {{ include "virtual-machine.fullname" . }}-cloud-init
+      {{- end }}
+      networks:
+      - name: default
+        pod: {}

packages/apps/virtual-machine/values.schema.json

@@ -7,6 +7,14 @@
       "description": "Enable external access from outside the cluster",
       "default": false
     },
+    "externalPorts": {
+      "type": "array",
+      "description": "Specify ports to forward from outside the cluster",
+      "default": "[]",
+      "items": {
+        "type": "integer"
+      }
+    },
     "running": {
       "type": "boolean",
       "description": "Determines if the virtual machine should be running",
@@ -14,13 +22,14 @@
     },
     "image": {
       "type": "string",
-      "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora`",
+      "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`",
       "default": "ubuntu",
       "enum": [
         "ubuntu",
         "cirros",
         "alpine",
-        "fedora"
+        "fedora",
+        "talos"
       ]
     },
     "storageClass": {
@@ -49,36 +58,18 @@
         }
       }
     },
-    "sshPwauth": {
-      "type": "boolean",
-      "description": "Enable password authentication for SSH. If set to `true`, users can log in using a password",
-      "default": true
-    },
-    "disableRoot": {
-      "type": "boolean",
-      "description": "Disable root login via SSH. If set to `true`, root login will be disabled",
-      "default": true
-    },
-    "password": {
-      "type": "string",
-      "description": "The default password for the virtual machine",
-      "default": "hackme"
-    },
-    "chpasswdExpire": {
-      "type": "boolean",
-      "description": "Set whether the password should expire",
-      "default": false
-    },
     "sshKeys": {
       "type": "array",
-      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys",
-      "default": [
-        "ssh-rsa ...",
-        "ssh-ed25519 ..."
-      ],
+      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys.",
+      "default": "[]",
       "items": {
         "type": "string"
       }
+    },
+    "cloudInit": {
+      "type": "string",
+      "description": "cloud-init user data config. See cloud-init documentation for more details.",
+      "default": "#cloud-config\n"
     }
   }
 }

packages/apps/virtual-machine/values.yaml

@@ -1,19 +1,18 @@
 ## @section Common parameters
 
 ## @param external Enable external access from outside the cluster
+## @param externalPorts [array] Specify ports to forward from outside the cluster
 ## @param running Determines if the virtual machine should be running
-## @param image The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine` and `fedora`
+## @param image The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`
 ## @param storageClass StorageClass used to store the data
 ## @param resources.cpu The number of CPU cores allocated to the virtual machine
 ## @param resources.memory The amount of memory allocated to the virtual machine
 ## @param resources.disk The size of the disk allocated for the virtual machine
-## @param sshPwauth Enable password authentication for SSH. If set to `true`, users can log in using a password
-## @param disableRoot Disable root login via SSH. If set to `true`, root login will be disabled
-## @param password The default password for the virtual machine
-## @param chpasswdExpire Set whether the password should expire
-## @param sshKeys List of SSH public keys for authentication. Can be a single key or a list of keys
 
 external: false
+externalPorts:
+- 22
+
 running: true
 image: ubuntu
 storageClass: replicated
@@ -21,10 +20,24 @@ resources:
   cpu: 1
   memory: 1024M
   disk: 5Gi
-sshPwauth: true
-disableRoot: true
-password: hackme
-chpasswdExpire: false
-sshKeys:
-  - ssh-rsa ...
-  - ssh-ed25519 ...
+
+## @param sshKeys [array] List of SSH public keys for authentication. Can be a single key or a list of keys.
+## Example:
+## sshKeys:
+##   - ssh-rsa ...
+##   - ssh-ed25519 ...
+##
+sshKeys: []
+
+## @param cloudInit cloud-init user data config. See cloud-init documentation for more details.
+## - https://cloudinit.readthedocs.io/en/latest/explanation/format.html
+## - https://cloudinit.readthedocs.io/en/latest/reference/examples.html
+## Example:
+## cloudInit: |
+##   #cloud-config
+##   password: ubuntu
+##   chpasswd: { expire: False }
+##
+cloudInit: |
+  #cloud-config
+

