Add secureboot support

Update Talos v1.9.1
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-05 08:17:59 +00:00 · 2025-01-03 00:53:12 +01:00 · 2024-12-31 17:36:31 +01:00 · 2024-12-30 15:31:48 +01:00 · 2024-12-30 09:46:08 +01:00 · 2024-12-27 19:14:31 +01:00
106 changed files with 1811 additions and 5657 deletions
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -28,4 +28,5 @@ This list is sorted in chronological order, based on the submission date.
 | [Ænix](https://aenix.io/) | @kvaps | 2024-02-14 | Ænix provides consulting services for cloud providers and uses Cozystack as the main tool for organizing managed services for them. |
 | [Mediatech](https://mediatech.dev/) | @ugenk | 2024-05-01 | We're developing and hosting software for our and our custmer services. We're using cozystack as a kubernetes distribution for that. |
 | [Bootstack](https://bootstack.app/) | @mrkhachaturov | 2024-08-01| At Bootstack, we utilize a Kubernetes operator specifically designed to simplify and streamline cloud infrastructure creation.|
-| [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01| Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management.|
+| [gohost](https://gohost.kz/) | @karabass_off | 2024-02-01 | Our company has been working in the market of Kazakhstan for more than 15 years, providing clients with a standard set of services: VPS/VDC, IaaS, shared hosting, etc. Now we are expanding the lineup by introducing Bare Metal Kubenetes cluster under Cozystack management. |
 | [Urmanac](https://urmanac.com) | @kingdonb | 2024-12-04 | Urmanac is the future home of a hosting platform for the knowledge base of a community of personal server enthusiasts. We use Cozystack to provide support services for web sites hosted using both conventional deployments and on SpinKube, with WASM. |
--- a/hack/e2e.sh
+++ b/hack/e2e.sh
@@ -113,8 +113,6 @@ machine:
        - usermode_helper=disabled
    - name: zfs
    - name: spl
  install:
    image: ghcr.io/aenix-io/cozystack/talos:v1.8.3
  files:
  - content: |
      [plugins]
@@ -142,6 +140,9 @@ EOT
 cat > patch-controlplane.yaml <<\EOT
 machine:
  nodeLabels:
    node.kubernetes.io/exclude-from-external-load-balancers:
      $patch: delete
  network:
    interfaces:
    - interface: eth0
@@ -322,7 +323,7 @@ kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-i
 kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
 # Wait for Victoria metrics
-kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-longterm vmalert/vmalert-shortterm vmalertmanager/alertmanager
+kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-shortterm vmalertmanager/alertmanager
 kubectl wait --timeout=5m --for=jsonpath=.status.status=operational -n tenant-root vlogs/generic
 kubectl wait --timeout=5m --for=jsonpath=.status.clusterStatus=operational -n tenant-root vmcluster/shortterm vmcluster/longterm
--- a/manifests/cozystack-installer.yaml
+++ b/manifests/cozystack-installer.yaml
@@ -68,7 +68,7 @@ spec:
      serviceAccountName: cozystack
      containers:
      - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.19.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.21.0"
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: localhost
@@ -87,7 +87,7 @@ spec:
            fieldRef:
              fieldPath: metadata.name
      - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.19.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.21.0"
        command:
        - /usr/bin/darkhttpd
        - /cozystack/assets
--- a/packages/apps/clickhouse/images/clickhouse-backup.tag
+++ b/packages/apps/clickhouse/images/clickhouse-backup.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:3f76662144e31acf75f9495879da0c358a6729d08cfa0a4721cf495ff9a4c659
+ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61
--- a/packages/apps/ferretdb/images/postgres-backup.tag
+++ b/packages/apps/ferretdb/images/postgres-backup.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:034a480a119986da8a8e0532f09f66c58ed919e18612987b1a847fe8a59b6f3c
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:4d2271b345240c6c5b37599996745646012004b0f57e31c4c9deb1aba7408a51
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:3030c5b58dcb38dab3892fb1b4241381fc04707b2aa66550ef446231077add6e
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:3e8ae1bd576858a88c995aefb1431a1b89f55b7a1ef60575fecae4bbf5aa0d4e
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.14.0
+version: 0.14.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.0@sha256:c80c305a7c0ff5d64664eea9aefc9a2e68c3bd500cf341d820ef8dd460f3174b
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.1@sha256:0ea139c71e08db5adb275d81a7efa9a0d8b8db61a1fc1a67167a33a347c07fd8
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.0@sha256:55b78220b60773eefb7b7d3451d7ab9fe89fb6b989e8fe2ae214aab164f00293
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.1@sha256:f595d50689405a504249c2af4b84562e8a0d16bdf9287d4eedf7c87959c4fba1
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider/Dockerfile
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider/Dockerfile
@@ -3,13 +3,14 @@ FROM --platform=linux/amd64 golang:1.20.6 AS builder
 RUN git clone https://github.com/kubevirt/cloud-provider-kubevirt /go/src/kubevirt.io/cloud-provider-kubevirt \
 && cd /go/src/kubevirt.io/cloud-provider-kubevirt \
- && git checkout adbd6c27468b86b020cf38490e84f124ef24ab62
+ && git checkout da9e0cf
 WORKDIR /go/src/kubevirt.io/cloud-provider-kubevirt
-# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/291
+# see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/335
 # see: https://github.com/kubevirt/cloud-provider-kubevirt/pull/336
 ADD patches /patches
-RUN git apply /patches/external-traffic-policy-local.diff
+RUN git apply /patches/*.diff
 RUN go get 'k8s.io/endpointslice/util@v0.28' 'k8s.io/apiserver@v0.28'
 RUN go mod tidy
 RUN go mod vendor
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/335.diff
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/335.diff
@@ -0,0 +1,20 @@
 diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
 index a3c1aa33..95c31438 100644
 --- a/pkg/controller/kubevirteps/kubevirteps_controller.go
 +++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
@@ -412,11 +412,11 @@ func (c *Controller) reconcileByAddressType(service *v1.Service, tenantSlices []
 	// Create the desired port configuration
 	var desiredPorts []discovery.EndpointPort
 -	for _, port := range service.Spec.Ports {
 +	for i := range service.Spec.Ports {
 		desiredPorts = append(desiredPorts, discovery.EndpointPort{
 -			Port:     &port.TargetPort.IntVal,
 -			Protocol: &port.Protocol,
 -			Name:     &port.Name,
 +			Port:     &service.Spec.Ports[i].TargetPort.IntVal,
 +			Protocol: &service.Spec.Ports[i].Protocol,
 +			Name:     &service.Spec.Ports[i].Name,
 		})
 	}
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/336.diff
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/336.diff
@@ -0,0 +1,129 @@
 diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
 index a3c1aa33..6f6e3d32 100644
 --- a/pkg/controller/kubevirteps/kubevirteps_controller.go
 +++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
@@ -108,32 +108,24 @@ func newRequest(reqType ReqType, obj interface{}, oldObj interface{}) *Request {
 }
 func (c *Controller) Init() error {
 -
 -	// Act on events from Services on the infra cluster. These are created by the EnsureLoadBalancer function.
 -	// We need to watch for these events so that we can update the EndpointSlices in the infra cluster accordingly.
 +	// Existing Service event handlers...
 	_, err := c.infraFactory.Core().V1().Services().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
 -			// cast obj to Service
 			svc := obj.(*v1.Service)
 -			// Only act on Services of type LoadBalancer
 			if svc.Spec.Type == v1.ServiceTypeLoadBalancer {
 				klog.Infof("Service added: %v/%v", svc.Namespace, svc.Name)
 				c.queue.Add(newRequest(AddReq, obj, nil))
 			}
 		},
 		UpdateFunc: func(oldObj, newObj interface{}) {
 -			// cast obj to Service
 			newSvc := newObj.(*v1.Service)
 -			// Only act on Services of type LoadBalancer
 			if newSvc.Spec.Type == v1.ServiceTypeLoadBalancer {
 				klog.Infof("Service updated: %v/%v", newSvc.Namespace, newSvc.Name)
 				c.queue.Add(newRequest(UpdateReq, newObj, oldObj))
 			}
 		},
 		DeleteFunc: func(obj interface{}) {
 -			// cast obj to Service
 			svc := obj.(*v1.Service)
 -			// Only act on Services of type LoadBalancer
 			if svc.Spec.Type == v1.ServiceTypeLoadBalancer {
 				klog.Infof("Service deleted: %v/%v", svc.Namespace, svc.Name)
 				c.queue.Add(newRequest(DeleteReq, obj, nil))
@@ -144,7 +136,7 @@ func (c *Controller) Init() error {
 		return err
 	}
 -	// Monitor endpoint slices that we are interested in based on known services in the infra cluster
 +	// Existing EndpointSlice event handlers in tenant cluster...
