Add openshft-console

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

ADOPTERS.md

@@ -28,4 +28,5 @@ This list is sorted in chronological order, based on the submission date.
 | [Ænix](https://aenix.io/) | @kvaps | 2024-02-14 | Ænix provides consulting services for cloud providers and uses Cozystack as the main tool for organizing managed services for them. |
 | [Mediatech](https://mediatech.dev/) | @ugenk | 2024-05-01 | We're developing and hosting software for our and our custmer services. We're using cozystack as a kubernetes distribution for that. |
 | [Bootstack](https://bootstack.app/) | @mrkhachaturov | 2024-08-01| At Bootstack, we utilize a Kubernetes operator specifically designed to simplify and streamline cloud infrastructure creation.|
-| [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01| Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management.|
+| [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01 | Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management. |
+| [Urmanac](https://urmanac.com) | @kingdonb | 2024-12-04 | Urmanac is the future home of a hosting platform for the knowledge base of a community of personal server enthusiasts. We use Cozystack to provide support services for web sites hosted using both conventional deployments and on SpinKube, with WASM. |

hack/e2e.sh

@@ -322,7 +322,7 @@ kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-i
 kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
 
 # Wait for Victoria metrics
-kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-longterm vmalert/vmalert-shortterm vmalertmanager/alertmanager
+kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-shortterm vmalertmanager/alertmanager
 kubectl wait --timeout=5m --for=jsonpath=.status.status=operational -n tenant-root vlogs/generic
 kubectl wait --timeout=5m --for=jsonpath=.status.clusterStatus=operational -n tenant-root vmcluster/shortterm vmcluster/longterm
 

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.19.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.20.2"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.19.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.20.2"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:3f76662144e31acf75f9495879da0c358a6729d08cfa0a4721cf495ff9a4c659
+ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:034a480a119986da8a8e0532f09f66c58ed919e18612987b1a847fe8a59b6f3c
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:406d2c5a30fa8b6fe10eab3cba45c06fea3876e81fd123ead6dc3c19347762d0

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:3030c5b58dcb38dab3892fb1b4241381fc04707b2aa66550ef446231077add6e
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:27112d470a31725b75b29b29919af06b4ce1339e3b502b08889a92ab7099adde

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.14.0
+version: 0.14.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.0@sha256:c80c305a7c0ff5d64664eea9aefc9a2e68c3bd500cf341d820ef8dd460f3174b
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.1@sha256:b63293bc295e8c04574900bb711ebfe51db6774beb6bc3a58791562ec11b406b

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.0@sha256:55b78220b60773eefb7b7d3451d7ab9fe89fb6b989e8fe2ae214aab164f00293
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.1@sha256:c0561a342e6b55d066f3363182f442e8fa30a0b6b448d89d15a1a855c999b98e

packages/apps/kubernetes/images/kubevirt-cloud-provider/Dockerfile

@@ -3,13 +3,14 @@ FROM --platform=linux/amd64 golang:1.20.6 AS builder
 
 RUN git clone https://github.com/kubevirt/cloud-provider-kubevirt /go/src/kubevirt.io/cloud-provider-kubevirt \
  && cd /go/src/kubevirt.io/cloud-provider-kubevirt \
- && git checkout adbd6c27468b86b020cf38490e84f124ef24ab62
+ && git checkout da9e0cf
 
 WORKDIR /go/src/kubevirt.io/cloud-provider-kubevirt
 
-# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/291
+# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/335
+# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/336
 ADD patches /patches
-RUN git apply /patches/external-traffic-policy-local.diff
+RUN git apply /patches/*.diff
 RUN go get 'k8s.io/endpointslice/util@v0.28' 'k8s.io/apiserver@v0.28'
 RUN go mod tidy
 RUN go mod vendor

packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/335.diff

@@ -0,0 +1,20 @@
+diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
+index a3c1aa33..95c31438 100644
+--- a/pkg/controller/kubevirteps/kubevirteps_controller.go
++++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
+@@ -412,11 +412,11 @@ func (c *Controller) reconcileByAddressType(service *v1.Service, tenantSlices []
+ 	// Create the desired port configuration
+ 	var desiredPorts []discovery.EndpointPort
+ 
+-	for _, port := range service.Spec.Ports {
++	for i := range service.Spec.Ports {
+ 		desiredPorts = append(desiredPorts, discovery.EndpointPort{
+-			Port:     &port.TargetPort.IntVal,
+-			Protocol: &port.Protocol,
+-			Name:     &port.Name,
++			Port:     &service.Spec.Ports[i].TargetPort.IntVal,
++			Protocol: &service.Spec.Ports[i].Protocol,
++			Name:     &service.Spec.Ports[i].Name,
+ 		})
+ 	}
+ 

packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/336.diff

@@ -0,0 +1,129 @@
+diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
+index a3c1aa33..6f6e3d32 100644
+--- a/pkg/controller/kubevirteps/kubevirteps_controller.go
++++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
+@@ -108,32 +108,24 @@ func newRequest(reqType ReqType, obj interface{}, oldObj interface{}) *Request {
+ }
+ 
+ func (c *Controller) Init() error {
+-
+-	// Act on events from Services on the infra cluster. These are created by the EnsureLoadBalancer function.
+-	// We need to watch for these events so that we can update the EndpointSlices in the infra cluster accordingly.
++	// Existing Service event handlers...
+ 	_, err := c.infraFactory.Core().V1().Services().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+ 		AddFunc: func(obj interface{}) {
+-			// cast obj to Service
+ 			svc := obj.(*v1.Service)
+-			// Only act on Services of type LoadBalancer
+ 			if svc.Spec.Type == v1.ServiceTypeLoadBalancer {
+ 				klog.Infof("Service added: %v/%v", svc.Namespace, svc.Name)
+ 				c.queue.Add(newRequest(AddReq, obj, nil))
+ 			}
+ 		},
+ 		UpdateFunc: func(oldObj, newObj interface{}) {
+-			// cast obj to Service
+ 			newSvc := newObj.(*v1.Service)
+-			// Only act on Services of type LoadBalancer
+ 			if newSvc.Spec.Type == v1.ServiceTypeLoadBalancer {
+ 				klog.Infof("Service updated: %v/%v", newSvc.Namespace, newSvc.Name)
+ 				c.queue.Add(newRequest(UpdateReq, newObj, oldObj))
+ 			}
+ 		},
+ 		DeleteFunc: func(obj interface{}) {
+-			// cast obj to Service
+ 			svc := obj.(*v1.Service)
+-			// Only act on Services of type LoadBalancer
+ 			if svc.Spec.Type == v1.ServiceTypeLoadBalancer {
+ 				klog.Infof("Service deleted: %v/%v", svc.Namespace, svc.Name)
+ 				c.queue.Add(newRequest(DeleteReq, obj, nil))
+@@ -144,7 +136,7 @@ func (c *Controller) Init() error {
+ 		return err
+ 	}
+ 
+-	// Monitor endpoint slices that we are interested in based on known services in the infra cluster
++	// Existing EndpointSlice event handlers in tenant cluster...
+ 	_, err = c.tenantFactory.Discovery().V1().EndpointSlices().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+ 		AddFunc: func(obj interface{}) {
+ 			eps := obj.(*discovery.EndpointSlice)
+@@ -194,10 +186,80 @@ func (c *Controller) Init() error {
+ 		return err
+ 	}
+ 
+-	//TODO: Add informer for EndpointSlices in the infra cluster to watch for (unwanted) changes
++	// Add an informer for EndpointSlices in the infra cluster
++	_, err = c.infraFactory.Discovery().V1().EndpointSlices().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
++		AddFunc: func(obj interface{}) {
++			eps := obj.(*discovery.EndpointSlice)
++			if c.managedByController(eps) {
++				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
++				if svcErr != nil {
++					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s: %v", eps.Namespace, eps.Name, svcErr)
++					return
++				}
++				if svc != nil {
++					klog.Infof("Infra EndpointSlice added: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
++					c.queue.Add(newRequest(AddReq, svc, nil))
++				}
++			}
++		},
++		UpdateFunc: func(oldObj, newObj interface{}) {
++			eps := newObj.(*discovery.EndpointSlice)
++			if c.managedByController(eps) {
++				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
++				if svcErr != nil {
++					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s: %v", eps.Namespace, eps.Name, svcErr)
++					return
++				}
++				if svc != nil {
++					klog.Infof("Infra EndpointSlice updated: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
++					c.queue.Add(newRequest(UpdateReq, svc, nil))
++				}
++			}
++		},
++		DeleteFunc: func(obj interface{}) {
++			eps := obj.(*discovery.EndpointSlice)
++			if c.managedByController(eps) {
++				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
++				if svcErr != nil {
++					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s on delete: %v", eps.Namespace, eps.Name, svcErr)
++					return
++				}
++				if svc != nil {
++					klog.Infof("Infra EndpointSlice deleted: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
++					c.queue.Add(newRequest(DeleteReq, svc, nil))
++				}
++			}
++		},
++	})
++	if err != nil {
++		return err
++	}
++
+ 	return nil
+ }
+ 
++// getInfraServiceForEPS returns the Service in the infra cluster associated with the given EndpointSlice.
++// It does this by reading the "kubernetes.io/service-name" label from the EndpointSlice, which should correspond
++// to the Service name. If not found or if the Service doesn't exist, it returns nil.
++func (c *Controller) getInfraServiceForEPS(ctx context.Context, eps *discovery.EndpointSlice) (*v1.Service, error) {
++	svcName := eps.Labels[discovery.LabelServiceName]
++	if svcName == "" {
++		// No service name label found, can't determine infra service.
++		return nil, nil
++	}
++
++	svc, err := c.infraClient.CoreV1().Services(c.infraNamespace).Get(ctx, svcName, metav1.GetOptions{})
++	if err != nil {
++		if k8serrors.IsNotFound(err) {
++			// Service doesn't exist
++			return nil, nil
++		}
++		return nil, err
++	}
++
++	return svc, nil
++}
++
+ // Run starts an asynchronous loop that monitors and updates GKENetworkParamSet in the cluster.
+ func (c *Controller) Run(numWorkers int, stopCh <-chan struct{}, controllerManagerMetrics *controllersmetrics.ControllerManagerMetrics) {
+ 	defer utilruntime.HandleCrash()

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.0@sha256:bc61dba787ca79f9b8d7288a631cbaecf8de9f87b6a2ad44e1513f730362621f
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.1@sha256:4b84a077e7f1b75bdf8b272c8f147e4ef3b67b9bea83383a399e9149868384ac

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:8258747003f40f0f8dd54317e52e98baf4674c5ac14ad851ac6b2871d29e4b2d
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:91ec9c31472f8e94ae5f6f5a2568058eb28b3f57ab7e203d8d4a0993911fffc3

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:c14e21d439600caf6239b767d204b2fd75146e782e35991c6d803490197660bf
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:f6435ce02b1bf4d7b2422676e84bc2299725ed2cfb93922e40f40a695d54b9d3

packages/apps/nats/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/nats/README.md

