Add secureboot support

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.github/workflows/pre-commit.yml

@@ -17,6 +17,18 @@ jobs:
       - name: Install pre-commit
         run: pip install pre-commit
 
+      - name: Install generate
+        run: |
+          sudo apt update
+          sudo apt install curl -y
+          curl -fsSL https://deb.nodesource.com/setup_16.x | sudo -E bash -
+          sudo apt install nodejs -y
+          git clone https://github.com/bitnami/readme-generator-for-helm
+          cd ./readme-generator-for-helm
+          npm install
+          npm install -g pkg
+          pkg . -o /usr/local/bin/readme-generator
+
       - name: Run pre-commit hooks
         run: |
           git fetch origin main || git fetch origin master

.pre-commit-config.yaml

@@ -1,21 +1,6 @@
 repos:
-- repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.5.0
+- repo: local
   hooks:
-    - id: end-of-file-fixer
-    - id: trailing-whitespace
-    - id: mixed-line-ending
-      args: [--fix=lf]
-    - id: check-yaml
-      exclude: '^.*templates/.*\.yaml$'
-      args: [--unsafe]
-- repo: https://github.com/igorshubovych/markdownlint-cli
-  rev: v0.42.0
-  hooks:
-    - id: markdownlint
-      args: [--fix, --disable, MD013, MD041, --]
--   repo: local
-    hooks:
     - id: gen-versions-map
       name: Generate versions map and check for changes
       entry: sh -c 'make -C packages/apps check-version-map && make -C packages/extra check-version-map'
@@ -23,3 +8,16 @@ repos:
       types: [file]
       pass_filenames: false
       description: Run the script and fail if it generates changes
+    - id: run-make-generate
+      name: Run 'make generate' in all app directories
+      entry: |
+        /bin/bash -c '
+          for dir in ./packages/apps/*/; do
+            if [ -d "$dir" ]; then
+              echo "Running make generate in $dir"
+              (cd "$dir" && make generate)
+            fi
+          done
+        '
+      language: script
+      files: ^.*$

ADOPTERS.md

@@ -28,4 +28,5 @@ This list is sorted in chronological order, based on the submission date.
 | [Ænix](https://aenix.io/) | @kvaps | 2024-02-14 | Ænix provides consulting services for cloud providers and uses Cozystack as the main tool for organizing managed services for them. |
 | [Mediatech](https://mediatech.dev/) | @ugenk | 2024-05-01 | We're developing and hosting software for our and our custmer services. We're using cozystack as a kubernetes distribution for that. |
 | [Bootstack](https://bootstack.app/) | @mrkhachaturov | 2024-08-01| At Bootstack, we utilize a Kubernetes operator specifically designed to simplify and streamline cloud infrastructure creation.|
-| [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01| Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management.|
+| [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01 | Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management. |
+| [Urmanac](https://urmanac.com) | @kingdonb | 2024-12-04 | Urmanac is the future home of a hosting platform for the knowledge base of a community of personal server enthusiasts. We use Cozystack to provide support services for web sites hosted using both conventional deployments and on SpinKube, with WASM. |

hack/e2e.sh

@@ -113,8 +113,6 @@ machine:
         - usermode_helper=disabled
     - name: zfs
     - name: spl
-  install:
-    image: ghcr.io/aenix-io/cozystack/talos:v1.8.2
   files:
   - content: |
       [plugins]
@@ -124,6 +122,12 @@ machine:
     op: create
 
 cluster:
+  apiServer:
+    extraArgs:
+      oidc-issuer-url: "https://keycloak.example.org/realms/cozy"
+      oidc-client-id: "kubernetes"
+      oidc-username-claim: "preferred_username"
+      oidc-groups-claim: "groups"
   network:
     cni:
       name: none
@@ -136,6 +140,9 @@ EOT
 
 cat > patch-controlplane.yaml <<\EOT
 machine:
+  nodeLabels:
+    node.kubernetes.io/exclude-from-external-load-balancers:
+      $patch: delete
   network:
     interfaces:
     - interface: eth0
@@ -182,7 +189,8 @@ timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 5
 timeout 10 sh -c 'until talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11; do sleep 1; done'
 
 # Wait for etcd
-timeout 180 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
+timeout 180 sh -c 'until timeout -s 9 2 talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1; do sleep 1; done'
+timeout 60 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done'
 
 rm -f kubeconfig
 talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10
@@ -203,6 +211,8 @@ data:
   ipv4-pod-gateway: "10.244.0.1"
   ipv4-svc-cidr: "10.96.0.0/16"
   ipv4-join-cidr: "100.64.0.0/16"
+  root-host: example.org
+  api-server-endpoint: https://192.168.123.10:6443
 EOT
 
 #
@@ -287,13 +297,13 @@ spec:
   avoidBuggyIPs: false
 EOT
 
-kubectl patch -n tenant-root hr/tenant-root --type=merge -p '{"spec":{ "values":{
+kubectl patch -n tenant-root tenants.apps.cozystack.io root --type=merge -p '{"spec":{
   "host": "example.org",
   "ingress": true,
   "monitoring": true,
   "etcd": true,
   "isolated": true
-}}}'
+}}'
 
 # Wait for HelmRelease be created
 timeout 60 sh -c 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root; do sleep 1; done'
@@ -301,9 +311,9 @@ timeout 60 sh -c 'until kubectl get hr -n tenant-root etcd ingress monitoring te
 # Wait for HelmReleases be installed
 kubectl wait --timeout=2m --for=condition=ready -n tenant-root hr etcd ingress monitoring tenant-root
 
-kubectl patch -n tenant-root hr/ingress --type=merge -p '{"spec":{ "values":{
+kubectl patch -n tenant-root ingresses.apps.cozystack.io ingress --type=merge -p '{"spec":{
   "dashboard": true
-}}}'
+}}'
 
 # Wait for nginx-ingress-controller
 timeout 60 sh -c 'until kubectl get deploy -n tenant-root root-ingress-controller; do sleep 1; done'
@@ -313,7 +323,7 @@ kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-i
 kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
 
 # Wait for Victoria metrics
-kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-longterm vmalert/vmalert-shortterm vmalertmanager/alertmanager
+kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-shortterm vmalertmanager/alertmanager
 kubectl wait --timeout=5m --for=jsonpath=.status.status=operational -n tenant-root vlogs/generic
 kubectl wait --timeout=5m --for=jsonpath=.status.clusterStatus=operational -n tenant-root vmcluster/shortterm vmcluster/longterm
 
@@ -326,3 +336,12 @@ ip=$(kubectl get svc -n tenant-root root-ingress-controller -o jsonpath='{.statu
 
 # Check Grafana
 curl -sS -k "https://$ip" -H 'Host: grafana.example.org' | grep Found
+
+
+# Test OIDC
+kubectl patch -n cozy-system cm/cozystack --type=merge -p '{"data":{
+  "oidc-enabled": "true"
+}}'
+
+timeout 60 sh -c 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator; do sleep 1; done'
+kubectl wait --timeout=10m --for=condition=ready -n cozy-keycloak hr keycloak keycloak-configure keycloak-operator

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.18.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.21.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.18.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.21.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.6.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.0@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61
+ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61

packages/apps/clickhouse/templates/dashboard-resourcemap.yaml

@@ -8,7 +8,7 @@ rules:
   resources:
   - services
   resourceNames:
-  - chi-clickhouse-test-clickhouse-0-0
+  - chendpoint-{{ .Release.Name }}
   verbs: ["get", "list", "watch"]
 - apiGroups:
   - ""

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:4d2271b345240c6c5b37599996745646012004b0f57e31c4c9deb1aba7408a51

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:27112d470a31725b75b29b29919af06b4ce1339e3b502b08889a92ab7099adde
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:3e8ae1bd576858a88c995aefb1431a1b89f55b7a1ef60575fecae4bbf5aa0d4e

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.3.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}-kafka-bootstrap
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-clients-ca
+  verbs: ["get", "list", "watch"]

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.14.0
+version: 0.14.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.0@sha256:feeb3509702c0d2fdd025196fb05dbf86243ee869bb837ed0174ee2a43c1bbd9
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.1@sha256:0ea139c71e08db5adb275d81a7efa9a0d8b8db61a1fc1a67167a33a347c07fd8

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.0@sha256:df4a937b6fb2b345110174227170691d48189ffe1900c3f848cd5085990a58df
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.1@sha256:f595d50689405a504249c2af4b84562e8a0d16bdf9287d4eedf7c87959c4fba1

packages/apps/kubernetes/images/kubevirt-cloud-provider/Dockerfile

@@ -3,13 +3,14 @@ FROM --platform=linux/amd64 golang:1.20.6 AS builder
 
 RUN git clone https://github.com/kubevirt/cloud-provider-kubevirt /go/src/kubevirt.io/cloud-provider-kubevirt \
  && cd /go/src/kubevirt.io/cloud-provider-kubevirt \
- && git checkout adbd6c27468b86b020cf38490e84f124ef24ab62
+ && git checkout da9e0cf
 
 WORKDIR /go/src/kubevirt.io/cloud-provider-kubevirt
 
-# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/291
+# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/335
+# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/336
 ADD patches /patches
-RUN git apply /patches/external-traffic-policy-local.diff
+RUN git apply /patches/*.diff
 RUN go get 'k8s.io/endpointslice/util@v0.28' 'k8s.io/apiserver@v0.28'
 RUN go mod tidy
 RUN go mod vendor

packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/335.diff

@@ -0,0 +1,20 @@
+diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
+index a3c1aa33..95c31438 100644
+--- a/pkg/controller/kubevirteps/kubevirteps_controller.go
++++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
+@@ -412,11 +412,11 @@ func (c *Controller) reconcileByAddressType(service *v1.Service, tenantSlices []
+ 	// Create the desired port configuration
+ 	var desiredPorts []discovery.EndpointPort
+ 
+-	for _, port := range service.Spec.Ports {
++	for i := range service.Spec.Ports {
+ 		desiredPorts = append(desiredPorts, discovery.EndpointPort{
+-			Port:     &port.TargetPort.IntVal,
+-			Protocol: &port.Protocol,
+-			Name:     &port.Name,
++			Port:     &service.Spec.Ports[i].TargetPort.IntVal,
++			Protocol: &service.Spec.Ports[i].Protocol,
++			Name:     &service.Spec.Ports[i].Name,
+ 		})
+ 	}
+ 

packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/336.diff

@@ -0,0 +1,129 @@
+diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
+index a3c1aa33..6f6e3d32 100644
+--- a/pkg/controller/kubevirteps/kubevirteps_controller.go
++++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
+@@ -108,32 +108,24 @@ func newRequest(reqType ReqType, obj interface{}, oldObj interface{}) *Request {
+ }
+ 
+ func (c *Controller) Init() error {
+-
+-	// Act on events from Services on the infra cluster. These are created by the EnsureLoadBalancer function.
+-	// We need to watch for these events so that we can update the EndpointSlices in the infra cluster accordingly.
++	// Existing Service event handlers...
+ 	_, err := c.infraFactory.Core().V1().Services().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+ 		AddFunc: func(obj interface{}) {
+-			// cast obj to Service
+ 			svc := obj.(*v1.Service)
+-			// Only act on Services of type LoadBalancer
+ 			if svc.Spec.Type == v1.ServiceTypeLoadBalancer {
+ 				klog.Infof("Service added: %v/%v", svc.Namespace, svc.Name)
+ 				c.queue.Add(newRequest(AddReq, obj, nil))
+ 			}
+ 		},
+ 		UpdateFunc: func(oldObj, newObj interface{}) {
+-			// cast obj to Service
+ 			newSvc := newObj.(*v1.Service)
+-			// Only act on Services of type LoadBalancer
+ 			if newSvc.Spec.Type == v1.ServiceTypeLoadBalancer {
+ 				klog.Infof("Service updated: %v/%v", newSvc.Namespace, newSvc.Name)
+ 				c.queue.Add(newRequest(UpdateReq, newObj, oldObj))
+ 			}
+ 		},
+ 		DeleteFunc: func(obj interface{}) {
+-			// cast obj to Service
+ 			svc := obj.(*v1.Service)
+-			// Only act on Services of type LoadBalancer
+ 			if svc.Spec.Type == v1.ServiceTypeLoadBalancer {
+ 				klog.Infof("Service deleted: %v/%v", svc.Namespace, svc.Name)
+ 				c.queue.Add(newRequest(DeleteReq, obj, nil))
+@@ -144,7 +136,7 @@ func (c *Controller) Init() error {
+ 		return err
+ 	}
+ 
+-	// Monitor endpoint slices that we are interested in based on known services in the infra cluster
++	// Existing EndpointSlice event handlers in tenant cluster...
+ 	_, err = c.tenantFactory.Discovery().V1().EndpointSlices().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+ 		AddFunc: func(obj interface{}) {
+ 			eps := obj.(*discovery.EndpointSlice)
+@@ -194,10 +186,80 @@ func (c *Controller) Init() error {
+ 		return err
+ 	}
+ 
+-	//TODO: Add informer for EndpointSlices in the infra cluster to watch for (unwanted) changes
++	// Add an informer for EndpointSlices in the infra cluster
++	_, err = c.infraFactory.Discovery().V1().EndpointSlices().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
++		AddFunc: func(obj interface{}) {
++			eps := obj.(*discovery.EndpointSlice)
++			if c.managedByController(eps) {
++				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
++				if svcErr != nil {
++					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s: %v", eps.Namespace, eps.Name, svcErr)
++					return
++				}
++				if svc != nil {
++					klog.Infof("Infra EndpointSlice added: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
++					c.queue.Add(newRequest(AddReq, svc, nil))
++				}
++			}
++		},
++		UpdateFunc: func(oldObj, newObj interface{}) {
++			eps := newObj.(*discovery.EndpointSlice)
++			if c.managedByController(eps) {
++				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
++				if svcErr != nil {
++					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s: %v", eps.Namespace, eps.Name, svcErr)
++					return
++				}
++				if svc != nil {
++					klog.Infof("Infra EndpointSlice updated: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
++					c.queue.Add(newRequest(UpdateReq, svc, nil))
++				}
++			}
++		},
++		DeleteFunc: func(obj interface{}) {
++			eps := obj.(*discovery.EndpointSlice)
++			if c.managedByController(eps) {
++				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
++				if svcErr != nil {
++					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s on delete: %v", eps.Namespace, eps.Name, svcErr)
++					return
++				}
++				if svc != nil {
++					klog.Infof("Infra EndpointSlice deleted: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
++					c.queue.Add(newRequest(DeleteReq, svc, nil))
++				}
++			}
++		},
++	})
++	if err != nil {
++		return err
++	}
++
+ 	return nil
+ }
+ 
++// getInfraServiceForEPS returns the Service in the infra cluster associated with the given EndpointSlice.
++// It does this by reading the "kubernetes.io/service-name" label from the EndpointSlice, which should correspond
++// to the Service name. If not found or if the Service doesn't exist, it returns nil.
++func (c *Controller) getInfraServiceForEPS(ctx context.Context, eps *discovery.EndpointSlice) (*v1.Service, error) {
++	svcName := eps.Labels[discovery.LabelServiceName]
++	if svcName == "" {
++		// No service name label found, can't determine infra service.
++		return nil, nil
++	}
++
++	svc, err := c.infraClient.CoreV1().Services(c.infraNamespace).Get(ctx, svcName, metav1.GetOptions{})
++	if err != nil {
++		if k8serrors.IsNotFound(err) {
++			// Service doesn't exist
++			return nil, nil
++		}
++		return nil, err
++	}
++
++	return svc, nil
++}
++
+ // Run starts an asynchronous loop that monitors and updates GKENetworkParamSet in the cluster.
+ func (c *Controller) Run(numWorkers int, stopCh <-chan struct{}, controllerManagerMetrics *controllersmetrics.ControllerManagerMetrics) {
+ 	defer utilruntime.HandleCrash()

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.0@sha256:83d71fcd5d699089b11f2999d601d56e31e173bf312be271b7d9b81e69f76a2f
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.1@sha256:644379ba92c72dbbf07257d70f88ef3e5c1f1fb88f161c03758c13588d33ac2d

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:3758704d9f45ca364af0b656b502975b030d2ccd6899e97e0e58f350756dca57
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:a64fefbd94535be2f8ac92943f0cad076a7b4c61c289a6ac0086a40859ed9d0e

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

@@ -48,7 +48,6 @@ spec:
         tenant: {{ .Release.Namespace }}
       remoteWrite:
         url: http://vminsert-shortterm.{{ $targetTenant }}.svc:8480/insert/0/prometheus
-
     fluent-bit:
       readinessProbe:
         httpGet:

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:793edb25a29cbc00781e40af883815ca36937e736e2b0d202ea9c9619fb6ca11
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:948d41556939d90bdc37b4406b18935d46490dcb3f38a27aa117a4c3973e5604

packages/apps/nats/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/nats/README.md

@@ -4,9 +4,13 @@
 
 ### Common parameters
 
-| Name           | Description                                     | Value   |
-| -------------- | ----------------------------------------------- | ------- |
-| `external`     | Enable external access from outside the cluster | `false` |
-| `replicas`     | Persistent Volume size for NATS                 | `2`     |
-| `storageClass` | StorageClass used to store the data             | `""`    |
-
+| Name                | Description                                        | Value   |
+| ------------------- | -------------------------------------------------- | ------- |
+| `external`          | Enable external access from outside the cluster    | `false` |
+| `replicas`          | Persistent Volume size for NATS                    | `2`     |
+| `storageClass`      | StorageClass used to store the data                | `""`    |
+| `users`             | Users configuration                                | `{}`    |
+| `jetstream.size`    | Jetstream persistent storage size                  | `10Gi`  |
+| `jetstream.enabled` | Enable or disable Jetstream                        | `true`  |
+| `config.merge`      | Additional configuration to merge into NATS config | `{}`    |
+| `config.resolver`   | Additional configuration to merge into NATS config | `{}`    |

packages/apps/nats/templates/nats.yaml

@@ -1,3 +1,25 @@
+{{- $passwords := dict }}
+{{- range $user, $u := .Values.users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.users }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-credentials
+stringData:
+  {{- range $user, $u := .Values.users }}
+  {{ quote $user }}: {{ quote (index $passwords $user) }}
+  {{- end }}
+{{- end }}
+
+---
+
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -18,6 +40,25 @@ spec:
     nats:
       fullnameOverride: {{ .Release.Name }}
       config:
+        {{- if or (gt (len $passwords) 0) (gt (len .Values.config.merge) 0) }}
+        merge:
+          {{- if gt (len $passwords) 0 }}
+          accounts:
+            A:
+              users:
+                {{- range $username, $password := $passwords }}
+                - user: "{{ $username }}"
+                  password: "{{ $password }}"
+                {{- end }}
+          {{- end }}
+          {{- if and .Values.config (hasKey .Values.config "merge") }}
+          {{ toYaml .Values.config.merge | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- if and .Values.config (hasKey .Values.config "resolver") }}
+        resolver:
+          {{ toYaml .Values.config.resolver | nindent 12 }}
+        {{- end }}
         cluster:
           enabled: true
           replicas: {{ .Values.replicas }}
@@ -26,10 +67,10 @@ spec:
         jetstream:
           enabled: true
           fileStore:
-            enabled: true
+            enabled: {{ .Values.jetstream.enabled }}
             pvc:
               enabled: true
-              size: 10Gi
+              size: {{ .Values.jetstream.size }}
               {{- with .Values.storageClass }}
               storageClassName: {{ . }}
               {{- end }}

packages/apps/nats/templates/resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-credentials
+  verbs: ["get", "list", "watch"]

packages/apps/nats/values.schema.json

@@ -16,6 +16,36 @@
             "type": "string",
             "description": "StorageClass used to store the data",
             "default": ""
+        },
+        "jetstream": {
+            "type": "object",
+            "properties": {
+                "size": {
+                    "type": "string",
+                    "description": "Jetstream persistent storage size",
+                    "default": "10Gi"
+                },
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Enable or disable Jetstream",
+                    "default": true
+                }
+            }
+        },
+        "config": {
+            "type": "object",
+            "properties": {
+                "merge": {
+                    "type": "object",
+                    "description": "Additional configuration to merge into NATS config",
+                    "default": {}
+                },
+                "resolver": {
+                    "type": "object",
+                    "description": "Additional configuration to merge into NATS config",
+                    "default": {}
+                }
+            }
         }
     }
 }

packages/apps/nats/values.yaml

@@ -8,3 +8,56 @@
 external: false
 replicas: 2
 storageClass: ""
+## @param users [object] Users configuration
+## Example:
+## users:
+##   user1:
+##     password: strongpassword
+##   user2: {}
+users: {}
+
+jetstream:
+  ## @param jetstream.size Jetstream persistent storage size
+  ## Specifies the size of the persistent storage for Jetstream (message store).
+  ## Default: 10Gi
+  size: 10Gi
+
+  ## @param jetstream.enabled Enable or disable Jetstream
+  ## Set to true to enable Jetstream for persistent messaging in NATS.
+  ## Default: true
+  enabled: true
+
+config:
+  ## @param config.merge Additional configuration to merge into NATS config
+  ## Allows you to customize NATS server settings by merging additional configurations.
+  ## For example, you can add extra parameters, configure authentication, or set custom settings.
+  ## Default: {}
+  ## example:
+  ##
+  ##   merge:
+  ##     $include: ./my-config.conf
+  ##     zzz$include: ./my-config-last.conf
+  ##     server_name: nats
+  ##     authorization:
+  ##       token: << $TOKEN >>
+  ##     jetstream:
+  ##       max_memory_store: << 1GB >>
+  ##
+  ## will yield the config:
+  ## {
+  ##   include ./my-config.conf;
+  ##   "authorization": {
+  ##     "token": $TOKEN
+  ##   },
+  ##   "jetstream": {
+  ##     "max_memory_store": 1GB
+  ##   },
+  ##   "server_name": "nats",
+  ##   include ./my-config-last.conf;
+  ## }
+  merge: {}
+  ## @param config.resolver Additional configuration to merge into NATS config
+  ## Allows you to customize NATS server settings by merging resolver configurations.
+  ## Default: {}
+  ## Example see: https://github.com/nats-io/k8s/blob/main/helm/charts/nats/values.yaml#L247
+  resolver: {}

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:d2015c6dba92293bda652d055e97d1be80e8414c2dc78037c12812d1a2e2cba1
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:4d2271b345240c6c5b37599996745646012004b0f57e31c4c9deb1aba7408a51

packages/apps/postgres/values.schema.json

@@ -103,4 +103,4 @@
             }
         }
     }
-}
+}

packages/apps/redis/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/redis/README.md