 	_, err = c.tenantFactory.Discovery().V1().EndpointSlices().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
 			eps := obj.(*discovery.EndpointSlice)
@@ -194,10 +186,80 @@ func (c *Controller) Init() error {
 		return err
 	}
 -	//TODO: Add informer for EndpointSlices in the infra cluster to watch for (unwanted) changes
 +	// Add an informer for EndpointSlices in the infra cluster
 +	_, err = c.infraFactory.Discovery().V1().EndpointSlices().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 +		AddFunc: func(obj interface{}) {
 +			eps := obj.(*discovery.EndpointSlice)
 +			if c.managedByController(eps) {
 +				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
 +				if svcErr != nil {
 +					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s: %v", eps.Namespace, eps.Name, svcErr)
 +					return
 +				}
 +				if svc != nil {
 +					klog.Infof("Infra EndpointSlice added: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
 +					c.queue.Add(newRequest(AddReq, svc, nil))
 +				}
 +			}
 +		},
 +		UpdateFunc: func(oldObj, newObj interface{}) {
 +			eps := newObj.(*discovery.EndpointSlice)
 +			if c.managedByController(eps) {
 +				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
 +				if svcErr != nil {
 +					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s: %v", eps.Namespace, eps.Name, svcErr)
 +					return
 +				}
 +				if svc != nil {
 +					klog.Infof("Infra EndpointSlice updated: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
 +					c.queue.Add(newRequest(UpdateReq, svc, nil))
 +				}
 +			}
 +		},
 +		DeleteFunc: func(obj interface{}) {
 +			eps := obj.(*discovery.EndpointSlice)
 +			if c.managedByController(eps) {
 +				svc, svcErr := c.getInfraServiceForEPS(context.TODO(), eps)
 +				if svcErr != nil {
 +					klog.Errorf("Failed to get infra Service for EndpointSlice %s/%s on delete: %v", eps.Namespace, eps.Name, svcErr)
 +					return
 +				}
 +				if svc != nil {
 +					klog.Infof("Infra EndpointSlice deleted: %v/%v, requeuing Service: %v/%v", eps.Namespace, eps.Name, svc.Namespace, svc.Name)
 +					c.queue.Add(newRequest(DeleteReq, svc, nil))
 +				}
 +			}
 +		},
 +	})
 +	if err != nil {
 +		return err
 +	}
 +
 	return nil
 }
 +// getInfraServiceForEPS returns the Service in the infra cluster associated with the given EndpointSlice.
 +// It does this by reading the "kubernetes.io/service-name" label from the EndpointSlice, which should correspond
 +// to the Service name. If not found or if the Service doesn't exist, it returns nil.
 +func (c *Controller) getInfraServiceForEPS(ctx context.Context, eps *discovery.EndpointSlice) (*v1.Service, error) {
 +	svcName := eps.Labels[discovery.LabelServiceName]
 +	if svcName == "" {
 +		// No service name label found, can't determine infra service.
 +		return nil, nil
 +	}
 +
 +	svc, err := c.infraClient.CoreV1().Services(c.infraNamespace).Get(ctx, svcName, metav1.GetOptions{})
 +	if err != nil {
 +		if k8serrors.IsNotFound(err) {
 +			// Service doesn't exist
 +			return nil, nil
 +		}
 +		return nil, err
 +	}
 +
 +	return svc, nil
 +}
 +
 // Run starts an asynchronous loop that monitors and updates GKENetworkParamSet in the cluster.
 func (c *Controller) Run(numWorkers int, stopCh <-chan struct{}, controllerManagerMetrics *controllersmetrics.ControllerManagerMetrics) {
 	defer utilruntime.HandleCrash()
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/external-traffic-policy-local.diff
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/external-traffic-policy-local.diff
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.0@sha256:bc61dba787ca79f9b8d7288a631cbaecf8de9f87b6a2ad44e1513f730362621f
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.1@sha256:644379ba92c72dbbf07257d70f88ef3e5c1f1fb88f161c03758c13588d33ac2d
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:8258747003f40f0f8dd54317e52e98baf4674c5ac14ad851ac6b2871d29e4b2d
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:a64fefbd94535be2f8ac92943f0cad076a7b4c61c289a6ac0086a40859ed9d0e
--- a/packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml
@@ -48,7 +48,6 @@ spec:
        tenant: {{ .Release.Namespace }}
      remoteWrite:
        url: http://vminsert-shortterm.{{ $targetTenant }}.svc:8480/insert/0/prometheus
    fluent-bit:
      readinessProbe:
        httpGet:
--- a/packages/apps/mysql/images/mariadb-backup.tag
+++ b/packages/apps/mysql/images/mariadb-backup.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:c14e21d439600caf6239b767d204b2fd75146e782e35991c6d803490197660bf
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:948d41556939d90bdc37b4406b18935d46490dcb3f38a27aa117a4c3973e5604
--- a/packages/apps/nats/Chart.yaml
+++ b/packages/apps/nats/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.4.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/nats/README.md
+++ b/packages/apps/nats/README.md
@@ -4,9 +4,13 @@
 ### Common parameters
-| Name           | Description                                     | Value   |
+| Name                | Description                                        | Value   |
-| -------------- | ----------------------------------------------- | ------- |
+| ------------------- | -------------------------------------------------- | ------- |
-| `external`     | Enable external access from outside the cluster | `false` |
+| `external`          | Enable external access from outside the cluster    | `false` |
-| `replicas`     | Persistent Volume size for NATS                 | `2`     |
+| `replicas`          | Persistent Volume size for NATS                    | `2`     |
-| `storageClass` | StorageClass used to store the data             | `""`    |
+| `storageClass`      | StorageClass used to store the data                | `""`    |
-| `users`        | Users configuration                             | `{}`    |
+| `users`             | Users configuration                                | `{}`    |
 | `jetstream.size`    | Jetstream persistent storage size                  | `10Gi`  |
 | `jetstream.enabled` | Enable or disable Jetstream                        | `true`  |
 | `config.merge`      | Additional configuration to merge into NATS config | `{}`    |
 | `config.resolver`   | Additional configuration to merge into NATS config | `{}`    |
--- a/packages/apps/nats/templates/nats.yaml
+++ b/packages/apps/nats/templates/nats.yaml
@@ -40,8 +40,9 @@ spec:
    nats:
      fullnameOverride: {{ .Release.Name }}
      config:
-        {{- if gt (len $passwords) 0 }}
+        {{- if or (gt (len $passwords) 0) (gt (len .Values.config.merge) 0) }}
        merge:
          {{- if gt (len $passwords) 0 }}
          accounts:
            A:
              users:
@@ -49,6 +50,14 @@ spec:
                - user: "{{ $username }}"
                  password: "{{ $password }}"
                {{- end }}
          {{- end }}
          {{- if and .Values.config (hasKey .Values.config "merge") }}
          {{ toYaml .Values.config.merge | nindent 12 }}
          {{- end }}
        {{- end }}
        {{- if and .Values.config (hasKey .Values.config "resolver") }}
        resolver:
          {{ toYaml .Values.config.resolver | nindent 12 }}
        {{- end }}
        cluster:
          enabled: true
@@ -58,10 +67,10 @@ spec:
        jetstream:
          enabled: true
          fileStore:
-            enabled: true
+            enabled: {{ .Values.jetstream.enabled }}
            pvc:
              enabled: true
-              size: 10Gi
+              size: {{ .Values.jetstream.size }}
              {{- with .Values.storageClass }}
              storageClassName: {{ . }}
              {{- end }}
--- a/packages/apps/nats/values.schema.json
+++ b/packages/apps/nats/values.schema.json
@@ -16,6 +16,36 @@
            "type": "string",
            "description": "StorageClass used to store the data",
            "default": ""
        },
        "jetstream": {
            "type": "object",
            "properties": {
                "size": {
                    "type": "string",
                    "description": "Jetstream persistent storage size",
                    "default": "10Gi"
                },
                "enabled": {
                    "type": "boolean",
                    "description": "Enable or disable Jetstream",
                    "default": true
                }
            }
        },
        "config": {
            "type": "object",
            "properties": {
                "merge": {
                    "type": "object",
                    "description": "Additional configuration to merge into NATS config",
                    "default": {}
                },
                "resolver": {
                    "type": "object",
                    "description": "Additional configuration to merge into NATS config",
                    "default": {}
                }
            }
        }
    }
 }
--- a/packages/apps/nats/values.yaml
+++ b/packages/apps/nats/values.yaml
@@ -15,3 +15,49 @@ storageClass: ""
 ##     password: strongpassword
 ##   user2: {}
 users: {}
 jetstream:
  ## @param jetstream.size Jetstream persistent storage size
  ## Specifies the size of the persistent storage for Jetstream (message store).
  ## Default: 10Gi
  size: 10Gi
  ## @param jetstream.enabled Enable or disable Jetstream
  ## Set to true to enable Jetstream for persistent messaging in NATS.
  ## Default: true
  enabled: true
 config:
  ## @param config.merge Additional configuration to merge into NATS config
  ## Allows you to customize NATS server settings by merging additional configurations.
  ## For example, you can add extra parameters, configure authentication, or set custom settings.
  ## Default: {}
  ## example:
  ##
  ##   merge:
  ##     $include: ./my-config.conf
  ##     zzz$include: ./my-config-last.conf
  ##     server_name: nats
  ##     authorization:
  ##       token: << $TOKEN >>
  ##     jetstream:
  ##       max_memory_store: << 1GB >>
  ##
  ## will yield the config:
  ## {
  ##   include ./my-config.conf;
  ##   "authorization": {
  ##     "token": $TOKEN
  ##   },
  ##   "jetstream": {
  ##     "max_memory_store": 1GB
  ##   },
  ##   "server_name": "nats",
  ##   include ./my-config-last.conf;
  ## }
  merge: {}
  ## @param config.resolver Additional configuration to merge into NATS config
  ## Allows you to customize NATS server settings by merging resolver configurations.
  ## Default: {}
  ## Example see: https://github.com/nats-io/k8s/blob/main/helm/charts/nats/values.yaml#L247
  resolver: {}
--- a/packages/apps/postgres/images/postgres-backup.tag
+++ b/packages/apps/postgres/images/postgres-backup.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:034a480a119986da8a8e0532f09f66c58ed919e18612987b1a847fe8a59b6f3c
+ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:4d2271b345240c6c5b37599996745646012004b0f57e31c4c9deb1aba7408a51
--- a/packages/apps/redis/Chart.yaml
+++ b/packages/apps/redis/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.4.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/redis/README.md
+++ b/packages/apps/redis/README.md
@@ -19,5 +19,6 @@ Service utilizes the Spotahome Redis Operator for efficient management and orche
 | `size`         | Persistent Volume size                          | `1Gi`   |
 | `replicas`     | Number of Redis replicas                        | `2`     |
 | `storageClass` | StorageClass used to store the data             | `""`    |
 | `authEnabled`  | Enable password generation                      | `true`  |
--- a/packages/apps/redis/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/redis/templates/dashboard-resourcemap.yaml
@@ -13,3 +13,10 @@ rules:
  - rfrs-{{ .Release.Name }}
  - "{{ .Release.Name }}-external-lb"
  verbs: ["get", "list", "watch"]
 - apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - "{{ .Release.Name }}-auth"
  verbs: ["get", "list", "watch"]
--- a/packages/apps/redis/templates/redisfailover.yaml
+++ b/packages/apps/redis/templates/redisfailover.yaml
@@ -1,3 +1,20 @@
 {{- if .Values.authEnabled }}
  {{- $existingPassword := lookup "v1" "Secret" .Release.Namespace (printf "%s-auth" .Release.Name) }}
  {{- $password := randAlphaNum 32 | b64enc }}
  {{- if $existingPassword }}
    {{- $password = index $existingPassword.data "password" }}
  {{- end }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ .Release.Name }}-auth
 data:
  password: {{ $password }}
 {{- end }}
 ---
 apiVersion: databases.spotahome.com/v1
 kind: RedisFailover
 metadata:
@@ -52,3 +69,7 @@ spec:
      - appendonly no
      - save ""
      {{- end }}
  {{- if .Values.authEnabled }}
  auth:
    secretPath: {{ .Release.Name }}-auth
  {{- end }}
--- a/packages/apps/redis/values.schema.json
+++ b/packages/apps/redis/values.schema.json
@@ -21,6 +21,11 @@
            "type": "string",
            "description": "StorageClass used to store the data",
            "default": ""
        },
        "authEnabled": {
            "type": "boolean",
            "description": "Enable password generation",
            "default": true
        }
    }
 }
--- a/packages/apps/redis/values.yaml
+++ b/packages/apps/redis/values.yaml
@@ -4,8 +4,10 @@
 ## @param size Persistent Volume size
 ## @param replicas Number of Redis replicas
 ## @param storageClass StorageClass used to store the data
 ## @param authEnabled Enable password generation
 ##
 external: false
 size: 1Gi
 replicas: 2
 storageClass: ""
 authEnabled: true
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 type: application
-version: 1.6.1
+version: 1.6.5
--- a/packages/apps/tenant/templates/kubeconfig.yaml
+++ b/packages/apps/tenant/templates/kubeconfig.yaml
@@ -27,7 +27,7 @@ stringData:
        namespace: {{ include "tenant.name" . }}
        user: keycloak
      name: {{ include "tenant.name" . }}
-    current-context: default
+    current-context: {{ include "tenant.name" . }}
    users:
    - name: keycloak
      user:
@@ -40,6 +40,5 @@ stringData:
          - --oidc-client-id=kubernetes
          - --oidc-client-secret={{ $k8sClient }}
          - --skip-open-browser
          - --grant-type=password
          command: kubectl
 {{- end }}
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -192,16 +192,4 @@ spec:
  - toEndpoints:
    - matchLabels:
        cozystack.io/service: ingress
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-to-keycloak
  namespace: {{ include "tenant.name" . }}
 spec:
  endpointSelector: {}
  egress:
  - toEndpoints:
      - matchLabels:
          "k8s:io.kubernetes.pod.namespace": cozy-keycloak
 {{- end }}
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -14,6 +14,8 @@ metadata:
    kubernetes.io/service-account.name: {{ include "tenant.name" . }}
 type: kubernetes.io/service-account-token
 ---
 # == default role ==
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -29,9 +31,10 @@ rules:
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  verbs: ["get"]
- apiGroups: ["helm.toolkit.fluxcd.io"]
+- apiGroups: ["apps.cozystack.io"]
-  resources: ["helmreleases"]
+  resources: ['*']
-  verbs: ["*"]
+  verbs: ['*']
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -43,9 +46,6 @@ subjects:
 - kind: ServiceAccount
  name: tenant-root
  namespace: tenant-root
 - kind: Group
  name: tenant-root-super-admin
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
@@ -54,52 +54,18 @@ subjects:
 - kind: ServiceAccount
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}
  namespace: {{ join "-" (slice $parts 0 (add $i 1)) }}
 - kind: Group
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 - kind: ServiceAccount
  name: {{ include "tenant.name" . }}
  namespace: {{ include "tenant.name" . }}
 - kind: Group
  name: {{ include "tenant.name" . }}-super-admin
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}
  apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+# == view role ==
 kind: Role
 metadata:
  name: {{ include "tenant.name" . }}
  namespace: cozy-public
 rules:
 - apiGroups: ["source.toolkit.fluxcd.io"]
  resources: ["helmrepositories"]
  verbs: ["get", "list"]
 - apiGroups: ["source.toolkit.fluxcd.io"]
  resources: ["helmcharts"]
  verbs: ["*"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "tenant.name" . }}
  namespace: cozy-public
 subjects:
 - kind: ServiceAccount
  name: {{ include "tenant.name" . }}
  namespace: {{ include "tenant.name" . }}
 - kind: Group
  name: {{ include "tenant.name" . }}-super-admin
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}
  apiGroup: rbac.authorization.k8s.io
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -121,14 +87,6 @@ rules:
      - get
      - list
      - watch
  - apiGroups:
      - helm.toolkit.fluxcd.io
    resources:
      - helmreleases
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
@@ -145,22 +103,38 @@ rules:
      - get
      - list
      - watch
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "tenant.name" . }}-view
  namespace: {{ include "tenant.name" . }}
 subjects:
-  - kind: Group
+{{- if ne .Release.Namespace "tenant-root" }}
-    name: {{ include "tenant.name" . }}-view
+- kind: Group
-    apiGroup: rbac.authorization.k8s.io
+  name: tenant-root-view
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 - kind: Group
  name: {{ include "tenant.name" . }}-view
  apiGroup: rbac.authorization.k8s.io
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
 {{- if ne $i 0 }}
 - kind: Group
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-view
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-view
  apiGroup: rbac.authorization.k8s.io
 ---
 # == use role ==
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -180,13 +154,6 @@ rules:
    - get
    - list
    - watch
  - apiGroups: ["helm.toolkit.fluxcd.io"]
    resources:
    - helmreleases
    verbs:
    - get
    - list
    - watch
  - apiGroups: [""]
    resources:
    - "*"
@@ -215,14 +182,31 @@ metadata:
  name: {{ include "tenant.name" . }}-use
  namespace: {{ include "tenant.name" . }}
 subjects:
-  - kind: Group
+{{- if ne .Release.Namespace "tenant-root" }}
-    name: {{ include "tenant.name" . }}-use
+- kind: Group
-    apiGroup: rbac.authorization.k8s.io
+  name: tenant-root-use
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 - kind: Group
  name: {{ include "tenant.name" . }}-use
  apiGroup: rbac.authorization.k8s.io
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
 {{- if ne $i 0 }}
 - kind: Group
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-use
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-use
  apiGroup: rbac.authorization.k8s.io
 ---
 # == admin role ==
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -242,13 +226,6 @@ rules:
    - list
    - watch
    - delete
  - apiGroups: ["helm.toolkit.fluxcd.io"]
    resources:
    - helmreleases
    verbs:
    - get
    - list
    - watch
  - apiGroups: ["kubevirt.io"]
    resources:
    - virtualmachines
@@ -289,64 +266,6 @@ rules:
    - update
    - patch
    - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "tenant.name" . }}-admin
  namespace: cozy-public
 rules:
  - apiGroups: ["source.toolkit.fluxcd.io"]
    resources: ["helmrepositories"]
    verbs:
    - get
    - list
  - apiGroups:
    - source.toolkit.fluxcd.io
    resources:
    - helmcharts
    verbs:
    - get
    - list
  - apiGroups: ["source.toolkit.fluxcd.io"]
    resources:
    - helmcharts
    verbs: ["*"]
    resourceNames:
    - bucket
    - clickhouse
    - ferretdb
    - foo
    - httpcache
    - kafka
    - kubernetes
    - mysql
    - nats
    - postgres
    - rabbitmq
    - redis
    - seaweedfs
    - tcpbalancer
    - virtualmachine
    - vmdisk
    - vminstance
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "tenant.name" . }}-admin
  namespace: cozy-public
 subjects:
 - kind: Group
  name: {{ include "tenant.name" . }}-admin
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-admin
  apiGroup: rbac.authorization.k8s.io
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -354,10 +273,134 @@ metadata:
  name: {{ include "tenant.name" . }}-admin
  namespace: {{ include "tenant.name" . }}
 subjects:
-  - kind: Group
+{{- if ne .Release.Namespace "tenant-root" }}
-    name: {{ include "tenant.name" . }}-admin
+- kind: Group
-    apiGroup: rbac.authorization.k8s.io
+  name: tenant-root-admin
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 - kind: Group
  name: {{ include "tenant.name" . }}-admin
  apiGroup: rbac.authorization.k8s.io
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
 {{- if ne $i 0 }}
 - kind: Group
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-admin
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-admin
  apiGroup: rbac.authorization.k8s.io
 ---
 # == super admin role ==
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "tenant.name" . }}-super-admin
  namespace: {{ include "tenant.name" . }}
 rules:
  - apiGroups: [rbac.authorization.k8s.io]
    resources:
    - roles
    verbs:
    - get
  - apiGroups: [""]
    resources:
    - "*"
    verbs:
    - get
    - list
    - watch
    - delete
  - apiGroups: ["kubevirt.io"]
    resources:
    - virtualmachines
    verbs:
    - '*'
  - apiGroups: ["subresources.kubevirt.io"]
    resources:
    - virtualmachineinstances/console
    - virtualmachineinstances/vnc
    verbs:
    - get
    - list
  - apiGroups: ["apps.cozystack.io"]
    resources:
    - '*'
    verbs:
    - '*'
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "tenant.name" . }}-super-admin
  namespace: {{ include "tenant.name" . }}
 subjects:
 {{- if ne .Release.Namespace "tenant-root" }}
 - kind: Group
  name: tenant-root-super-admin
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 - kind: Group
  name: {{ include "tenant.name" . }}-super-admin
  apiGroup: rbac.authorization.k8s.io
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
 {{- if ne $i 0 }}
 - kind: Group
  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}-super-admin
  apiGroup: rbac.authorization.k8s.io
 ---
 # == dashboard role ==
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "tenant.name" . }}
  namespace: cozy-public
 rules:
 - apiGroups: ["source.toolkit.fluxcd.io"]
  resources: ["helmrepositories"]
  verbs: ["get", "list"]
 - apiGroups: ["source.toolkit.fluxcd.io"]
  resources: ["helmcharts"]
  verbs: ["get", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "tenant.name" . }}
  namespace: cozy-public
 subjects:
 - kind: Group
  name: {{ include "tenant.name" . }}-super-admin
  apiGroup: rbac.authorization.k8s.io
 - kind: Group
  name: {{ include "tenant.name" . }}-admin
  apiGroup: rbac.authorization.k8s.io
 - kind: Group
  name: {{ include "tenant.name" . }}-use
  apiGroup: rbac.authorization.k8s.io
 - kind: Group
  name: {{ include "tenant.name" . }}-view
  apiGroup: rbac.authorization.k8s.io
 - kind: ServiceAccount
  name: {{ include "tenant.name" . }}
  namespace: {{ include "tenant.name" . }}
 roleRef:
  kind: Role
  name: {{ include "tenant.name" . }}
  apiGroup: rbac.authorization.k8s.io
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -41,7 +41,8 @@ kubernetes 0.11.1 4f430a90
 kubernetes 0.12.0 74649f8
 kubernetes 0.12.1 28fca4e
 kubernetes 0.13.0 ced8e5b9
-kubernetes 0.14.0 HEAD
+kubernetes 0.14.0 bfbde07c
 kubernetes 0.14.1 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
@@ -52,7 +53,8 @@ mysql 0.5.2 HEAD
 nats 0.1.0 5ca8823
 nats 0.2.0 c07c4bbd
 nats 0.3.0 78366f19
-nats 0.3.1 HEAD
+nats 0.3.1 b7375f73
 nats 0.4.0 HEAD
 postgres 0.1.0 f642698
 postgres 0.2.0 7cd7de73
 postgres 0.2.1 4a97e297
@@ -74,7 +76,8 @@ rabbitmq 0.4.3 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 c07c4bbd
-redis 0.3.1 HEAD
+redis 0.3.1 b7375f73
 redis 0.4.0 HEAD
 tcp-balancer 0.1.0 f642698
 tcp-balancer 0.2.0 HEAD
 tenant 0.1.3 3d1b86c
@@ -88,7 +91,11 @@ tenant 1.3.1 c56e5769
 tenant 1.4.0 94c688f7
 tenant 1.5.0 48128743
 tenant 1.6.0 df448b99
-tenant 1.6.1 HEAD
+tenant 1.6.1 edbbb9be
 tenant 1.6.2 ccedc5fe
 tenant 1.6.3 2057bb96
 tenant 1.6.4 3c9e50a4
 tenant 1.6.5 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
@@ -96,7 +103,8 @@ virtual-machine 0.3.0 b908400
 virtual-machine 0.4.0 4746d51
 virtual-machine 0.5.0 HEAD
 vm-disk 0.1.0 HEAD
-vm-instance 0.1.0 HEAD
+vm-instance 0.1.0 ced8e5b9
 vm-instance 0.2.0 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 a2bcf100
--- a/packages/apps/vm-instance/Chart.yaml
+++ b/packages/apps/vm-instance/Chart.yaml
@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.2.0"
--- a/packages/apps/vm-instance/templates/vm.yaml
+++ b/packages/apps/vm-instance/templates/vm.yaml
@@ -85,7 +85,7 @@ spec:
      {{- range .Values.disks }}
      - name: disk-{{ .name }}
        dataVolume:
-          name: {{ .name }}
+          name: vm-disk-{{ .name }}
      {{- end }}
      {{- if or .Values.sshKeys .Values.cloudInit }}
      - name: cloudinitdisk
--- a/packages/apps/vm-instance/values.yaml
+++ b/packages/apps/vm-instance/values.yaml
@@ -18,8 +18,8 @@ instanceProfile: ubuntu
 ## @param disks [array] List of disks to attach
 ## Example:
 ## disks:
-## - name: vm-disk-example-system
+## - name: example-system
-## - name: vm-disk-example-data
+## - name: example-data
 disks: []
 ## @param resources.cpu The number of CPU cores allocated to the virtual machine
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -38,8 +38,8 @@ image-cozystack:
 	rm -f images/cozystack.json
 image-talos:
-	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
+	test -f ../../../_out/assets/installer-amd64-secureboot.tar || make talos-installer
-	docker load -i ../../../_out/assets/installer-amd64.tar
+	docker load -i ../../../_out/assets/installer-amd64-secureboot.tar
 	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
 	docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
@@ -59,8 +59,17 @@ image-matchbox:
 assets: talos-iso talos-nocloud talos-metal
-talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal:
+talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal: secureboot-keys
 	mkdir -p ../../../_out/assets
 	docker rm -f talos-imager 2>/dev/null || true 
 	docker run -d --rm --name talos-imager --privileged -v /dev:/dev --entrypoint=/bin/sleep "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" infinity
 	docker cp ../../../_out/secureboot talos-imager:/secureboot && \
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
-		docker run --rm -i -v /dev:/dev --privileged "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" --tar-to-stdout - | \
+		docker exec -i talos-imager /bin/imager --tar-to-stdout - | \
-		tar -C ../../../_out/assets -xzf-
+		tar -C ../../../_out/assets -xzf- ; \
 	docker rm -f talos-imager
 secureboot-keys:
 	test -d ../../../_out/secureboot || ( \
 	talosctl gen secureboot uki --common-name "SecureBoot Key" -o ../../../_out/secureboot/ && \
 	talosctl gen secureboot pcr -o ../../../_out/secureboot/ )
--- a/packages/core/installer/images/talos/profiles/initramfs.yaml
+++ b/packages/core/installer/images/talos/profiles/initramfs.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.3
+version: v1.9.1
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: initramfs
  imageOptions: {}
--- a/packages/core/installer/images/talos/profiles/installer.yaml
+++ b/packages/core/installer/images/talos/profiles/installer.yaml
@@ -2,26 +2,29 @@
 # do not edit it
 arch: amd64
 platform: metal
-secureboot: false
+version: v1.9.1
-version: v1.8.3
+secureboot: true
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: installer
  imageOptions: {}
  outFormat: raw
 customization:
  extraKernelArgs:
  - -selinux
--- a/packages/core/installer/images/talos/profiles/iso.yaml
+++ b/packages/core/installer/images/talos/profiles/iso.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.3
+version: v1.9.1
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: iso
  imageOptions: {}
--- a/packages/core/installer/images/talos/profiles/kernel.yaml
+++ b/packages/core/installer/images/talos/profiles/kernel.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.3
+version: v1.9.1
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: kernel
  imageOptions: {}
--- a/packages/core/installer/images/talos/profiles/metal.yaml
+++ b/packages/core/installer/images/talos/profiles/metal.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.3
+version: v1.9.1
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: image
  imageOptions: { diskSize: 1306525696, diskFormat: raw }
--- a/packages/core/installer/images/talos/profiles/nocloud.yaml
+++ b/packages/core/installer/images/talos/profiles/nocloud.yaml
@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.8.3
+version: v1.9.1
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
    - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: image
