Add openshft-console

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.github/workflows/pre-commit.yml

@@ -17,6 +17,18 @@ jobs:
       - name: Install pre-commit
         run: pip install pre-commit
 
+      - name: Install generate
+        run: |
+          sudo apt update
+          sudo apt install curl -y
+          curl -fsSL https://deb.nodesource.com/setup_16.x | sudo -E bash -
+          sudo apt install nodejs -y
+          git clone https://github.com/bitnami/readme-generator-for-helm
+          cd ./readme-generator-for-helm
+          npm install
+          npm install -g pkg
+          pkg . -o /usr/local/bin/readme-generator
+
       - name: Run pre-commit hooks
         run: |
           git fetch origin main || git fetch origin master

.pre-commit-config.yaml

@@ -1,21 +1,6 @@
 repos:
-- repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.5.0
+- repo: local
   hooks:
-    - id: end-of-file-fixer
-    - id: trailing-whitespace
-    - id: mixed-line-ending
-      args: [--fix=lf]
-    - id: check-yaml
-      exclude: '^.*templates/.*\.yaml$'
-      args: [--unsafe]
-- repo: https://github.com/igorshubovych/markdownlint-cli
-  rev: v0.41.0
-  hooks:
-    - id: markdownlint
-      args: [--fix, --disable, MD013, MD041, --]
--   repo: local
-    hooks:
     - id: gen-versions-map
       name: Generate versions map and check for changes
       entry: sh -c 'make -C packages/apps check-version-map && make -C packages/extra check-version-map'
@@ -23,3 +8,16 @@ repos:
       types: [file]
       pass_filenames: false
       description: Run the script and fail if it generates changes
+    - id: run-make-generate
+      name: Run 'make generate' in all app directories
+      entry: |
+        /bin/bash -c '
+          for dir in ./packages/apps/*/; do
+            if [ -d "$dir" ]; then
+              echo "Running make generate in $dir"
+              (cd "$dir" && make generate)
+            fi
+          done
+        '
+      language: script
+      files: ^.*$

ADOPTERS.md

@@ -28,4 +28,5 @@ This list is sorted in chronological order, based on the submission date.
 | [Ænix](https://aenix.io/) | @kvaps | 2024-02-14 | Ænix provides consulting services for cloud providers and uses Cozystack as the main tool for organizing managed services for them. |
 | [Mediatech](https://mediatech.dev/) | @ugenk | 2024-05-01 | We're developing and hosting software for our and our custmer services. We're using cozystack as a kubernetes distribution for that. |
 | [Bootstack](https://bootstack.app/) | @mrkhachaturov | 2024-08-01| At Bootstack, we utilize a Kubernetes operator specifically designed to simplify and streamline cloud infrastructure creation.|
-| [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01| Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management.|
+| [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01 | Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management. |
+| [Urmanac](https://urmanac.com) | @kingdonb | 2024-12-04 | Urmanac is the future home of a hosting platform for the knowledge base of a community of personal server enthusiasts. We use Cozystack to provide support services for web sites hosted using both conventional deployments and on SpinKube, with WASM. |

Makefile

@@ -6,6 +6,7 @@ build:
 	make -C packages/apps/mysql image
 	make -C packages/apps/clickhouse image
 	make -C packages/apps/kubernetes image
+	make -C packages/system/cozystack-api image
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
@@ -35,4 +36,4 @@ assets:
 test:
 	make -C packages/core/testing apply
 	make -C packages/core/testing test
-	make -C packages/core/testing delete
+	make -C packages/core/testing test-applications

api/api-rules/cozystack_api_violation_exceptions.list

@@ -0,0 +1,25 @@
+API rule violation: list_type_missing,github.com/aenix.io/cozystack/pkg/apis/apps/v1alpha1,ApplicationStatus,Conditions
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Ref
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Schema
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XEmbeddedResource
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XIntOrString
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XListMapKeys
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XListType
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XMapType
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XPreserveUnknownFields
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XValidations
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrArray,JSONSchemas
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrArray,Schema
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrBool,Allows
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrBool,Schema
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrStringArray,Property
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrStringArray,Schema
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Type
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,MicroTime,Time
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,StatusCause,Type
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Time,Time
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentEncoding
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentType

cmd/cozystack-api/main.go

@@ -0,0 +1,33 @@
+/*
+Copyright 2024 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"os"
+
+	"github.com/aenix.io/cozystack/pkg/cmd/server"
+	genericapiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/component-base/cli"
+)
+
+func main() {
+	ctx := genericapiserver.SetupSignalContext()
+	options := server.NewAppsServerOptions(os.Stdout, os.Stderr)
+	cmd := server.NewCommandStartAppsServer(ctx, options)
+	code := cli.Run(cmd)
+	os.Exit(code)
+}

go.mod

@@ -0,0 +1,113 @@
+// This is a generated file. Do not edit directly.
+
+module github.com/aenix.io/cozystack
+
+go 1.23.0
+
+require (
+	github.com/emicklei/go-restful/v3 v3.11.0
+	github.com/google/gofuzz v1.2.0
+	github.com/spf13/cobra v1.8.1
+	github.com/stretchr/testify v1.9.0
+	k8s.io/apiextensions-apiserver v0.31.2
+	k8s.io/apimachinery v0.31.2
+	k8s.io/apiserver v0.31.2
+	k8s.io/client-go v0.31.2
+	k8s.io/code-generator v0.31.2
+	k8s.io/component-base v0.31.2
+	k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1
+)
+
+require (
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fluxcd/helm-controller/api v1.1.0 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v1.6.1 // indirect
+	github.com/fluxcd/pkg/apis/meta v1.6.1 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/cel-go v0.21.0 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.16 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.16 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
+	go.opentelemetry.io/otel v1.28.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
+	go.opentelemetry.io/otel/metric v1.28.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/term v0.25.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
+	golang.org/x/tools v0.26.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
+	google.golang.org/grpc v1.65.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/api v0.31.2 // indirect
+	k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kms v0.31.2 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect
+	sigs.k8s.io/controller-runtime v0.19.0 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)

go.sum

@@ -0,0 +1,313 @@
+github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
+github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
+github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
+github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
+github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fluxcd/helm-controller/api v1.1.0 h1:NS5Wm3U6Kv4w7Cw2sDOV++vf2ecGfFV00x1+2Y3QcOY=
+github.com/fluxcd/helm-controller/api v1.1.0/go.mod h1:BgHMgMY6CWynzl4KIbHpd6Wpn3FN9BqgkwmvoKCp6iE=
+github.com/fluxcd/pkg/apis/kustomize v1.6.1 h1:22FJc69Mq4i8aCxnKPlddHhSMyI4UPkQkqiAdWFcqe0=
+github.com/fluxcd/pkg/apis/kustomize v1.6.1/go.mod h1:5dvQ4IZwz0hMGmuj8tTWGtarsuxW0rWsxJOwC6i+0V8=
+github.com/fluxcd/pkg/apis/meta v1.6.1 h1:maLhcRJ3P/70ArLCY/LF/YovkxXbX+6sTWZwZQBeNq0=
+github.com/fluxcd/pkg/apis/meta v1.6.1/go.mod h1:YndB/gxgGZmKfqpAfFxyCDNFJFP0ikpeJzs66jwq280=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
+github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/cel-go v0.21.0 h1:cl6uW/gxN+Hy50tNYvI691+sXxioCnstFzLp2WO4GCI=
+github.com/google/cel-go v0.21.0/go.mod h1:rHUlWCcBKgyEk+eV03RPdZUekPp6YcJwV0FxuUksYxc=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k=
+github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw=
+github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
+github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
+github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
+github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
+github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
+github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
+github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
+github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI=
+go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE=
+go.etcd.io/etcd/api/v3 v3.5.16 h1:WvmyJVbjWqK4R1E+B12RRHz3bRGy9XVfh++MgbN+6n0=
+go.etcd.io/etcd/api/v3 v3.5.16/go.mod h1:1P4SlIP/VwkDmGo3OlOD7faPeP8KDIFhqvciH5EfN28=
+go.etcd.io/etcd/client/pkg/v3 v3.5.16 h1:ZgY48uH6UvB+/7R9Yf4x574uCO3jIx0TRDyetSfId3Q=
+go.etcd.io/etcd/client/pkg/v3 v3.5.16/go.mod h1:V8acl8pcEK0Y2g19YlOV9m9ssUe6MgiDSobSoaBAM0E=
+go.etcd.io/etcd/client/v2 v2.305.13 h1:RWfV1SX5jTU0lbCvpVQe3iPQeAHETWdOTb6pxhd77C8=
+go.etcd.io/etcd/client/v2 v2.305.13/go.mod h1:iQnL7fepbiomdXMb3om1rHq96htNNGv2sJkEcZGDRRg=
+go.etcd.io/etcd/client/v3 v3.5.16 h1:sSmVYOAHeC9doqi0gv7v86oY/BTld0SEFGaxsU9eRhE=
+go.etcd.io/etcd/client/v3 v3.5.16/go.mod h1:X+rExSGkyqxvu276cr2OwPLBaeqFu1cIl4vmRjAD/50=
+go.etcd.io/etcd/pkg/v3 v3.5.13 h1:st9bDWNsKkBNpP4PR1MvM/9NqUPfvYZx/YXegsYEH8M=
+go.etcd.io/etcd/pkg/v3 v3.5.13/go.mod h1:N+4PLrp7agI/Viy+dUYpX7iRtSPvKq+w8Y14d1vX+m0=
+go.etcd.io/etcd/raft/v3 v3.5.13 h1:7r/NKAOups1YnKcfro2RvGGo2PTuizF/xh26Z2CTAzA=
+go.etcd.io/etcd/raft/v3 v3.5.13/go.mod h1:uUFibGLn2Ksm2URMxN1fICGhk8Wu96EfDQyuLhAcAmw=
+go.etcd.io/etcd/server/v3 v3.5.13 h1:V6KG+yMfMSqWt+lGnhFpP5z5dRUj1BDRJ5k1fQ9DFok=
+go.etcd.io/etcd/server/v3 v3.5.13/go.mod h1:K/8nbsGupHqmr5MkgaZpLlH1QdX1pcNQLAkODy44XcQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
+go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
+go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
+go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
+go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
+go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
+go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
+go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
+go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
+golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY=
+google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
+google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw=
+google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
+google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
+gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
+gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0=
+k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk=
+k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0=
+k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM=
+k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=
+k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4=
+k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE=
+k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=
+k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs=
+k8s.io/code-generator v0.31.2 h1:xLWxG0HEpMSHfcM//3u3Ro2Hmc6AyyLINQS//Z2GEOI=
+k8s.io/code-generator v0.31.2/go.mod h1:eEQHXgBU/m7LDaToDoiz3t97dUUVyOblQdwOr8rivqc=
+k8s.io/component-base v0.31.2 h1:Z1J1LIaC0AV+nzcPRFqfK09af6bZ4D1nAOpWsy9owlA=
+k8s.io/component-base v0.31.2/go.mod h1:9PeyyFN/drHjtJZMCTkSpQJS3U9OXORnHQqMLDz0sUQ=
+k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 h1:si3PfKm8dDYxgfbeA6orqrtLkvvIeH8UqffFJDl0bz4=
+k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kms v0.31.2 h1:pyx7l2qVOkClzFMIWMVF/FxsSkgd+OIGH7DecpbscJI=
+k8s.io/kms v0.31.2/go.mod h1:OZKwl1fan3n3N5FFxnW5C4V3ygrah/3YXeJWS3O6+94=
+k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2 h1:GKE9U8BH16uynoxQii0auTjmmmuZ3O0LFMN6S0lPPhI=
+k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2/go.mod h1:coRQXBK9NxO98XUv3ZD6AK3xzHCxV6+b7lrquKwaKzA=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 h1:CPT0ExVicCzcpeN4baWEV2ko2Z/AsiZgEdwgcfwLgMo=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
+sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
+sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

hack/boilerplate.go.txt

@@ -0,0 +1,16 @@
+/*
+Copyright 2024 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+

hack/e2e.application.sh

@@ -9,15 +9,29 @@ YELLOW='\033[0;33m'
 ROOT_NS="tenant-root"
 TEST_TENANT="tenant-e2e"
 