@@ -19,5 +19,6 @@ Service utilizes the Spotahome Redis Operator for efficient management and orche
 | `size`         | Persistent Volume size                          | `1Gi`   |
 | `replicas`     | Number of Redis replicas                        | `2`     |
 | `storageClass` | StorageClass used to store the data             | `""`    |
+| `authEnabled`  | Enable password generation                      | `true`  |
 
 

packages/apps/redis/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - rfs-{{ .Release.Name }}
+  - rfrm-{{ .Release.Name }}
+  - rfrs-{{ .Release.Name }}
+  - "{{ .Release.Name }}-external-lb"
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - "{{ .Release.Name }}-auth"
+  verbs: ["get", "list", "watch"]

packages/apps/redis/templates/redisfailover.yaml

@@ -1,3 +1,20 @@
+{{- if .Values.authEnabled }}
+  {{- $existingPassword := lookup "v1" "Secret" .Release.Namespace (printf "%s-auth" .Release.Name) }}
+  {{- $password := randAlphaNum 32 | b64enc }}
+  {{- if $existingPassword }}
+    {{- $password = index $existingPassword.data "password" }}
+  {{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-auth
+data:
+  password: {{ $password }}
+{{- end }}
+
+---
+
 apiVersion: databases.spotahome.com/v1
 kind: RedisFailover
 metadata:
@@ -52,3 +69,7 @@ spec:
       - appendonly no
       - save ""
       {{- end }}
+  {{- if .Values.authEnabled }}
+  auth:
+    secretPath: {{ .Release.Name }}-auth
+  {{- end }}

packages/apps/redis/values.schema.json

@@ -21,6 +21,11 @@
             "type": "string",
             "description": "StorageClass used to store the data",
             "default": ""
+        },
+        "authEnabled": {
+            "type": "boolean",
+            "description": "Enable password generation",
+            "default": true
         }
     }
 }

packages/apps/redis/values.yaml

@@ -4,8 +4,10 @@
 ## @param size Persistent Volume size
 ## @param replicas Number of Redis replicas
 ## @param storageClass StorageClass used to store the data
+## @param authEnabled Enable password generation
 ##
 external: false
 size: 1Gi
 replicas: 2
 storageClass: ""
+authEnabled: true

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.5.0
+version: 1.6.5

packages/apps/tenant/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tenant.name" . }}-dashboard-resources
+  namespace: {{ .Release.namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - kubeconfig-{{ include "tenant.name" . }}
+  verbs: ["get", "list", "watch"]

packages/apps/tenant/templates/keycloakgroups.yaml

@@ -0,0 +1,53 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
+{{- if $oidcEnabled }}
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-view
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-view
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+
+---
+
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-use
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-use
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+
+---
+
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-admin
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+
+---
+
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+spec:
+  name: {{ include "tenant.name" . }}-super-admin
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm
+{{- end }}

packages/apps/tenant/templates/kubeconfig.yaml

@@ -0,0 +1,44 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- $k8sClientSecret := lookup "v1" "Secret" "cozy-keycloak" "k8s-client" }}
+
+{{- if $k8sClientSecret }}
+{{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
+{{- $k8sClient := index $k8sClientSecret.data "client-secret-key" | b64dec }}
+{{- $rootSaConfigMap := lookup "v1" "ConfigMap" "kube-system" "kube-root-ca.crt" }}
+{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc  }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubeconfig-{{ include "tenant.name" . }}
+  namespace: tenant-root
+stringData:
+  kubeconfig: |
+    apiVersion: v1
+    clusters:
+    - cluster:
+        server: {{ $apiServerEndpoint }}
+        certificate-authority-data: {{ $k8sCa }}
+      name: cluster
+    contexts:
+    - context:
+        cluster: cluster
+        namespace: {{ include "tenant.name" . }}
+        user: keycloak
+      name: {{ include "tenant.name" . }}
+    current-context: {{ include "tenant.name" . }}
+    users:
+    - name: keycloak
+      user:
+        exec:
+          apiVersion: client.authentication.k8s.io/v1beta1
+          args:
+          - oidc-login
+          - get-token
+          - --oidc-issuer-url=https://keycloak.{{ $host }}/realms/cozy
+          - --oidc-client-id=kubernetes
+          - --oidc-client-secret={{ $k8sClient }}
+          - --skip-open-browser
+          command: kubectl
+{{- end }}

packages/apps/tenant/templates/networkpolicy.yaml

@@ -159,6 +159,18 @@ spec:
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
+metadata:
+  name: allow-to-keycloak
+  namespace: {{ include "tenant.name" . }}
+spec:
+  endpointSelector: {}
+  egress:
+  - toEndpoints:
+      - matchLabels:
+          "k8s:io.kubernetes.pod.namespace": cozy-keycloak
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
 metadata:
   name: allow-to-cdi-upload-proxy
   namespace: {{ include "tenant.name" . }}

packages/apps/tenant/templates/tenant.yaml

@@ -14,6 +14,8 @@ metadata:
     kubernetes.io/service-account.name: {{ include "tenant.name" . }}
 type: kubernetes.io/service-account-token
 ---
+# == default role ==
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -29,9 +31,10 @@ rules:
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["roles"]
   verbs: ["get"]
-- apiGroups: ["helm.toolkit.fluxcd.io"]
-  resources: ["helmreleases"]
-  verbs: ["*"]
+- apiGroups: ["apps.cozystack.io"]
+  resources: ['*']
+  verbs: ['*']
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -62,6 +65,307 @@ roleRef:
   name: {{ include "tenant.name" . }}
   apiGroup: rbac.authorization.k8s.io
 ---
+# == view role ==
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-view
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+    verbs:
+      - get
+  - apiGroups:
+      - apps.cozystack.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-view
+  namespace: {{ include "tenant.name" . }}
+subjects:
+{{- if ne .Release.Namespace "tenant-root" }}
+- kind: Group
+  name: tenant-root-view
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-view
+  apiGroup: rbac.authorization.k8s.io
+{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- $parts := splitList "-" .Release.Namespace }}
+{{- range $i, $v := $parts }}
+{{- if ne $i 0 }}
+- kind: Group
+  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-view
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-view
+  apiGroup: rbac.authorization.k8s.io
+
+---
+# == use role ==
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-use
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: [rbac.authorization.k8s.io]
+    resources:
+    - roles
+    verbs:
+    - get
+  - apiGroups: ["apps.cozystack.io"]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups: [""]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+    - ingresses
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+    - virtualmachineinstances/console
+    - virtualmachineinstances/vnc
+    verbs:
+    - get
+    - list
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-use
+  namespace: {{ include "tenant.name" . }}
+subjects:
+{{- if ne .Release.Namespace "tenant-root" }}
+- kind: Group
+  name: tenant-root-use
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-use
+  apiGroup: rbac.authorization.k8s.io
+{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- $parts := splitList "-" .Release.Namespace }}
+{{- range $i, $v := $parts }}
+{{- if ne $i 0 }}
+- kind: Group
+  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-use
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-use
+  apiGroup: rbac.authorization.k8s.io
+---
+# == admin role ==
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: [rbac.authorization.k8s.io]
+    resources:
+    - roles
+    verbs:
+    - get
+  - apiGroups: [""]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+    - delete
+  - apiGroups: ["kubevirt.io"]
+    resources:
+    - virtualmachines
+    verbs:
+    - get
+    - list
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+    - virtualmachineinstances/console
+    - virtualmachineinstances/vnc
+    verbs:
+    - get
+    - list
+  - apiGroups: ["apps.cozystack.io"]
+    resources:
+    - buckets
+    - clickhouses
+    - ferretdb
+    - foos
+    - httpcaches
+    - kafkas
+    - kuberneteses
+    - mysqls
+    - natses
+    - postgreses
+    - rabbitmqs
+    - redises
+    - seaweedfses
+    - tcpbalancers
+    - virtualmachines
+    - vmdisks
+    - vminstances
+    verbs:
+    - get
+    - list
+    - watch
+    - create
+    - update
+    - patch
+    - delete
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: {{ include "tenant.name" . }}
+subjects:
+{{- if ne .Release.Namespace "tenant-root" }}
+- kind: Group
+  name: tenant-root-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- $parts := splitList "-" .Release.Namespace }}
+{{- range $i, $v := $parts }}
+{{- if ne $i 0 }}
+- kind: Group
+  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+# == super admin role ==
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: [rbac.authorization.k8s.io]
+    resources:
+    - roles
+    verbs:
+    - get
+  - apiGroups: [""]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+    - delete
+  - apiGroups: ["kubevirt.io"]
+    resources:
+    - virtualmachines
+    verbs:
+    - '*'
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+    - virtualmachineinstances/console
+    - virtualmachineinstances/vnc
+    verbs:
+    - get
+    - list
+  - apiGroups: ["apps.cozystack.io"]
+    resources:
+    - '*'
+    verbs:
+    - '*'
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+subjects:
+{{- if ne .Release.Namespace "tenant-root" }}
+- kind: Group
+  name: tenant-root-super-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- $parts := splitList "-" .Release.Namespace }}
+{{- range $i, $v := $parts }}
+{{- if ne $i 0 }}
+- kind: Group
+  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+# == dashboard role ==
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -73,7 +377,7 @@ rules:
   verbs: ["get", "list"]
 - apiGroups: ["source.toolkit.fluxcd.io"]
   resources: ["helmcharts"]
-  verbs: ["*"]
+  verbs: ["get", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -81,6 +385,18 @@ metadata:
   name: {{ include "tenant.name" . }}
   namespace: cozy-public
 subjects:
+- kind: Group
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: {{ include "tenant.name" . }}-admin
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: {{ include "tenant.name" . }}-use
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: {{ include "tenant.name" . }}-view
+  apiGroup: rbac.authorization.k8s.io
 - kind: ServiceAccount
   name: {{ include "tenant.name" . }}
   namespace: {{ include "tenant.name" . }}