  imageOptions: { diskSize: 1306525696, diskFormat: raw }
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:latest@sha256:78cad710dec0f941694871cec338d9169db05f42ea13749c0a6503285540e1cc
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.21.0@sha256:90487dafccb12705b5e9760595b43c0352f3a94551c55c5fa7778bf9173d1737
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -210,25 +210,28 @@ releases:
  chart: cozy-dashboard
  namespace: cozy-dashboard
  dependsOn: [cilium,kubeovn,keycloak-configure]
  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
  values:
-      redis:
+    {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-        master:
+    {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
-          podAnnotations:
+    redis:
-            {{- range $index, $repo := . }}
+      master:
-            {{- with (($repo.status).artifact).revision }}
+        podAnnotations:
-            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
+          {{- range $index, $repo := . }}
-            {{- end }}
+          {{- with (($repo.status).artifact).revision }}
-            {{- end }}
+          repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
-  {{- end }}
+          {{- end }}
-  {{- end }}
+          {{- end }}
-  {{- if $oidcEnabled }}
+    {{- end }}
    {{- end }}
    {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
    {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
    {{- if $dashboardKCValues }}
    {{- $dashboardKCValues | nindent 4 }}
    {{- end }}
  {{- if eq $oidcEnabled "true" }}
  dependsOn: [keycloak-configure]
  valuesFrom:
    - kind: ConfigMap
      name: kubeapps-auth-config
      valuesKey: values.yaml
  {{- else }}
  dependsOn: []
  {{- end }}
--- a/packages/core/platform/bundles/paas-hosted.yaml
+++ b/packages/core/platform/bundles/paas-hosted.yaml
@@ -139,9 +139,9 @@ releases:
  releaseName: dashboard
  chart: cozy-dashboard
  namespace: cozy-dashboard
  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
  values:
    {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
    {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
    kubeapps:
      redis:
        master:
@@ -151,14 +151,17 @@ releases:
            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
            {{- end }}
            {{- end }}
-  {{- end }}
+    {{- end }}
-  {{- end }}
+    {{- end }}
-  {{- if $oidcEnabled }}
+
    {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
    {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
    {{- if $dashboardKCValues }}
    {{- $dashboardKCValues | nindent 4 }}
    {{- end }}
  {{- if eq $oidcEnabled "true" }}
  dependsOn: [keycloak-configure]
  valuesFrom:
    - kind: ConfigMap
      name: kubeapps-auth-config
      valuesKey: values.yaml
  {{- else }}
  dependsOn: []
  {{- end }}
--- a/packages/core/testing/images/e2e-sandbox/Dockerfile
+++ b/packages/core/testing/images/e2e-sandbox/Dockerfile
@@ -1,8 +1,8 @@
 FROM ubuntu:22.04
-ARG KUBECTL_VERSION=1.31.0
+ARG KUBECTL_VERSION=1.32.0
-ARG TALOSCTL_VERSION=1.7.6
+ARG TALOSCTL_VERSION=1.8.4
-ARG HELM_VERSION=3.15.4
+ARG HELM_VERSION=3.16.4
 RUN apt-get update
 RUN apt-get -y install genisoimage qemu-kvm qemu-utils iproute2 iptables wget xz-utils netcat curl jq
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.19.0@sha256:1a26a511b9e269bcb607e2d80f878d7c2d993b7a2a7a3a2a1042470c8c56b061
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.21.0@sha256:38229517c86e179984a6d39f5510b859d13d965e35b216bc01ce456f9ab5f8b5
--- a/packages/extra/monitoring/Chart.yaml
+++ b/packages/extra/monitoring/Chart.yaml
@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.5.1
+version: 1.5.3
--- a/packages/extra/monitoring/README.md
+++ b/packages/extra/monitoring/README.md
@@ -4,12 +4,13 @@
 ### Common parameters
-| Name                            | Description                                                                                               | Value                                            |
+| Name                            | Description                                                                                               | Value  |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
+| ------------------------------- | --------------------------------------------------------------------------------------------------------- | ------ |
-| `host`                          | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`                                             |
+| `host`                          | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`   |
-| `metricsStorages`               | Configuration of metrics storage instances                                                                | `[]`                                             |
+| `metricsStorages`               | Configuration of metrics storage instances                                                                | `[]`   |
-| `logsStorages`                  | Configuration of logs storage instances                                                                   | `[]`                                             |
+| `logsStorages`                  | Configuration of logs storage instances                                                                   | `[]`   |
-| `alerta.storage`                | Persistent Volume size for alerta database                                                                | `10Gi`                                           |
+| `alerta.storage`                | Persistent Volume size for alerta database                                                                | `10Gi` |
-| `alerta.storageClassName`       | StorageClass used to store the data                                                                       | `""`                                             |
+| `alerta.storageClassName`       | StorageClass used to store the data                                                                       | `""`   |
-| `alerta.alerts.telegram.token`  | telegram token for your bot                                                                               | `7262461387:AAGtwq16iwuVtWtzoN6TUEMpF00fpC9Xz34` |
+| `alerta.alerts.telegram.token`  | telegram token for your bot                                                                               | `""`   |
-| `alerta.alerts.telegram.chatID` | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `-4520856007`                                    |
+| `alerta.alerts.telegram.chatID` | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `""`   |
 | `grafana.db.size`               | Persistent Volume size for grafana database                                                               | `10Gi` |
--- a/packages/extra/monitoring/templates/grafana/db.yaml
+++ b/packages/extra/monitoring/templates/grafana/db.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
  instances: 2
  storage:
-    size: 10Gi
+    size: {{ .Values.grafana.db.size }}
  inheritedMetadata:
    labels:
--- a/packages/extra/monitoring/templates/grafana/grafana.yaml
+++ b/packages/extra/monitoring/templates/grafana/grafana.yaml
@@ -30,7 +30,7 @@ spec:
      admin_user: user
      admin_password: ${GF_PASSWORD}
    plugins:
-      allow_loading_unsigned_plugins: "victorialogs-datasource"
+      allow_loading_unsigned_plugins: "victoriametrics-logs-datasource"
  deployment:
    spec:
      replicas: 2
@@ -50,8 +50,8 @@ spec:
                - |
                  set -ex
                  mkdir -p /var/lib/grafana/plugins/
-                  ver=$(curl -s https://api.github.com/repos/VictoriaMetrics/victorialogs-datasource/releases/latest | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -1)
+                  ver=$(curl -s https://api.github.com/repos/VictoriaMetrics/victorialogs-datasource/releases/latest | grep -oE 'v0\.13\.[0-9]+' | head -1)
-                  curl -L https://github.com/VictoriaMetrics/victorialogs-datasource/releases/download/$ver/victorialogs-datasource-$ver.tar.gz -o /var/lib/grafana/plugins/vl-plugin.tar.gz
+                  curl -L https://github.com/VictoriaMetrics/victorialogs-datasource/releases/download/$ver/victoriametrics-logs-datasource-$ver.tar.gz -o /var/lib/grafana/plugins/vl-plugin.tar.gz
                  tar -xf /var/lib/grafana/plugins/vl-plugin.tar.gz -C /var/lib/grafana/plugins/
                  rm /var/lib/grafana/plugins/vl-plugin.tar.gz
              volumeMounts:
--- a/packages/extra/monitoring/templates/vlogs/grafana-datasource.yaml
+++ b/packages/extra/monitoring/templates/vlogs/grafana-datasource.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
  datasource:
    access: proxy
-    type: victorialogs-datasource
+    type: victoriametrics-logs-datasource
    name: vlogs-{{ .name }}
    url: http://vlogs-{{ .name }}.{{ $.Release.Namespace }}.svc:9428
  instanceSelector:
--- a/packages/extra/monitoring/templates/vm/vmalert.yaml
+++ b/packages/extra/monitoring/templates/vm/vmalert.yaml
@@ -18,4 +18,5 @@ spec:
    url: http://vminsert-{{ .name }}.{{ $.Release.Namespace }}.svc:8480/insert/0/prometheus/api/v1/write
  resources: {}
  selectAllByDefault: true
 {{- break }}
 {{- end }}
--- a/packages/extra/monitoring/templates/vm/vmcluster.yaml
+++ b/packages/extra/monitoring/templates/vm/vmcluster.yaml
@@ -34,6 +34,12 @@ spec:
              storage: 2Gi
  vmstorage:
    replicaCount: 2
    resources:
      limits:
        memory: 1000Mi
      requests:
        cpu: 100m
        memory: 500Mi
    storage:
      volumeClaimTemplate:
        spec:
--- a/packages/extra/monitoring/values.schema.json
+++ b/packages/extra/monitoring/values.schema.json