-function clean() {
-    kubectl delete helmrelease.helm.toolkit.fluxcd.io $TEST_TENANT -n $ROOT_NS
-    if true; then
-        echo -e "${GREEN}Cleanup successful!${RESET}"
-        return 0
-    else
-        echo -e "${RED}Cleanup failed!${RESET}"
-        return 1
+values_base_path="/hack/testdata/"
+checks_base_path="/hack/testdata/"
+
+function delete_hr() {
+    local release_name="$1"
+    local namespace="$2"
+
+    if [[ -z "$release_name" ]]; then
+        echo -e "${RED}Error: Release name is required.${RESET}"
+        exit 1
     fi
+
+    if [[ -z "$namespace" ]]; then
+        echo -e "${RED}Error: Namespace name is required.${RESET}"
+        exit 1
+    fi
+
+    if [[ "$release_name" == "tenant-e2e" ]]; then
+        echo -e "${YELLOW}Skipping deletion for release tenant-e2e.${RESET}"
+        return 0
+    fi
+
+    kubectl delete helmrelease $release_name -n $namespace
 }
 
 function install_helmrelease() {
@@ -43,6 +57,11 @@ function install_helmrelease() {
         exit 1
     fi
 
+    if [[ -n "$values_file" && -f "$values_file" ]]; then
+        local values_section
+        values_section=$(echo "  values:" && sed 's/^/    /' "$values_file")
+    fi
+
     local helmrelease_file=$(mktemp /tmp/HelmRelease.XXXXXX.yaml)
     {
         echo "apiVersion: helm.toolkit.fluxcd.io/v2"
@@ -64,11 +83,7 @@ function install_helmrelease() {
         echo "      version: '*'"
         echo "  interval: 1m0s"
         echo "  timeout: 5m0s"
-
-        if [[ -n "$values_file" && -f "$values_file" ]]; then
-            echo "  values:"
-            cat "$values_file" | sed 's/^/    /'
-        fi
+        [[ -n "$values_section" ]] && echo "$values_section"
     } > "$helmrelease_file"
 
     kubectl apply -f "$helmrelease_file"
@@ -79,26 +94,38 @@ function install_helmrelease() {
 function install_tenant (){
     local release_name="$1"
     local namespace="$2"
-    local values_file="${3:-tenant.yaml}"
+    local values_file="${values_base_path}tenant/values.yaml"
     local repo_name="cozystack-apps"
     local repo_ns="cozy-public"
-
     install_helmrelease "$release_name" "$namespace" "tenant" "$repo_name" "$repo_ns" "$values_file"
 }
 
+function make_extra_checks(){
+    local checks_file="$1"
+    echo "after exec make $checks_file"
+    if [[ -n "$checks_file" && -f "$checks_file" ]]; then
+        echo -e "${YELLOW}Start extra checks with file: ${checks_file}${RESET}"
+
+    fi
+}
+
 function check_helmrelease_status() {
     local release_name="$1"
     local namespace="$2"
+    local checks_file="$3"
     local timeout=300  # Timeout in seconds
     local interval=5   # Interval between checks in seconds
     local elapsed=0
 
+
     while [[ $elapsed -lt $timeout ]]; do
         local status_output
         status_output=$(kubectl get helmrelease "$release_name" -n "$namespace" -o json | jq -r '.status.conditions[-1].reason')
 
-        if [[ "$status_output" == "InstallSucceeded" ]]; then
+        if [[ "$status_output" == "InstallSucceeded" || "$status_output" == "UpgradeSucceeded" ]]; then
             echo -e "${GREEN}Helm release '$release_name' is ready.${RESET}"
+            make_extra_checks "$checks_file"
+            delete_hr $release_name $namespace
             return 0
         elif [[ "$status_output" == "InstallFailed" ]]; then
           echo -e "${RED}Helm release '$release_name': InstallFailed${RESET}"
@@ -122,14 +149,17 @@ if [ -z "$chart_name" ]; then
     exit 1
 fi
 
-echo "Running tests for chart: $chart_name"
-install_tenant $TEST_TENANT $ROOT_NS
-check_helmrelease_status $TEST_TENANT $ROOT_NS
 
+checks_file="${checks_base_path}${chart_name}/check.sh"
 repo_name="cozystack-apps"
 repo_ns="cozy-public"
-
 release_name="$chart_name-e2e"
-install_helmrelease "$release_name" "$TEST_TENANT" "$chart_name" "$repo_name" "$repo_ns"
+values_file="${values_base_path}${chart_name}/values.yaml"
 
-check_helmrelease_status "$release_name" "$TEST_TENANT"
+install_tenant $TEST_TENANT $ROOT_NS
+check_helmrelease_status $TEST_TENANT $ROOT_NS "${checks_base_path}tenant/check.sh"
+
+echo -e "${YELLOW}Running tests for chart: $chart_name${RESET}"
+
+install_helmrelease $release_name $TEST_TENANT $chart_name $repo_name $repo_ns $values_file
+check_helmrelease_status $release_name $TEST_TENANT $checks_file

hack/e2e.sh

@@ -114,7 +114,7 @@ machine:
     - name: zfs
     - name: spl
   install:
-    image: ghcr.io/aenix-io/cozystack/talos:v1.8.1
+    image: ghcr.io/aenix-io/cozystack/talos:v1.8.3
   files:
   - content: |
       [plugins]
@@ -124,6 +124,12 @@ machine:
     op: create
 
 cluster:
+  apiServer:
+    extraArgs:
+      oidc-issuer-url: "https://keycloak.example.org/realms/cozy"
+      oidc-client-id: "kubernetes"
+      oidc-username-claim: "preferred_username"
+      oidc-groups-claim: "groups"
   network:
     cni:
       name: none
@@ -179,10 +185,11 @@ talosctl apply -f controlplane.yaml -n 192.168.123.13 -e 192.168.123.13 -i
 timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 50000 && nc -nzv 192.168.123.13 50000; do sleep 1; done'
 
 # Bootstrap
-talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11
+timeout 10 sh -c 'until talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11; do sleep 1; done'
 
 # Wait for etcd
-timeout 180 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
+timeout 180 sh -c 'until timeout -s 9 2 talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1; do sleep 1; done'
+timeout 60 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
 
 rm -f kubeconfig
 talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10
@@ -190,7 +197,7 @@ export KUBECONFIG=$PWD/kubeconfig
 
 # Wait for kubernetes nodes appear
 timeout 60 sh -c 'until [ $(kubectl get node -o name | wc -l) = 3 ]; do sleep 1; done'
-kubectl create ns cozy-system
+kubectl create ns cozy-system -o yaml | kubectl apply -f -
 kubectl create -f - <<\EOT
 apiVersion: v1
 kind: ConfigMap
@@ -203,6 +210,8 @@ data:
   ipv4-pod-gateway: "10.244.0.1"
   ipv4-svc-cidr: "10.96.0.0/16"
   ipv4-join-cidr: "100.64.0.0/16"
+  root-host: example.org
+  api-server-endpoint: https://192.168.123.10:6443
 EOT
 
 #
@@ -287,13 +296,13 @@ spec:
   avoidBuggyIPs: false
 EOT
 
-kubectl patch -n tenant-root hr/tenant-root --type=merge -p '{"spec":{ "values":{
+kubectl patch -n tenant-root tenants.apps.cozystack.io root --type=merge -p '{"spec":{
   "host": "example.org",
   "ingress": true,
   "monitoring": true,
   "etcd": true,
   "isolated": true
-}}}'
+}}'
 
 # Wait for HelmRelease be created
 timeout 60 sh -c 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root; do sleep 1; done'
@@ -301,9 +310,9 @@ timeout 60 sh -c 'until kubectl get hr -n tenant-root etcd ingress monitoring te
 # Wait for HelmReleases be installed
 kubectl wait --timeout=2m --for=condition=ready -n tenant-root hr etcd ingress monitoring tenant-root
 
-kubectl patch -n tenant-root hr/ingress --type=merge -p '{"spec":{ "values":{
+kubectl patch -n tenant-root ingresses.apps.cozystack.io ingress --type=merge -p '{"spec":{
   "dashboard": true
-}}}'
+}}'
 
 # Wait for nginx-ingress-controller
 timeout 60 sh -c 'until kubectl get deploy -n tenant-root root-ingress-controller; do sleep 1; done'
@@ -313,7 +322,7 @@ kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-i
 kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
 
 # Wait for Victoria metrics
-kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-longterm vmalert/vmalert-shortterm vmalertmanager/alertmanager
+kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-shortterm vmalertmanager/alertmanager
 kubectl wait --timeout=5m --for=jsonpath=.status.status=operational -n tenant-root vlogs/generic
 kubectl wait --timeout=5m --for=jsonpath=.status.clusterStatus=operational -n tenant-root vmcluster/shortterm vmcluster/longterm
 
@@ -326,3 +335,12 @@ ip=$(kubectl get svc -n tenant-root root-ingress-controller -o jsonpath='{.statu
 