@@ -4,9 +4,13 @@
 
 ### Common parameters
 
-| Name           | Description                                     | Value   |
-| -------------- | ----------------------------------------------- | ------- |
-| `external`     | Enable external access from outside the cluster | `false` |
-| `replicas`     | Persistent Volume size for NATS                 | `2`     |
-| `storageClass` | StorageClass used to store the data             | `""`    |
-| `users`        | Users configuration                             | `{}`    |
+| Name                | Description                                        | Value   |
+| ------------------- | -------------------------------------------------- | ------- |
+| `external`          | Enable external access from outside the cluster    | `false` |
+| `replicas`          | Persistent Volume size for NATS                    | `2`     |
+| `storageClass`      | StorageClass used to store the data                | `""`    |
+| `users`             | Users configuration                                | `{}`    |
+| `jetstream.size`    | Jetstream persistent storage size                  | `10Gi`  |
+| `jetstream.enabled` | Enable or disable Jetstream                        | `true`  |
+| `config.merge`      | Additional configuration to merge into NATS config | `{}`    |
+| `config.resolver`   | Additional configuration to merge into NATS config | `{}`    |

packages/apps/nats/templates/nats.yaml

@@ -40,8 +40,9 @@ spec:
     nats:
       fullnameOverride: {{ .Release.Name }}
       config:
-        {{- if gt (len $passwords) 0 }}
+        {{- if or (gt (len $passwords) 0) (gt (len .Values.config.merge) 0) }}
         merge:
+          {{- if gt (len $passwords) 0 }}
           accounts:
             A:
               users:
@@ -49,6 +50,14 @@ spec:
                 - user: "{{ $username }}"
                   password: "{{ $password }}"
                 {{- end }}
+          {{- end }}
+          {{- if and .Values.config (hasKey .Values.config "merge") }}
+          {{ toYaml .Values.config.merge | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- if and .Values.config (hasKey .Values.config "resolver") }}
+        resolver:
+          {{ toYaml .Values.config.resolver | nindent 12 }}
         {{- end }}
         cluster:
           enabled: true
@@ -58,10 +67,10 @@ spec:
         jetstream:
           enabled: true
           fileStore:
-            enabled: true
+            enabled: {{ .Values.jetstream.enabled }}
             pvc:
               enabled: true
-              size: 10Gi
+              size: {{ .Values.jetstream.size }}
               {{- with .Values.storageClass }}
               storageClassName: {{ . }}
               {{- end }}

packages/apps/nats/values.schema.json

@@ -16,6 +16,36 @@
             "type": "string",
             "description": "StorageClass used to store the data",
             "default": ""
+        },
+        "jetstream": {
+            "type": "object",
+            "properties": {
+                "size": {
+                    "type": "string",
+                    "description": "Jetstream persistent storage size",
+                    "default": "10Gi"
+                },
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Enable or disable Jetstream",
+                    "default": true
+                }
+            }
+        },
+        "config": {
+            "type": "object",
+            "properties": {
+                "merge": {
+                    "type": "object",
+                    "description": "Additional configuration to merge into NATS config",
+                    "default": {}
+                },
+                "resolver": {
+                    "type": "object",
+                    "description": "Additional configuration to merge into NATS config",
+                    "default": {}
+                }
+            }
         }
     }
 }

packages/apps/nats/values.yaml

@@ -15,3 +15,49 @@ storageClass: ""
 ##     password: strongpassword
 ##   user2: {}
 users: {}
+
+jetstream:
+  ## @param jetstream.size Jetstream persistent storage size
+  ## Specifies the size of the persistent storage for Jetstream (message store).
+  ## Default: 10Gi
+  size: 10Gi
+
+  ## @param jetstream.enabled Enable or disable Jetstream
+  ## Set to true to enable Jetstream for persistent messaging in NATS.
+  ## Default: true
+  enabled: true
+
+config:
+  ## @param config.merge Additional configuration to merge into NATS config
+  ## Allows you to customize NATS server settings by merging additional configurations.
+  ## For example, you can add extra parameters, configure authentication, or set custom settings.
+  ## Default: {}
+  ## example:
+  ##
+  ##   merge:
+  ##     $include: ./my-config.conf
+  ##     zzz$include: ./my-config-last.conf
+  ##     server_name: nats
+  ##     authorization:
+  ##       token: << $TOKEN >>
+  ##     jetstream:
+  ##       max_memory_store: << 1GB >>
+  ##
+  ## will yield the config:
+  ## {
+  ##   include ./my-config.conf;
+  ##   "authorization": {
+  ##     "token": $TOKEN
+  ##   },
+  ##   "jetstream": {
+  ##     "max_memory_store": 1GB
+  ##   },
+  ##   "server_name": "nats",
+  ##   include ./my-config-last.conf;
+  ## }
+  merge: {}
+  ## @param config.resolver Additional configuration to merge into NATS config
+  ## Allows you to customize NATS server settings by merging resolver configurations.
+  ## Default: {}
+  ## Example see: https://github.com/nats-io/k8s/blob/main/helm/charts/nats/values.yaml#L247
+  resolver: {}

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:034a480a119986da8a8e0532f09f66c58ed919e18612987b1a847fe8a59b6f3c
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:406d2c5a30fa8b6fe10eab3cba45c06fea3876e81fd123ead6dc3c19347762d0

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.6.1
+version: 1.6.2

packages/apps/tenant/templates/kubeconfig.yaml

@@ -27,7 +27,7 @@ stringData:
         namespace: {{ include "tenant.name" . }}
         user: keycloak
       name: {{ include "tenant.name" . }}
-    current-context: default
+    current-context: {{ include "tenant.name" . }}
     users:
     - name: keycloak
       user:
@@ -40,6 +40,5 @@ stringData:
           - --oidc-client-id=kubernetes
           - --oidc-client-secret={{ $k8sClient }}
           - --skip-open-browser
-          - --grant-type=password
           command: kubectl
 {{- end }}

packages/apps/tenant/templates/networkpolicy.yaml

@@ -192,16 +192,4 @@ spec:
   - toEndpoints:
     - matchLabels:
         cozystack.io/service: ingress
----
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-to-keycloak
-  namespace: {{ include "tenant.name" . }}
-spec:
-  endpointSelector: {}
-  egress:
-  - toEndpoints:
-      - matchLabels:
-          "k8s:io.kubernetes.pod.namespace": cozy-keycloak
 {{- end }}

packages/apps/tenant/templates/tenant.yaml

@@ -43,9 +43,6 @@ subjects:
 - kind: ServiceAccount
   name: tenant-root
   namespace: tenant-root
-- kind: Group
-  name: tenant-root-super-admin
-  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
@@ -54,18 +51,12 @@ subjects:
 - kind: ServiceAccount
   name: {{ join "-" (slice $parts 0 (add $i 1)) }}
   namespace: {{ join "-" (slice $parts 0 (add $i 1)) }}
-- kind: Group
-  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
-  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 - kind: ServiceAccount
   name: {{ include "tenant.name" . }}
   namespace: {{ include "tenant.name" . }}
-- kind: Group
-  name: {{ include "tenant.name" . }}-super-admin
-  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}
@@ -84,23 +75,6 @@ rules:
   resources: ["helmcharts"]
   verbs: ["*"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "tenant.name" . }}
-  namespace: cozy-public
-subjects:
-- kind: ServiceAccount
-  name: {{ include "tenant.name" . }}
-  namespace: {{ include "tenant.name" . }}
-- kind: Group
-  name: {{ include "tenant.name" . }}-super-admin
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: {{ include "tenant.name" . }}
-  apiGroup: rbac.authorization.k8s.io
----
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -361,3 +335,101 @@ roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-admin
   apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+rules:
+  - apiGroups: [rbac.authorization.k8s.io]
+    resources:
+    - roles
+    verbs:
+    - get
+  - apiGroups: [""]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+    - delete
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources:
+    - helmreleases
+    verbs:
+    - '*'
+  - apiGroups: ["kubevirt.io"]
+    resources:
+    - virtualmachines
+    verbs:
+    - '*'
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+    - virtualmachineinstances/console
+    - virtualmachineinstances/vnc
+    verbs:
+    - get
+    - list
+  - apiGroups: ["apps.cozystack.io"]
+    resources:
+    - '*'
+    verbs:
+    - '*'
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: cozy-public
+rules:
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources: ["helmrepositories"]
+    verbs:
+    - get
+    - list
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources:
+    - helmcharts
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: cozy-public
+subjects:
+- kind: Group
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "tenant.name" . }}-super-admin
+  namespace: {{ include "tenant.name" . }}
+subjects:
+{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- $parts := splitList "-" .Release.Namespace }}
+{{- range $i, $v := $parts }}
+{{- if ne $i 0 }}
+- kind: Group
+  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io

packages/apps/versions_map

@@ -41,7 +41,8 @@ kubernetes 0.11.1 4f430a90
 kubernetes 0.12.0 74649f8
 kubernetes 0.12.1 28fca4e
 kubernetes 0.13.0 ced8e5b9
-kubernetes 0.14.0 HEAD
+kubernetes 0.14.0 bfbde07c
+kubernetes 0.14.1 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
@@ -52,7 +53,8 @@ mysql 0.5.2 HEAD
 nats 0.1.0 5ca8823
 nats 0.2.0 c07c4bbd
 nats 0.3.0 78366f19
-nats 0.3.1 HEAD
+nats 0.3.1 b7375f73
+nats 0.4.0 HEAD
 postgres 0.1.0 f642698
 postgres 0.2.0 7cd7de73
 postgres 0.2.1 4a97e297
@@ -88,7 +90,8 @@ tenant 1.3.1 c56e5769
 tenant 1.4.0 94c688f7
 tenant 1.5.0 48128743
 tenant 1.6.0 df448b99
-tenant 1.6.1 HEAD
+tenant 1.6.1 edbbb9be
+tenant 1.6.2 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:latest@sha256:78cad710dec0f941694871cec338d9169db05f42ea13749c0a6503285540e1cc
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.20.2@sha256:061668fa81344302f1097482418fe7925d77ca74ccc856dcb739119590523136

packages/core/platform/bundles/paas-full.yaml

@@ -223,7 +223,7 @@ releases:
             {{- end }}
   {{- end }}
   {{- end }}
-  {{- if $oidcEnabled }}
+  {{- if eq $oidcEnabled "true" }}
   dependsOn: [keycloak-configure]
   valuesFrom:
     - kind: ConfigMap
@@ -233,6 +233,12 @@ releases:
   dependsOn: []
   {{- end }}
 
+- name: console
+  releaseName: console
+  chart: cozy-console
+  namespace: cozy-console
+  dependsOn: [cilium,kubeovn]
+
 - name: kamaji
   releaseName: kamaji
   chart: cozy-kamaji

packages/core/platform/bundles/paas-hosted.yaml

@@ -153,7 +153,7 @@ releases:
             {{- end }}
   {{- end }}
   {{- end }}
-  {{- if $oidcEnabled }}
+  {{- if eq $oidcEnabled "true" }}
   dependsOn: [keycloak-configure]
   valuesFrom:
     - kind: ConfigMap
@@ -163,6 +163,12 @@ releases:
   dependsOn: []
   {{- end }}
 