@@ -45,18 +45,33 @@
                "token": {
                  "type": "string",
                  "description": "telegram token for your bot",
-                  "default": "7262461387:AAGtwq16iwuVtWtzoN6TUEMpF00fpC9Xz34"
+                  "default": ""
                },
                "chatID": {
                  "type": "string",
                  "description": "specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot",
-                  "default": "-4520856007"
+                  "default": ""
                }
              }
            }
          }
        }
      }
    },
    "grafana": {
      "type": "object",
      "properties": {
        "db": {
          "type": "object",
          "properties": {
            "size": {
              "type": "string",
              "description": "Persistent Volume size for grafana database",
              "default": "10Gi"
            }
          }
        }
      }
    }
  }
 }
--- a/packages/extra/monitoring/values.yaml
+++ b/packages/extra/monitoring/values.yaml
@@ -44,3 +44,9 @@ alerta:
    telegram:
      token: ""
      chatID: ""
 ## Configuration for Grafana
 ## @param grafana.db.size Persistent Volume size for grafana database
 grafana:
  db:
    size: 10Gi
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -15,7 +15,9 @@ monitoring 1.2.1 4471b4ba
 monitoring 1.3.0 6c5cf5b
 monitoring 1.4.0 adaf603b
 monitoring 1.5.0 4b90bf5a
-monitoring 1.5.1 HEAD
+monitoring 1.5.1 57e90b70
 monitoring 1.5.2 898374b5
 monitoring 1.5.3 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 9e33dc0
 seaweedfs 0.2.1 HEAD
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:b8891879e6f150a0e15afd00cd6aae1f024a245bbcca3d4569e6e3d71f512c3f
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:109b1f36e85353066b387472aaab936d7d5b691ac99547312acd26484e3ebe8e
--- a/packages/system/cilium/values.yaml
+++ b/packages/system/cilium/values.yaml
@@ -13,6 +13,6 @@ cilium:
  image:
    repository: ghcr.io/aenix-io/cozystack/cilium
    tag: 1.16.4
-    digest: "sha256:496f43b28953c44d3c08922fa850b812263935ab4d895ff63c9e282ab52f363e"
+    digest: "sha256:9c808dfa6ee2445f5606341db599b039f48e2a4a703a9236c0ae2f85c69f69a1"
  envoy:
    enabled: false
--- a/packages/system/cozystack-api/templates/configmap.yaml
+++ b/packages/system/cozystack-api/templates/configmap.yaml
@@ -71,7 +71,7 @@ data:
        labels:
          cozystack.io/ui: "true"
        chart:
-          name: http-cache
+          name: tcp-balancer
          sourceRef:
            kind: HelmRepository
            name: cozystack-apps
@@ -155,7 +155,7 @@ data:
        labels:
          cozystack.io/ui: "true"
        chart:
-          name: rabbitmq
+          name: redis
          sourceRef:
            kind: HelmRepository
            name: cozystack-apps
@@ -207,7 +207,7 @@ data:
        singular: kafka
        plural: kafkas
      release:
-        prefix: ferretdb-
+        prefix: kafka-
        labels:
          cozystack.io/ui: "true"
        chart:
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.19.0@sha256:ae79f91f8cd9d5f379cda70c6beddb9fdb508082523b652fc42eb89e9500e964
+  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.21.0@sha256:1eb7f0387ea01754107a4aabe72c2e1e7d2c55303dc15cfe9caa2c0739c0215e
--- a/packages/system/dashboard/Makefile
+++ b/packages/system/dashboard/Makefile
@@ -25,7 +25,7 @@ update-dockerfiles:
 	version=$$(echo "$$tag" | sed 's/^v//') && \
 	sed -i "s/ARG VERSION=.*/ARG VERSION=$${version}/" images/dashboard/Dockerfile
-image-dashboard:
+image-dashboard: update-version
 	docker buildx build images/dashboard \
 		--provenance false \
 		--tag $(REGISTRY)/dashboard:$(call settag,$(TAG)) \
@@ -44,7 +44,7 @@ image-dashboard:
 		yq -i '.kubeapps.dashboard.image.digest = strenv(DIGEST)' values.yaml
 	rm -f images/dashboard.json
-image-kubeapps-apis:
+image-kubeapps-apis: update-version
 	docker buildx build images/kubeapps-apis \
 		--provenance false \
 		--tag $(REGISTRY)/kubeapps-apis:$(call settag,$(TAG)) \
@@ -62,3 +62,6 @@ image-kubeapps-apis:
 	DIGEST=$$(yq e '."containerimage.digest"' images/kubeapps-apis.json -o json -r) \
 		yq -i '.kubeapps.kubeappsapis.image.digest = strenv(DIGEST)' values.yaml
 	rm -f images/kubeapps-apis.json
 update-version:
 	sed -i "s|\(\"appVersion\":\).*|\1 \"$(TAG)\",|g" ./charts/kubeapps/templates/dashboard/configmap.yaml
--- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
@@ -76,7 +76,7 @@ data:
      "kubeappsNamespace": {{ .Release.Namespace | quote }},
      "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
      "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": {{ printf "v%s" .Chart.AppVersion | quote }},
+      "appVersion": "v0.21.0",
      "authProxyEnabled": {{ .Values.authProxy.enabled }},
      "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
      "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},
--- a/packages/system/dashboard/images/dashboard/Dockerfile
+++ b/packages/system/dashboard/images/dashboard/Dockerfile
--- a/packages/system/dashboard/images/dashboard/documentation.diff
+++ b/packages/system/dashboard/images/dashboard/documentation.diff
@@ -0,0 +1,13 @@
 diff --git a/dashboard/src/components/AppList/AppListGrid.tsx b/dashboard/src/components/AppList/AppListGrid.tsx
 index d3261e459..dee6a50c1 100644
 --- a/dashboard/src/components/AppList/AppListGrid.tsx
 +++ b/dashboard/src/components/AppList/AppListGrid.tsx
@@ -42,7 +42,7 @@ function AppListGrid(props: IAppListProps) {
           Start browsing your <Link to={url.app.catalog(cluster, namespace)}>favourite apps</Link>{" "}
           or check the{" "}
           <a
 -            href={`https://github.com/vmware-tanzu/kubeapps/blob/${appVersion}/site/content/docs/latest/tutorials/getting-started.md`}
 +            href={"https://cozystack.io/docs/"}
             target="_blank"
             rel="noopener noreferrer"
           >
--- a/packages/system/dashboard/images/dashboard/release-url.diff
+++ b/packages/system/dashboard/images/dashboard/release-url.diff
@@ -0,0 +1,34 @@
 diff --git a/dashboard/src/shared/url.ts b/dashboard/src/shared/url.ts
 index 7918652b0..64c3435af 100644
 --- a/dashboard/src/shared/url.ts
 +++ b/dashboard/src/shared/url.ts
@@ -36,7 +36,7 @@ export const app = {
       return `${app.apps.list(
         pkgCluster,
         pkgNamespace,
 -      )}/${pkgPluginName}/${pkgPluginVersion}/${pkgId}`;
 +      )}/${pkgPluginName}/${pkgPluginVersion}/${encodeURIComponent(pkgId)}`;
     },
     upgrade: (ref: InstalledPackageReference) => `${app.apps.get(ref)}/upgrade`,
     upgradeTo: (ref: InstalledPackageReference, version?: string) =>
 diff --git a/dashboard/src/components/DeploymentForm/DeploymentForm.tsx b/dashboard/src/components/DeploymentForm/DeploymentForm.tsx
 index 7ccb77b5d..589f72b65 100644
 --- a/dashboard/src/components/DeploymentForm/DeploymentForm.tsx
 +++ b/dashboard/src/components/DeploymentForm/DeploymentForm.tsx
@@ -144,13 +144,15 @@ export default function DeploymentForm() {
       );
       setDeploying(false);
       if (deployed) {
 +        const chartParts = packageId?.split("/") || [];
 +        const kind = chartParts[chartParts.length - 1];
         push(
           // Redirect to the installed package, note that the cluster/ns are the ones passed
           // in the URL, not the ones from the package.
           url.app.apps.get({
             context: { cluster: targetCluster, namespace: targetNamespace },
             plugin: pluginObj,
 -            identifier: releaseName,
 +            identifier: `${kind}%2F${releaseName}`,
           } as AvailablePackageReference),
         );
       }
--- a/packages/system/dashboard/images/dashboard/remove-manage-repositories.diff
+++ b/packages/system/dashboard/images/dashboard/remove-manage-repositories.diff
@@ -0,0 +1,66 @@
 diff --git a/dashboard/src/components/Catalog/Catalog.tsx b/dashboard/src/components/Catalog/Catalog.tsx
 index 5f2d2a1c5..093cb598d 100644
 --- a/dashboard/src/components/Catalog/Catalog.tsx
 +++ b/dashboard/src/components/Catalog/Catalog.tsx
@@ -15,7 +15,6 @@ import qs from "qs";
 import React, { useEffect } from "react";
 import { useDispatch, useSelector } from "react-redux";
 import * as ReactRouter from "react-router-dom";
 -import { Link } from "react-router-dom";
 import { IClusterServiceVersion, IStoreState } from "shared/types";
 import { app } from "shared/url";
 import { escapeRegExp, getPluginPackageName } from "shared/utils";
@@ -85,7 +84,6 @@ export default function Catalog() {
     operators,
     repos: { reposSummaries: repos },
     config: {
 -      appVersion,
       kubeappsCluster,
       helmGlobalNamespace,
       carvelGlobalNamespace,
@@ -420,24 +418,6 @@ export default function Catalog() {
         <div className="empty-catalog">
           <CdsIcon shape="bundle" />
           <p>The current catalog is empty.</p>
 -          <p>
 -            Manage your Package Repositories in Kubeapps by visiting the Package repositories
 -            configuration page.
 -          </p>
 -          <Link to={app.config.pkgrepositories(cluster || "", namespace || "")}>
 -            <CdsButton>Manage Package Repositories</CdsButton>
 -          </Link>
 -          <p>
 -            For help managing other packaging formats, such as Flux or Carvel, please refer to the{" "}
 -            <a
 -              target="_blank"
 -              rel="noopener noreferrer"
 -              href={`https://github.com/vmware-tanzu/kubeapps/tree/${appVersion}/site/content/docs/latest`}
 -            >
 -              Kubeapps documentation
 -            </a>
 -            .