packages/apps/versions_map

@@ -5,7 +5,8 @@ clickhouse 0.2.1 5ca8823
 clickhouse 0.3.0 b00621e
 clickhouse 0.4.0 320fc32
 clickhouse 0.5.0 2a4768a5
-clickhouse 0.6.0 HEAD
+clickhouse 0.6.0 18bbdb67
+clickhouse 0.6.1 HEAD
 ferretdb 0.1.0 4ffa8615
 ferretdb 0.1.1 5ca8823
 ferretdb 0.2.0 adaf603
@@ -21,7 +22,8 @@ kafka 0.2.0 a2cc83d
 kafka 0.2.1 3ac17018
 kafka 0.2.2 d0758692
 kafka 0.2.3 5ca8823
-kafka 0.3.0 HEAD
+kafka 0.3.0 c07c4bbd
+kafka 0.3.1 HEAD
 kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
@@ -39,7 +41,8 @@ kubernetes 0.11.1 4f430a90
 kubernetes 0.12.0 74649f8
 kubernetes 0.12.1 28fca4e
 kubernetes 0.13.0 ced8e5b9
-kubernetes 0.14.0 HEAD
+kubernetes 0.14.0 bfbde07c
+kubernetes 0.14.1 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
@@ -48,7 +51,10 @@ mysql 0.5.0 4b84798
 mysql 0.5.1 fab5940b
 mysql 0.5.2 HEAD
 nats 0.1.0 5ca8823
-nats 0.2.0 HEAD
+nats 0.2.0 c07c4bbd
+nats 0.3.0 78366f19
+nats 0.3.1 b7375f73
+nats 0.4.0 HEAD
 postgres 0.1.0 f642698
 postgres 0.2.0 7cd7de73
 postgres 0.2.1 4a97e297
@@ -69,7 +75,9 @@ rabbitmq 0.4.2 00b2834e
 rabbitmq 0.4.3 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
-redis 0.3.0 HEAD
+redis 0.3.0 c07c4bbd
+redis 0.3.1 b7375f73
+redis 0.4.0 HEAD
 tcp-balancer 0.1.0 f642698
 tcp-balancer 0.2.0 HEAD
 tenant 0.1.3 3d1b86c
@@ -81,7 +89,13 @@ tenant 1.2.0 15478a88
 tenant 1.3.0 ceefae03
 tenant 1.3.1 c56e5769
 tenant 1.4.0 94c688f7
-tenant 1.5.0 HEAD
+tenant 1.5.0 48128743
+tenant 1.6.0 df448b99
+tenant 1.6.1 edbbb9be
+tenant 1.6.2 ccedc5fe
+tenant 1.6.3 2057bb96
+tenant 1.6.4 3c9e50a4
+tenant 1.6.5 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
@@ -89,7 +103,8 @@ virtual-machine 0.3.0 b908400
 virtual-machine 0.4.0 4746d51
 virtual-machine 0.5.0 HEAD
 vm-disk 0.1.0 HEAD
-vm-instance 0.1.0 HEAD
+vm-instance 0.1.0 ced8e5b9
+vm-instance 0.2.0 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 a2bcf100

packages/apps/vm-instance/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.2.0"

packages/apps/vm-instance/templates/vm.yaml

@@ -85,7 +85,7 @@ spec:
       {{- range .Values.disks }}
       - name: disk-{{ .name }}
         dataVolume:
-          name: {{ .name }}
+          name: vm-disk-{{ .name }}
       {{- end }}
       {{- if or .Values.sshKeys .Values.cloudInit }}
       - name: cloudinitdisk

packages/apps/vm-instance/values.yaml

@@ -18,8 +18,8 @@ instanceProfile: ubuntu
 ## @param disks [array] List of disks to attach
 ## Example:
 ## disks:
-## - name: vm-disk-example-system
-## - name: vm-disk-example-data
+## - name: example-system
+## - name: example-data
 disks: []
 
 ## @param resources.cpu The number of CPU cores allocated to the virtual machine

packages/core/installer/Makefile

@@ -38,8 +38,8 @@ image-cozystack:
 	rm -f images/cozystack.json
 
 image-talos:
-	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
-	docker load -i ../../../_out/assets/installer-amd64.tar
+	test -f ../../../_out/assets/installer-amd64-secureboot.tar || make talos-installer
+	docker load -i ../../../_out/assets/installer-amd64-secureboot.tar
 	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
 	docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
 
@@ -59,8 +59,17 @@ image-matchbox:
 
 assets: talos-iso talos-nocloud talos-metal
 
-talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal:
+talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal: secureboot-keys
 	mkdir -p ../../../_out/assets
+	docker rm -f talos-imager 2>/dev/null || true 
+	docker run -d --rm --name talos-imager --privileged -v /dev:/dev --entrypoint=/bin/sleep "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" infinity
+	docker cp ../../../_out/secureboot talos-imager:/secureboot && \
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
-		docker run --rm -i -v /dev:/dev --privileged "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" --tar-to-stdout - | \
-		tar -C ../../../_out/assets -xzf-
+		docker exec -i talos-imager /bin/imager --tar-to-stdout - | \
+		tar -C ../../../_out/assets -xzf- ; \
+	docker rm -f talos-imager
+
+secureboot-keys:
+	test -d ../../../_out/secureboot || ( \
+	talosctl gen secureboot uki --common-name "SecureBoot Key" -o ../../../_out/secureboot/ && \
+	talosctl gen secureboot pcr -o ../../../_out/secureboot/ )

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.2
+version: v1.9.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20241029
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.2
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -2,26 +2,29 @@
 # do not edit it
 arch: amd64
 platform: metal
-secureboot: false
-version: v1.8.2
+version: v1.9.1
+secureboot: true
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20241029
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.2
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
   kind: installer
   imageOptions: {}
   outFormat: raw
+customization:
+  extraKernelArgs:
+  - -selinux

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.2
+version: v1.9.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20241029
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.2
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.2
+version: v1.9.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20241029
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.2
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.2
+version: v1.9.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20241029
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.2
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.8.2
+version: v1.9.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241017
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20241029
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241017
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.2
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.18.0@sha256:8c0e75ca3c9cbc8289cff7955f83e6d52d077cbb0e1328e64a82026c7bea19b5
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.21.0@sha256:90487dafccb12705b5e9760595b43c0352f3a94551c55c5fa7778bf9173d1737

packages/core/platform/bundles/distro-full.yaml

@@ -174,3 +174,17 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: [cilium]
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  optional: true
+  dependsOn: [postgres-operator]
+
+- name: keycloak-operator
+  releaseName: keycloak-operator
+  chart: cozy-keycloak-operator
+  namespace: cozy-keycloak
+  optional: true
+  dependsOn: [keycloak]

packages/core/platform/bundles/distro-hosted.yaml

@@ -124,3 +124,17 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: []
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  optional: true
+  dependsOn: [postgres-operator]
+
+- name: keycloak-operator
+  releaseName: keycloak-operator
+  chart: cozy-keycloak-operator
+  namespace: cozy-keycloak
+  optional: true
+  dependsOn: [keycloak]

packages/core/platform/bundles/paas-full.yaml

@@ -1,4 +1,13 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- if not $host }}
+{{- fail "ERROR need root-host in cozystack ConfigMap" }}
+{{- end }}
+{{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
+{{- if not $apiServerEndpoint }}
+{{- fail "ERROR need api-server-endpoint in cozystack ConfigMap" }}
+{{- end }}
 
 releases:
 - name: fluxcd-operator
@@ -200,20 +209,31 @@ releases:
   releaseName: dashboard
   chart: cozy-dashboard
   namespace: cozy-dashboard
-  dependsOn: [cilium,kubeovn]
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
+  dependsOn: [cilium,kubeovn,keycloak-configure]
   values:
-    kubeapps:
-      redis:
-        master:
-          podAnnotations:
-            {{- range $index, $repo := . }}
-            {{- with (($repo.status).artifact).revision }}
-            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
-            {{- end }}
-            {{- end }}
-  {{- end }}
+    {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+    {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
+    redis:
+      master:
+        podAnnotations:
+          {{- range $index, $repo := . }}
+          {{- with (($repo.status).artifact).revision }}
+          repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
+          {{- end }}
+          {{- end }}
+    {{- end }}
+    {{- end }}
+
+    {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
+    {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
+    {{- if $dashboardKCValues }}
+    {{- $dashboardKCValues | nindent 4 }}
+    {{- end }}
+
+  {{- if eq $oidcEnabled "true" }}
+  dependsOn: [keycloak-configure]
+  {{- else }}
+  dependsOn: []
   {{- end }}
 
 - name: kamaji
@@ -249,3 +269,23 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: [cilium,kubeovn]
+
+{{- if $oidcEnabled }}
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]
+
+- name: keycloak-operator
+  releaseName: keycloak-operator
+  chart: cozy-keycloak-operator
+  namespace: cozy-keycloak
+  dependsOn: [keycloak]
+
+- name: keycloak-configure
+  releaseName: keycloak-configure
+  chart: cozy-keycloak-configure
+  namespace: cozy-keycloak
+  dependsOn: [keycloak-operator]
+{{- end }}

packages/core/platform/bundles/paas-hosted.yaml

@@ -1,4 +1,13 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- if not $host }}
+{{- fail "ERROR need root-host in cozystack ConfigMap" }}
+{{- end }}
+{{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
+{{- if not $apiServerEndpoint }}
+{{- fail "ERROR need api-server-endpoint in cozystack ConfigMap" }}
+{{- end }}
 
 releases:
 - name: fluxcd-operator
@@ -19,7 +28,7 @@ releases:
   chart: cozy-cert-manager-crds
   namespace: cozy-cert-manager
   dependsOn: []
-  
+
 - name: cozystack-api
   releaseName: cozystack-api
   chart: cozy-cozystack-api
@@ -130,10 +139,9 @@ releases:
   releaseName: dashboard
   chart: cozy-dashboard
   namespace: cozy-dashboard
-  dependsOn: []
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
   values:
+    {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+    {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
     kubeapps:
       redis:
         master:
@@ -143,5 +151,37 @@ releases:
             repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
             {{- end }}
             {{- end }}
+    {{- end }}
+    {{- end }}
+
+    {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
+    {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
+    {{- if $dashboardKCValues }}
+    {{- $dashboardKCValues | nindent 4 }}
+    {{- end }}
+
+  {{- if eq $oidcEnabled "true" }}
+  dependsOn: [keycloak-configure]
+  {{- else }}
+  dependsOn: []
   {{- end }}
-  {{- end }}
+
+{{- if $oidcEnabled }}
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]
+
+- name: keycloak-operator
+  releaseName: keycloak-operator
+  chart: cozy-keycloak-operator
+  namespace: cozy-keycloak
+  dependsOn: [keycloak]
+
+- name: keycloak-configure
+  releaseName: keycloak-configure
+  chart: cozy-keycloak-configure
+  namespace: cozy-keycloak
+  dependsOn: [keycloak-operator]
+{{- end }}

packages/core/platform/templates/apps.yaml

@@ -2,6 +2,12 @@
 {{- $bundleName := index $cozyConfig.data "bundle-name" }}
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $host := "example.org" }}
+{{- $host := "example.org" }}
+{{- if $cozyConfig.data }}
+  {{- if hasKey $cozyConfig.data "root-host" }}
+    {{- $host = index $cozyConfig.data "root-host" }}
+  {{- end }}
+{{- end }}
 {{- $tenantRoot := list }}
 {{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
 {{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "tenant-root" "tenant-root" }}

packages/core/platform/templates/helmreleases.yaml

@@ -56,6 +56,18 @@ spec:
   values:
     {{- toYaml . | nindent 4}}
   {{- end }}
+
+  {{- if $x.valuesFrom }}
+  valuesFrom:
+  {{- range $source := $x.valuesFrom }}
+  - kind: {{ $source.kind }}
+    name: {{ $source.name }}
+    {{- if $source.valuesKey }}
+    valuesKey: {{ $source.valuesKey }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+
   {{- with $x.dependsOn }}
   dependsOn:
   {{- range $dep := . }}

packages/core/testing/images/e2e-sandbox/Dockerfile

@@ -1,8 +1,8 @@
 FROM ubuntu:22.04
 
-ARG KUBECTL_VERSION=1.31.0
-ARG TALOSCTL_VERSION=1.7.6
-ARG HELM_VERSION=3.15.4
+ARG KUBECTL_VERSION=1.32.0
+ARG TALOSCTL_VERSION=1.8.4
+ARG HELM_VERSION=3.16.4
 
 RUN apt-get update
 RUN apt-get -y install genisoimage qemu-kvm qemu-utils iproute2 iptables wget xz-utils netcat curl jq