+- name: console
+  releaseName: console
+  chart: cozy-console
+  namespace: cozy-console
+  dependsOn: [cilium,kubeovn]
+
 {{- if $oidcEnabled }}
 - name: keycloak
   releaseName: keycloak

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.19.0@sha256:1a26a511b9e269bcb607e2d80f878d7c2d993b7a2a7a3a2a1042470c8c56b061
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.20.2@sha256:1a26a511b9e269bcb607e2d80f878d7c2d993b7a2a7a3a2a1042470c8c56b061

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.5.1
+version: 1.5.2

packages/extra/monitoring/templates/vm/vmalert.yaml

@@ -18,4 +18,5 @@ spec:
     url: http://vminsert-{{ .name }}.{{ $.Release.Namespace }}.svc:8480/insert/0/prometheus/api/v1/write
   resources: {}
   selectAllByDefault: true
+{{- break }}
 {{- end }}

packages/extra/versions_map

@@ -15,7 +15,8 @@ monitoring 1.2.1 4471b4ba
 monitoring 1.3.0 6c5cf5b
 monitoring 1.4.0 adaf603b
 monitoring 1.5.0 4b90bf5a
-monitoring 1.5.1 HEAD
+monitoring 1.5.1 57e90b70
+monitoring 1.5.2 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 9e33dc0
 seaweedfs 0.2.1 HEAD

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:b8891879e6f150a0e15afd00cd6aae1f024a245bbcca3d4569e6e3d71f512c3f
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:e0cb068804546e4152ce4cf7a7c315a5a2a669a7236c9fe47371de934cdf99a9

packages/system/cilium/values.yaml

@@ -13,6 +13,6 @@ cilium:
   image:
     repository: ghcr.io/aenix-io/cozystack/cilium
     tag: 1.16.4
-    digest: "sha256:496f43b28953c44d3c08922fa850b812263935ab4d895ff63c9e282ab52f363e"
+    digest: "sha256:9c808dfa6ee2445f5606341db599b039f48e2a4a703a9236c0ae2f85c69f69a1"
   envoy:
     enabled: false

packages/system/console/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-console
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/console/Makefile

@@ -0,0 +1,5 @@
+export NAME=console
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk

packages/system/console/charts/openshift-console/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

packages/system/console/charts/openshift-console/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+appVersion: 4.20.0
+description: OpenShift Cluster Console UI
+icon: https://avatars0.githubusercontent.com/u/792337?s=200&v=4
+name: openshift-console
+type: application
+version: 0.3.6

packages/system/console/charts/openshift-console/README.md

@@ -0,0 +1,75 @@
+# OpenShift Console (Bridge)
+
+[Bridge](https://github.com/openshift/console) is the OpenShift console.
+
+## TL;DR
+
+```console
+$ helm repo add av1o https://av1o.gitlab.io/charts
+$ helm install bridge av1o/openshift-console
+```
+
+## Introduction
+
+This chart bootstraps a deployment of the OpenShift Console on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+The OpenShift Console is designed for running on OpenShift, however it works perfectly fine in native Kubernetes. Since the Console is unable to use the default OpenShift OAuth2, this chart is expecting a Dex deployment which is configured to generate OIDC tokens for the Kubernetes API server.
+This behaviour can be configured with the `extraEnv` map.
+
+## Prerequisites
+
+- Kubernetes 1.12+
+- Helm 3
+
+## Installing the Chart
+To install the chart with the release name `my-release`:
+
+```console
+$ helm install my-release av1o/openshift-console
+```
+
+The command deploys the console on the Kubernetes cluster in the default configuration.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+$ helm delete my-release
+```
+
+## Parameters
+
+The following table lists the configurable parameters of the OpenShift Console chart and their default values.
+
+| Parameter                      | Description                                                                                                                                    | Default                       |
+|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------|
+| `replicaCount`                 | Number of pods to run                                                                                                                          | 1                             |
+| `image.registry`               | Docker image registry                                                                                                                          | `quay.io`                     |
+| `image.repository`             | Docker image name                                                                                                                              | `openshift/origin-console`    |
+| `image.pullPolicy`             | Docker image pull policy                                                                                                                       | `IfNotPresent`                |
+| `image.tag`                    | Docker image tag                                                                                                                               | `${CHART_VERSION}`            |
+| `imagePullSecrets`             | Specify Image pull secrets                                                                                                                     | `[]`                          |
+| `podAnnotations`               | Map of annotations to add to the pods                                                                                                          | See `values.yaml`             |
+| `podSecurityContext`           | Map of security context to add to the pod                                                                                                      | See `values.yaml`             |
+| `securityContext`              | Map of security context to add to the container                                                                                                | See `values.yaml`             |
+| `service.type`                 | Service type                                                                                                                                   | `ClusterIP`                   |
+| `extraEnv`                     | Map of environment variables to include in the container                                                                                       | `{}`                          |
+| `console.dex.host`             | HTTP(S) address of the Dex instance                                                                                                            | `https://dex.example.org`     |
+| `console.baseUrl`              | HTTP(S) address of the Console                                                                                                                 | `https://console.example.org` |
+| `console.impersonateOpenShift` | Install CRDs to trick the Console into showing some OpenShift-exclusive actions which work on Kubernetes. Note: requires `cluster-admin`       | `false`                       |
+| `console.oidc.enabled`         | Enable OIDC authentication                                                                                                                     | `true`                        |
+| `console.oidc.issuerUrl`       | Issuer of the OIDC server                                                                                                                      | `https://dex.example.org`     |
+| `console.oidc.clientId`        | OIDC client ID                                                                                                                                 | `kubernetes`                  |
+| `console.oidc.clientSecret`    | OIDC client secret                                                                                                                             | `hunter2`                     |
+| `rbac.enabled`                 | Install RBAC to trick the Console into behaving closer to how OpenShift does. Required `cluster-admin` and `console.impersonateOpenShift=true` | `false`                       |
+| `ingress.className`            | IngressClass resource to use.                                                                                                                  |                               |
+| `sidecars`                     | Arbitrary sidecars to include as-is                                                                                                            | `[]`                          |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
+
+### Version `0.2.X`
+
+Version `0.2.0` and above require the `networking.k8s.io/v1` API for Ingress which is available in Kubernetes 1.19 and above.

packages/system/console/charts/openshift-console/ci/hostaliases.yaml

@@ -0,0 +1,4 @@
+hostAliases:
+  - ip: "127.0.0.1"
+    hostnames:
+      - "kubernetes.default.svc"

packages/system/console/charts/openshift-console/ci/sidecar.yaml

@@ -0,0 +1,7 @@
+sidecars:
+ - name: your-image-name
+   image: your-image
+   imagePullPolicy: Always
+   ports:
+     - name: portname
+       containerPort: 1234

packages/system/console/charts/openshift-console/templates/NOTES.txt

@@ -0,0 +1,21 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "openshift-console.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "openshift-console.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "openshift-console.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "openshift-console.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
+{{- end }}

packages/system/console/charts/openshift-console/templates/_helpers.tpl

@@ -0,0 +1,75 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "openshift-console.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "openshift-console.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "openshift-console.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "openshift-console.labels" -}}
+helm.sh/chart: {{ include "openshift-console.chart" . }}
+{{ include "openshift-console.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "openshift-console.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "openshift-console.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "openshift-console.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "openshift-console.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}

packages/system/console/charts/openshift-console/templates/crd.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.console.impersonateOpenShift }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: apps.apps.openshift.io
+spec:
+  group: apps.openshift.io
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties: {}
+  scope: Namespaced
+  names:
+    plural: apps
+    singular: app
+    kind: OpenShift
+{{- end }}

packages/system/console/charts/openshift-console/templates/deployment.yaml

@@ -0,0 +1,134 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "openshift-console.fullname" . }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- include "openshift-console.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.annotations | nindent 4 }}
+spec:
+{{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+  selector:
+    matchLabels:
+      {{- include "openshift-console.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+    {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      labels:
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- include "openshift-console.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+      serviceAccountName: {{ include "openshift-console.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext:
+        {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      volumes:
+      {{- if .Values.volumes }}
+      {{- range .Values.volumes }}
+        - name: {{ .name }}
+{{ toYaml .config | indent 10 }}
+      {{- end }}
+      {{- end }}
+      {{- with .Values.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- with .Values.args }}
+          args:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.command }}
+          command:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.securityContext.enabled }}
+          securityContext:
+            {{- omit .Values.securityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.image.registry}}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: BRIDGE_KUBECTL_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: secret
+                  name: {{ include "openshift-console.fullname" . }}
+            - name: BRIDGE_DOCUMENTATION_BASE_URL
+              value: https://kubernetes.io/docs/
+            - name: BRIDGE_DEX_API_HOST
+              value: {{ .Values.console.dex.host }}
+            - name: BRIDGE_BASE_ADDRESS
+              value: {{ .Values.console.baseUrl }}
+            {{- if .Values.console.oidc.enabled }}
+            - name: BRIDGE_USER_AUTH
+              value: oidc
+            - name: BRIDGE_K8S_AUTH
+              value: oidc
+            - name: BRIDGE_USER_AUTH_OIDC_ISSUER_URL
+              value: {{ .Values.console.oidc.issuerUrl }}
+            - name: BRIDGE_USER_AUTH_OIDC_CLIENT_ID
+              value: {{ .Values.console.oidc.clientId }}
+            - name: BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET
+              value: {{ .Values.console.oidc.clientSecret }}
+            {{- end }}
+{{- range $key, $value := .Values.extraEnv }}
+            - name: {{ $key }}
+              value:  {{ $value | quote }}
+{{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          volumeMounts:
+          {{- if .Values.volumes }}
+          {{- range .Values.volumes }}
+            - mountPath: {{ .mountPath }}
+              name: {{ .name }}
+              {{- if .subPath }}
+              subPath: {{ .subPath }}
+              {{- end }}
+          {{- end }}
+          {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+{{- if .Values.sidecars }}
+{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $ ) | nindent 8 }}
+{{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

packages/system/console/charts/openshift-console/templates/hpa.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "openshift-console.fullname" . }}
+  labels:
+    {{- include "openshift-console.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "openshift-console.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+  {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+  {{- end }}
+  {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+  {{- end }}
+{{- end }}

packages/system/console/charts/openshift-console/templates/ingress.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "openshift-console.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "openshift-console.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- omit . "kubernetes.io/ingress.class" | toYaml | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className | default (get .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ . }}
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
+  {{- end }}

packages/system/console/charts/openshift-console/templates/rbac.yaml

@@ -0,0 +1,31 @@
+{{- if and .Values.console.impersonateOpenShift .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "openshift-console.fullname" . }}-dashboards
+  namespace: openshift-config-managed
+rules:
+  - verbs:
+      - get
+      - list
+      - watch
+    apiGroups:
+      - ""
+    resources:
+      - configmaps
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "openshift-console.fullname" . }}-dashboards
+  # unfortunately this is hardcoded (https://github.com/openshift/console/blob/master/cmd/bridge/main.go#L576)
+  namespace: openshift-config-managed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "openshift-console.fullname" . }}-dashboards
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "openshift-console.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/system/console/charts/openshift-console/templates/secret.yaml