 -          </p>
         </div>
       ) : (
         <Row>
 diff --git a/dashboard/src/components/Header/Menu.tsx b/dashboard/src/components/Header/Menu.tsx
 index c8ec1da8c..e59f90190 100644
 --- a/dashboard/src/components/Header/Menu.tsx
 +++ b/dashboard/src/components/Header/Menu.tsx
@@ -78,16 +78,6 @@ function Menu({ clusters, appVersion, logout }: IContextSelectorProps) {
           <div className="dropdown-menu dropdown-configuration-menu" role="menu" hidden={!open}>
             <div>
               <label className="dropdown-menu-padding dropdown-menu-label">Administration</label>
 -              <Link
 -                to={app.config.pkgrepositories(clusters.currentCluster, namespaceSelected)}
 -                className="dropdown-menu-link"
 -                onClick={toggleOpen}
 -              >
 -                <div className="dropdown-menu-item" role="menuitem">
 -                  <CdsIcon solid={true} size="md" shape="library" />{" "}
 -                  <span>Package Repositories</span>
 -                </div>
 -              </Link>
               <div className="dropdown-divider" role="separator" />
               {featureFlags?.operators && (
                 <Link
--- a/packages/system/dashboard/images/kubeapps-apis/Dockerfile
+++ b/packages/system/dashboard/images/kubeapps-apis/Dockerfile
@@ -4,20 +4,12 @@
 # syntax = docker/dockerfile:1
 FROM alpine as source
-ARG VERSION=v2.11.0
+ARG COMMIT_REF=e146cf8660c58a4f585611ab3cbce62ebfa4c5a3
 RUN apk add --no-cache patch
 WORKDIR /source
-RUN wget -O- https://github.com/vmware-tanzu/kubeapps/archive/refs/tags/${VERSION}.tar.gz | tar xzf - --strip-components=1
+RUN wget -O- https://github.com/aenix-io/kubeapps/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
 COPY fluxcd.diff /patches/fluxcd.diff
 COPY labels.diff /patches/labels.diff
 COPY reconcile-strategy.diff /patches/reconcile-strategy.diff
 COPY dashboard-resource.diff /patches/dashboard-resource.diff
 RUN patch -p1 < /patches/fluxcd.diff
 RUN patch -p1 < /patches/labels.diff
 RUN patch -p1 < /patches/reconcile-strategy.diff
 RUN patch -p1 < /patches/dashboard-resource.diff
-FROM bitnami/golang:1.22.5 AS builder
+FROM bitnami/golang:1.23.4 AS builder
 WORKDIR /go/src/github.com/vmware-tanzu/kubeapps
 COPY --from=source /source/go.mod /source/go.sum ./
 ARG VERSION="devel"
@@ -45,7 +37,6 @@ RUN curl -sSL "https://github.com/bufbuild/buf/releases/download/v$BUF_VERSION/b
 # TODO: Remove and instead use built-in gRPC container probes once we're supporting >= 1.24 only. https://kubernetes.io/blog/2022/05/13/grpc-probes-now-in-beta/
 RUN curl -sSL "https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/v${GRPC_HEALTH_PROBE_VERSION}/grpc_health_probe-linux-${TARGETARCH}" -o "/bin/grpc_health_probe" && chmod +x "/bin/grpc_health_probe"
 # With the trick below, Go's build cache is kept between builds.
 # https://github.com/golang/go/issues/27719#issuecomment-514747274
 RUN --mount=type=cache,target=/go/pkg/mod  \
--- a/packages/system/dashboard/images/kubeapps-apis/dashboard-resource.diff
+++ b/packages/system/dashboard/images/kubeapps-apis/dashboard-resource.diff
@@ -1,155 +0,0 @@
 diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go
 index 53fac6474..4602a1148 100644
 --- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go
 +++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go
@@ -5,6 +5,7 @@ package main
 import (
 	"context"
 +	"encoding/json"
 	"fmt"
 	"net/http"
@@ -16,7 +17,6 @@ import (
 	helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2"
 	sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2"
 	authorizationv1 "k8s.io/api/authorization/v1"
 -	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
@@ -28,12 +28,16 @@ import (
 	"github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/plugins/fluxv2/packages/v1alpha1"
 	"github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache"
 	"github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common"
 -	"github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/clientgetter"
 	"github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/paginate"
 	"github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/pkgutils"
 -	"github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/resourcerefs"
 +	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	log "k8s.io/klog/v2"
 	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 +
 +	"github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/clientgetter"
 +	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 +	"k8s.io/client-go/discovery/cached/memory"
 +	"k8s.io/client-go/restmapper"
 )
 // Compile-time statement to ensure this service implementation satisfies the core packaging API
@@ -135,6 +139,7 @@ func NewServer(configGetter core.KubernetesConfigGetter, kubeappsCluster string,
 			if err != nil {
 				log.Fatalf("%s", err)
 			}
 +
 			return &Server{
 				clientGetter:               clientProvider,
 				serviceAccountClientGetter: backgroundClientGetter,
@@ -462,36 +467,84 @@ func (s *Server) DeleteInstalledPackage(ctx context.Context, request *connect.Re
 // resources created by an installed package.
 func (s *Server) GetInstalledPackageResourceRefs(ctx context.Context, request *connect.Request[corev1.GetInstalledPackageResourceRefsRequest]) (*connect.Response[corev1.GetInstalledPackageResourceRefsResponse], error) {
 	pkgRef := request.Msg.GetInstalledPackageRef()
 -	identifier := pkgRef.GetIdentifier()
 -	log.InfoS("+fluxv2 GetInstalledPackageResourceRefs", "cluster", pkgRef.GetContext().GetCluster(), "namespace", pkgRef.GetContext().GetNamespace(), "id", identifier)
 +	log.InfoS("+fluxv2 GetInstalledPackageResourceRefs", "cluster", pkgRef.GetContext().GetCluster(), "namespace", pkgRef.GetContext().GetNamespace(), "id", pkgRef.GetIdentifier())
 -	key := types.NamespacedName{Namespace: pkgRef.Context.Namespace, Name: identifier}
 -	rel, err := s.getReleaseInCluster(ctx, request.Header(), key)
 +	// Getting dynamic client
 +	dynamicClient, err := s.clientGetter.Dynamic(request.Header(), pkgRef.GetContext().GetCluster())
 	if err != nil {
 +		log.Errorf("Failed to get dynamic client: %v", err)
 		return nil, err
 	}
 -	hrName := helmReleaseName(key, rel)
 -	refs, err := resourcerefs.GetInstalledPackageResourceRefs(request.Header(), hrName, s.actionConfigGetter)
 +
 +	// Getting Discovery Client to work with RESTMapper
 +	discoveryClient, err := s.clientGetter.Typed(request.Header(), pkgRef.GetContext().GetCluster())
 	if err != nil {
 +		log.Errorf("Failed to create discovery client: %v", err)
 		return nil, err
 -	} else {
 -		return connect.NewResponse(
 -			&corev1.GetInstalledPackageResourceRefsResponse{
 -				Context: &corev1.Context{
 -					Cluster: s.kubeappsCluster,
 -					// TODO (gfichtenholt) it is not specifically called out in the spec why there is a
 -					// need for a Context in the response and MORE imporantly what the value of Namespace
 -					// field should be. In particular, there is use case when Flux Helm Release in
 -					// installed in ns1 but specifies targetNamespace as test2. Should we:
 -					//  (a) return ns1 (the namespace where CRs are installed) OR
 -					//  (b) return ns2 (the namespace where flux installs the resources specified by the
 -					//    release).
 -					// For now lets use (a)
 -					Namespace: key.Namespace,
 -				},
 -				ResourceRefs: refs,
 -			}), nil
 	}
 +	mapper := restmapper.NewDeferredDiscoveryRESTMapper(memory.NewMemCacheClient(discoveryClient.Discovery()))
 +
 +	// Getting the role
 +	roleGVR := schema.GroupVersionResource{Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "roles"}
 +	roleName := fmt.Sprintf("%s-dashboard-resources", pkgRef.GetIdentifier())
 +	namespace := pkgRef.GetContext().GetNamespace()
 +	role, err := dynamicClient.Resource(roleGVR).Namespace(namespace).Get(ctx, roleName, metav1.GetOptions{})
 +	if err != nil {
 +		log.Errorf("Failed to get role %s: %v", roleName, err)
 +		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("Unable to get role %s: %w", roleName, err))
 +	}
 +
 +	// Logging Role content for debugging
 +	roleContent, _ := json.Marshal(role)
 +	log.Infof("Role content: %s", string(roleContent))
 +
 +	// Parsing rules from Role and creating ResourceRefs
 +	resourcesFromRole := make([]*corev1.ResourceRef, 0)
 +	rules, found, _ := unstructured.NestedSlice(role.Object, "rules")
 +	if !found {
 +		log.Errorf("No rules found in role %s", roleName)
 +		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("No rules found in role %s", roleName))
 +	}
 +
 +	for _, rule := range rules {
 +		r := rule.(map[string]interface{})
 +		resources, _ := r["resources"].([]interface{})
 +		apiGroups, _ := r["apiGroups"].([]interface{})
 +
 +		for _, resource := range resources {
 +			resourceStr := resource.(string)
 +			for _, apiGroup := range apiGroups {
 +				apiGroupStr := apiGroup.(string)
 +
 +				// Using GroupVersionResource to get GroupVersionKind
 +				gvr := schema.GroupVersionResource{Group: apiGroupStr, Version: "v1", Resource: resourceStr}
 +				gvk, err := mapper.KindFor(gvr)
 +				if err != nil {
 +					log.Errorf("Failed to get GroupVersionKind for GVR %v: %v", gvr, err)
 +					continue
 +				}
 +
 +				resourceNames, _ := r["resourceNames"].([]interface{})
 +				for _, resourceName := range resourceNames {
 +					resourceNameStr := resourceName.(string)
 +					resourcesFromRole = append(resourcesFromRole, &corev1.ResourceRef{
 +						ApiVersion: gvk.GroupVersion().String(),
 +						Kind:       gvk.Kind,
 +						Name:       resourceNameStr,
 +						Namespace:  namespace,
 +					})
 +				}
 +			}
 +		}
 +	}
 +
 +	return connect.NewResponse(&corev1.GetInstalledPackageResourceRefsResponse{
 +		Context: &corev1.Context{
 +			Cluster:   s.kubeappsCluster,
 +			Namespace: namespace,
 +		},
 +		ResourceRefs: resourcesFromRole,
 +	}), nil
 }
 func (s *Server) AddPackageRepository(ctx context.Context, request *connect.Request[corev1.AddPackageRepositoryRequest]) (*connect.Response[corev1.AddPackageRepositoryResponse], error) {
--- a/packages/system/dashboard/images/kubeapps-apis/dockerfile.diff
+++ b/packages/system/dashboard/images/kubeapps-apis/dockerfile.diff
@@ -1,38 +0,0 @@
 --- b/system/kubeapps/images/kubeapps-apis/Dockerfile
 +++ a/system/kubeapps/images/kubeapps-apis/Dockerfile
@@ -3,9 +3,19 @@
 # syntax = docker/dockerfile:1
 +FROM alpine as source
 +ARG VERSION=v2.11.0
 +RUN apk add --no-cache patch
 +WORKDIR /source
 +RUN wget -O- https://github.com/vmware-tanzu/kubeapps/archive/refs/tags/${VERSION}.tar.gz | tar xzf - --strip-components=1
 +COPY fluxcd.diff /patches/fluxcd.diff
 +COPY labels.diff /patches/labels.diff
 +COPY reconcile-strategy.diff /patches/reconcile-strategy.diff
 +COPY dashboard-resource.diff /patches/dashboard-resource.diff
 +RUN patch -p1 < /patches/fluxcd.diff
 +RUN patch -p1 < /patches/labels.diff
 +RUN patch -p1 < /patches/reconcile-strategy.diff
 +RUN patch -p1 < /patches/dashboard-resource.diff
 +
 FROM bitnami/golang:1.22.2 as builder
 WORKDIR /go/src/github.com/vmware-tanzu/kubeapps
 -COPY go.mod go.sum ./
 +COPY --from=source /source/go.mod /source/go.sum ./
 ARG VERSION="devel"