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.18.0@sha256:1a26a511b9e269bcb607e2d80f878d7c2d993b7a2a7a3a2a1042470c8c56b061
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.21.0@sha256:38229517c86e179984a6d39f5510b859d13d965e35b216bc01ce456f9ab5f8b5

packages/extra/ingress/templates/dashboard.yaml

@@ -10,9 +10,13 @@ kind: Ingress
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    {{- if eq $issuerType "cloudflare" }} 
+    {{- if eq $issuerType "cloudflare" }}
     {{- else }}
     acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
+    nginx.ingress.kubernetes.io/proxy-body-size: 100m
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 100m
+    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
+    nginx.ingress.kubernetes.io/client-max-body-size: 100m
     {{- end }}
   name: dashboard-{{ .Release.Namespace }}
   namespace: cozy-dashboard

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.5.1
+version: 1.5.3

packages/extra/monitoring/README.md

@@ -4,12 +4,13 @@
 
 ### Common parameters
 
-| Name                            | Description                                                                                               | Value                                            |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
-| `host`                          | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`                                             |
-| `metricsStorages`               | Configuration of metrics storage instances                                                                | `[]`                                             |
-| `logsStorages`                  | Configuration of logs storage instances                                                                   | `[]`                                             |
-| `alerta.storage`                | Persistent Volume size for alerta database                                                                | `10Gi`                                           |
-| `alerta.storageClassName`       | StorageClass used to store the data                                                                       | `""`                                             |
-| `alerta.alerts.telegram.token`  | telegram token for your bot                                                                               | `7262461387:AAGtwq16iwuVtWtzoN6TUEMpF00fpC9Xz34` |
-| `alerta.alerts.telegram.chatID` | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `-4520856007`                                    |
+| Name                            | Description                                                                                               | Value  |
+| ------------------------------- | --------------------------------------------------------------------------------------------------------- | ------ |
+| `host`                          | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`   |
+| `metricsStorages`               | Configuration of metrics storage instances                                                                | `[]`   |
+| `logsStorages`                  | Configuration of logs storage instances                                                                   | `[]`   |
+| `alerta.storage`                | Persistent Volume size for alerta database                                                                | `10Gi` |
+| `alerta.storageClassName`       | StorageClass used to store the data                                                                       | `""`   |
+| `alerta.alerts.telegram.token`  | telegram token for your bot                                                                               | `""`   |
+| `alerta.alerts.telegram.chatID` | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `""`   |
+| `grafana.db.size`               | Persistent Volume size for grafana database                                                               | `10Gi` |

packages/extra/monitoring/templates/grafana/db.yaml

@@ -5,7 +5,7 @@ metadata:
 spec:
   instances: 2
   storage:
-    size: 10Gi
+    size: {{ .Values.grafana.db.size }}
 
   inheritedMetadata:
     labels:

packages/extra/monitoring/templates/grafana/grafana.yaml

@@ -1,5 +1,5 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }} 
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
 
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
@@ -30,7 +30,7 @@ spec:
       admin_user: user
       admin_password: ${GF_PASSWORD}
     plugins:
-      allow_loading_unsigned_plugins: "victorialogs-datasource"
+      allow_loading_unsigned_plugins: "victoriametrics-logs-datasource"
   deployment:
     spec:
       replicas: 2
@@ -50,8 +50,8 @@ spec:
                 - |
                   set -ex
                   mkdir -p /var/lib/grafana/plugins/
-                  ver=$(curl -s https://api.github.com/repos/VictoriaMetrics/victorialogs-datasource/releases/latest | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
-                  curl -L https://github.com/VictoriaMetrics/victorialogs-datasource/releases/download/$ver/victorialogs-datasource-$ver.tar.gz -o /var/lib/grafana/plugins/vl-plugin.tar.gz
+                  ver=$(curl -s https://api.github.com/repos/VictoriaMetrics/victorialogs-datasource/releases/latest | grep -oE 'v0\.13\.[0-9]+' | head -1)
+                  curl -L https://github.com/VictoriaMetrics/victorialogs-datasource/releases/download/$ver/victoriametrics-logs-datasource-$ver.tar.gz -o /var/lib/grafana/plugins/vl-plugin.tar.gz
                   tar -xf /var/lib/grafana/plugins/vl-plugin.tar.gz -C /var/lib/grafana/plugins/
                   rm /var/lib/grafana/plugins/vl-plugin.tar.gz
               volumeMounts:

packages/extra/monitoring/templates/vlogs/grafana-datasource.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   datasource:
     access: proxy
-    type: victorialogs-datasource
+    type: victoriametrics-logs-datasource
     name: vlogs-{{ .name }}
     url: http://vlogs-{{ .name }}.{{ $.Release.Namespace }}.svc:9428
   instanceSelector:

packages/extra/monitoring/templates/vm/vmalert.yaml

@@ -18,4 +18,5 @@ spec:
     url: http://vminsert-{{ .name }}.{{ $.Release.Namespace }}.svc:8480/insert/0/prometheus/api/v1/write
   resources: {}
   selectAllByDefault: true
+{{- break }}
 {{- end }}

packages/extra/monitoring/templates/vm/vmcluster.yaml

@@ -34,6 +34,12 @@ spec:
               storage: 2Gi
   vmstorage:
     replicaCount: 2
+    resources:
+      limits:
+        memory: 1000Mi
+      requests:
+        cpu: 100m
+        memory: 500Mi
     storage:
       volumeClaimTemplate:
         spec:

packages/extra/monitoring/values.schema.json

@@ -45,18 +45,33 @@
                 "token": {
                   "type": "string",
                   "description": "telegram token for your bot",
-                  "default": "7262461387:AAGtwq16iwuVtWtzoN6TUEMpF00fpC9Xz34"
+                  "default": ""
                 },
                 "chatID": {
                   "type": "string",
                   "description": "specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot",
-                  "default": "-4520856007"
+                  "default": ""
                 }
               }
             }
           }
         }
       }
+    },
+    "grafana": {
+      "type": "object",
+      "properties": {
+        "db": {
+          "type": "object",
+          "properties": {
+            "size": {
+              "type": "string",
+              "description": "Persistent Volume size for grafana database",
+              "default": "10Gi"
+            }
+          }
+        }
+      }
     }
   }
 }

packages/extra/monitoring/values.yaml

@@ -44,3 +44,9 @@ alerta:
     telegram:
       token: ""
       chatID: ""
+
+## Configuration for Grafana
+## @param grafana.db.size Persistent Volume size for grafana database
+grafana:
+  db:
+    size: 10Gi

packages/extra/versions_map

@@ -15,7 +15,9 @@ monitoring 1.2.1 4471b4ba
 monitoring 1.3.0 6c5cf5b
 monitoring 1.4.0 adaf603b
 monitoring 1.5.0 4b90bf5a
-monitoring 1.5.1 HEAD
+monitoring 1.5.1 57e90b70
+monitoring 1.5.2 898374b5
+monitoring 1.5.3 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 9e33dc0
 seaweedfs 0.2.1 HEAD

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:6a33bc3bb8e64ce7acb805d911cceb893e7cdcc9dcb47249d26287c2ea78757d
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:109b1f36e85353066b387472aaab936d7d5b691ac99547312acd26484e3ebe8e

packages/system/cilium/charts/cilium/Chart.yaml

@@ -79,7 +79,7 @@ annotations:
     Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
     be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.16.3
+appVersion: 1.16.4
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.16.3
+version: 1.16.4

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.16.3](https://img.shields.io/badge/Version-1.16.3-informational?style=flat-square) ![AppVersion: 1.16.3](https://img.shields.io/badge/AppVersion-1.16.3-informational?style=flat-square)
+![Version: 1.16.4](https://img.shields.io/badge/Version-1.16.4-informational?style=flat-square) ![AppVersion: 1.16.4](https://img.shields.io/badge/AppVersion-1.16.4-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
 | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.3","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.4","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -353,7 +353,8 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:0287b36f70cfbdf54f894160082f4f94d1ee1fb10389f3a95baa6c8e448586ed","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16","useDigest":true}` | Envoy container image. |
+| envoy.initialFetchTimeoutSeconds | int | `30` | Time in seconds after which the initial fetch on an xDS stream is considered timed out |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -484,7 +485,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.3","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.4","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -532,10 +533,10 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-relay update strategy |
 | hubble.skipUnknownCGroupIDs | bool | `true` | Skip Hubble events with unknown cgroup ids |
 | hubble.socketPath | string | `"/var/run/cilium/hubble.sock"` | Unix domain socket path to listen to when Hubble is enabled. |
-| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble |
-| hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. |
+| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":365,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"enabled":true,"server":{"cert":"","existingSecret":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble |
+| hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":365,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. |
 | hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. |
-| hubble.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
+| hubble.tls.auto.certValidityDuration | int | `365` | Generated certificates validity duration in days.  Defaults to 365 days (1 year) because MacOS does not accept self-signed certificates with expirations > 825 days. |
 | hubble.tls.auto.enabled | bool | `true` | Auto-generate certificates. When set to true, automatically generate a CA and certificates to enable mTLS between Hubble server and Hubble Relay instances. If set to false, the certs for Hubble server need to be provided by setting appropriate values below. |
 | hubble.tls.auto.method | string | `"helm"` | Set the method to auto-generate certificates. Supported values: - helm:         This method uses Helm to generate all certificates. - cronJob:      This method uses a Kubernetes CronJob the generate any                 certificates not provided by the user at installation                 time. - certmanager:  This method use cert-manager to generate & rotate certificates. |
 | hubble.tls.auto.schedule | string | `"0 0 1 */4 *"` | Schedule for certificates regeneration (regardless of their expiration date). Only used if method is "cronJob". If nil, then no recurring job will be created. Instead, only the one-shot job is deployed to generate the certificates at installation time.  Defaults to midnight of the first day of every fourth month. For syntax, see https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax |
@@ -590,7 +591,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.3","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.4","useDigest":true}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -717,7 +718,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898","awsDigest":"sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916","azureDigest":"sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542","genericDigest":"sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.3","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686","awsDigest":"sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be","azureDigest":"sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de","genericDigest":"sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.4","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -767,7 +768,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.3","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.4","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -816,7 +817,7 @@ contributors across the globe, there is almost always someone available to help.
 | serviceAccounts.clustermeshcertgen | object | `{"annotations":{},"automount":true,"create":true,"name":"clustermesh-apiserver-generate-certs"}` | Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob |
 | serviceAccounts.hubblecertgen | object | `{"annotations":{},"automount":true,"create":true,"name":"hubble-generate-certs"}` | Hubblecertgen is used if hubble.tls.auto.method=cronJob |
 | serviceAccounts.nodeinit.enabled | bool | `false` | Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by this issue. Name and automount can be configured, if enabled is set to true. Otherwise, they are ignored. Enabled can be removed once the issue is fixed. Cilium-nodeinit DS must also be fixed. |
-| serviceNoBackendResponse | string | `"reject"` | Configure what the response should be to traffic for a service without backends. "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". Possible values:  - reject (default)  - drop |
+| serviceNoBackendResponse | string | `"reject"` | Configure what the response should be to traffic for a service without backends. Possible values:  - reject (default)  - drop |
 | sleepAfterInit | bool | `false` | Do not run Cilium agent when running with clean mode. Useful to completely uninstall Cilium as it will stop Cilium from starting and create artifacts in the node. |
 | socketLB | object | `{"enabled":false}` | Configure socket LB |
 | socketLB.enabled | bool | `false` | Enable socket LB |

packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json

@@ -338,6 +338,7 @@
   },
   "dynamicResources": {
     "ldsConfig": {
+      "initialFetchTimeout": "{{ .Values.envoy.initialFetchTimeoutSeconds }}s",
       "apiConfigSource": {
         "apiType": "GRPC",
         "transportApiVersion": "V3",
@@ -353,6 +354,7 @@
       "resourceApiVersion": "V3"
     },
     "cdsConfig": {
+      "initialFetchTimeout": "{{ .Values.envoy.initialFetchTimeoutSeconds }}s",
       "apiConfigSource": {
         "apiType": "GRPC",
         "transportApiVersion": "V3",
@@ -376,14 +378,13 @@
       }
     }
   ],
-  "layeredRuntime": {
-    "layers": [
+  "overload_manager": {
+    "resource_monitors": [
       {
-        "name": "static_layer_0",
-        "staticLayer": {
-          "overload": {
-            "global_downstream_max_connections": 50000
-          }
+        "name": "envoy.resource_monitors.global_downstream_max_connections",
+        "typed_config": {
+          "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig",
+          "max_active_downstream_connections": "50000"
         }
       }
     ]

packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml

@@ -712,13 +712,17 @@ data:
 {{- if $socketLB }}
 {{- if hasKey $socketLB "enabled" }}
   bpf-lb-sock: {{ $socketLB.enabled | quote }}
-  bpf-lb-sock-terminate-pod-connections: {{ $socketLB.enabled | quote }}
 {{- end }}
 {{- if hasKey $socketLB "hostNamespaceOnly" }}
   bpf-lb-sock-hostns-only: {{ $socketLB.hostNamespaceOnly | quote }}
 {{- end }}
 {{- if hasKey $socketLB "terminatePodConnections" }}
   bpf-lb-sock-terminate-pod-connections: {{ $socketLB.terminatePodConnections | quote }}
+{{- else if hasKey $socketLB "enabled" }}
+  bpf-lb-sock-terminate-pod-connections: {{ $socketLB.enabled | quote }}
+{{- end }}
+{{- if hasKey $socketLB "tracing" }}
+  trace-sock: {{ $socketLB.tracing | quote }}
 {{- end }}
 {{- end }}
 
@@ -1057,7 +1061,7 @@ data:
   egress-gateway-reconciliation-trigger-interval: {{ .Values.egressGateway.reconciliationTriggerInterval | quote }}
 {{- end }}
 {{- if .Values.egressGateway.maxPolicyEntries }}
-  egress-gateway-policy-map-max: {{ .Values.egressGateway.maxPolicyEntries }}
+  egress-gateway-policy-map-max: {{ .Values.egressGateway.maxPolicyEntries | quote }}
 {{- end }}
 
 {{- if hasKey .Values "vtep" }}
@@ -1271,6 +1275,7 @@ data:
   proxy-xff-num-trusted-hops-ingress: {{ .Values.envoy.xffNumTrustedHopsL7PolicyIngress | quote }}
   proxy-xff-num-trusted-hops-egress: {{ .Values.envoy.xffNumTrustedHopsL7PolicyEgress | quote }}
   proxy-connect-timeout: {{ .Values.envoy.connectTimeoutSeconds | quote }}
+  proxy-initial-fetch-timeout: {{ .Values.envoy.initialFetchTimeoutSeconds | quote }}
   proxy-max-requests-per-connection: {{ .Values.envoy.maxRequestsPerConnection | quote }}
   proxy-max-connection-duration-seconds: {{ .Values.envoy.maxConnectionDurationSeconds | quote }}
   proxy-idle-timeout-seconds: {{ .Values.envoy.idleTimeoutDurationSeconds | quote }}

packages/system/cilium/charts/cilium/templates/hubble-relay/serviceaccount.yaml

@@ -13,4 +13,5 @@ metadata:
       {{- toYaml . | nindent 4 }}
     {{- end }}
   {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccounts.relay.automount }}
 {{- end }}

packages/system/cilium/charts/cilium/templates/validate.yaml

@@ -150,6 +150,11 @@
 {{- if and (eq .Values.cluster.name "default") (ne (int .Values.cluster.id) 0) }}
   {{ fail "The cluster name is invalid: cannot use default value with cluster.id != 0" }}
 {{- end }}
+{{ if and
+    (or (and (ge (int .Values.cluster.id) 128) (le (int .Values.cluster.id) 255)) (and (ge (int .Values.cluster.id) 384) (le (int .Values.cluster.id) 511)))
+    (or .Values.eni.enabled .Values.alibabacloud.enabled (eq .Values.cni.chainingMode "aws-cni")) -}}
+  {{ fail "Cilium is currently affected by a bug that causes traffic matched by network policies to be incorrectly dropped when running in either ENI mode (both AWS and AlibabaCloud) or AWS VPC CNI chaining mode, if the cluster ID is 128-255 (and 384-511 when maxConnectedClusters=511). Please refer to https://github.com/cilium/cilium/issues/21330 for additional details." }}
+{{- end }}
 
 {{/* validate clustermesh-apiserver */}}
 {{- if .Values.clustermesh.useAPIServer }}

packages/system/cilium/charts/cilium/values.schema.json

@@ -1953,6 +1953,9 @@
           },
           "type": "object"
         },
+        "initialFetchTimeoutSeconds": {
+          "type": "integer"
+        },
         "livenessProbe": {
           "properties": {
             "failureThreshold": {

packages/system/cilium/charts/cilium/values.yaml

@@ -153,10 +153,10 @@ image:
   # @schema
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.16.3"
+  tag: "v1.16.4"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28"
+  digest: "sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf"
   useDigest: true
 # -- Affinity for cilium-agent.
 affinity:
@@ -997,6 +997,8 @@ socketLB:
   # hostNamespaceOnly: false
   # -- Enable terminating pod connections to deleted service backends.
   # terminatePodConnections: true
+  # -- Enables tracing for socket-based load balancing.
+  # tracing: true
 # -- Configure certificate generation for Hubble integration.
 # If hubble.tls.auto.method=cronJob, these values are used
 # for the Kubernetes CronJob which will be scheduled regularly to
@@ -1266,7 +1268,10 @@ hubble:
       # - certmanager:  This method use cert-manager to generate & rotate certificates.
       method: helm
       # -- Generated certificates validity duration in days.
-      certValidityDuration: 1095
+      #
+      # Defaults to 365 days (1 year) because MacOS does not accept
+      # self-signed certificates with expirations > 825 days.
+      certValidityDuration: 365
       # -- Schedule for certificates regeneration (regardless of their expiration date).
       # Only used if method is "cronJob". If nil, then no recurring job will be created.
       # Instead, only the one-shot job is deployed to generate the certificates at
@@ -1309,9 +1314,9 @@ hubble:
       # @schema
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.16.3"
+      tag: "v1.16.4"
       # hubble-relay-digest
-      digest: "sha256:feb60efd767e0e7863a94689f4a8db56a0acc7c1d2b307dee66422e3dc25a089"
+      digest: "sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- Specifies the resources for the hubble-relay pods
@@ -2140,6 +2145,8 @@ envoy:
     path: ""
   # -- Time in seconds after which a TCP connection attempt times out
   connectTimeoutSeconds: 2
+  # -- Time in seconds after which the initial fetch on an xDS stream is considered timed out
+  initialFetchTimeoutSeconds: 30
   # -- ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy
   maxRequestsPerConnection: 0
   # -- Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
@@ -2158,9 +2165,9 @@ envoy:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd"
+    tag: "v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16"
     pullPolicy: "IfNotPresent"
-    digest: "sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba"
+    digest: "sha256:0287b36f70cfbdf54f894160082f4f94d1ee1fb10389f3a95baa6c8e448586ed"
     useDigest: true
   # -- Additional containers added to the cilium Envoy DaemonSet.
   extraContainers: []
@@ -2439,7 +2446,6 @@ routingMode: ""
 # @default -- Port 8472 for VXLAN, Port 6081 for Geneve
 tunnelPort: 0
 # -- Configure what the response should be to traffic for a service without backends.
-# "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop".
 # Possible values:
 #  - reject (default)
 #  - drop
@@ -2474,15 +2480,15 @@ operator:
     # @schema
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.16.3"
+    tag: "v1.16.4"
     # operator-generic-digest
-    genericDigest: "sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b"
+    genericDigest: "sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5"
     # operator-azure-digest
-    azureDigest: "sha256:2882aaf03c32525a99181b7c065b2bb19c03eba6626fc736aebe368d90791542"
+    azureDigest: "sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de"
     # operator-aws-digest
-    awsDigest: "sha256:47f5abc5fa528472d3509c3199d7aab1e120833fb68df455e3b4476916385916"
+    awsDigest: "sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be"
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:d80a785c0e807fc708264a3fcb19be404114f619fd756dd5214f4cad5a281898"
+    alibabacloudDigest: "sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686"
     useDigest: true
     pullPolicy: "IfNotPresent"
     suffix: ""
@@ -2756,9 +2762,9 @@ preflight:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.16.3"
+    tag: "v1.16.4"
     # cilium-digest
-    digest: "sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28"
+    digest: "sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf"
     useDigest: true
     pullPolicy: "IfNotPresent"
   # -- The priority class to use for the preflight pod.
@@ -2905,9 +2911,9 @@ clustermesh:
       # @schema
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.16.3"
+      tag: "v1.16.4"
       # clustermesh-apiserver-digest
-      digest: "sha256:598cb4fd30b47bf2bc229cd6a011e451cf14753e56a80bb9ef01a09a519f52fb"
+      digest: "sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- TCP port for the clustermesh-apiserver health API.

packages/system/cilium/charts/cilium/values.yaml.tmpl

@@ -1006,6 +1006,8 @@ socketLB:
   # hostNamespaceOnly: false
   # -- Enable terminating pod connections to deleted service backends.
   # terminatePodConnections: true
+  # -- Enables tracing for socket-based load balancing.
+  # tracing: true
 # -- Configure certificate generation for Hubble integration.
 # If hubble.tls.auto.method=cronJob, these values are used
 # for the Kubernetes CronJob which will be scheduled regularly to
@@ -1275,7 +1277,10 @@ hubble:
       # - certmanager:  This method use cert-manager to generate & rotate certificates.
       method: helm
       # -- Generated certificates validity duration in days.
-      certValidityDuration: 1095
+      #
+      # Defaults to 365 days (1 year) because MacOS does not accept
+      # self-signed certificates with expirations > 825 days.
+      certValidityDuration: 365
       # -- Schedule for certificates regeneration (regardless of their expiration date).
       # Only used if method is "cronJob". If nil, then no recurring job will be created.
       # Instead, only the one-shot job is deployed to generate the certificates at
@@ -2154,6 +2159,8 @@ envoy:
     path: ""
   # -- Time in seconds after which a TCP connection attempt times out
   connectTimeoutSeconds: 2
+  # -- Time in seconds after which the initial fetch on an xDS stream is considered timed out
+  initialFetchTimeoutSeconds: 30
   # -- ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy
   maxRequestsPerConnection: 0
   # -- Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
@@ -2455,7 +2462,6 @@ routingMode: ""
 # @default -- Port 8472 for VXLAN, Port 6081 for Geneve
 tunnelPort: 0
 # -- Configure what the response should be to traffic for a service without backends.
-# "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop".
 # Possible values:
 #  - reject (default)
 #  - drop