 # Check Grafana
 curl -sS -k "https://$ip" -H 'Host: grafana.example.org' | grep Found
+
+
+# Test OIDC
+kubectl patch -n cozy-system cm/cozystack --type=merge -p '{"data":{
+  "oidc-enabled": "true"
+}}'
+
+timeout 60 sh -c 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator; do sleep 1; done'
+kubectl wait --timeout=10m --for=condition=ready -n cozy-keycloak hr keycloak keycloak-configure keycloak-operator

hack/testdata/http-cache/check.sh

@@ -0,0 +1 @@
+return 0

hack/testdata/http-cache/values.yaml

@@ -0,0 +1,2 @@
+endpoints:
+  - 8.8.8.8:443

hack/testdata/kubernetes/check.sh

@@ -0,0 +1 @@
+return 0

hack/testdata/kubernetes/values.yaml

@@ -0,0 +1,62 @@
+## @section Common parameters
+
+## @param host The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host).
+## @param controlPlane.replicas Number of replicas for Kubernetes contorl-plane components
+## @param storageClass StorageClass used to store user data
+##
+host: ""
+controlPlane:
+  replicas: 2
+storageClass: replicated
+
+## @param nodeGroups [object] nodeGroups configuration
+##
+nodeGroups:
+  md0:
+    minReplicas: 0
+    maxReplicas: 10
+    instanceType: "u1.medium"
+    ephemeralStorage: 20Gi
+    roles:
+    - ingress-nginx
+
+    resources:
+      cpu: ""
+      memory: ""
+
+## @section Cluster Addons
+##
+addons:
+
+  ## Cert-manager: automatically creates and manages SSL/TLS certificate
+  ##
+  certManager:
+    ## @param addons.certManager.enabled Enables the cert-manager
+    ## @param addons.certManager.valuesOverride Custom values to override
+    enabled: true
+    valuesOverride: {}
+
+  ## Ingress-NGINX Controller
+  ##
+  ingressNginx:
+    ## @param addons.ingressNginx.enabled Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)
+    ## @param addons.ingressNginx.valuesOverride Custom values to override
+    ##
+    enabled: true
+    ## @param addons.ingressNginx.hosts List of domain names that should be passed through to the cluster by upper cluster
+    ## e.g:
+    ## hosts:
+    ## - example.org
+    ## - foo.example.net
+    ##
+    hosts: []
+    valuesOverride: {}
+
+  ## Flux CD
+  ##
+  fluxcd:
+    ## @param addons.fluxcd.enabled Enables Flux CD
+    ## @param addons.fluxcd.valuesOverride Custom values to override
+    ##
+    enabled: true
+    valuesOverride: {}

hack/testdata/nats/check.sh

@@ -0,0 +1 @@
+return 0

hack/testdata/nats/values.yaml

@@ -0,0 +1,10 @@
+
+## @section Common parameters
+
+## @param external Enable external access from outside the cluster
+## @param replicas Persistent Volume size for NATS
+## @param storageClass StorageClass used to store the data
+##
+external: false
+replicas: 2
+storageClass: ""

hack/testdata/tenant/check.sh

@@ -0,0 +1 @@
+return 0

hack/update-codegen.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 The Cozystack Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; ls -d -1 ./vendor/k8s.io/code-generator 2>/dev/null || echo ../code-generator)}
+API_KNOWN_VIOLATIONS_DIR="${API_KNOWN_VIOLATIONS_DIR:-"${SCRIPT_ROOT}/api/api-rules"}"
+UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS:-true}"
+
+source "${CODEGEN_PKG}/kube_codegen.sh"
+
+THIS_PKG="k8s.io/sample-apiserver"
+
+kube::codegen::gen_helpers \
+    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
+    "${SCRIPT_ROOT}/pkg/apis"
+
+if [[ -n "${API_KNOWN_VIOLATIONS_DIR:-}" ]]; then
+    report_filename="${API_KNOWN_VIOLATIONS_DIR}/cozystack_api_violation_exceptions.list"
+    if [[ "${UPDATE_API_KNOWN_VIOLATIONS:-}" == "true" ]]; then
+        update_report="--update-report"
+    fi
+fi
+
+kube::codegen::gen_openapi \
+    --extra-pkgs "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" \
+    --output-dir "${SCRIPT_ROOT}/pkg/generated/openapi" \
+    --output-pkg "${THIS_PKG}/pkg/generated/openapi" \
+    --report-filename "${report_filename:-"/dev/null"}" \
+    ${update_report:+"${update_report}"} \
+    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
+    "${SCRIPT_ROOT}/pkg/apis"

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.17.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.20.2"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.17.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.20.2"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.6.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.0@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61
+ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61

packages/apps/clickhouse/templates/dashboard-resourcemap.yaml

@@ -8,7 +8,7 @@ rules:
   resources:
   - services
   resourceNames:
-  - chi-clickhouse-test-clickhouse-0-0
+  - chendpoint-{{ .Release.Name }}
   verbs: ["get", "list", "watch"]
 - apiGroups:
   - ""

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:406d2c5a30fa8b6fe10eab3cba45c06fea3876e81fd123ead6dc3c19347762d0

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:b2b586194d17ca4dc71544971c775ad6878048087290030b8f096d481f57d1f7
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:27112d470a31725b75b29b29919af06b4ce1339e3b502b08889a92ab7099adde

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.3.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}-kafka-bootstrap
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-clients-ca
+  verbs: ["get", "list", "watch"]

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.13.0
+version: 0.14.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.13.0@sha256:7f617de5a24de790a15d9e97c6287ff2b390922e6e74c7a665cbf498f634514d
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.1@sha256:b63293bc295e8c04574900bb711ebfe51db6774beb6bc3a58791562ec11b406b

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.13.0@sha256:b9dc8e5f0296146b37b332b07b8cd74d1b0308786160b161c670c55005d3dbe9
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.1@sha256:c0561a342e6b55d066f3363182f442e8fa30a0b6b448d89d15a1a855c999b98e

packages/apps/kubernetes/images/kubevirt-cloud-provider/Dockerfile

@@ -3,13 +3,14 @@ FROM --platform=linux/amd64 golang:1.20.6 AS builder
 
 RUN git clone https://github.com/kubevirt/cloud-provider-kubevirt /go/src/kubevirt.io/cloud-provider-kubevirt \
  && cd /go/src/kubevirt.io/cloud-provider-kubevirt \
- && git checkout adbd6c27468b86b020cf38490e84f124ef24ab62
+ && git checkout da9e0cf
 
 WORKDIR /go/src/kubevirt.io/cloud-provider-kubevirt
 
-# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/291
+# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/335
+# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/336
 ADD patches /patches
-RUN git apply /patches/external-traffic-policy-local.diff
+RUN git apply /patches/*.diff
 RUN go get 'k8s.io/endpointslice/util@v0.28' 'k8s.io/apiserver@v0.28'
 RUN go mod tidy
 RUN go mod vendor

packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/335.diff

@@ -0,0 +1,20 @@
+diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
+index a3c1aa33..95c31438 100644
+--- a/pkg/controller/kubevirteps/kubevirteps_controller.go
++++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
+@@ -412,11 +412,11 @@ func (c *Controller) reconcileByAddressType(service *v1.Service, tenantSlices []
+ 	// Create the desired port configuration
+ 	var desiredPorts []discovery.EndpointPort
+ 
+-	for _, port := range service.Spec.Ports {
++	for i := range service.Spec.Ports {
+ 		desiredPorts = append(desiredPorts, discovery.EndpointPort{
+-			Port:     &port.TargetPort.IntVal,
+-			Protocol: &port.Protocol,
+-			Name:     &port.Name,
++			Port:     &service.Spec.Ports[i].TargetPort.IntVal,
++			Protocol: &service.Spec.Ports[i].Protocol,
++			Name:     &service.Spec.Ports[i].Name,
+ 		})
+ 	}
+ 

packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/336.diff

@@ -0,0 +1,129 @@
+diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
+index a3c1aa33..6f6e3d32 100644
+--- a/pkg/controller/kubevirteps/kubevirteps_controller.go
++++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
+@@ -108,32 +108,24 @@ func newRequest(reqType ReqType, obj interface{}, oldObj interface{}) *Request {
+ }
+ 
+ func (c *Controller) Init() error {
+-
+-	// Act on events from Services on the infra cluster. These are created by the EnsureLoadBalancer function.
+-	// We need to watch for these events so that we can update the EndpointSlices in the infra cluster accordingly.
++	// Existing Service event handlers...
+ 	_, err := c.infraFactory.Core().V1().Services().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+ 		AddFunc: func(obj interface{}) {
+-			// cast obj to Service
+ 			svc := obj.(*v1.Service)
+-			// Only act on Services of type LoadBalancer
+ 			if svc.Spec.Type == v1.ServiceTypeLoadBalancer {
+ 				klog.Infof("Service added: %v/%v", svc.Namespace, svc.Name)
+ 				c.queue.Add(newRequest(AddReq, obj, nil))
+ 			}
+ 		},
+ 		UpdateFunc: func(oldObj, newObj interface{}) {
+-			// cast obj to Service
+ 			newSvc := newObj.(*v1.Service)
+-			// Only act on Services of type LoadBalancer
+ 			if newSvc.Spec.Type == v1.ServiceTypeLoadBalancer {
+ 				klog.Infof("Service updated: %v/%v", newSvc.Namespace, newSvc.Name)
+ 				c.queue.Add(newRequest(UpdateReq, newObj, oldObj))
+ 			}
+ 		},
+ 		DeleteFunc: func(obj interface{}) {
+-			// cast obj to Service
+ 			svc := obj.(*v1.Service)
+-			// Only act on Services of type LoadBalancer
+ 			if svc.Spec.Type == v1.ServiceTypeLoadBalancer {
+ 				klog.Infof("Service deleted: %v/%v", svc.Namespace, svc.Name)
+ 				c.queue.Add(newRequest(DeleteReq, obj, nil))
+@@ -144,7 +136,7 @@ func (c *Controller) Init() error {
+ 		return err
+ 	}
+ 
+-	// Monitor endpoint slices that we are interested in based on known services in the infra cluster
++	// Existing EndpointSlice event handlers in tenant cluster...
+ 	_, err = c.tenantFactory.Discovery().V1().EndpointSlices().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+ 		AddFunc: func(obj interface{}) {
+ 			eps := obj.(*discovery.EndpointSlice)
+@@ -194,10 +186,80 @@ func (c *Controller) Init() error {
+ 		return err
+ 	}
+ 
+-	//TODO: Add informer for EndpointSlices in the infra cluster to watch for (unwanted) changes
++	// Add an informer for EndpointSlices in the infra cluster
++	_, err = c.infraFactory.Discovery().V1().EndpointSlices().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
++		AddFunc: func(obj interface{}) {
++			eps := obj.(*discovery.EndpointSlice)
++			if c.managedByController(eps) {
++				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
++				if svcErr != nil {
++					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s: %v", eps.Namespace, eps.Name, svcErr)
++					return
++				}
++				if svc != nil {
++					klog.Infof("Infra EndpointSlice added: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
++					c.queue.Add(newRequest(AddReq, svc, nil))
++				}
++			}
++		},
++		UpdateFunc: func(oldObj, newObj interface{}) {
++			eps := newObj.(*discovery.EndpointSlice)
++			if c.managedByController(eps) {
++				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
++				if svcErr != nil {
++					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s: %v", eps.Namespace, eps.Name, svcErr)
++					return
++				}
++				if svc != nil {
++					klog.Infof("Infra EndpointSlice updated: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
++					c.queue.Add(newRequest(UpdateReq, svc, nil))
++				}
++			}
++		},
++		DeleteFunc: func(obj interface{}) {
++			eps := obj.(*discovery.EndpointSlice)
++			if c.managedByController(eps) {
++				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
++				if svcErr != nil {
++					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s on delete: %v", eps.Namespace, eps.Name, svcErr)
++					return
++				}
++				if svc != nil {
++					klog.Infof("Infra EndpointSlice deleted: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
++					c.queue.Add(newRequest(DeleteReq, svc, nil))
++				}
++			}
++		},
++	})
++	if err != nil {
++		return err
++	}
++
+ 	return nil
+ }
+ 
++// getInfraServiceForEPS returns the Service in the infra cluster associated with the given EndpointSlice.
++// It does this by reading the "kubernetes.io/service-name" label from the EndpointSlice, which should correspond
++// to the Service name. If not found or if the Service doesn't exist, it returns nil.
++func (c *Controller) getInfraServiceForEPS(ctx context.Context, eps *discovery.EndpointSlice) (*v1.Service, error) {
++	svcName := eps.Labels[discovery.LabelServiceName]
++	if svcName == "" {
++		// No service name label found, can't determine infra service.
++		return nil, nil
++	}
++
++	svc, err := c.infraClient.CoreV1().Services(c.infraNamespace).Get(ctx, svcName, metav1.GetOptions{})
++	if err != nil {
++		if k8serrors.IsNotFound(err) {
++			// Service doesn't exist
++			return nil, nil
++		}
++		return nil, err
++	}
++
++	return svc, nil
++}
++
+ // Run starts an asynchronous loop that monitors and updates GKENetworkParamSet in the cluster.
+ func (c *Controller) Run(numWorkers int, stopCh <-chan struct{}, controllerManagerMetrics *controllersmetrics.ControllerManagerMetrics) {
+ 	defer utilruntime.HandleCrash()