@@ -0,0 +1,15 @@
+{{ if .Values.consolesecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "openshift-console.fullname" . }}
+  labels:
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- include "openshift-console.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.annotations | nindent 4 }}
+data:
+  secret: {{ .Values.consolesecret | b64enc | quote }}
+{{- end }}

packages/system/console/charts/openshift-console/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "openshift-console.fullname" . }}
+  labels:
+    {{- include "openshift-console.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "openshift-console.selectorLabels" . | nindent 4 }}

packages/system/console/charts/openshift-console/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "openshift-console.serviceAccountName" . }}
+  labels:
+    {{- include "openshift-console.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

packages/system/console/charts/openshift-console/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "openshift-console.fullname" . }}-test-connection"
+  labels:
+    {{- include "openshift-console.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "openshift-console.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

packages/system/console/charts/openshift-console/values.yaml

@@ -0,0 +1,130 @@
+# Default values for openshift-console.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  registry: quay.io
+  repository: openshift/origin-console
+  pullPolicy: Always
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: 4.20.0
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+annotations: {}
+labels: {}
+
+podLabels: {}
+podAnnotations: {}
+
+podSecurityContext:
+  enabled: true
+  runAsUser: 1001
+
+securityContext:
+  enabled: true
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  runAsNonRoot: true
+  runAsUser: 1001
+
+service:
+  type: ClusterIP
+  port: 9000
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths: []
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+extraEnv:
+  BRIDGE_K8S_AUTH_BEARER_TOKEN: 'CENSORED'
+  BRIDGE_GRAFANA_PUBLIC_URL: https://grafana.something.com
+  BRIDGE_KUBECTL_CLIENT_ID: console
+  BRIDGE_K8S_MODE: off-cluster
+  BRIDGE_K8S_MODE_OFF_CLUSTER_ALERTMANAGER: https://alertmanager.something.com
+  BRIDGE_K8S_MODE_OFF_CLUSTER_SKIP_VERIFY_TLS: "true"
+  BRIDGE_K8S_MODE_OFF_CLUSTER_THANOS: https://prometheus.something.com
+  BRIDGE_K8S_MODE_OFF_CLUSTER_ENDPOINT: https://kube-oidc-proxy:443
+
+volumes: []
+# - name: my-volume
+#   mountPath: /foo/bar
+#   config:
+#     emptyDir: {}
+
+console:
+  dex:
+    host: https://dex.something.com
+  baseUrl: https://console.something.com
+  impersonateOpenShift: false
+  oidc:
+    enabled: true
+    issuerUrl: https://dex.something.com
+    clientId: console
+    clientSecret: 'xxxxxx'
+
+rbac:
+  enabled: false
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+sidecars: []
+
+serviceAccount:
+  create: false
+  automountServiceAccountToken: true
+  annotations: {}
+  name: ""
+
+hostAliases: []
+#  - ip: "127.0.0.1"
+#    hostnames:
+#      - "kubernetes.default.svc"
+
+
+consolesecret: 'XXXXXXXXX'
+#cookie-encryption-key-file:     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+#cookie-authentication-key-file: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+
+args:
+- --public-dir=/opt/bridge/static
+- -v
+- "7"
+command:
+- /opt/bridge/bin/bridge
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 200m
+    memory: 256Mi

packages/system/console/templates/00_helmchartrepositories.crd.yaml

@@ -0,0 +1,168 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/598
+    api.openshift.io/merged-by-featuregates: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+  name: helmchartrepositories.helm.openshift.io
+spec:
+  group: helm.openshift.io
+  names:
+    kind: HelmChartRepository
+    listKind: HelmChartRepositoryList
+    plural: helmchartrepositories
+    singular: helmchartrepository
+  scope: Cluster
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          HelmChartRepository holds cluster-wide configuration for proxied Helm chart repository
+
+          Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec holds user settable values for configuration
+            properties:
+              connectionConfig:
+                description: Required configuration for connecting to the chart repo
+                properties:
+                  ca:
+                    description: |-
+                      ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+                      It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+                      The key "ca-bundle.crt" is used to locate the data.
+                      If empty, the default system roots are used.
+                      The namespace for this config map is openshift-config.
+                    properties:
+                      name:
+                        description: name is the metadata.name of the referenced config
+                          map
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  tlsClientConfig:
+                    description: |-
+                      tlsClientConfig is an optional reference to a secret by name that contains the
+                      PEM-encoded TLS client certificate and private key to present when connecting to the server.
+                      The key "tls.crt" is used to locate the client certificate.
+                      The key "tls.key" is used to locate the private key.
+                      The namespace for this secret is openshift-config.
+                    properties:
+                      name:
+                        description: name is the metadata.name of the referenced secret
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  url:
+                    description: Chart repository URL
+                    maxLength: 2048
+                    pattern: ^https?:\/\/
+                    type: string
+                type: object
+              description:
+                description: Optional human readable repository description, it can
+                  be used by UI for displaying purposes
+                maxLength: 2048
+                minLength: 1
+                type: string
+              disabled:
+                description: If set to true, disable the repo usage in the cluster/namespace
+                type: boolean
+              name:
+                description: Optional associated human readable repository name, it
+                  can be used by UI for displaying purposes
+                maxLength: 100
+                minLength: 1
+                type: string
+            type: object
+          status:
+            description: Observed status of the repository within the cluster..
+            properties:
+              conditions:
+                description: conditions is a list of conditions and their statuses
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

packages/system/console/templates/00_projecthelmchartrepositories.crd.yaml

@@ -0,0 +1,182 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/1084
+    api.openshift.io/merged-by-featuregates: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+  name: projecthelmchartrepositories.helm.openshift.io
+spec:
+  group: helm.openshift.io
+  names:
+    kind: ProjectHelmChartRepository
+    listKind: ProjectHelmChartRepositoryList
+    plural: projecthelmchartrepositories
+    singular: projecthelmchartrepository
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ProjectHelmChartRepository holds namespace-wide configuration for proxied Helm chart repository
+
+          Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec holds user settable values for configuration
+            properties:
+              connectionConfig:
+                description: Required configuration for connecting to the chart repo
+                properties:
+                  basicAuthConfig:
+                    description: |-
+                      basicAuthConfig is an optional reference to a secret by name that contains
+                      the basic authentication credentials to present when connecting to the server.
+                      The key "username" is used locate the username.
+                      The key "password" is used to locate the password.
+                      The namespace for this secret must be same as the namespace where the project helm chart repository is getting instantiated.
+                    properties:
+                      name:
+                        description: name is the metadata.name of the referenced secret
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  ca:
+                    description: |-
+                      ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+                      It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+                      The key "ca-bundle.crt" is used to locate the data.
+                      If empty, the default system roots are used.
+                      The namespace for this configmap must be same as the namespace where the project helm chart repository is getting instantiated.
+                    properties:
+                      name:
+                        description: name is the metadata.name of the referenced config
+                          map
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  tlsClientConfig:
+                    description: |-
+                      tlsClientConfig is an optional reference to a secret by name that contains the
+                      PEM-encoded TLS client certificate and private key to present when connecting to the server.
+                      The key "tls.crt" is used to locate the client certificate.
+                      The key "tls.key" is used to locate the private key.
+                      The namespace for this secret must be same as the namespace where the project helm chart repository is getting instantiated.
+                    properties:
+                      name:
+                        description: name is the metadata.name of the referenced secret
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  url:
+                    description: Chart repository URL
+                    maxLength: 2048
+                    pattern: ^https?:\/\/
+                    type: string
+                type: object
+              description:
+                description: Optional human readable repository description, it can
+                  be used by UI for displaying purposes
+                maxLength: 2048
+                minLength: 1
+                type: string
+              disabled:
+                description: If set to true, disable the repo usage in the namespace
+                type: boolean
+              name:
+                description: Optional associated human readable repository name, it
+                  can be used by UI for displaying purposes
+                maxLength: 100
+                minLength: 1
+                type: string
+            type: object
+          status:
+            description: Observed status of the repository within the namespace..
+            properties:
+              conditions:
+                description: conditions is a list of conditions and their statuses
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

packages/system/console/templates/cozystack.yaml

@@ -0,0 +1,8 @@
+apiVersion: helm.openshift.io/v1beta1
+kind: HelmChartRepository
+metadata:
+  name: cozystack
+spec:
+  name: cozystack
+  connectionConfig:
+    url: http://cozystack.cozy-system.svc/repos/apps 

packages/system/console/templates/kubevirt.yaml

@@ -0,0 +1,88 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubevirt-plugin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kubevirt-plugin
+  template:
+    metadata:
+      labels:
+        app: kubevirt-plugin
+    spec:
+      containers:
+        - name: kubevirt-plugin
+          image: quay.io/kubevirt-ui/kubevirt-plugin:v4.17.0
+          ports:
+            - containerPort: 9443
+              protocol: TCP
+          imagePullPolicy: Always
+          volumeMounts:
+            #- name: plugin-serving-cert
+            #  readOnly: true
+            #  mountPath: /var/serving-cert
+            - name: nginx-conf
+              readOnly: true
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+      volumes:
+        #- name: plugin-serving-cert
+        #  secret:
+        #    secretName: plugin-serving-cert
+        #    defaultMode: 420
+        - name: nginx-conf
+          configMap:
+            name: nginx-conf
+            defaultMode: 420
+      restartPolicy: Always
+      dnsPolicy: ClusterFirst
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 25%
+      maxSurge: 25%
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-conf
+data:
+  nginx.conf: |
+    error_log /dev/stdout info;
+    events {}
+    http {
+      access_log         /dev/stdout;
+      include            /etc/nginx/mime.types;
+      default_type       application/octet-stream;
+      keepalive_timeout  65;
+      server {
+        listen              9443;
+        root                /usr/share/nginx/html;
+      }
+      #server {
+      #  listen              9443 ssl;
+      #  ssl_certificate     /var/serving-cert/tls.crt;
+      #  ssl_certificate_key /var/serving-cert/tls.key;
+      #  root                /usr/share/nginx/html;
+      #}
+    }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  #annotations:
+  #  service.alpha.openshift.io/serving-cert-secret-name: plugin-serving-cert
+  name: kubevirt-plugin
+spec:
+  ports:
+    - name: 9443-tcp
+      protocol: TCP
+      port: 9443
+      targetPort: 9443
+  selector:
+    app: kubevirt-plugin
+  type: ClusterIP
+  sessionAffinity: None

packages/system/console/templates/secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openshift-console
+stringData:
+  cookie_auth_key: rpb7aos4rd0m32x9omcrcqacnia0xty2
+  cookie_enc_key: gg1ejofgupoc19wyuywr2yflm75aeiwg