packages/system/cilium/images/cilium/Dockerfile

@@ -1,2 +1,2 @@
-ARG VERSION=v1.16.3
+ARG VERSION=v1.16.4
 FROM quay.io/cilium/cilium:${VERSION}

packages/system/cilium/values.yaml

@@ -12,7 +12,7 @@ cilium:
     mode: "kubernetes"
   image:
     repository: ghcr.io/aenix-io/cozystack/cilium
-    tag: 1.16.3
-    digest: "sha256:a2a37ab3ea769b85703478f1f46c3fd9696fc7037b73b0a3ba5c53821f4791a7"
+    tag: 1.16.4
+    digest: "sha256:9c808dfa6ee2445f5606341db599b039f48e2a4a703a9236c0ae2f85c69f69a1"
   envoy:
     enabled: false

packages/system/cozystack-api/templates/configmap.yaml

@@ -71,7 +71,7 @@ data:
         labels:
           cozystack.io/ui: "true"
         chart:
-          name: http-cache
+          name: tcp-balancer
           sourceRef:
             kind: HelmRepository
             name: cozystack-apps
@@ -155,7 +155,7 @@ data:
         labels:
           cozystack.io/ui: "true"
         chart:
-          name: rabbitmq
+          name: redis
           sourceRef:
             kind: HelmRepository
             name: cozystack-apps
@@ -207,7 +207,7 @@ data:
         singular: kafka
         plural: kafkas
       release:
-        prefix: ferretdb-
+        prefix: kafka-
         labels:
           cozystack.io/ui: "true"
         chart:

packages/system/cozystack-api/values.yaml

@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.18.0@sha256:d3f817ee20cc502b7c5deffa46a1ad94a6e1a74fa035dbeb65ef742e67fd1fe5
+  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.21.0@sha256:1eb7f0387ea01754107a4aabe72c2e1e7d2c55303dc15cfe9caa2c0739c0215e

packages/system/dashboard/Makefile

@@ -25,7 +25,7 @@ update-dockerfiles:
 	version=$$(echo "$$tag" | sed 's/^v//') && \
 	sed -i "s/ARG VERSION=.*/ARG VERSION=$${version}/" images/dashboard/Dockerfile
 
-image-dashboard:
+image-dashboard: update-version
 	docker buildx build images/dashboard \
 		--provenance false \
 		--tag $(REGISTRY)/dashboard:$(call settag,$(TAG)) \
@@ -44,7 +44,7 @@ image-dashboard:
 		yq -i '.kubeapps.dashboard.image.digest = strenv(DIGEST)' values.yaml
 	rm -f images/dashboard.json
 
-image-kubeapps-apis:
+image-kubeapps-apis: update-version
 	docker buildx build images/kubeapps-apis \
 		--provenance false \
 		--tag $(REGISTRY)/kubeapps-apis:$(call settag,$(TAG)) \
@@ -62,3 +62,6 @@ image-kubeapps-apis:
 	DIGEST=$$(yq e '."containerimage.digest"' images/kubeapps-apis.json -o json -r) \
 		yq -i '.kubeapps.kubeappsapis.image.digest = strenv(DIGEST)' values.yaml
 	rm -f images/kubeapps-apis.json
+
+update-version:
+	sed -i "s|\(\"appVersion\":\).*|\1 \"$(TAG)\",|g" ./charts/kubeapps/templates/dashboard/configmap.yaml

packages/system/dashboard/charts/kubeapps/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 19.6.3
+  version: 20.2.1
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.5.19
+  version: 16.1.0
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.20.5
-digest: sha256:eb2c690088e9dd237a1443aeedcf71419d5d4efe6999cf9e352b5407c005c6bc
-generated: "2024-07-25T06:10:39.073759816Z"
+  version: 2.26.0
+digest: sha256:8765098cabaca39ce13d856f5260df97667201dac6d2209280e5de9ad1a33006
+generated: "2024-10-31T19:49:51.754205675Z"

packages/system/dashboard/charts/kubeapps/Chart.yaml

@@ -2,33 +2,33 @@ annotations:
   category: Infrastructure
   images: |
     - name: kubeapps-apis
-      image: docker.io/bitnami/kubeapps-apis:2.11.0-debian-12-r2
+      image: docker.io/bitnami/kubeapps-apis:2.12.0-debian-12-r0
     - name: kubeapps-apprepository-controller
-      image: docker.io/bitnami/kubeapps-apprepository-controller:2.11.0-debian-12-r2
+      image: docker.io/bitnami/kubeapps-apprepository-controller:2.12.0-debian-12-r0
     - name: kubeapps-asset-syncer
-      image: docker.io/bitnami/kubeapps-asset-syncer:2.11.0-debian-12-r2
+      image: docker.io/bitnami/kubeapps-asset-syncer:2.12.0-debian-12-r0
     - name: kubeapps-dashboard
-      image: docker.io/bitnami/kubeapps-dashboard:2.11.0-debian-12-r2
+      image: docker.io/bitnami/kubeapps-dashboard:2.12.0-debian-12-r0
     - name: kubeapps-oci-catalog
-      image: docker.io/bitnami/kubeapps-oci-catalog:2.11.0-debian-12-r2
+      image: docker.io/bitnami/kubeapps-oci-catalog:2.12.0-debian-12-r0
     - name: kubeapps-pinniped-proxy
-      image: docker.io/bitnami/kubeapps-pinniped-proxy:2.11.0-debian-12-r2
+      image: docker.io/bitnami/kubeapps-pinniped-proxy:2.12.0-debian-12-r0
     - name: nginx
-      image: docker.io/bitnami/nginx:1.27.0-debian-12-r4
+      image: docker.io/bitnami/nginx:1.27.2-debian-12-r2
     - name: oauth2-proxy
-      image: docker.io/bitnami/oauth2-proxy:7.6.0-debian-12-r17
+      image: docker.io/bitnami/oauth2-proxy:7.7.1-debian-12-r1
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.11.0
+appVersion: 2.12.0
 dependencies:
 - condition: packaging.flux.enabled
   name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 19.x.x
+  version: 20.x.x
 - condition: packaging.helm.enabled
   name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.x.x
+  version: 16.x.x
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
   tags:
@@ -51,4 +51,4 @@ maintainers:
 name: kubeapps
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/kubeapps
-version: 15.3.10
+version: 17.0.3

packages/system/dashboard/charts/kubeapps/README.md

@@ -218,7 +218,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `frontend.podSecurityContext.supplementalGroups`             | Set filesystem extra groups                                                                                                                                                                                                         | `[]`                    |
 | `frontend.podSecurityContext.fsGroup`                        | Set frontend pod's Security Context fsGroup                                                                                                                                                                                         | `1001`                  |
 | `frontend.containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                                                                                                                                                | `true`                  |
-| `frontend.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                    | `nil`                   |
+| `frontend.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                    | `{}`                    |
 | `frontend.containerSecurityContext.runAsUser`                | Set containers' Security Context runAsUser                                                                                                                                                                                          | `1001`                  |
 | `frontend.containerSecurityContext.runAsGroup`               | Set containers' Security Context runAsGroup                                                                                                                                                                                         | `1001`                  |
 | `frontend.containerSecurityContext.runAsNonRoot`             | Set container's Security Context runAsNonRoot                                                                                                                                                                                       | `true`                  |
@@ -326,7 +326,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `dashboard.podSecurityContext.supplementalGroups`             | Set filesystem extra groups                                                                                                                                                                                                           | `[]`                                 |
 | `dashboard.podSecurityContext.fsGroup`                        | Set Dashboard pod's Security Context fsGroup                                                                                                                                                                                          | `1001`                               |
 | `dashboard.containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                                                                                                                                                  | `true`                               |
-| `dashboard.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                      | `nil`                                |
+| `dashboard.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                      | `{}`                                 |
 | `dashboard.containerSecurityContext.runAsUser`                | Set containers' Security Context runAsUser                                                                                                                                                                                            | `1001`                               |
 | `dashboard.containerSecurityContext.runAsGroup`               | Set containers' Security Context runAsGroup                                                                                                                                                                                           | `1001`                               |
 | `dashboard.containerSecurityContext.runAsNonRoot`             | Set container's Security Context runAsNonRoot                                                                                                                                                                                         | `true`                               |
@@ -427,7 +427,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `apprepository.podSecurityContext.supplementalGroups`             | Set filesystem extra groups                                                                                                                                                                                                                   | `[]`                                                |
 | `apprepository.podSecurityContext.fsGroup`                        | Set AppRepository Controller pod's Security Context fsGroup                                                                                                                                                                                   | `1001`                                              |
 | `apprepository.containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                                                                                                                                                          | `true`                                              |
-| `apprepository.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                              | `nil`                                               |
+| `apprepository.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                              | `{}`                                                |
 | `apprepository.containerSecurityContext.runAsUser`                | Set containers' Security Context runAsUser                                                                                                                                                                                                    | `1001`                                              |
 | `apprepository.containerSecurityContext.runAsGroup`               | Set containers' Security Context runAsGroup                                                                                                                                                                                                   | `1001`                                              |
 | `apprepository.containerSecurityContext.runAsNonRoot`             | Set container's Security Context runAsNonRoot                                                                                                                                                                                                 | `true`                                              |
@@ -506,7 +506,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `authProxy.extraVolumeMounts`                                 | Optionally specify extra list of additional volumeMounts for the Auth Proxy container(s)                                                                                                                                              | `[]`                           |
 | `authProxy.containerPorts.proxy`                              | Auth Proxy HTTP container port                                                                                                                                                                                                        | `3000`                         |
 | `authProxy.containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                                                                                                                                                  | `true`                         |
-| `authProxy.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                      | `nil`                          |
+| `authProxy.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                      | `{}`                           |
 | `authProxy.containerSecurityContext.runAsUser`                | Set containers' Security Context runAsUser                                                                                                                                                                                            | `1001`                         |
 | `authProxy.containerSecurityContext.runAsGroup`               | Set containers' Security Context runAsGroup                                                                                                                                                                                           | `1001`                         |
 | `authProxy.containerSecurityContext.runAsNonRoot`             | Set container's Security Context runAsNonRoot                                                                                                                                                                                         | `true`                         |
@@ -543,7 +543,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `pinnipedProxy.extraVolumeMounts`                                 | Optionally specify extra list of additional volumeMounts for the Pinniped Proxy container(s)                                                                                                                                                  | `[]`                                      |
 | `pinnipedProxy.containerPorts.pinnipedProxy`                      | Pinniped Proxy container port                                                                                                                                                                                                                 | `3333`                                    |
 | `pinnipedProxy.containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                                                                                                                                                          | `true`                                    |
-| `pinnipedProxy.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                              | `nil`                                     |
+| `pinnipedProxy.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                              | `{}`                                      |
 | `pinnipedProxy.containerSecurityContext.runAsUser`                | Set containers' Security Context runAsUser                                                                                                                                                                                                    | `1001`                                    |
 | `pinnipedProxy.containerSecurityContext.runAsGroup`               | Set containers' Security Context runAsGroup                                                                                                                                                                                                   | `1001`                                    |
 | `pinnipedProxy.containerSecurityContext.runAsNonRoot`             | Set container's Security Context runAsNonRoot                                                                                                                                                                                                 | `true`                                    |
@@ -629,7 +629,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `kubeappsapis.podSecurityContext.supplementalGroups`                                            | Set filesystem extra groups                                                                                                                                                                                                                 | `[]`                               |
 | `kubeappsapis.podSecurityContext.fsGroup`                                                       | Set KubeappsAPIs pod's Security Context fsGroup                                                                                                                                                                                             | `1001`                             |
 | `kubeappsapis.containerSecurityContext.enabled`                                                 | Enabled containers' Security Context                                                                                                                                                                                                        | `true`                             |
-| `kubeappsapis.containerSecurityContext.seLinuxOptions`                                          | Set SELinux options in container                                                                                                                                                                                                            | `nil`                              |
+| `kubeappsapis.containerSecurityContext.seLinuxOptions`                                          | Set SELinux options in container                                                                                                                                                                                                            | `{}`                               |
 | `kubeappsapis.containerSecurityContext.runAsUser`                                               | Set containers' Security Context runAsUser                                                                                                                                                                                                  | `1001`                             |
 | `kubeappsapis.containerSecurityContext.runAsGroup`                                              | Set containers' Security Context runAsGroup                                                                                                                                                                                                 | `1001`                             |
 | `kubeappsapis.containerSecurityContext.runAsNonRoot`                                            | Set container's Security Context runAsNonRoot                                                                                                                                                                                               | `true`                             |
@@ -718,7 +718,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `ociCatalog.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if ociCatalog.resources is set (ociCatalog.resources is recommended for production). | `micro`                                |
 | `ociCatalog.resources`                                         | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                                       | `{}`                                   |
 | `ociCatalog.containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                                                                                                                                                    | `true`                                 |
-| `ociCatalog.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                        | `nil`                                  |
+| `ociCatalog.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                        | `{}`                                   |
 | `ociCatalog.containerSecurityContext.runAsUser`                | Set containers' Security Context runAsUser                                                                                                                                                                                              | `1001`                                 |
 | `ociCatalog.containerSecurityContext.runAsGroup`               | Set containers' Security Context runAsGroup                                                                                                                                                                                             | `1001`                                 |
 | `ociCatalog.containerSecurityContext.runAsNonRoot`             | Set container's Security Context runAsNonRoot                                                                                                                                                                                           | `true`                                 |
@@ -1031,6 +1031,14 @@ helm upgrade $RELEASE_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/kubeapps
 