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.13.0@sha256:1c96280e10becb858cb5f781a278f383319514f803c8e5fe401e0ef291f65821
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.1@sha256:4b84a077e7f1b75bdf8b272c8f147e4ef3b67b9bea83383a399e9149868384ac

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:422e2078ebb24b4c327edefaad6dc9b3c8f6cf0cab3d8286c4f2b27ecf8b8466
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:91ec9c31472f8e94ae5f6f5a2568058eb28b3f57ab7e203d8d4a0993911fffc3

packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml

@@ -0,0 +1,54 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-cert-manager-crds
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: cert-manager-crds
+  chart:
+    spec:
+      chart: cozy-cert-manager-crds
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-cert-manager-crds
+  storageNamespace: cozy-cert-manager-crds
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  {{- if .Values.addons.certManager.valuesOverride }}
+  valuesFrom:
+  - kind: Secret
+    name: {{ .Release.Name }}-cert-manager-crds-values-override
+    valuesKey: values
+  {{- end }}
+
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+{{- if .Values.addons.certManager.valuesOverride }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-cert-manager-crds-values-override
+stringData:
+  values: |
+    {{- toYaml .Values.addons.certManager.valuesOverride | nindent 4 }}
+{{- end }}

packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml

@@ -43,6 +43,8 @@ spec:
   {{- end }}
   - name: {{ .Release.Name }}-cilium
     namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-cert-manager-crds
+    namespace: {{ .Release.Namespace }}
 {{- end }}
 {{- if .Values.addons.certManager.valuesOverride }}
 ---

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

@@ -0,0 +1,105 @@
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $targetTenant := index $myNS.metadata.annotations "namespace.cozystack.io/monitoring" }}
+{{- if .Values.addons.monitoringAgents.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-monitoring-agents
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: cozy-monitoring-agents
+  chart:
+    spec:
+      chart: cozy-monitoring-agents
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-monitoring-agents
+  storageNamespace: cozy-monitoring-agents
+  install:
+    createNamespace: true
+    timeout: "300s"
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-cozy-victoria-metrics-operator
+    namespace: {{ .Release.Namespace }}
+  values:
+    vmagent:
+      externalLabels:
+        cluster: {{ .Release.Name }}
+        tenant: {{ .Release.Namespace }}
+      remoteWrite:
+        url: http://vminsert-shortterm.{{ $targetTenant }}.svc:8480/insert/0/prometheus
+
+    fluent-bit:
+      readinessProbe:
+        httpGet:
+          path: /
+      daemonSetVolumes:
+        - name: varlog
+          hostPath:
+            path: /var/log
+        - name: varlibdockercontainers
+          hostPath:
+            path: /var/lib/docker/containers
+      daemonSetVolumeMounts:
+        - name: varlog
+          mountPath: /var/log
+        - name: varlibdockercontainers
+          mountPath: /var/lib/docker/containers
+          readOnly: true
+      config:
+        outputs: |
+          [OUTPUT]
+              Name http
+              Match kube.*
+              Host vlogs-generic.{{ $targetTenant }}.svc
+              port 9428
+              compress gzip
+              uri /insert/jsonline?_stream_fields=stream,kubernetes_pod_name,kubernetes_container_name,kubernetes_namespace_name&_msg_field=log&_time_field=date
+              format json_lines
+              json_date_format iso8601
+              header AccountID 0
+              header ProjectID 0
+        filters: |
+          [FILTER]
+              Name kubernetes
+              Match kube.*
+              Merge_Log On
+              Keep_Log On
+              K8S-Logging.Parser On
+              K8S-Logging.Exclude On
+          [FILTER]
+              Name                nest
+              Match               *
+              Wildcard            pod_name
+              Operation lift
+              Nested_under kubernetes
+              Add_prefix   kubernetes_
+          [FILTER]
+              Name modify
+              Match *
+              Add tenant {{ .Release.Namespace }}
+          [FILTER]
+              Name modify
+              Match *
+              Add cluster {{ .Release.Name }}
+{{- end }}

packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.addons.monitoringAgents.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-cozy-victoria-metrics-operator
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: cozy-victoria-metrics-operator
+  chart:
+    spec:
+      chart: cozy-victoria-metrics-operator
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-victoria-metrics-operator
+  storageNamespace: cozy-victoria-metrics-operator
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+  - name: {{ .Release.Name }}-cert-manager-crds
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/apps/kubernetes/values.schema.json

@@ -75,8 +75,23 @@
                             "default": {}
                         }
                     }
+                },
+                "monitoringAgents": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean",
+                            "description": "Enables MonitoringAgents (fluentbit, vmagents for sending logs and metrics to storage) if tenant monitoring enabled, send to tenant storage, else to root storage",
+                            "default": false
+                        },
+                        "valuesOverride": {
+                            "type": "object",
+                            "description": "Custom values to override",
+                            "default": {}
+                        }
+                    }
                 }
             }
         }
     }
-}
+}

packages/apps/kubernetes/values.yaml

@@ -60,3 +60,12 @@ addons:
     ##
     enabled: false
     valuesOverride: {}
+
+  ## MonitoringAgents
+  ##
+  monitoringAgents:
+    ## @param addons.monitoringAgents.enabled Enables MonitoringAgents (fluentbit, vmagents for sending logs and metrics to storage) if tenant monitoring enabled, send to tenant storage, else to root storage
+    ## @param addons.monitoringAgents.valuesOverride Custom values to override
+    ##
+    enabled: false
+    valuesOverride: {}

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:793edb25a29cbc00781e40af883815ca36937e736e2b0d202ea9c9619fb6ca11
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:f6435ce02b1bf4d7b2422676e84bc2299725ed2cfb93922e40f40a695d54b9d3

packages/apps/nats/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/nats/README.md

@@ -4,9 +4,13 @@
 
 ### Common parameters
 
-| Name           | Description                                     | Value   |
-| -------------- | ----------------------------------------------- | ------- |
-| `external`     | Enable external access from outside the cluster | `false` |
-| `replicas`     | Persistent Volume size for NATS                 | `2`     |
-| `storageClass` | StorageClass used to store the data             | `""`    |
-
+| Name                | Description                                        | Value   |
+| ------------------- | -------------------------------------------------- | ------- |
+| `external`          | Enable external access from outside the cluster    | `false` |
+| `replicas`          | Persistent Volume size for NATS                    | `2`     |
+| `storageClass`      | StorageClass used to store the data                | `""`    |
+| `users`             | Users configuration                                | `{}`    |
+| `jetstream.size`    | Jetstream persistent storage size                  | `10Gi`  |
+| `jetstream.enabled` | Enable or disable Jetstream                        | `true`  |
+| `config.merge`      | Additional configuration to merge into NATS config | `{}`    |
+| `config.resolver`   | Additional configuration to merge into NATS config | `{}`    |

packages/apps/nats/templates/nats.yaml

@@ -1,3 +1,25 @@
+{{- $passwords := dict }}
+{{- range $user, $u := .Values.users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.users }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+{{- end }}
+
+---
+
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -18,6 +40,25 @@ spec:
     nats:
       fullnameOverride: {{ .Release.Name }}
       config:
+        {{- if or (gt (len $passwords) 0) (gt (len .Values.config.merge) 0) }}
+        merge:
+          {{- if gt (len $passwords) 0 }}
+          accounts:
+            A:
+              users:
+                {{- range $username, $password := $passwords }}
+                - user: "{{ $username }}"
+                  password: "{{ $password }}"
+                {{- end }}
+          {{- end }}
+          {{- if and .Values.config (hasKey .Values.config "merge") }}
+          {{ toYaml .Values.config.merge | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- if and .Values.config (hasKey .Values.config "resolver") }}
+        resolver:
+          {{ toYaml .Values.config.resolver | nindent 12 }}
+        {{- end }}
         cluster:
           enabled: true
           replicas: {{ .Values.replicas }}
@@ -26,10 +67,10 @@ spec:
         jetstream:
           enabled: true
           fileStore:
-            enabled: true
+            enabled: {{ .Values.jetstream.enabled }}
             pvc:
               enabled: true
-              size: 10Gi
+              size: {{ .Values.jetstream.size }}
               {{- with .Values.storageClass }}
               storageClassName: {{ . }}
               {{- end }}

packages/apps/nats/templates/resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/nats/values.schema.json