packages/core/installer/Makefile

@@ -54,9 +54,9 @@ image-matchbox:
 		--load=$(LOAD)
 	rm -f images/matchbox.json
 
-assets: talos-iso talos-nocloud
+assets: talos-iso talos-nocloud talos-metal
 
-talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud:
+talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal:
 	mkdir -p ../../../_out/assets
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
 		docker run --rm -i -v /dev:/dev --privileged "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" --tar-to-stdout - | \

packages/core/installer/hack/gen-profiles.sh

@@ -2,7 +2,7 @@
 set -e
 set -u
 
-PROFILES="initramfs kernel iso installer nocloud"
+PROFILES="initramfs kernel iso installer nocloud metal"
 FIRMWARES="amd-ucode amdgpu-firmware bnx2-bnx2x i915-ucode intel-ice-firmware intel-ucode qlogic-firmware"
 EXTENSIONS="drbd zfs"
 
@@ -32,10 +32,10 @@ done
 
 for profile in $PROFILES; do
   echo "writing profile images/talos/profiles/$profile.yaml"
-  if [ "$profile" = "nocloud" ]; then
+  if [ "$profile" = "nocloud" ] || [ "$profile" = "metal" ]; then
     image_options="{ diskSize: 1306525696, diskFormat: raw }"
     out_format=".xz"
-    platform="nocloud"
+    platform="$profile"
     kind="image"
   else
     image_options="{}"

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -12,13 +12,13 @@ input:
   baseInstaller:
     imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
     - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:

packages/core/installer/images/talos/profiles/installer.yaml

@@ -12,13 +12,13 @@ input:
   baseInstaller:
     imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
     - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:

packages/core/installer/images/talos/profiles/iso.yaml

@@ -12,13 +12,13 @@ input:
   baseInstaller:
     imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
     - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -12,13 +12,13 @@ input:
   baseInstaller:
     imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
     - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:

packages/core/installer/images/talos/profiles/metal.yaml

@@ -0,0 +1,27 @@
+# this file generated by hack/gen-profiles.sh
+# do not edit it
+arch: amd64
+platform: metal
+secureboot: false
+version: v1.7.6
+input:
+  kernel:
+    path: /usr/install/amd64/vmlinuz
+  initramfs:
+    path: /usr/install/amd64/initramfs.xz
+  baseInstaller:
+    imageRef: ghcr.io/siderolabs/installer:v1.7.6
+  systemExtensions:
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
+output:
+  kind: image
+  imageOptions: { diskSize: 1306525696, diskFormat: raw }
+  outFormat: .xz

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -12,13 +12,13 @@ input:
   baseInstaller:
     imageRef: ghcr.io/siderolabs/installer:v1.7.6
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240709
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240709
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240531
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240709
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240811
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240811
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240813
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240811
     - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.6
     - imageRef: ghcr.io/siderolabs/zfs:2.2.4-v1.7.6
 output:

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.12.0@sha256:0917812850fd0359d5ba78fd819c0e4ce6d7c12eed9cd46813e7284064b71d30
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.15.0@sha256:aeff26a80f84b4323578e613b3bf03caa842d617ec8d9ca98706867c1e70609f

packages/core/platform/bundles/distro-full.yaml

@@ -20,14 +20,11 @@ releases:
   namespace: cozy-cilium
   privileged: true
   dependsOn: []
+  valuesFiles:
+  - values.yaml
+  - values-talos.yaml
   values:
     cilium:
-      bpf:
-        masquerade: true
-      cni:
-        chainingMode: ~
-        customConf: false
-        configMap: ""
       enableIPv4Masquerade: true
       enableIdentityMark: true
       ipv4NativeRoutingCIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"

packages/core/platform/bundles/paas-full.yaml

@@ -20,6 +20,10 @@ releases:
   namespace: cozy-cilium
   privileged: true
   dependsOn: []
+  valuesFiles:
+  - values.yaml
+  - values-talos.yaml
+  - values-kubeovn.yaml
 