packages/system/console/values.yaml

@@ -0,0 +1,50 @@
+openshift-console:
+  fullnameOverride: console
+  console:
+    baseUrl: https://console.infra.aenix.org
+    oidc:
+      enabled: true
+      issuerUrl: https://keycloak.infra.aenix.org/realms/cozy
+      clientId: console-test
+      clientSecret: Sgq1yrmmEwPKy9YxGmg37b1EgsLu3P9g
+  extraEnv:
+    BRIDGE_K8S_AUTH_BEARER_TOKEN: null
+    BRIDGE_GRAFANA_PUBLIC_URL: https://grafana.infra.aenix.org
+    BRIDGE_KUBECTL_CLIENT_ID: console
+    BRIDGE_K8S_MODE: in-cluster
+    BRIDGE_COOKIE_AUTHENTICATION_KEY_FILE: /etc/openshift-console-secrets/cookie_auth_key
+    BRIDGE_COOKIE_ENCRYPTION_KEY_FILE: /etc/openshift-console-secrets/cookie_enc_key
+    BRIDGE_PLUGINS: kubevirt-plugin=http://kubevirt-plugin.cozy-console.svc:9443/
+    BRIDGE_ALERMANAGER_PUBLIC_URL: http://vmalertmanager-alertmanager.tenant-root.svc:9093
+    BRIDGE_THANOS_PUBLIC_URL: http://vmselect-shortterm.tenant-root.svc:8481/select/0/prometheus
+    BRIDGE_SKIP_VERIFY_TLS: true
+  volumes:
+  - name: cookie-secrets
+    mountPath: /etc/openshift-console-secrets
+    config:
+      secret:
+        secretName: openshift-console
+  - name: tmp
+    mountPath: /tmp
+    config:
+      emptyDir: {}
+  ingress:
+    enabled: true
+    annotations:
+      acme.cert-manager.io/http01-ingress-class: tenant-root
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    className: 'tenant-root'
+    hosts:
+    - host: console.infra.aenix.org
+      paths: ["/"]
+    tls:
+    - secretName: console-tls
+      hosts:
+        - console.infra.aenix.org
+  resources:
+    limits:
+      cpu: 500m
+      memory: 2048Mi
+    requests:
+      cpu: 200m
+      memory: 512Mi

packages/system/cozystack-api/templates/configmap.yaml

@@ -155,7 +155,7 @@ data:
         labels:
           cozystack.io/ui: "true"
         chart:
-          name: rabbitmq
+          name: redis
           sourceRef:
             kind: HelmRepository
             name: cozystack-apps

packages/system/cozystack-api/values.yaml

@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.19.0@sha256:ae79f91f8cd9d5f379cda70c6beddb9fdb508082523b652fc42eb89e9500e964
+  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.20.2@sha256:fd7bebabd4b8d29c5749bc454feec1ef35bf29ce60b5edebb9a550ca6dcfed49

packages/system/dashboard/values.yaml

@@ -33,11 +33,11 @@ kubeapps:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.19.0
-      digest: "sha256:bc3474db3cff7937fb1b18bc6fa413fc245866ae727e9e9af6c93d3733e0316a"
+      tag: v0.20.2
+      digest: "sha256:4818712e9fc9c57cc321512760c3226af564a04e69d4b3ec9229ab91fd39abeb"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.19.0
-      digest: "sha256:da558e5ccdb129819e16db55d5501f7e62cd54b2ea0ce2fdee38bf89c17ff5ce"
+      tag: v0.20.2
+      digest: "sha256:7640ba0c9549e6051b4e26488904a4f07d532087f1ac2f32bdc35687d7291ace"

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.19.0@sha256:3da74afcc569fa2e706d41d7fc14a473b3b972c8b07004a5ebaca0b59bf492e4
+    tag: v0.20.2@sha256:f7ebb4e8b833b90982d371a8d8292c328ab7e828ffd953a32f08cdd91398faef
     repository: ghcr.io/aenix-io/cozystack/kamaji
   resources:
     limits:

packages/system/keycloak-configure/templates/configure-kk.yaml

@@ -112,8 +112,6 @@ spec:
 
 ---
 
----
-
 apiVersion: v1.edp.epam.com/v1
 kind: KeycloakClient
 metadata:
@@ -227,3 +225,16 @@ spec:
   realmRef:
     name: keycloakrealm-cozy
     kind: ClusterKeycloakRealm
+
+---
+
+apiVersion: v1.edp.epam.com/v1
+kind: KeycloakRealmGroup
+metadata:
+  name: cozystack-cluster-admin
+  namespace: cozy-system
+spec:
+  name: cozystack-cluster-admin
+  realmRef:
+    name: keycloakrealm-cozy
+    kind: ClusterKeycloakRealm

packages/system/keycloak-configure/templates/rolebinding.yaml

@@ -6,8 +6,39 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: admin
+  name: kubeapps-admin
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
   name: kubeapps-admin
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kubeapps-admin
+  namespace: cozy-public
+subjects:
+- kind: Group
+  name: kubeapps-admin
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: kubeapps-admin
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cozystack-cluster-admin-group
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cozystack-cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: cozystack-cluster-admin

packages/system/keycloak-configure/templates/roles.yaml

@@ -0,0 +1,57 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubeapps-admin
+rules:
+- apiGroups: [""]
+  resources:
+  - "*"
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups: ["apps.cozystack.io"]
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+  resources:
+  - helmreleases
+  verbs:
+  - '*'
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: kubeapps-admin
+  namespace: cozy-public
+rules:
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources: ["helmrepositories"]
+    verbs:
+    - get
+    - list
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources:
+    - helmcharts
+    verbs: ["*"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cozystack-cluster-admin
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- nonResourceURLs:
+  - '*'
+  verbs:
+  - '*'

packages/system/kubeovn/Makefile

@@ -8,8 +8,9 @@ include ../../../scripts/package.mk
 
 update:
 	rm -rf charts && mkdir -p charts/kube-ovn
-	curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/heads/master.tar.gz | \
-	tar xzvf - --strip 1 kube-ovn-master/charts
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/kubeovn/kube-ovn | awk -F'[/^]' 'END{print $$3}') && \
+	curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/tags/$${tag}.tar.gz | \
+	tar xzvf - --strip 1 kube-ovn-$${tag#*v}/charts
 	patch --no-backup-if-mismatch -p4 < patches/cozyconfig.diff
 	patch --no-backup-if-mismatch -p4 < patches/mtu.diff
 

packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl

@@ -75,3 +75,11 @@ Number of master nodes
     {{- end -}}
   {{- end -}}
 {{- end -}}
+
+{{- define "kubeovn.runAsUser" -}}
+  {{- if $.Values.func.ENABLE_OVN_IPSEC -}}
+    0
+  {{- else -}}
+    65534
+  {{- end -}}
+{{- end -}}

packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml

@@ -40,15 +40,42 @@ spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: ovn-ovs
       hostNetwork: true
+      initContainers:
+        - name: hostpath-init
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - sh
+            - -c
+            - "chown -R nobody: /var/run/ovn /etc/ovn /var/log/ovn"
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+            privileged: true
+            runAsUser: 0
+          volumeMounts:
+            - mountPath: /var/run/ovn
+              name: host-run-ovn
+            - mountPath: /etc/ovn
+              name: host-config-ovn
+            - mountPath: /var/log/ovn
+              name: host-log-ovn
       containers:
         - name: ovn-central
           image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: 
+          - bash
           - /kube-ovn/start-db.sh
           securityContext:
+            runAsUser: {{ include "kubeovn.runAsUser" . }}
+            privileged: false
             capabilities:
-              add: ["SYS_NICE"]
+              add:
+                - NET_BIND_SERVICE
+                - SYS_NICE
           env:
             - name: ENABLE_SSL
               value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -92,16 +119,10 @@ spec:
               cpu: {{ index .Values "ovn-central" "limits" "cpu" }}
               memory: {{ index .Values "ovn-central" "limits" "memory" }}
           volumeMounts:
-            - mountPath: /var/run/openvswitch
-              name: host-run-ovs
             - mountPath: /var/run/ovn
               name: host-run-ovn
-            - mountPath: /etc/openvswitch
-              name: host-config-openvswitch
             - mountPath: /etc/ovn
               name: host-config-ovn
-            - mountPath: /var/log/openvswitch
-              name: host-log-ovs
             - mountPath: /var/log/ovn
               name: host-log-ovn
             - mountPath: /etc/localtime
@@ -131,21 +152,12 @@ spec:
         {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}"
         {{- end }}
       volumes:
-        - name: host-run-ovs
-          hostPath:
-            path: /run/openvswitch
         - name: host-run-ovn
           hostPath:
             path: /run/ovn
-        - name: host-config-openvswitch
-          hostPath:
-            path: {{ .Values.OPENVSWITCH_DIR }}
         - name: host-config-ovn
           hostPath:
             path: {{ .Values.OVN_DIR }}
-        - name: host-log-ovs
-          hostPath:
-            path: {{ .Values.log_conf.LOG_DIR }}/openvswitch
         - name: host-log-ovn
           hostPath:
             path: {{ .Values.log_conf.LOG_DIR }}/ovn

packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml

@@ -47,6 +47,24 @@ spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: ovn
       hostNetwork: true
+      initContainers:
+        - name: hostpath-init
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - sh
+            - -c
+            - "chown -R nobody: /var/log/kube-ovn"
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+            privileged: true
+            runAsUser: 0
+          volumeMounts:
+            - name: kube-ovn-log
+              mountPath: /var/log/kube-ovn
       containers:
         - name: kube-ovn-controller
           image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
@@ -89,6 +107,17 @@ spec:
           - --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }}
           - --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
           - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }}
+          - --secure-serving={{- .Values.func.SECURE_SERVING }}
+          - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
+          - --enable-anp={{- .Values.func.ENABLE_ANP }}
+          - --ovsdb-con-timeout={{- .Values.func.OVSDB_CON_TIMEOUT }}
+          - --ovsdb-inactivity-timeout={{- .Values.func.OVSDB_INACTIVITY_TIMEOUT }}
+          securityContext:
+            runAsUser: {{ include "kubeovn.runAsUser" . }}
+            privileged: false
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
           env:
             - name: ENABLE_SSL
               value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -96,6 +125,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
             - name: KUBE_NAMESPACE
               valueFrom:
                 fieldRef:
@@ -106,6 +139,10 @@ spec:
                   fieldPath: spec.nodeName
             - name: OVN_DB_IPS
               value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: POD_IPS
               valueFrom:
                 fieldRef:
@@ -126,17 +163,21 @@ spec:
           readinessProbe:
             exec:
               command:
-                - /kube-ovn/kube-ovn-controller-healthcheck
+                - /kube-ovn/kube-ovn-healthcheck
+                - --port=10660
+                - --tls={{- .Values.func.SECURE_SERVING }}
             periodSeconds: 3
-            timeoutSeconds: 45
+            timeoutSeconds: 5
           livenessProbe:
             exec:
               command:
-                - /kube-ovn/kube-ovn-controller-healthcheck
+                - /kube-ovn/kube-ovn-healthcheck
+                - --port=10660
+                - --tls={{- .Values.func.SECURE_SERVING }}
             initialDelaySeconds: 300
             periodSeconds: 7
             failureThreshold: 5
-            timeoutSeconds: 45
+            timeoutSeconds: 5
           resources:
             requests:
               cpu: {{ index .Values "kube-ovn-controller" "requests" "cpu" }}

packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml

@@ -41,6 +41,28 @@ spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: ovn
       hostNetwork: true
+      initContainers:
+        - name: hostpath-init
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - sh
+            - -c
+            - "chown -R nobody: /var/run/ovn /var/log/ovn /var/log/kube-ovn"
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+            privileged: true
+            runAsUser: 0
+          volumeMounts:
+            - mountPath: /var/run/ovn
+              name: host-run-ovn
+            - mountPath: /var/log/ovn
+              name: host-log-ovn
+            - name: kube-ovn-log
+              mountPath: /var/log/kube-ovn
       containers:
         - name: ovn-ic-controller
           image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
@@ -52,8 +74,12 @@ spec:
           - --logtostderr=false
           - --alsologtostderr=true
           securityContext:
+            runAsUser: {{ include "kubeovn.runAsUser" . }}
+            privileged: false
             capabilities:
-              add: ["SYS_NICE"]
+              add:
+                - NET_BIND_SERVICE
+                - SYS_NICE
           env:
             - name: ENABLE_SSL
               value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -62,7 +88,7 @@ spec:
                 fieldRef:
                   fieldPath: metadata.namespace
             - name: OVN_DB_IPS
-              value: "{{ .Values.MASTER_NODES }}"
+              value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
           resources:
             requests:
               cpu: 300m
@@ -73,8 +99,6 @@ spec:
           volumeMounts:
             - mountPath: /var/run/ovn
               name: host-run-ovn
-            - mountPath: /etc/ovn
-              name: host-config-ovn
             - mountPath: /var/log/ovn
               name: host-log-ovn
             - mountPath: /etc/localtime
@@ -90,9 +114,6 @@ spec:
         - name: host-run-ovn
           hostPath:
             path: /run/ovn
-        - name: host-config-ovn
-          hostPath:
-            path: /etc/origin/ovn
         - name: host-log-ovn
           hostPath:
             path: /var/log/ovn

packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml

@@ -503,6 +503,31 @@ spec:
                     type: string
                 qosPolicy:
                   type: string
+                bgpSpeaker:
+                  type: object
+                  properties:
+                    enabled:
+                      type: boolean
+                    asn:
+                      type: integer
+                    remoteAsn:
+                      type: integer
+                    neighbors:
+                      type: array
+                      items:
+                        type: string
+                    holdTime:
+                      type: string
+                    routerId:
+                      type: string
+                    password:
+                      type: string
+                    enableGracefulRestart:
+                      type: boolean
+                    extraArgs:
+                      type: array
+                      items:
+                        type: string
                 tolerations:
                   type: array
                   items:
@@ -1300,8 +1325,12 @@ spec:
                   type: boolean
                 v4Eip:
                   type: string
+                v6Eip:
+                  type: string
                 v4Ip:
                   type: string
+                v6Ip:
+                  type: string
                 vpc:
                   type: string
                 conditions:
@@ -1493,8 +1522,12 @@ spec:
                   type: boolean
                 v4Eip:
                   type: string
+                v6Eip:
+                  type: string
                 v4Ip:
                   type: string
+                v6Ip:
+                  type: string
                 vpc:
                   type: string
                 externalPort:
@@ -1570,12 +1603,17 @@ spec:
         - jsonPath: .spec.namespaces
           name: Namespaces
           type: string
+        - jsonPath: .status.defaultLogicalSwitch
+          name: DefaultSubnet
+          type: string
       name: v1
       schema:
         openAPIV3Schema:
           properties:
             spec:
               properties:
+                defaultSubnet:
+                  type: string
                 enableExternal:
                   type: boolean
                 enableBfd:
@@ -1976,6 +2014,10 @@ spec:
                   type: string
                 u2oInterconnectionVPC:
                   type: string
+                mcastQuerierIP:
+                  type: string
+                mcastQuerierMAC:
+                  type: string
                 v4usingIPrange:
                   type: string
                 v4availableIPrange:
@@ -2156,6 +2198,28 @@ spec:
                   type: boolean
                 routeTable:
                   type: string
+                namespaceSelectors:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      matchLabels:
+                        type: object
+                        additionalProperties:
+                          type: string
+                      matchExpressions:
+                        type: array
+                        items:
+                          type: object
+                          properties:
+                            key:
+                              type: string
+                            operator:
+                              type: string
+                            values:
+                              type: array
+                              items:
+                                type: string
   scope: Cluster
   names:
     plural: subnets

packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml

@@ -38,19 +38,41 @@ spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: kube-ovn-app
       hostNetwork: true
+      initContainers:
+        - name: hostpath-init
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - sh
+            - -c
+            - "chown -R nobody: /var/log/kube-ovn"
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+            privileged: true
+            runAsUser: 0
+          volumeMounts:
+            - name: kube-ovn-log
+              mountPath: /var/log/kube-ovn
       containers:
         - name: kube-ovn-monitor
           image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/kube-ovn/start-ovn-monitor.sh"]
           args:
+          - --secure-serving={{- .Values.func.SECURE_SERVING }}
           - --log_file=/var/log/kube-ovn/kube-ovn-monitor.log
           - --logtostderr=false
           - --alsologtostderr=true
           - --log_file_max_size=200
           securityContext:
-            runAsUser: 0
+            runAsUser: {{ include "kubeovn.runAsUser" . }}
             privileged: false
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
           env:
             - name: ENABLE_SSL
               value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -58,6 +80,18 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
             - name: POD_IPS
               valueFrom:
                 fieldRef:
@@ -72,12 +106,8 @@ spec:
               cpu: {{ index .Values "kube-ovn-monitor" "limits" "cpu" }}
               memory: {{ index .Values "kube-ovn-monitor" "limits" "memory" }}
           volumeMounts:
-            - mountPath: /var/run/openvswitch
-              name: host-run-ovs
             - mountPath: /var/run/ovn
               name: host-run-ovn
-            - mountPath: /etc/openvswitch
-              name: host-config-openvswitch
             - mountPath: /etc/ovn
               name: host-config-ovn
             - mountPath: /var/log/ovn
@@ -95,32 +125,32 @@ spec:
             initialDelaySeconds: 30
             periodSeconds: 7
             successThreshold: 1
-            tcpSocket:
-              port: 10661
-            timeoutSeconds: 3
+            exec:
+              command:
+                - /kube-ovn/kube-ovn-healthcheck
+                - --port=10661
+                - --tls={{- .Values.func.SECURE_SERVING }}
+            timeoutSeconds: 5
           readinessProbe:
             failureThreshold: 3
             initialDelaySeconds: 30
             periodSeconds: 7
             successThreshold: 1
-            tcpSocket:
-              port: 10661
-            timeoutSeconds: 3
+            exec:
+              command:
+                - /kube-ovn/kube-ovn-healthcheck
+                - --port=10661
+                - --tls={{- .Values.func.SECURE_SERVING }}
+            timeoutSeconds: 5
       nodeSelector:
         kubernetes.io/os: "linux"
         {{- with splitList "=" .Values.MASTER_NODES_LABEL }}
         {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}"
         {{- end }}
       volumes:
-        - name: host-run-ovs
-          hostPath:
-            path: /run/openvswitch
         - name: host-run-ovn
           hostPath:
             path: /run/ovn
-        - name: host-config-openvswitch
-          hostPath:
-            path: {{ .Values.OPENVSWITCH_DIR }}
         - name: host-config-ovn
           hostPath:
             path: {{ .Values.OVN_DIR }}

packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml

@@ -163,7 +163,49 @@ rules:
       - get
       - list
       - watch
-
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+  - apiGroups: 
+      - "certificates.k8s.io"
+    resources: 
+      - "certificatesigningrequests"
+    verbs: 
+      - "get"
+      - "list"
+      - "watch"
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - certificatesigningrequests/status
+    - certificatesigningrequests/approval
+    verbs:
+    - update
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - get
+    - create
+  - apiGroups:
+    - certificates.k8s.io
+    resourceNames:
+    - kubeovn.io/signer
+    resources:
+    - signers
+    verbs:
+    - approve
+    - sign
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -248,7 +290,34 @@ rules:
       - get
       - list
       - watch
-
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+  - apiGroups: 
+      - "certificates.k8s.io"
+    resources: 
+      - "certificatesigningrequests"
+    verbs: 
+      - "create" 
+      - "get"
+      - "list"
+      - "watch"
+      - "delete"
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    verbs:
+      - "get"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -271,3 +340,15 @@ rules:
       - daemonsets
     verbs:
       - get
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create

packages/system/kubeovn/charts/kube-ovn/templates/ovn-CRB.yaml

@@ -10,7 +10,20 @@ subjects:
   - kind: ServiceAccount
     name: ovn
     namespace: {{ .Values.namespace }}
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ovn
+  namespace: {{ .Values.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - kind: ServiceAccount
+    name: ovn
+    namespace: {{ .Values.namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -38,7 +51,20 @@ subjects:
   - kind: ServiceAccount
     name: kube-ovn-cni
     namespace: {{ .Values.namespace }}
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kube-ovn-cni
+  namespace: {{ .Values.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - kind: ServiceAccount
+    name: kube-ovn-cni
+    namespace: {{ .Values.namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -52,3 +78,17 @@ subjects:
   - kind: ServiceAccount
     name: kube-ovn-app
     namespace: {{ .Values.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kube-ovn-app
+  namespace: {{ .Values.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - kind: ServiceAccount
+    name: kube-ovn-app
+    namespace: {{ .Values.namespace }}

packages/system/kubeovn/charts/kube-ovn/templates/ovn-sa.yaml

@@ -18,6 +18,14 @@ kind: ServiceAccount
 metadata:
   name: ovn-ovs
   namespace: {{ .Values.namespace }}
+{{-  if .Values.global.registry.imagePullSecrets }}
+imagePullSecrets:
+{{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
+{{- if $secret }}
+- name: {{ $secret | quote}}
+{{- end }}
+{{- end }}
+{{- end }}
 
 ---
 apiVersion: v1
@@ -25,6 +33,14 @@ kind: ServiceAccount
 metadata:
   name: kube-ovn-cni
   namespace: {{ .Values.namespace }}
+{{-  if .Values.global.registry.imagePullSecrets }}
+imagePullSecrets:
+{{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
+{{- if $secret }}
+- name: {{ $secret | quote}}
+{{- end }}
+{{- end }}
+{{- end }}
 