@@ -16,6 +16,36 @@
             "type": "string",
             "description": "StorageClass used to store the data",
             "default": ""
+        },
+        "jetstream": {
+            "type": "object",
+            "properties": {
+                "size": {
+                    "type": "string",
+                    "description": "Jetstream persistent storage size",
+                    "default": "10Gi"
+                },
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Enable or disable Jetstream",
+                    "default": true
+                }
+            }
+        },
+        "config": {
+            "type": "object",
+            "properties": {
+                "merge": {
+                    "type": "object",
+                    "description": "Additional configuration to merge into NATS config",
+                    "default": {}
+                },
+                "resolver": {
+                    "type": "object",
+                    "description": "Additional configuration to merge into NATS config",
+                    "default": {}
+                }
+            }
         }
     }
 }

packages/apps/nats/values.yaml

@@ -8,3 +8,56 @@
 external: false
 replicas: 2
 storageClass: ""
+## @param users [object] Users configuration
+## Example:
+## users:
+##   user1:
+##     password: strongpassword
+##   user2: {}
+users: {}
+
+jetstream:
+  ## @param jetstream.size Jetstream persistent storage size
+  ## Specifies the size of the persistent storage for Jetstream (message store).
+  ## Default: 10Gi
+  size: 10Gi
+
+  ## @param jetstream.enabled Enable or disable Jetstream
+  ## Set to true to enable Jetstream for persistent messaging in NATS.
+  ## Default: true
+  enabled: true
+
+config:
+  ## @param config.merge Additional configuration to merge into NATS config
+  ## Allows you to customize NATS server settings by merging additional configurations.
+  ## For example, you can add extra parameters, configure authentication, or set custom settings.
+  ## Default: {}
+  ## example:
+  ##
+  ##   merge:
+  ##     $include: ./my-config.conf
+  ##     zzz$include: ./my-config-last.conf
+  ##     server_name: nats
+  ##     authorization:
+  ##       token: << $TOKEN >>
+  ##     jetstream:
+  ##       max_memory_store: << 1GB >>
+  ##
+  ## will yield the config:
+  ## {
+  ##   include ./my-config.conf;
+  ##   "authorization": {
+  ##     "token": $TOKEN
+  ##   },
+  ##   "jetstream": {
+  ##     "max_memory_store": 1GB
+  ##   },
+  ##   "server_name": "nats",
+  ##   include ./my-config-last.conf;
+  ## }
+  merge: {}
+  ## @param config.resolver Additional configuration to merge into NATS config
+  ## Allows you to customize NATS server settings by merging resolver configurations.
+  ## Default: {}
+  ## Example see: https://github.com/nats-io/k8s/blob/main/helm/charts/nats/values.yaml#L247
+  resolver: {}

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:406d2c5a30fa8b6fe10eab3cba45c06fea3876e81fd123ead6dc3c19347762d0

packages/apps/postgres/values.schema.json

@@ -103,4 +103,4 @@
             }
         }
     }
-}
+}

packages/apps/redis/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.3.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/redis/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - rfs-{{ .Release.Name }}
+  - rfrm-{{ .Release.Name }}
+  - rfrs-{{ .Release.Name }}
+  - "{{ .Release.Name }}-external-lb"
+  verbs: ["get", "list", "watch"]

packages/apps/redis/templates/redisfailover.yaml

@@ -20,7 +20,6 @@ spec:
         cpu: 150m
         memory: 400Mi
       limits:
-        cpu: 2
         memory: 1000Mi
     {{- with .Values.size }}
     storage:
@@ -37,7 +36,7 @@ spec:
           storageClassName: {{ . }}
           {{- end }}
     {{- end }}
-    exporter: 
+    exporter:
       enabled: true
       image: oliver006/redis_exporter:v1.55.0-alpine
       args:

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.5.0
+version: 1.6.2

packages/apps/tenant/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tenant.name" . }}-dashboard-resources
+  namespace: {{ .Release.namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - kubeconfig-{{ include "tenant.name" . }}
+  verbs: ["get", "list", "watch"]

packages/apps/tenant/templates/keycloakgroups.yaml

@@ -0,0 +1,53 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
+{{- if $oidcEnabled }}
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-view
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-view
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+
+---
+
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-use
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-use
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+
+---
+
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-admin
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+
+---
+
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-super-admin
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+{{- end }}

packages/apps/tenant/templates/kubeconfig.yaml

@@ -0,0 +1,44 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- $k8sClientSecret := lookup "v1" "Secret" "cozy-keycloak" "k8s-client" }}
+
+{{- if $k8sClientSecret }}
+{{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
+{{- $k8sClient := index $k8sClientSecret.data "client-secret-key" | b64dec }}
+{{- $rootSaConfigMap := lookup "v1" "ConfigMap" "kube-system" "kube-root-ca.crt" }}
+{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc  }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubeconfig-{{ include "tenant.name" . }}
+  namespace: tenant-root
+stringData:
+  kubeconfig: |
+    apiVersion: v1
+    clusters:
+    - cluster:
+        server: {{ $apiServerEndpoint }}
+        certificate-authority-data: {{ $k8sCa }}
+      name: cluster
+    contexts:
+    - context:
+        cluster: cluster
+        namespace: {{ include "tenant.name" . }}
+        user: keycloak
+      name: {{ include "tenant.name" . }}
+    current-context: {{ include "tenant.name" . }}
+    users:
+    - name: keycloak
+      user:
+        exec:
+          apiVersion: client.authentication.k8s.io/v1beta1
+          args:
+          - oidc-login
+          - get-token
+          - --oidc-issuer-url=https://keycloak.{{ $host }}/realms/cozy
+          - --oidc-client-id=kubernetes
+          - --oidc-client-secret={{ $k8sClient }}
+          - --skip-open-browser
+          command: kubectl
+{{- end }}

packages/apps/tenant/templates/networkpolicy.yaml

@@ -159,6 +159,18 @@ spec:
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
+metadata:
+  name: allow-to-keycloak
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  egress:
+  - toEndpoints:
+      - matchLabels:
+          "k8s:io.kubernetes.pod.namespace": cozy-keycloak
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
 metadata:
   name: allow-to-cdi-upload-proxy
   namespace: {{ include "tenant.name" . }}

packages/apps/tenant/templates/tenant.yaml

@@ -75,16 +75,361 @@ rules:
   resources: ["helmcharts"]
   verbs: ["*"]
 ---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-view
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+    verbs:
+      - get
+  - apiGroups:
+      - apps.cozystack.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - helm.toolkit.fluxcd.io
+    resources:
+      - helmreleases
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+
+---
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-view
+  namespace: {{ include "tenant.name" . }}
+subjects:
+  - kind: Group
+    name: {{ include "tenant.name" . }}-view
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-view
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-use
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: [rbac.authorization.k8s.io]
+    resources:
+    - roles
+    verbs:
+    - get
+  - apiGroups: ["apps.cozystack.io"]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources:
+    - helmreleases
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups: [""]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+    - ingresses
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+    - virtualmachineinstances/console
+    - virtualmachineinstances/vnc
+    verbs:
+    - get
+    - list
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-use
+  namespace: {{ include "tenant.name" . }}
+subjects:
+  - kind: Group
+    name: {{ include "tenant.name" . }}-use
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-use
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: [rbac.authorization.k8s.io]
+    resources:
+    - roles
+    verbs:
+    - get
+  - apiGroups: [""]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+    - delete
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources:
+    - helmreleases
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups: ["kubevirt.io"]
+    resources:
+    - virtualmachines
+    verbs:
+    - get
+    - list
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+    - virtualmachineinstances/console
+    - virtualmachineinstances/vnc
+    verbs:
+    - get
+    - list
+  - apiGroups: ["apps.cozystack.io"]
+    resources:
+    - buckets
+    - clickhouses
+    - ferretdb
+    - foos
+    - httpcaches
+    - kafkas
+    - kuberneteses
+    - mysqls
+    - natses
+    - postgreses
+    - rabbitmqs
+    - redises
+    - seaweedfses
+    - tcpbalancers
+    - virtualmachines
+    - vmdisks
+    - vminstances
+    verbs:
+    - get
+    - list
+    - watch
+    - create
+    - update
+    - patch
+    - delete
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: cozy-public
+rules:
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources: ["helmrepositories"]
+    verbs:
+    - get
+    - list
+  - apiGroups:
+    - source.toolkit.fluxcd.io
+    resources:
+    - helmcharts
+    verbs:
+    - get
+    - list
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources:
+    - helmcharts
+    verbs: ["*"]
+    resourceNames:
+    - bucket
+    - clickhouse
+    - ferretdb
+    - foo
+    - httpcache
+    - kafka
+    - kubernetes
+    - mysql
+    - nats
+    - postgres
+    - rabbitmq
+    - redis
+    - seaweedfs
+    - tcpbalancer
+    - virtualmachine
+    - vmdisk
+    - vminstance
+
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ include "tenant.name" . }}
+  name: {{ include "tenant.name" . }}-admin
   namespace: cozy-public
 subjects:
-- kind: ServiceAccount
-  name: {{ include "tenant.name" . }}
-  namespace: {{ include "tenant.name" . }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-admin
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: {{ include "tenant.name" . }}
+  name: {{ include "tenant.name" . }}-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: {{ include "tenant.name" . }}
+subjects:
+  - kind: Group
+    name: {{ include "tenant.name" . }}-admin
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: [rbac.authorization.k8s.io]
+    resources:
+    - roles
+    verbs:
+    - get
+  - apiGroups: [""]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+    - delete
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources:
+    - helmreleases
+    verbs:
+    - '*'
+  - apiGroups: ["kubevirt.io"]
+    resources:
+    - virtualmachines
+    verbs:
+    - '*'
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+    - virtualmachineinstances/console
+    - virtualmachineinstances/vnc
+    verbs:
+    - get
+    - list
+  - apiGroups: ["apps.cozystack.io"]
+    resources:
+    - '*'
+    verbs:
+    - '*'
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: cozy-public
+rules:
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources: ["helmrepositories"]
+    verbs:
+    - get
+    - list
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources:
+    - helmcharts
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: cozy-public
+subjects:
+- kind: Group
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+subjects:
+{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- $parts := splitList "-" .Release.Namespace }}
+{{- range $i, $v := $parts }}
+{{- if ne $i 0 }}
+- kind: Group
+  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-super-admin
   apiGroup: rbac.authorization.k8s.io