 - name: kubeovn
   releaseName: kubeovn

packages/core/platform/templates/helmreleases.yaml

@@ -39,6 +39,10 @@ spec:
         kind: HelmRepository
         name: cozystack-system
         namespace: cozy-system
+      {{- with $x.valuesFiles }}
+      valuesFiles:
+      {{- toYaml $x.valuesFiles | nindent 6 }}
+      {{- end }}
   {{- $values := dict }}
   {{- with $x.values }}
   {{- $values = merge . $values }}

packages/core/testing/templates/sandbox.yaml

@@ -10,6 +10,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: cozystack-e2e-{{ .Release.Name }}
+  namespace: cozy-e2e-tests
 spec:
   replicas: 1
   selector:

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.12.0@sha256:be1693c8ce6a9522499f79b1e42b2e08c7ca80405026a095299e5e990a3ab791
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.15.0@sha256:20cc84e4a11db31434881355c070113a7823501a28a6114ca02830b18607ad21

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -25,7 +25,7 @@ spec:
         resources:
           requests:
             storage: {{ .Values.size }}
-        {{- with .Values.stroageClass }}
+        {{- with .Values.storageClass }}
         storageClassName: {{ . }}
         {{- end }}
   security:

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.3.0
+version: 1.4.0

packages/extra/monitoring/Makefile

@@ -5,6 +5,6 @@ include ../../../scripts/package.mk
 generate:
 	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
 	cat values.schema.json.tmp | \
-		jq '.properties.metricsStorages.items.type = "object"' \
+		jq '.properties.metricsStorages.items.type = "object" | .properties.logsStorages.items.type = "object"' \
 		> values.schema.json
 	rm -f values.schema.json.tmp

packages/extra/monitoring/README.md

@@ -8,4 +8,5 @@
 | ----------------- | --------------------------------------------------------------------------------------------------------- | ------- |
 | `host`            | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`    |
 | `metricsStorages` | Configuration of metrics storage instances                                                                | `[]`    |
+| `logsStorages`    | Configuration of logs storage instances                                                                   | `[]`    |
 | `oncall.enabled`  | Enable Grafana OnCall                                                                                     | `false` |

packages/extra/monitoring/templates/grafana/grafana.yaml

@@ -26,11 +26,34 @@ spec:
     security:
       admin_user: user
       admin_password: ${GF_PASSWORD}
+    plugins:
+      allow_loading_unsigned_plugins: "victorialogs-datasource"
   deployment:
     spec:
       replicas: 2
       template:
         spec:
+          initContainers:
+            - name: "load-vm-ds-plugin"
+              image: "curlimages/curl:7.85.0"
+              command: [ "/bin/sh" ]
+              workingDir: "/var/lib/grafana"
+              securityContext:
+                runAsUser: 10001
+                runAsNonRoot: true
+                runAsGroup: 10001
+              args:
+                - "-c"
+                - |
+                  set -ex
+                  mkdir -p /var/lib/grafana/plugins/
+                  ver=$(curl -s https://api.github.com/repos/VictoriaMetrics/victorialogs-datasource/releases/latest | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
+                  curl -L https://github.com/VictoriaMetrics/victorialogs-datasource/releases/download/$ver/victorialogs-datasource-$ver.tar.gz -o /var/lib/grafana/plugins/vl-plugin.tar.gz
+                  tar -xf /var/lib/grafana/plugins/vl-plugin.tar.gz -C /var/lib/grafana/plugins/
+                  rm /var/lib/grafana/plugins/vl-plugin.tar.gz
+              volumeMounts:
+                - name: grafana-data
+                  mountPath: /var/lib/grafana
           containers:
             - name: grafana
               image: grafana/grafana:10.1.0

packages/extra/monitoring/templates/oncall/oncall-release.yaml

@@ -15,9 +15,9 @@ spec:
       reconcileStrategy: Revision
       sourceRef:
         kind: HelmRepository
-        name: cozystack-extra
-        namespace: cozy-public
-      version: 0.1.0
+        name: cozystack-system
+        namespace: cozy-system
+      version: '*'
   interval: 1m0s
   timeout: 5m0s
   values:

packages/extra/monitoring/templates/vlogs/grafana-datasource.yaml

@@ -0,0 +1,15 @@
+{{- range .Values.logsStorages }}
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDatasource
+metadata:
+  name: vlogs-{{ .name }}
+spec:
+  datasource:
+    access: proxy
+    type: victorialogs-datasource
+    name: vlogs-{{ .name }}
+    url: http://vlogs-{{ .name }}.{{ $.Release.Namespace }}.svc:9428
+  instanceSelector:
+    matchLabels:
+      dashboards: grafana
+{{- end }}

packages/extra/monitoring/templates/vlogs/vlogs.yaml

@@ -0,0 +1,15 @@
+{{- range .Values.logsStorages }}
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VLogs
+metadata:
+  name: {{ .name }}
+spec:
+  storage:
+    resources:
+      requests:
+        storage: {{ .storage }}
+    storageClassName: {{ .storageClassName }}
+    accessModes: [ReadWriteOnce]
+  retentionPeriod: "{{ .retentionPeriod }}"
+  removePvcAfterDelete: true
+{{- end }}

packages/extra/monitoring/templates/vm/grafana-datasource.yaml

@@ -4,13 +4,13 @@
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDatasource
 metadata:
-  name: {{ .name }}
+  name: vm-{{ .name }}
 spec:
   instanceSelector:
     matchLabels:
       dashboards: grafana
   datasource:
-    name: {{ .name }}
+    name: vm-{{ .name }}
     type: prometheus
     access: proxy
     url: http://vmselect-{{ .name }}.{{ $.Release.Namespace }}.svc:8481/select/0/prometheus/

packages/extra/monitoring/templates/vm/vmalertmanager.yaml

@@ -27,3 +27,6 @@ metadata:
 spec:
   replicaCount: 2
   configSecret: alertmanager
+  podMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"

packages/extra/monitoring/values.schema.json

@@ -15,6 +15,14 @@
         "type": "object"
       }
     },
+    "logsStorages": {
+      "type": "array",
+      "description": "Configuration of logs storage instances",
+      "default": "[]",
+      "items": {
+        "type": "object"
+      }
+    },
     "oncall": {
       "type": "object",
       "properties": {

packages/extra/monitoring/values.yaml

@@ -17,6 +17,14 @@ metricsStorages:
   storage: 10Gi
   storageClassName: ""
 
+## @param logsStorages [array] Configuration of logs storage instances
+##
+logsStorages:
+- name: generic
+  retentionPeriod: "1"
+  storage: 10Gi
+  storageClassName: replicated
+
 ## @param oncall.enabled Enable Grafana OnCall
 ## 
 oncall:

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -34,7 +34,7 @@ spec:
         - name: data1
           type: "persistentVolumeClaim"
           size: "{{ .Values.size }}"
-          {{- with .Values.stroageClass }}
+          {{- with .Values.storageClass }}
           storageClass: {{ . }}
           {{- end }}
           maxVolumes: 0
@@ -50,7 +50,7 @@ spec:
             cert-manager.io/cluster-issuer: letsencrypt-prod
           tls:
             - hosts:
-              - {{ .Values.host | default (printf "seaweedfs.%s" $host) }}
+              - {{ .Values.host | default (printf "s3.%s" $host) }}
               secretName: {{ .Release.Name }}-s3-ingress-tls
 
       cosi:

packages/extra/versions_map

@@ -11,6 +11,7 @@ monitoring 1.0.0 f642698
 monitoring 1.1.0 15478a88
 monitoring 1.2.0 c9e0d63b
 monitoring 1.2.1 4471b4ba
-monitoring 1.3.0 HEAD
+monitoring 1.3.0 6c5cf5b
+monitoring 1.4.0 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 HEAD

packages/system/cilium/values-kubeovn.yaml

@@ -0,0 +1,18 @@
+cilium:
+  sctp:
+    enabled: true
+  autoDirectNodeRoutes: false
+  bpf:
+    masquerade: false
+  cni:
+    chainingMode: generic-veth
+    chainingTarget: kube-ovn
+    customConf: true
+    configMap: cni-configuration
+  routingMode: native
+  enableIPv4Masquerade: false
+  enableIPv6Masquerade: false
+  enableIdentityMark: false
+  enableRuntimeDeviceDetection: true
+  forceDeviceDetection: true
+  devices: ovn0