 ---
 apiVersion: v1
@@ -32,3 +48,11 @@ kind: ServiceAccount
 metadata:
   name: kube-ovn-app
   namespace: {{ .Values.namespace }}
+{{-  if .Values.global.registry.imagePullSecrets }}
+imagePullSecrets:
+{{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
+{{- if $secret }}
+- name: {{ $secret | quote}}
+{{- end }}
+{{- end }}
+{{- end }}

packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml

@@ -29,16 +29,52 @@ spec:
       hostNetwork: true
       hostPID: true
       initContainers:
+      - name: hostpath-init
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command:
+          - sh
+          - -xec
+          - {{ if not .Values.DISABLE_MODULES_MANAGEMENT -}}
+            iptables -V
+            {{- else -}}
+            echo "nothing to do"
+            {{- end }}
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            drop:
+              - ALL
+          privileged: true
+          runAsUser: 0
+          runAsGroup: 0
+        volumeMounts:
+          - name: usr-local-sbin
+            mountPath: /usr/local/sbin
+          - mountPath: /run/xtables.lock
+            name: xtables-lock
+            readOnly: false
+          - mountPath: /var/run/netns
+            name: host-ns
+            readOnly: false
+          - name: kube-ovn-log
+            mountPath: /var/log/kube-ovn
       - name: install-cni
         image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
-        command: ["/kube-ovn/install-cni.sh"]
+        command:
+          - /kube-ovn/install-cni.sh
+          - --cni-conf-dir={{ .Values.cni_conf.CNI_CONF_DIR }}
+          - --cni-conf-file={{ .Values.cni_conf.CNI_CONF_FILE }}
+          - --cni-conf-name={{- .Values.cni_conf.CNI_CONFIG_PRIORITY -}}-kube-ovn.conflist
         securityContext:
           runAsUser: 0
           privileged: true
         volumeMounts:
           - mountPath: /opt/cni/bin
             name: cni-bin
+          - mountPath: /etc/cni/net.d
+            name: cni-conf
           {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
           - mountPath: /usr/local/bin
             name: local-bin
@@ -65,9 +101,6 @@ spec:
           - --dpdk-tunnel-iface={{- .Values.networking.DPDK_TUNNEL_IFACE }}
           - --network-type={{- .Values.networking.TUNNEL_TYPE }}
           - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }}
-          - --cni-conf-dir={{ .Values.cni_conf.CNI_CONF_DIR }}
-          - --cni-conf-file={{ .Values.cni_conf.CNI_CONF_FILE }}
-          - --cni-conf-name={{- .Values.cni_conf.CNI_CONFIG_PRIORITY -}}-kube-ovn.conflist
           - --logtostderr=false
           - --alsologtostderr=true
           - --log_file=/var/log/kube-ovn/kube-ovn-cni.log
@@ -76,12 +109,26 @@ spec:
           - --kubelet-dir={{ .Values.kubelet_conf.KUBELET_DIR }}
           - --enable-tproxy={{ .Values.func.ENABLE_TPROXY }}
           - --ovs-vsctl-concurrency={{ .Values.performance.OVS_VSCTL_CONCURRENCY }}
+          - --secure-serving={{- .Values.func.SECURE_SERVING }}
+          - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
+          - --set-vxlan-tx-off={{- .Values.func.SET_VXLAN_TX_OFF }}
           {{- with .Values.mtu }}
           - --mtu={{ . }}
           {{- end }}
         securityContext:
           runAsUser: 0
-          privileged: true
+          privileged: false
+          capabilities:
+            add:
+              - NET_ADMIN
+              - NET_BIND_SERVICE
+              - NET_RAW
+              - SYS_ADMIN
+              - SYS_PTRACE
+              {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
+              - SYS_MODULE
+              {{- end }}
+              - SYS_NICE
         env:
           - name: ENABLE_SSL
             value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -93,6 +140,14 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: spec.nodeName
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
           - name: POD_IPS
             valueFrom:
               fieldRef:
@@ -102,19 +157,22 @@ spec:
           - name: DBUS_SYSTEM_BUS_ADDRESS
             value: "unix:path=/host/var/run/dbus/system_bus_socket"
         volumeMounts:
+          - name: usr-local-sbin
+            mountPath: /usr/local/sbin
           - name: host-modules
             mountPath: /lib/modules
             readOnly: true
+          - mountPath: /run/xtables.lock
+            name: xtables-lock
+            readOnly: false
           - name: shared-dir
             mountPath: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods
           - mountPath: /etc/openvswitch
             name: systemid
             readOnly: true
-          - mountPath: /etc/cni/net.d
-            name: cni-conf
           - mountPath: /run/openvswitch
             name: host-run-ovs
-            mountPropagation: Bidirectional
+            mountPropagation: HostToContainer
           - mountPath: /run/ovn
             name: host-run-ovn
           - mountPath: /host/var/run/dbus
@@ -132,21 +190,31 @@ spec:
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
+        {{- if .Values.func.ENABLE_OVN_IPSEC }}
+          - mountPath: /etc/ovs_ipsec_keys
+            name: ovs-ipsec-keys
+        {{- end }}
         readinessProbe:
           failureThreshold: 3
           periodSeconds: 7
           successThreshold: 1
-          tcpSocket:
-            port: 10665
-          timeoutSeconds: 3
+          exec:
+            command:
+              - /kube-ovn/kube-ovn-healthcheck
+              - --port=10665
+              - --tls={{- .Values.func.SECURE_SERVING }}
+          timeoutSeconds: 5
         livenessProbe:
           failureThreshold: 3
           initialDelaySeconds: 30
           periodSeconds: 7
           successThreshold: 1
-          tcpSocket:
-            port: 10665
-          timeoutSeconds: 3
+          exec:
+            command:
+              - /kube-ovn/kube-ovn-healthcheck
+              - --port=10665
+              - --tls={{- .Values.func.SECURE_SERVING }}
+          timeoutSeconds: 5
         resources:
           requests:
             cpu: {{ index .Values "kube-ovn-cni" "requests" "cpu" }}
@@ -157,9 +225,15 @@ spec:
       nodeSelector:
         kubernetes.io/os: "linux"
       volumes:
+        - name: usr-local-sbin
+          emptyDir: {}
         - name: host-modules
           hostPath:
             path: /lib/modules
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
         - name: shared-dir
           hostPath:
             path: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods
@@ -201,3 +275,8 @@ spec:
           hostPath:
             path: {{ .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
         {{- end }}
+        {{- if .Values.func.ENABLE_OVN_IPSEC }}
+        - name: ovs-ipsec-keys
+          hostPath:
+            path: /etc/origin/ovs_ipsec_keys
+        {{- end }}

packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml

@@ -36,6 +36,46 @@ spec:
       serviceAccountName: ovn-ovs
       hostNetwork: true
       hostPID: true
+      initContainers:
+        - name: hostpath-init
+          {{- if .Values.DPDK }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.DPDK_VERSION }}-{{ .Values.global.images.kubeovn.tag }}
+          {{- else }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          {{- end }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - sh
+            - -xec
+            - |
+              chown -R nobody: /var/run/ovn /var/log/ovn /etc/openvswitch /var/run/openvswitch /var/log/openvswitch
+              {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
+              iptables -V
+              {{- else }}
+              ln -sf /bin/true /usr/local/sbin/modprobe
+              ln -sf /bin/true /usr/local/sbin/modinfo
+              ln -sf /bin/true /usr/local/sbin/rmmod
+              {{- end }}
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+            privileged: true
+            runAsUser: 0
+          volumeMounts:
+            - mountPath: /usr/local/sbin
+              name: usr-local-sbin
+            - mountPath: /var/log/ovn
+              name: host-log-ovn
+            - mountPath: /var/run/ovn
+              name: host-run-ovn
+            - mountPath: /etc/openvswitch
+              name: host-config-openvswitch
+            - mountPath: /var/run/openvswitch
+              name: host-run-ovs
+            - mountPath: /var/log/openvswitch
+              name: host-log-ovs
       containers:
         - name: openvswitch
           {{- if .Values.DPDK }}
@@ -47,22 +87,20 @@ spec:
           {{- if .Values.DPDK }}
           command: ["/kube-ovn/start-ovs-dpdk.sh"]
           {{- else }}
-          command: 
-          {{- if .Values.DISABLE_MODULES_MANAGEMENT }}
-          - /bin/sh
-          - -ec
-          - |
-              ln -sf /bin/true /usr/sbin/modprobe
-              ln -sf /bin/true /usr/sbin/modinfo
-              ln -sf /bin/true /usr/sbin/rmmod
-              exec /kube-ovn/start-ovs.sh
-          {{- else }}
-          - /kube-ovn/start-ovs.sh
-          {{- end }}
+          command: ["/kube-ovn/start-ovs.sh"]
           {{- end }}
           securityContext:
-            runAsUser: 0
-            privileged: true
+            runAsUser: {{ include "kubeovn.runAsUser" . }}
+            privileged: false
+            capabilities:
+              add:
+                - NET_ADMIN
+                - NET_BIND_SERVICE
+                {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
+                - SYS_MODULE
+                {{- end }}
+                - SYS_NICE
+                - SYS_ADMIN
           env:
             - name: ENABLE_SSL
               value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -93,9 +131,8 @@ spec:
             - name: OVN_REMOTE_OPENFLOW_INTERVAL
               value: "{{ .Values.networking.OVN_REMOTE_OPENFLOW_INTERVAL }}"
           volumeMounts:
-            - mountPath: /var/run/netns
-              name: host-ns
-              mountPropagation: HostToContainer
+            - mountPath: /usr/local/sbin
+              name: usr-local-sbin
             - mountPath: /lib/modules
               name: host-modules
               readOnly: true
@@ -105,8 +142,6 @@ spec:
               name: host-run-ovn
             - mountPath: /etc/openvswitch
               name: host-config-openvswitch
-            - mountPath: /etc/ovn
-              name: host-config-ovn
             - mountPath: /var/log/openvswitch
               name: host-log-ovs
             - mountPath: /var/log/ovn
@@ -175,6 +210,8 @@ spec:
       nodeSelector:
         kubernetes.io/os: "linux"
       volumes:
+        - name: usr-local-sbin
+          emptyDir: {}
         - name: host-modules
           hostPath:
             path: /lib/modules
@@ -187,9 +224,6 @@ spec:
         - name: host-config-openvswitch
           hostPath:
             path: {{ .Values.OPENVSWITCH_DIR }}
-        - name: host-config-ovn
-          hostPath:
-            path: {{ .Values.OVN_DIR }}
         - name: host-log-ovs
           hostPath:
             path: {{ .Values.log_conf.LOG_DIR }}/openvswitch
@@ -203,9 +237,6 @@ spec:
           secret:
             optional: true
             secretName: kube-ovn-tls
-        - name: host-ns
-          hostPath:
-            path: /var/run/netns
         - hostPath:
             path: /var/run/containerd
           name: cruntime

packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml

@@ -29,6 +29,24 @@ spec:
           operator: Exists
       serviceAccountName: kube-ovn-app
       hostPID: true
+      initContainers:
+        - name: hostpath-init
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - sh
+            - -c
+            - "chown -R nobody: /var/log/kube-ovn"
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+            privileged: true
+            runAsUser: 0
+          volumeMounts:
+            - name: kube-ovn-log
+              mountPath: /var/log/kube-ovn
       containers:
         - name: pinger
           image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
@@ -37,7 +55,7 @@ spec:
           args:
           - --external-address=
           {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
-          {{ .Values.dual_stack.PINGER_EXTERNAL_ADDRESS }} 
+          {{ .Values.dual_stack.PINGER_EXTERNAL_ADDRESS }}
           {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
           {{ .Values.ipv4.PINGER_EXTERNAL_ADDRESS }}
           {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
@@ -59,8 +77,12 @@ spec:
           - --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
-            runAsUser: 0
+            runAsUser: {{ include "kubeovn.runAsUser" . }}
             privileged: false
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
+                - NET_RAW
           env:
             - name: ENABLE_SSL
               value: "{{ .Values.networking.ENABLE_SSL }}"

packages/system/kubeovn/charts/kube-ovn/values.yaml

@@ -58,7 +58,6 @@ networking:
 func:
   ENABLE_LB: true
   ENABLE_NP: true
-  ENABLE_EIP_SNAT: true
   ENABLE_EXTERNAL_VPC: true
   HW_OFFLOAD: false
   ENABLE_LB_SVC: false
@@ -68,10 +67,16 @@ func:
   CHECK_GATEWAY: true
   LOGICAL_GATEWAY: false
   ENABLE_BIND_LOCAL_IP: true
+  SECURE_SERVING: false
   U2O_INTERCONNECTION: false
   ENABLE_TPROXY: false
   ENABLE_IC: false
   ENABLE_NAT_GW: true
+  ENABLE_OVN_IPSEC: false
+  ENABLE_ANP: false
+  SET_VXLAN_TX_OFF: false
+  OVSDB_CON_TIMEOUT: 3
+  OVSDB_INACTIVITY_TIMEOUT: 10
 
 ipv4:
   PINGER_EXTERNAL_ADDRESS: "1.1.1.1"
@@ -119,21 +124,20 @@ log_conf:
 OPENVSWITCH_DIR: "/etc/origin/openvswitch"
 OVN_DIR: "/etc/origin/ovn"
 DISABLE_MODULES_MANAGEMENT: false
-  
-imagePullSecrets: []
+
 nameOverride: ""
 fullnameOverride: ""
 
 # hybrid dpdk
 HYBRID_DPDK: false
-HUGEPAGE_SIZE_TYPE: hugepages-2Mi # Default 
+HUGEPAGE_SIZE_TYPE: hugepages-2Mi # Default
 HUGEPAGES: 1Gi
 
 # DPDK
 DPDK: false
 DPDK_VERSION: "19.11"
-DPDK_CPU: "1000m"                        # Default CPU configuration
-DPDK_MEMORY: "2Gi"                       # Default Memory configuration
+DPDK_CPU: "1000m" # Default CPU configuration
+DPDK_MEMORY: "2Gi" # Default Memory configuration
 
 ovn-central:
   requests:

packages/system/kubeovn/images/kubeovn/Dockerfile

@@ -1,45 +1,54 @@
-ARG VERSION=v1.12.19
+# syntax = docker/dockerfile:experimental
+ARG VERSION=v1.13.0
 ARG BASE_TAG=$VERSION
 
-FROM golang:1.22-bookworm as builder
+FROM golang:1.23-bookworm as builder
 
-ARG COMMIT_REF=e1310e1
+ARG TAG=v1.13.0
+RUN git clone --branch ${TAG} --depth 1 https://github.com/kubeovn/kube-ovn /source
 
 WORKDIR /source
 
 COPY patches /patches
-RUN wget -O- https://github.com/kubeovn/kube-ovn/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
 RUN git apply /patches/*.diff
-RUN sed -i 's|-z now|-z now -static|' Makefile
 RUN make build-go
 
 WORKDIR /source/dist/images
 
 # imported from https://github.com/kubeovn/kube-ovn/blob/master/dist/images/Dockerfile
-FROM kubeovn/kube-ovn-base:$BASE_TAG
+FROM kubeovn/kube-ovn-base:$BASE_TAG AS setcap
 
 COPY --from=builder /source/dist/images/*.sh /kube-ovn/
 COPY --from=builder /source/dist/images/kubectl-ko /kube-ovn/kubectl-ko
 COPY --from=builder /source/dist/images/01-kube-ovn.conflist /kube-ovn/01-kube-ovn.conflist
-COPY --from=builder /source/dist/images/logrotate/* /etc/logrotate.d/
-COPY --from=builder /source/dist/images/grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
-
-WORKDIR /kube-ovn
-
-RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
-RUN rm -f /usr/bin/nc &&\
-    rm -f /usr/bin/netcat &&\
-    rm -f /usr/lib/apt/methods/mirror
-RUN deluser sync
 
 COPY --from=builder /source/dist/images/kube-ovn /kube-ovn/kube-ovn
 COPY --from=builder /source/dist/images/kube-ovn-cmd /kube-ovn/kube-ovn-cmd
-COPY --from=builder /source/dist/images/kube-ovn-webhook /kube-ovn/kube-ovn-webhook
+COPY --from=builder /source/dist/images/kube-ovn-daemon /kube-ovn/kube-ovn-daemon
+COPY --from=builder /source/dist/images/kube-ovn-pinger /kube-ovn/kube-ovn-pinger
 RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-daemon && \
     ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-pinger && \
     ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-speaker && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller-healthcheck && \
+    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-webhook && \
+    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-healthcheck && \
     ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-leader-checker && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-ic-controller
+    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-ic-controller && \
+    setcap CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-cmd && \
+    setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-pinger && \
+    setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /kube-ovn/kube-ovn-daemon
+
+FROM kubeovn/kube-ovn-base:$BASE_TAG
+
+COPY --chmod=0644 --from=builder /source/dist/images/logrotate/* /etc/logrotate.d/
+COPY --from=builder /source/dist/images/grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
+
+COPY --from=setcap /kube-ovn /kube-ovn
+RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
+
+WORKDIR /kube-ovn
+
+# Fix https://github.com/kubeovn/kube-ovn/issues/4526
+RUN setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /usr/lib/openvswitch-switch/ovs-vswitchd \
+ && setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /usr/sbin/xtables-legacy-multi \
+ && setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /usr/sbin/xtables-nft-multi \
+ && setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /usr/sbin/ipset

packages/system/kubeovn/patches/mtu.diff

@@ -1,14 +1,14 @@
 diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
-index c6834ef..423f66b 100644
+index 63f4258..dafe1fd 100644
 --- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
 +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
-@@ -76,6 +76,9 @@ spec:
-           - --kubelet-dir={{ .Values.kubelet_conf.KUBELET_DIR }}
-           - --enable-tproxy={{ .Values.func.ENABLE_TPROXY }}
-           - --ovs-vsctl-concurrency={{ .Values.performance.OVS_VSCTL_CONCURRENCY }}
+@@ -112,6 +112,9 @@ spec:
+           - --secure-serving={{- .Values.func.SECURE_SERVING }}
+           - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
+           - --set-vxlan-tx-off={{- .Values.func.SET_VXLAN_TX_OFF }}
 +          {{- with .Values.mtu }}
 +          - --mtu={{ . }}
 +          {{- end }}
          securityContext:
            runAsUser: 0
-           privileged: true
+           privileged: false

packages/system/kubeovn/values.yaml

@@ -22,4 +22,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.13.0@sha256:f8b1a3d3459bf896b3e2122fd6856b790ab6919dba1d22395eeb63f4af63d16c
+      tag: v1.13.0@sha256:3962404f479a95a6d8c0d4566b2694bcc9f2e88048edde4f368b84e0e0fadb7b

packages/system/monitoring-agents/alerts/flux.yaml

@@ -1,18 +1,7 @@
 apiVersion: operator.victoriametrics.com/v1beta1
 kind: VMRule
 metadata:
-  annotations:
-    meta.helm.sh/release-name: monitoring
-    meta.helm.sh/release-namespace: cozy-monitoring
-  labels:
-    app: victoria-metrics-k8s-stack
-    app.kubernetes.io/instance: monitoring
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: victoria-metrics-k8s-stack
-    app.kubernetes.io/version: v1.102.1
-    helm.sh/chart: victoria-metrics-k8s-stack-0.25.17
   name: alerts-flux-resources
-  namespace: cozy-monitoring
 spec:
   groups:
   - name: flux-resources-alerts

packages/system/monitoring-agents/templates/kube-state-metrics-scrape.yaml

@@ -8,7 +8,6 @@ spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: kube-state-metrics
-      app.kubernetes.io/instance: "monitoring"
   endpoints:
   - port: http
     honorLabels: true

pkg/apis/apps/v1alpha1/register.go

@@ -72,6 +72,10 @@ func RegisterDynamicTypes(scheme *runtime.Scheme, cfg *config.ResourceConfig) er
 		scheme.AddKnownTypeWithName(gvk, &Application{})
 		scheme.AddKnownTypeWithName(gvk.GroupVersion().WithKind(kind+"List"), &ApplicationList{})
 
+		gvkInternal := schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}.WithKind(kind)
+		scheme.AddKnownTypeWithName(gvkInternal, &Application{})
+		scheme.AddKnownTypeWithName(gvkInternal.GroupVersion().WithKind(kind+"List"), &ApplicationList{})
+
 		klog.V(1).Infof("Registered kind: %s\n", kind)
 		RegisteredGVKs = append(RegisteredGVKs, gvk)
 	}

pkg/cmd/server/start.go

@@ -256,6 +256,9 @@ func (o *AppsServerOptions) Config() (*apiserver.Config, error) {
 			klog.V(6).Infof("PostProcessSpec: Added OpenAPI definition for %s\n", listResourceName)
 		}
 
+		delete(defs, "com.github.aenix.io.cozystack.pkg.apis.apps.v1alpha1.Application")
+		delete(defs, "com.github.aenix.io.cozystack.pkg.apis.apps.v1alpha1.ApplicationList")
+
 		swagger.Definitions = defs
 		return swagger, nil
 	}

scripts/installer.sh

@@ -3,7 +3,7 @@ set -o pipefail
 set -e
 
 BUNDLE=$(set -x; kubectl get configmap -n cozy-system cozystack -o 'go-template={{index .data "bundle-name"}}')
-VERSION=8
+VERSION=9
 
 run_migrations() {
   if ! kubectl get configmap -n cozy-system cozystack-version; then

scripts/migrations/7

@@ -1,7 +1,6 @@
 #!/bin/sh
 # Migration 7 --> 8
 
-
 host=$(kubectl get hr tenant-root -n tenant-root -o yaml | grep 'host:' | awk '{print $2}')
 kubectl patch configmap -n cozy-system cozystack --type merge -p "{\"data\":{\"root-host\":\"$host\"}}"
 

scripts/migrations/8

@@ -0,0 +1,9 @@
+#!/bin/sh
+# Migration 7 --> 9
+
+if kubectl get clusterrolebinding kubeapps-admin-group; then
+  kubectl delete clusterrolebinding kubeapps-admin-group
+fi
+
+# Write version to cozystack-version config
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=9 --dry-run=client -o yaml | kubectl apply -f-