packages/apps/versions_map

@@ -5,7 +5,8 @@ clickhouse 0.2.1 5ca8823
 clickhouse 0.3.0 b00621e
 clickhouse 0.4.0 320fc32
 clickhouse 0.5.0 2a4768a5
-clickhouse 0.6.0 HEAD
+clickhouse 0.6.0 18bbdb67
+clickhouse 0.6.1 HEAD
 ferretdb 0.1.0 4ffa8615
 ferretdb 0.1.1 5ca8823
 ferretdb 0.2.0 adaf603
@@ -21,7 +22,8 @@ kafka 0.2.0 a2cc83d
 kafka 0.2.1 3ac17018
 kafka 0.2.2 d0758692
 kafka 0.2.3 5ca8823
-kafka 0.3.0 HEAD
+kafka 0.3.0 c07c4bbd
+kafka 0.3.1 HEAD
 kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
@@ -38,7 +40,9 @@ kubernetes 0.11.0 4eaca42
 kubernetes 0.11.1 4f430a90
 kubernetes 0.12.0 74649f8
 kubernetes 0.12.1 28fca4e
-kubernetes 0.13.0 HEAD
+kubernetes 0.13.0 ced8e5b9
+kubernetes 0.14.0 bfbde07c
+kubernetes 0.14.1 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
@@ -47,7 +51,10 @@ mysql 0.5.0 4b84798
 mysql 0.5.1 fab5940b
 mysql 0.5.2 HEAD
 nats 0.1.0 5ca8823
-nats 0.2.0 HEAD
+nats 0.2.0 c07c4bbd
+nats 0.3.0 78366f19
+nats 0.3.1 b7375f73
+nats 0.4.0 HEAD
 postgres 0.1.0 f642698
 postgres 0.2.0 7cd7de73
 postgres 0.2.1 4a97e297
@@ -68,7 +75,8 @@ rabbitmq 0.4.2 00b2834e
 rabbitmq 0.4.3 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
-redis 0.3.0 HEAD
+redis 0.3.0 c07c4bbd
+redis 0.3.1 HEAD
 tcp-balancer 0.1.0 f642698
 tcp-balancer 0.2.0 HEAD
 tenant 0.1.3 3d1b86c
@@ -80,7 +88,10 @@ tenant 1.2.0 15478a88
 tenant 1.3.0 ceefae03
 tenant 1.3.1 c56e5769
 tenant 1.4.0 94c688f7
-tenant 1.5.0 HEAD
+tenant 1.5.0 48128743
+tenant 1.6.0 df448b99
+tenant 1.6.1 edbbb9be
+tenant 1.6.2 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823

packages/apps/vm-instance/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 #name: Virtual Machine
 name: vm-instance
 description: Virtual machine instance
-icon: /logos/vm.svg
+icon: /logos/vmi.svg
 
 # A chart can be either an 'application' or a 'library' chart.
 #

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.1
+version: v1.8.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.1
+    imageRef: ghcr.io/siderolabs/installer:v1.8.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.1
+version: v1.8.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.1
+    imageRef: ghcr.io/siderolabs/installer:v1.8.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.1
+version: v1.8.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.1
+    imageRef: ghcr.io/siderolabs/installer:v1.8.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.1
+version: v1.8.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.1
+    imageRef: ghcr.io/siderolabs/installer:v1.8.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.1
+version: v1.8.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.1
+    imageRef: ghcr.io/siderolabs/installer:v1.8.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.8.1
+version: v1.8.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.1
+    imageRef: ghcr.io/siderolabs/installer:v1.8.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20240910
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.1
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.17.1@sha256:7c83bf1a31096cecc78da2a10b0bb4e2c1723bdcbfd79cd523516d737fa1f952
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.20.2@sha256:061668fa81344302f1097482418fe7925d77ca74ccc856dcb739119590523136

packages/core/platform/bundles/distro-full.yaml

@@ -31,29 +31,38 @@ releases:
       autoDirectNodeRoutes: true
       routingMode: native
 
+- name: cert-manager-crds
+  releaseName: cert-manager-crds
+  chart: cozy-cert-manager-crds
+  namespace: cozy-cert-manager
+  dependsOn: [cilium]
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
   namespace: cozy-cert-manager
-  dependsOn: [cilium]
+  dependsOn: [cert-manager-crds]
 
 - name: cert-manager-issuers
   releaseName: cert-manager-issuers
   chart: cozy-cert-manager-issuers
   namespace: cozy-cert-manager
+  optional: true
   dependsOn: [cilium,cert-manager]
 
 - name: victoria-metrics-operator
   releaseName: victoria-metrics-operator
   chart: cozy-victoria-metrics-operator
   namespace: cozy-victoria-metrics-operator
+  optional: true
   dependsOn: [cilium,cert-manager]
 
-- name: monitoring
-  releaseName: monitoring
-  chart: cozy-monitoring
+- name: monitoring-agents
+  releaseName: monitoring-agents
+  chart: cozy-monitoring-agents
   namespace: cozy-monitoring
   privileged: true
+  optional: true
   dependsOn: [cilium,victoria-metrics-operator]
 
 - name: metallb
@@ -67,48 +76,56 @@ releases:
   releaseName: etcd-operator
   chart: cozy-etcd-operator
   namespace: cozy-etcd-operator
+  optional: true
   dependsOn: [cilium,cert-manager]
 
 - name: grafana-operator
   releaseName: grafana-operator
   chart: cozy-grafana-operator
   namespace: cozy-grafana-operator
+  optional: true
   dependsOn: [cilium]
 
 - name: mariadb-operator
   releaseName: mariadb-operator
   chart: cozy-mariadb-operator
   namespace: cozy-mariadb-operator
+  optional: true
   dependsOn: [cilium,cert-manager,victoria-metrics-operator]
 
 - name: postgres-operator
   releaseName: postgres-operator
   chart: cozy-postgres-operator
   namespace: cozy-postgres-operator
+  optional: true
   dependsOn: [cilium,cert-manager]
 
 - name: kafka-operator
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
+  optional: true
   dependsOn: [cilium]
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
+  optional: true
   dependsOn: [cilium]
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator
   chart: cozy-rabbitmq-operator
   namespace: cozy-rabbitmq-operator
+  optional: true
   dependsOn: [cilium]
 
 - name: redis-operator
   releaseName: redis-operator
   chart: cozy-redis-operator
   namespace: cozy-redis-operator
+  optional: true
   dependsOn: [cilium]
 
 - name: piraeus-operator
@@ -127,6 +144,7 @@ releases:
   releaseName: objectstorage-controller
   chart: cozy-objectstorage-controller
   namespace: cozy-objectstorage-controller
+  optional: true
   dependsOn: [cilium]
 
 - name: linstor
@@ -156,3 +174,17 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: [cilium]
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  optional: true
+  dependsOn: [postgres-operator]
+
+- name: keycloak-operator
+  releaseName: keycloak-operator
+  chart: cozy-keycloak-operator
+  namespace: cozy-keycloak
+  optional: true
+  dependsOn: [keycloak]

packages/core/platform/bundles/distro-hosted.yaml

@@ -14,77 +14,94 @@ releases:
   namespace: cozy-fluxcd
   dependsOn: [fluxcd-operator]
 
+- name: cert-manager-crds
+  releaseName: cert-manager-crds
+  chart: cozy-cert-manager-crds
+  namespace: cozy-cert-manager
+  dependsOn: []
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
   namespace: cozy-cert-manager
-  dependsOn: []
+  dependsOn: [cert-manager-crds]
 
 - name: cert-manager-issuers
   releaseName: cert-manager-issuers
   chart: cozy-cert-manager-issuers
   namespace: cozy-cert-manager
+  optional: true
   dependsOn: [cert-manager]
 
 - name: victoria-metrics-operator
   releaseName: victoria-metrics-operator
   chart: cozy-victoria-metrics-operator
   namespace: cozy-victoria-metrics-operator
+  optional: true
   dependsOn: [cert-manager]
 
-- name: monitoring
-  releaseName: monitoring
-  chart: cozy-monitoring
+- name: monitoring-agents
+  releaseName: monitoring-agents
+  chart: cozy-monitoring-agents
   namespace: cozy-monitoring
   privileged: true
+  optional: true
   dependsOn: [victoria-metrics-operator]
 
 - name: etcd-operator
   releaseName: etcd-operator
   chart: cozy-etcd-operator
   namespace: cozy-etcd-operator
+  optional: true
   dependsOn: [cert-manager]
 
 - name: grafana-operator
   releaseName: grafana-operator
   chart: cozy-grafana-operator
   namespace: cozy-grafana-operator
+  optional: true
   dependsOn: []
 
 - name: mariadb-operator
   releaseName: mariadb-operator
   chart: cozy-mariadb-operator
   namespace: cozy-mariadb-operator
+  optional: true
   dependsOn: [victoria-metrics-operator]
 
 - name: postgres-operator
   releaseName: postgres-operator
   chart: cozy-postgres-operator
   namespace: cozy-postgres-operator
+  optional: true
   dependsOn: [cert-manager]
 
 - name: kafka-operator
   releaseName: kafka-operator
   chart: cozy-kafka-operator
   namespace: cozy-kafka-operator
+  optional: true
   dependsOn: []
 
 - name: clickhouse-operator
   releaseName: clickhouse-operator
   chart: cozy-clickhouse-operator
   namespace: cozy-clickhouse-operator
+  optional: true
   dependsOn: []
 
 - name: rabbitmq-operator
   releaseName: rabbitmq-operator
   chart: cozy-rabbitmq-operator
   namespace: cozy-rabbitmq-operator
+  optional: true
   dependsOn: []
 
 - name: redis-operator
   releaseName: redis-operator
   chart: cozy-redis-operator
   namespace: cozy-redis-operator
+  optional: true
   dependsOn: []
 
 - name: telepresence
@@ -99,7 +116,7 @@ releases:
   chart: cozy-external-dns
   namespace: cozy-external-dns
   optional: true
-  dependsOn: [] 
+  dependsOn: []
 
 - name: external-secrets-operator
   releaseName: external-secrets-operator
@@ -107,3 +124,17 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: []
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  optional: true
+  dependsOn: [postgres-operator]
+
+- name: keycloak-operator
+  releaseName: keycloak-operator
+  chart: cozy-keycloak-operator
+  namespace: cozy-keycloak
+  optional: true
+  dependsOn: [keycloak]

packages/core/platform/bundles/paas-full.yaml

@@ -1,4 +1,13 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- if not $host }}
+{{- fail "ERROR need root-host in cozystack ConfigMap" }}
+{{- end }}
+{{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
+{{- if not $apiServerEndpoint }}
+{{- fail "ERROR need api-server-endpoint in cozystack ConfigMap" }}
+{{- end }}
 
 releases:
 - name: fluxcd-operator
@@ -41,11 +50,23 @@ releases:
         SVC_CIDR: "{{ index $cozyConfig.data "ipv4-svc-cidr" }}"
         JOIN_CIDR: "{{ index $cozyConfig.data "ipv4-join-cidr" }}"
 