 If you find issues upgrading Kubeapps, check the [troubleshooting](#error-while-upgrading-the-chart) section.
 
+### To 17.0.0
+
+This major updates the PostgreSQL subchart to its newest major, 16.0.0, which uses PostgreSQL 17.x.  Follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x.
+
+### To 16.0.0
+
+This major updates the Redis® subchart to its newest major, 20.0.0. [Here](https://github.com/bitnami/charts/tree/main/bitnami/redis#to-2000) you can find more information about the changes introduced in that version.
+
 ### To 15.0.0
 
 This major bump changes the following security defaults:
@@ -1173,7 +1181,7 @@ kubectl delete statefulset -n kubeapps kubeapps-postgresql-master kubeapps-postg
 
 #### Useful links
 
-- <https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-resolve-helm2-helm3-post-migration-issues-index.html>
+- <https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-resolve-helm2-helm3-post-migration-issues-index.html>
 - <https://helm.sh/docs/topics/v2_v3_migration/>
 - <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
 

packages/system/dashboard/charts/kubeapps/charts/common/Chart.yaml

@@ -2,7 +2,7 @@ annotations:
   category: Infrastructure
   licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.20.5
+appVersion: 2.26.0
 description: A Library Helm Chart for grouping common logic between bitnami charts.
   This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/common
 type: library
-version: 2.20.5
+version: 2.26.0

packages/system/dashboard/charts/kubeapps/charts/common/templates/_affinities.tpl

@@ -60,13 +60,14 @@ Return a topologyKey definition
 
 {{/*
 Return a soft podAffinity/podAntiAffinity definition
-{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}}
 */}}
 {{- define "common.affinities.pods.soft" -}}
 {{- $component := default "" .component -}}
 {{- $customLabels := default (dict) .customLabels -}}
 {{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
 {{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+{{- $extraNamespaces := default (list) .extraNamespaces -}}
 preferredDuringSchedulingIgnoredDuringExecution:
   - podAffinityTerm:
       labelSelector:
@@ -77,6 +78,13 @@ preferredDuringSchedulingIgnoredDuringExecution:
           {{- range $key, $value := $extraMatchLabels }}
           {{ $key }}: {{ $value | quote }}
           {{- end }}
+      {{- if $extraNamespaces }}
+      namespaces:
+        - {{ .context.Release.Namespace }}
+        {{- with $extraNamespaces }}
+        {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
+        {{- end }}
+      {{- end }}
       topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
     weight: 1
   {{- range $extraPodAffinityTerms }}
@@ -96,13 +104,14 @@ preferredDuringSchedulingIgnoredDuringExecution:
 
 {{/*
 Return a hard podAffinity/podAntiAffinity definition
-{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}}
 */}}
 {{- define "common.affinities.pods.hard" -}}
 {{- $component := default "" .component -}}
 {{- $customLabels := default (dict) .customLabels -}}
 {{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
 {{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+{{- $extraNamespaces := default (list) .extraNamespaces -}}
 requiredDuringSchedulingIgnoredDuringExecution:
   - labelSelector:
       matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }}
@@ -112,6 +121,13 @@ requiredDuringSchedulingIgnoredDuringExecution:
         {{- range $key, $value := $extraMatchLabels }}
         {{ $key }}: {{ $value | quote }}
         {{- end }}
+      {{- if $extraNamespaces }}
+      namespaces:
+        - {{ .context.Release.Namespace }}
+        {{- with $extraNamespaces }}
+        {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
+        {{- end }}
+      {{- end }}
     topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
   {{- range $extraPodAffinityTerms }}
   - labelSelector:

packages/system/dashboard/charts/kubeapps/charts/common/templates/_compatibility.tpl

@@ -34,6 +34,10 @@ Usage:
     {{- end -}}
   {{- end -}}
 {{- end -}}
+{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}}
+{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}}
+  {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+{{- end -}}
 {{/* Remove fields that are disregarded when running the container in privileged mode */}}
 {{- if $adaptedContext.privileged -}}
   {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}

packages/system/dashboard/charts/kubeapps/charts/common/templates/_images.tpl

@@ -5,8 +5,9 @@ SPDX-License-Identifier: APACHE-2.0
 
 {{/* vim: set filetype=mustache: */}}
 {{/*
-Return the proper image name
-{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
+Return the proper image name.
+If image tag and digest are not defined, termination fallbacks to chart appVersion.
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }}
 */}}
 {{- define "common.images.image" -}}
 {{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}}
@@ -14,6 +15,11 @@ Return the proper image name
 {{- $separator := ":" -}}
 {{- $termination := .imageRoot.tag | toString -}}
 
+{{- if not .imageRoot.tag }}
+  {{- if .chart }}
+    {{- $termination = .chart.AppVersion | toString -}}
+  {{- end -}}
+{{- end -}}
 {{- if .imageRoot.digest }}
     {{- $separator = "@" -}}
     {{- $termination = .imageRoot.digest | toString -}}

packages/system/dashboard/charts/kubeapps/charts/common/templates/_secrets.tpl

@@ -103,30 +103,33 @@ The order in which this function returns a secret password:
     {{- $password = index $secretData .key | b64dec }}
   {{- else if not (eq .failOnNew false) }}
     {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
-  {{- else if $providedPasswordValue }}
+  {{- end -}}
+{{- end }}
+
+{{- if not $password }}
+  {{- if $providedPasswordValue }}
     {{- $password = $providedPasswordValue | toString }}
-  {{- end -}}
-{{- else if $providedPasswordValue }}
-  {{- $password = $providedPasswordValue | toString }}
-{{- else }}
-
-  {{- if .context.Values.enabled }}
-    {{- $subchart = $chartName }}
-  {{- end -}}
-
-  {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
-  {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
-  {{- $passwordValidationErrors := list $requiredPasswordError -}}
-  {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
-
-  {{- if .strong }}
-    {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
-    {{- $password = randAscii $passwordLength }}
-    {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
-    {{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
   {{- else }}
-    {{- $password = randAlphaNum $passwordLength }}
-  {{- end }}
+    {{- if .context.Values.enabled }}
+      {{- $subchart = $chartName }}
+    {{- end -}}
+
+    {{- if not (eq .failOnNew false) }}
+      {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
+      {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
+      {{- $passwordValidationErrors := list $requiredPasswordError -}}
+      {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
+    {{- end }}
+
+    {{- if .strong }}
+      {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
+      {{- $password = randAscii $passwordLength }}
+      {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
+      {{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
+    {{- else }}
+      {{- $password = randAlphaNum $passwordLength }}
+    {{- end }}
+  {{- end -}}
 {{- end -}}
 {{- if not .skipB64enc }}
 {{- $password = $password | b64enc }}

packages/system/dashboard/charts/kubeapps/charts/common/templates/_tplvalues.tpl

@@ -36,3 +36,17 @@ Usage:
 {{- end -}}
 {{ $dst | toYaml }}
 {{- end -}}
+
+{{/*
+Merge a list of values that contains template after rendering them.
+Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite
+Usage:
+{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
+*/}}
+{{- define "common.tplvalues.merge-overwrite" -}}
+{{- $dst := dict -}}
+{{- range .values -}}
+{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}}
+{{- end -}}
+{{ $dst | toYaml }}
+{{- end -}}

packages/system/dashboard/charts/kubeapps/charts/common/templates/validations/_cassandra.tpl

@@ -4,32 +4,6 @@ SPDX-License-Identifier: APACHE-2.0
 */}}
 
 {{/* vim: set filetype=mustache: */}}
-{{/*
-Validate Cassandra required passwords are not empty.
-
-Usage:
-{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
-Params:
-  - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
-  - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
-*/}}
-{{- define "common.validations.values.cassandra.passwords" -}}
-  {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
-  {{- $enabled := include "common.cassandra.values.enabled" . -}}
-  {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
-  {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
-
-  {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
-    {{- $requiredPasswords := list -}}
-
-    {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
-    {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
-
-    {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
-
-  {{- end -}}
-{{- end -}}
-
 {{/*
 Auxiliary function to get the right value for existingSecret.
 

packages/system/dashboard/charts/kubeapps/charts/common/templates/validations/_mongodb.tpl

@@ -4,52 +4,6 @@ SPDX-License-Identifier: APACHE-2.0
 */}}
 
 {{/* vim: set filetype=mustache: */}}
-{{/*
-Validate MongoDB® required passwords are not empty.
-
-Usage:
-{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
-Params:
-  - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret"
-  - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
-*/}}
-{{- define "common.validations.values.mongodb.passwords" -}}
-  {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
-  {{- $enabled := include "common.mongodb.values.enabled" . -}}
-  {{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
-  {{- $architecture := include "common.mongodb.values.architecture" . -}}
-  {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
-  {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
-  {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
-  {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
-  {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
-  {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
-
-  {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
-
-  {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
-    {{- $requiredPasswords := list -}}
-
-    {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
-    {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
-
-    {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
-    {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
-    {{- if and $valueUsername $valueDatabase -}}
-        {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
-        {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
-    {{- end -}}
-
-    {{- if (eq $architecture "replicaset") -}}
-        {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
-        {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
-    {{- end -}}
-
-    {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
-
-  {{- end -}}
-{{- end -}}
-
 {{/*
 Auxiliary function to get the right value for existingSecret.