+- name: cert-manager-crds
+  releaseName: cert-manager-crds
+  chart: cozy-cert-manager-crds
+  namespace: cozy-cert-manager
+  dependsOn: [cilium, kubeovn]
+
+- name: cozystack-api
+  releaseName: cozystack-api
+  chart: cozy-cozystack-api
+  namespace: cozy-system
+  dependsOn: [cilium,kubeovn]
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
   namespace: cozy-cert-manager
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cert-manager-crds]
 
 - name: cert-manager-issuers
   releaseName: cert-manager-issuers
@@ -59,9 +80,9 @@ releases:
   namespace: cozy-victoria-metrics-operator
   dependsOn: [cilium,kubeovn,cert-manager]
 
-- name: monitoring
-  releaseName: monitoring
-  chart: cozy-monitoring
+- name: monitoring-agents
+  releaseName: monitoring-agents
+  chart: cozy-monitoring-agents
   namespace: cozy-monitoring
   privileged: true
   dependsOn: [cilium,kubeovn,victoria-metrics-operator]
@@ -169,7 +190,7 @@ releases:
   releaseName: snapshot-controller
   chart: cozy-snapshot-controller
   namespace: cozy-snapshot-controller
-  dependsOn: [cilium,kubeovn,cert-manager-issuers]  
+  dependsOn: [cilium,kubeovn,cert-manager-issuers]
 
 - name: objectstorage-controller
   releaseName: objectstorage-controller
@@ -188,11 +209,10 @@ releases:
   releaseName: dashboard
   chart: cozy-dashboard
   namespace: cozy-dashboard
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cilium,kubeovn,keycloak-configure]
   {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
   {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
   values:
-    kubeapps:
       redis:
         master:
           podAnnotations:
@@ -203,6 +223,21 @@ releases:
             {{- end }}
   {{- end }}
   {{- end }}
+  {{- if eq $oidcEnabled "true" }}
+  dependsOn: [keycloak-configure]
+  valuesFrom:
+    - kind: ConfigMap
+      name: kubeapps-auth-config
+      valuesKey: values.yaml
+  {{- else }}
+  dependsOn: []
+  {{- end }}
+
+- name: console
+  releaseName: console
+  chart: cozy-console
+  namespace: cozy-console
+  dependsOn: [cilium,kubeovn]
 
 - name: kamaji
   releaseName: kamaji
@@ -237,3 +272,23 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: [cilium,kubeovn]
+
+{{- if $oidcEnabled }}
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]
+
+- name: keycloak-operator
+  releaseName: keycloak-operator
+  chart: cozy-keycloak-operator
+  namespace: cozy-keycloak
+  dependsOn: [keycloak]
+
+- name: keycloak-configure
+  releaseName: keycloak-configure
+  chart: cozy-keycloak-configure
+  namespace: cozy-keycloak
+  dependsOn: [keycloak-operator]
+{{- end }}

packages/core/platform/bundles/paas-hosted.yaml

@@ -1,4 +1,13 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- if not $host }}
+{{- fail "ERROR need root-host in cozystack ConfigMap" }}
+{{- end }}
+{{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
+{{- if not $apiServerEndpoint }}
+{{- fail "ERROR need api-server-endpoint in cozystack ConfigMap" }}
+{{- end }}
 
 releases:
 - name: fluxcd-operator
@@ -14,11 +23,23 @@ releases:
   namespace: cozy-fluxcd
   dependsOn: [fluxcd-operator]
 
+- name: cert-manager-crds
+  releaseName: cert-manager-crds
+  chart: cozy-cert-manager-crds
+  namespace: cozy-cert-manager
+  dependsOn: []
+
+- name: cozystack-api
+  releaseName: cozystack-api
+  chart: cozy-cozystack-api
+  namespace: cozy-system
+  dependsOn: []
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
   namespace: cozy-cert-manager
-  dependsOn: []
+  dependsOn: [cert-manager-crds]
 
 - name: cert-manager-issuers
   releaseName: cert-manager-issuers
@@ -32,9 +53,9 @@ releases:
   namespace: cozy-victoria-metrics-operator
   dependsOn: [cert-manager]
 
-- name: monitoring
-  releaseName: monitoring
-  chart: cozy-monitoring
+- name: monitoring-agents
+  releaseName: monitoring-agents
+  chart: cozy-monitoring-agents
   namespace: cozy-monitoring
   privileged: true
   dependsOn: [victoria-metrics-operator]
@@ -118,7 +139,6 @@ releases:
   releaseName: dashboard
   chart: cozy-dashboard
   namespace: cozy-dashboard
-  dependsOn: []
   {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
   {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
   values:
@@ -133,3 +153,38 @@ releases:
             {{- end }}
   {{- end }}
   {{- end }}
+  {{- if eq $oidcEnabled "true" }}
+  dependsOn: [keycloak-configure]
+  valuesFrom:
+    - kind: ConfigMap
+      name: kubeapps-auth-config
+      valuesKey: values.yaml
+  {{- else }}
+  dependsOn: []
+  {{- end }}
+
+- name: console
+  releaseName: console
+  chart: cozy-console
+  namespace: cozy-console
+  dependsOn: [cilium,kubeovn]
+
+{{- if $oidcEnabled }}
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]
+
+- name: keycloak-operator
+  releaseName: keycloak-operator
+  chart: cozy-keycloak-operator
+  namespace: cozy-keycloak
+  dependsOn: [keycloak]
+
+- name: keycloak-configure
+  releaseName: keycloak-configure
+  chart: cozy-keycloak-configure
+  namespace: cozy-keycloak
+  dependsOn: [keycloak-operator]
+{{- end }}

packages/core/platform/templates/apps.yaml

@@ -2,6 +2,12 @@
 {{- $bundleName := index $cozyConfig.data "bundle-name" }}
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $host := "example.org" }}
+{{- $host := "example.org" }}
+{{- if $cozyConfig.data }}
+  {{- if hasKey $cozyConfig.data "root-host" }}
+    {{- $host = index $cozyConfig.data "root-host" }}
+  {{- end }}
+{{- end }}
 {{- $tenantRoot := list }}
 {{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
 {{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "tenant-root" "tenant-root" }}

packages/core/platform/templates/helmreleases.yaml

@@ -56,6 +56,18 @@ spec:
   values:
     {{- toYaml . | nindent 4}}
   {{- end }}
+
+  {{- if $x.valuesFrom }}
+  valuesFrom:
+  {{- range $source := $x.valuesFrom }}
+  - kind: {{ $source.kind }}
+    name: {{ $source.name }}
+    {{- if $source.valuesKey }}
+    valuesKey: {{ $source.valuesKey }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+
   {{- with $x.dependsOn }}
   dependsOn:
   {{- range $dep := . }}

packages/core/testing/Makefile

@@ -42,7 +42,6 @@ test: wait-for-sandbox copy-hack-dir ## Run the end-to-end tests in existing san
 
 test-applications: wait-for-sandbox copy-hack-dir ## Run the end-to-end tests in existing sandbox for applications.
 	for app in $(TESTING_APPS); do \
-		echo "Running tests for $${app}"; \
 		kubectl exec -ti -n cozy-e2e-tests deploy/cozystack-e2e-sandbox -- bash -c "/hack/e2e.application.sh $${app}"; \
 	done
 	kubectl exec -ti -n cozy-e2e-tests deploy/cozystack-e2e-sandbox -- bash -c "kubectl get hr -A | grep -v 'True'"

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:latest@sha256:1a26a511b9e269bcb607e2d80f878d7c2d993b7a2a7a3a2a1042470c8c56b061
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.20.2@sha256:1a26a511b9e269bcb607e2d80f878d7c2d993b7a2a7a3a2a1042470c8c56b061

packages/extra/ingress/templates/dashboard.yaml

@@ -10,9 +10,13 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    {{- if eq $issuerType "cloudflare" }} 
+    {{- if eq $issuerType "cloudflare" }}
     {{- else }}
     acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
+    nginx.ingress.kubernetes.io/proxy-body-size: 100m
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 100m
+    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
+    nginx.ingress.kubernetes.io/client-max-body-size: 100m
     {{- end }}
   name: dashboard-{{ .Release.Namespace }}
   namespace: cozy-dashboard

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.5.0
+version: 1.5.2

packages/extra/monitoring/templates/alerta/alerta.yaml

@@ -36,7 +36,7 @@ data:
         'endpoint'    : "/api",
         'provider'    : "basic"
       })
-      .constant('colors', {});  
+      .constant('colors', {});
 ---
 apiVersion: v1
 kind: Service
@@ -115,7 +115,7 @@ spec:
             - name: TELEGRAM_TOKEN
               value: "{{ .Values.alerta.alerts.telegram.token }}"
             - name: TELEGRAM_WEBHOOK_URL
-              value: "https://alerta.infra.aenix.org/api/webhooks/telegram?api-key={{ $apiKey }}"
+              value: "https://{{ printf "alerta.%s" (.Values.host | default $host) }}/api/webhooks/telegram?api-key={{ $apiKey }}"
             {{- end }}
 
           ports:
@@ -148,9 +148,9 @@ metadata:
   labels:
     app: alerta
   annotations:
-    {{- if ne $issuerType "cloudflare" }} 
+    {{- if ne $issuerType "cloudflare" }}
     acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
-    {{- end }} 
+    {{- end }}
     cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   ingressClassName: {{ $ingress }}

packages/extra/monitoring/templates/vm/vmalert.yaml

@@ -18,4 +18,5 @@ spec:
     url: http://vminsert-{{ .name }}.{{ $.Release.Namespace }}.svc:8480/insert/0/prometheus/api/v1/write
   resources: {}
   selectAllByDefault: true
+{{- break }}
 {{- end }}

packages/extra/monitoring/templates/vm/vmcluster.yaml

@@ -12,6 +12,12 @@ spec:
     resources: {}
   vmselect:
     replicaCount: 2
+    resources:
+      limits:
+        memory: 1000Mi
+      requests:
+        cpu: 100m
+        memory: 500Mi
     extraArgs:
       search.maxUniqueTimeseries: "600000"
       vmalert.proxyURL: http://vmalert-{{ .name }}.{{ $.Release.Namespace }}.svc:8080

packages/extra/versions_map

@@ -14,7 +14,9 @@ monitoring 1.2.0 c9e0d63b
 monitoring 1.2.1 4471b4ba
 monitoring 1.3.0 6c5cf5b
 monitoring 1.4.0 adaf603b
-monitoring 1.5.0 HEAD
+monitoring 1.5.0 4b90bf5a
+monitoring 1.5.1 57e90b70
+monitoring 1.5.2 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 9e33dc0
 seaweedfs 0.2.1 HEAD

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:009931be22298328f06c5c335ce1dde5697fd0f46d085d21d425fff5f51d9662
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:e0cb068804546e4152ce4cf7a7c315a5a2a669a7236c9fe47371de934cdf99a9

packages/system/cert-manager-crds/.helmignore

@@ -0,0 +1,2 @@
+images
+hack

packages/system/cert-manager-crds/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-cert-manager-crds
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/cert-manager-crds/Makefile

@@ -0,0 +1,8 @@
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	helm repo add jetstack https://charts.jetstack.io
+	helm repo update jetstack
+	helm pull jetstack/cert-manager --untar --untardir charts
+	rm -f -- `find charts/cert-manager/templates -maxdepth 1 -mindepth 1 | grep -v 'crds.yaml\|_helpers.tpl'`

packages/system/cert-manager-crds/charts/cert-manager/Chart.yaml

@@ -0,0 +1,26 @@
+annotations:
+  artifacthub.io/category: security
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/prerelease: "false"
+  artifacthub.io/signKey: |
+    fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
+    url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
+apiVersion: v2
+appVersion: v1.16.1
+description: A Helm chart for cert-manager
+home: https://cert-manager.io
+icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
+keywords:
+- cert-manager
+- kube-lego
+- letsencrypt
+- tls
+kubeVersion: '>= 1.22.0-0'
+maintainers:
+- email: cert-manager-maintainers@googlegroups.com
+  name: cert-manager-maintainers
+  url: https://cert-manager.io
+name: cert-manager
+sources:
+- https://github.com/cert-manager/cert-manager
+version: v1.16.1

packages/system/cert-manager-crds/charts/cert-manager/templates/_helpers.tpl

@@ -0,0 +1,202 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cert-manager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "cert-manager.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cert-manager.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Webhook templates
+*/}}
+
+{{/*
+Expand the name of the chart.
+Manually fix the 'app' and 'name' labels to 'webhook' to maintain
+compatibility with the v0.9 deployment selector.
+*/}}
+{{- define "webhook.name" -}}
+{{- printf "webhook" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "webhook.fullname" -}}
+{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}}
+{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "webhook.caRef" -}}
+{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . }}-ca
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "webhook.serviceAccountName" -}}
+{{- if .Values.webhook.serviceAccount.create -}}
+    {{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.webhook.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+cainjector templates
+*/}}
+
+{{/*
+Expand the name of the chart.
+Manually fix the 'app' and 'name' labels to 'cainjector' to maintain
+compatibility with the v0.9 deployment selector.
+*/}}
+{{- define "cainjector.name" -}}
+{{- printf "cainjector" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cainjector.fullname" -}}
+{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
+{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cainjector.serviceAccountName" -}}
+{{- if .Values.cainjector.serviceAccount.create -}}
+    {{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.cainjector.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+startupapicheck templates
+*/}}
+
+{{/*
+Expand the name of the chart.
+Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain
+compatibility with the v0.9 deployment selector.
+*/}}
+{{- define "startupapicheck.name" -}}
+{{- printf "startupapicheck" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "startupapicheck.fullname" -}}
+{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}}
+{{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "startupapicheck.serviceAccountName" -}}
+{{- if .Values.startupapicheck.serviceAccount.create -}}
+    {{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.startupapicheck.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chartName" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Labels that should be added on each resource
+*/}}
+{{- define "labels" -}}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- if eq .Values.creator "helm" }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ include "chartName" . }}
+{{- end -}}
+{{- if .Values.global.commonLabels}}
+{{ toYaml .Values.global.commonLabels }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Namespace for all resources to be installed into
+If not defined in values file then the helm release namespace is used
+By default this is not set so the helm release namespace will be used
+
+This gets around an problem within helm discussed here
+https://github.com/helm/helm/issues/5358
+*/}}
+{{- define "cert-manager.namespace" -}}
+    {{ .Values.namespace | default .Release.Namespace }}
+{{- end -}}
+
+{{/*
+Util function for generating the image URL based on the provided options.
+IMPORTANT: This function is standardized across all charts in the cert-manager GH organization.
+Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
+See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
+*/}}
+{{- define "image" -}}
+{{- $defaultTag := index . 1 -}}
+{{- with index . 0 -}}
+{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
+{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Check that the user has not set both .installCRDs and .crds.enabled or
+set .installCRDs and disabled .crds.keep.
+.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
+*/}}
+{{- define "cert-manager.crd-check" -}}
+  {{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
+    {{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
+  {{- end }}
+  {{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
+    {{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
+  {{- end }}
+{{- end -}}

packages/system/cert-manager-crds/values.yaml

@@ -0,0 +1,2 @@
+cert-manager:
+  installCRDs: true

packages/system/cert-manager/values.yaml

@@ -1,2 +1,2 @@
 cert-manager:
-  installCRDs: true
+  installCRDs: false

packages/system/cilium/charts/cilium/Chart.yaml

@@ -79,7 +79,7 @@ annotations:
     Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
     be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.16.3
+appVersion: 1.16.4
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.16.3
+version: 1.16.4

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.16.3](https://img.shields.io/badge/Version-1.16.3-informational?style=flat-square) ![AppVersion: 1.16.3](https://img.shields.io/badge/AppVersion-1.16.3-informational?style=flat-square)
+![Version: 1.16.4](https://img.shields.io/badge/Version-1.16.4-informational?style=flat-square) ![AppVersion: 1.16.4](https://img.shields.io/badge/AppVersion-1.16.4-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
 | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.3","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.4","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -353,7 +353,8 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:0287b36f70cfbdf54f894160082f4f94d1ee1fb10389f3a95baa6c8e448586ed","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16","useDigest":true}` | Envoy container image. |
+| envoy.initialFetchTimeoutSeconds | int | `30` | Time in seconds after which the initial fetch on an xDS stream is considered timed out |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -484,7 +485,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.3","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.4","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -532,10 +533,10 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-relay update strategy |
 | hubble.skipUnknownCGroupIDs | bool | `true` | Skip Hubble events with unknown cgroup ids |
 | hubble.socketPath | string | `"/var/run/cilium/hubble.sock"` | Unix domain socket path to listen to when Hubble is enabled. |
-| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble |
-| hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. |
+| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":365,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble |
+| hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":365,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. |
 | hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. |
-| hubble.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
+| hubble.tls.auto.certValidityDuration | int | `365` | Generated certificates validity duration in days.  Defaults to 365 days (1 year) because MacOS does not accept self-signed certificates with expirations > 825 days. |
 | hubble.tls.auto.enabled | bool | `true` | Auto-generate certificates. When set to true, automatically generate a CA and certificates to enable mTLS between Hubble server and Hubble Relay instances. If set to false, the certs for Hubble server need to be provided by setting appropriate values below. |
 | hubble.tls.auto.method | string | `"helm"` | Set the method to auto-generate certificates. Supported values: - helm:         This method uses Helm to generate all certificates. - cronJob:      This method uses a Kubernetes CronJob the generate any                 certificates not provided by the user at installation                 time. - certmanager:  This method use cert-manager to generate & rotate certificates. |
 | hubble.tls.auto.schedule | string | `"0 0 1 */4 *"` | Schedule for certificates regeneration (regardless of their expiration date). Only used if method is "cronJob". If nil, then no recurring job will be created. Instead, only the one-shot job is deployed to generate the certificates at installation time.  Defaults to midnight of the first day of every fourth month. For syntax, see https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax |
@@ -590,7 +591,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.3","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.4","useDigest":true}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -717,7 +718,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898","awsDigest":"sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916","azureDigest":"sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542","genericDigest":"sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.3","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686","awsDigest":"sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be","azureDigest":"sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de","genericDigest":"sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.4","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -767,7 +768,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.3","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.4","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -816,7 +817,7 @@ contributors across the globe, there is almost always someone available to help.
 | serviceAccounts.clustermeshcertgen | object | `{"annotations":{},"automount":true,"create":true,"name":"clustermesh-apiserver-generate-certs"}` | Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob |
 | serviceAccounts.hubblecertgen | object | `{"annotations":{},"automount":true,"create":true,"name":"hubble-generate-certs"}` | Hubblecertgen is used if hubble.tls.auto.method=cronJob |
 | serviceAccounts.nodeinit.enabled | bool | `false` | Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by this issue. Name and automount can be configured, if enabled is set to true. Otherwise, they are ignored. Enabled can be removed once the issue is fixed. Cilium-nodeinit DS must also be fixed. |
-| serviceNoBackendResponse | string | `"reject"` | Configure what the response should be to traffic for a service without backends. "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". Possible values:  - reject (default)  - drop |
+| serviceNoBackendResponse | string | `"reject"` | Configure what the response should be to traffic for a service without backends. Possible values:  - reject (default)  - drop |
 | sleepAfterInit | bool | `false` | Do not run Cilium agent when running with clean mode. Useful to completely uninstall Cilium as it will stop Cilium from starting and create artifacts in the node. |
 | socketLB | object | `{"enabled":false}` | Configure socket LB |
 | socketLB.enabled | bool | `false` | Enable socket LB |

packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json

@@ -338,6 +338,7 @@
   },
   "dynamicResources": {
     "ldsConfig": {
+      "initialFetchTimeout": "{{ .Values.envoy.initialFetchTimeoutSeconds }}s",
       "apiConfigSource": {
         "apiType": "GRPC",
         "transportApiVersion": "V3",
@@ -353,6 +354,7 @@
       "resourceApiVersion": "V3"
     },
     "cdsConfig": {
+      "initialFetchTimeout": "{{ .Values.envoy.initialFetchTimeoutSeconds }}s",
       "apiConfigSource": {
         "apiType": "GRPC",
         "transportApiVersion": "V3",
@@ -376,14 +378,13 @@
       }
     }
   ],
-  "layeredRuntime": {
-    "layers": [
+  "overload_manager": {
+    "resource_monitors": [
       {
-        "name": "static_layer_0",
-        "staticLayer": {
-          "overload": {
-            "global_downstream_max_connections": 50000
-          }
+        "name": "envoy.resource_monitors.global_downstream_max_connections",
+        "typed_config": {
+          "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig",
+          "max_active_downstream_connections": "50000"
         }
       }
     ]