 ARG TARGETARCH
@@ -40,8 +52,8 @@
 # We don't copy the pkg and cmd directories until here so the above layers can
 # be reused.
 -COPY pkg pkg
 -COPY cmd cmd
 +COPY --from=source /source/pkg pkg
 +COPY --from=source /source/cmd cmd
 RUN if [ ! -z ${lint:-} ]; then \
     # Run golangci-lint to detect issues
--- a/packages/system/dashboard/images/kubeapps-apis/fluxcd.diff
+++ b/packages/system/dashboard/images/kubeapps-apis/fluxcd.diff
--- a/packages/system/dashboard/images/kubeapps-apis/labels.diff
+++ b/packages/system/dashboard/images/kubeapps-apis/labels.diff
@@ -1,69 +0,0 @@
 diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go
 index c489cb6ca..8884a6484 100644
 --- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go
 +++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go
@@ -29,8 +29,10 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 +	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	log "k8s.io/klog/v2"
 +	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 )
@@ -54,7 +56,10 @@ func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header,
 	// see any results created/updated/deleted after the first request is issued
 	// To fix this, we must make use of resourceVersion := relList.GetResourceVersion()
 	var relList helmv2.HelmReleaseList
 -	if err = client.List(ctx, &relList); err != nil {
 +	listOptions := ctrlclient.ListOptions{
 +		LabelSelector: labels.SelectorFromSet(labels.Set{"cozystack.io/ui": "true"}),
 +	}
 +	if err = client.List(ctx, &relList, &listOptions); err != nil {
 		return nil, connecterror.FromK8sError("list", "HelmRelease", namespace+"/*", err)
 	} else {
 		return relList.Items, nil
@@ -512,6 +517,9 @@ func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.Namesp
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      targetName.Name,
 			Namespace: targetName.Namespace,
 +			Labels: map[string]string{
 +				"cozystack.io/ui": "true",
 +			},
 		},
 		Spec: helmv2.HelmReleaseSpec{
 			Chart: helmv2.HelmChartTemplate{
 diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go
 index 790b21514..539276a17 100644
 --- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go
 +++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go
@@ -32,6 +32,7 @@ import (
 	apiv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 +	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	log "k8s.io/klog/v2"
@@ -64,7 +65,8 @@ func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header,
 	var repoList sourcev1.HelmRepositoryList
 	listOptions := ctrlclient.ListOptions{
 -		Namespace: ns,
 +		Namespace:     ns,
 +		LabelSelector: labels.SelectorFromSet(labels.Set{"cozystack.io/ui": "true"}),
 	}
 	if err := client.List(backgroundCtx, &repoList, &listOptions); err != nil {
 		return nil, connecterror.FromK8sError("list", "HelmRepository", "", err)
@@ -927,6 +929,9 @@ func newFluxHelmRepo(
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      targetName.Name,
 			Namespace: targetName.Namespace,
 +			Labels: map[string]string{
 +				"cozystack.io/ui": "true",
 +			},
 		},
 		Spec: sourcev1.HelmRepositorySpec{
 			URL:      url,
--- a/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff
+++ b/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff
@@ -1,12 +0,0 @@
 diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go
 index 8884a6484..4bf77071c 100644
 --- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go
 +++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go
@@ -530,6 +530,7 @@ func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.Namesp
 						Kind:      sourcev1.HelmRepositoryKind,
 						Namespace: chart.Repo.Namespace,
 					},
 +					ReconcileStrategy: "Revision",
 				},
 			},
 		},
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -1,4 +1,11 @@
 kubeapps:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/client-max-body-size: 1m
      nginx.ingress.kubernetes.io/proxy-body-size: 100m
      nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
      nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
  fullnameOverride: dashboard
  postgresql:
    enabled: false
@@ -33,11 +40,310 @@ kubeapps:
    image:
      registry: ghcr.io/aenix-io/cozystack
      repository: dashboard
-      tag: v0.19.0
+      tag: v0.21.0
-      digest: "sha256:bc3474db3cff7937fb1b18bc6fa413fc245866ae727e9e9af6c93d3733e0316a"
+      digest: "sha256:4ec2a6b6e7b92351d5483cda6c65a2a3e9a9c6ff619a6f21b0bb96c469f871ad"
  kubeappsapis:
    image:
      registry: ghcr.io/aenix-io/cozystack
      repository: kubeapps-apis
-      tag: v0.19.0
+      tag: v0.21.0
-      digest: "sha256:da558e5ccdb129819e16db55d5501f7e62cd54b2ea0ce2fdee38bf89c17ff5ce"
+      digest: "sha256:ee4d0e44fc86c5c8b03a3c516233354e666f354ed2bb853e73403e9a3060ca2f"
    pluginConfig:
      flux:
        packages:
          v1alpha1:
            resources:
              - application:
                  kind: Bucket
                  singular: bucket
                  plural: buckets
                release:
                  prefix: bucket-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: bucket
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: ClickHouse
                  singular: clickhouse
                  plural: clickhouses
                release:
                  prefix: clickhouse-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: clickhouse
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: HTTPCache
                  singular: httpcache
                  plural: httpcaches
                release:
                  prefix: http-cache-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: http-cache
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: NATS
                  singular: nats
                  plural: natses
                release:
                  prefix: nats-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: nats
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: TCPBalancer
                  singular: tcpbalancer
                  plural: tcpbalancers
                release:
                  prefix: tcp-balancer-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: tcp-balancer
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: VirtualMachine
                  singular: virtualmachine
                  plural: virtualmachines
                release:
                  prefix: virtual-machine-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: virtual-machine
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: VPN
                  singular: vpn
                  plural: vpns
                release:
                  prefix: vpn-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: vpn
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: MySQL
                  singular: mysql
                  plural: mysqls
                release:
                  prefix: mysql-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: mysql
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: Tenant
                  singular: tenant
                  plural: tenants
                release:
                  prefix: tenant-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: tenant
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: Kubernetes
                  singular: kubernetes
                  plural: kuberneteses
                release:
                  prefix: kubernetes-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: kubernetes
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: Redis
                  singular: redis
                  plural: redises
                release:
                  prefix: redis-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: redis
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: RabbitMQ
                  singular: rabbitmq
                  plural: rabbitmqs
                release:
                  prefix: rabbitmq-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: rabbitmq
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: Postgres
                  singular: postgres
                  plural: postgreses
                release:
                  prefix: postgres-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: postgres
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: FerretDB
                  singular: ferretdb
                  plural: ferretdb
                release:
                  prefix: ferretdb-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: ferretdb
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: Kafka
                  singular: kafka
                  plural: kafkas
                release:
                  prefix: kafka-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: kafka
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: VMDisk
                  plural: vmdisks
                  singular: vmdisk
                release:
                  prefix: vm-disk-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: vm-disk
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: VMInstance
                  plural: vminstances
                  singular: vminstance
                release:
                  prefix: vm-instance-
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: vm-instance
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-apps
                      namespace: cozy-public
              - application:
                  kind: Monitoring
                  plural: monitorings
                  singular: monitoring
                release:
                  prefix: ""
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: monitoring
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-extra
                      namespace: cozy-public
              - application:
                  kind: Etcd
                  plural: etcds
                  singular: etcd
                release:
                  prefix: ""
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: etcd
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-extra
                      namespace: cozy-public
              - application:
                  kind: Ingress
                  plural: ingresses
                  singular: ingress
                release:
                  prefix: ""
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: ingress
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-extra
                      namespace: cozy-public
              - application:
                  kind: SeaweedFS
                  plural: seaweedfses
                  singular: seaweedfs
                release:
                  prefix: ""
                  labels:
                    cozystack.io/ui: "true"
                  chart:
                    name: seaweedfs
                    sourceRef:
                      kind: HelmRepository
                      name: cozystack-extra
                      namespace: cozy-public
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,7 +3,7 @@ kamaji:
    deploy: false
  image:
    pullPolicy: IfNotPresent
-    tag: v0.19.0@sha256:3da74afcc569fa2e706d41d7fc14a473b3b972c8b07004a5ebaca0b59bf492e4
+    tag: v0.21.0@sha256:711950105680caabaab5532c6bf6f3d3d3c07b6aff39361a1102b4139611d894
    repository: ghcr.io/aenix-io/cozystack/kamaji
  resources:
    limits:
--- a/packages/system/keycloak-configure/templates/configure-kk.yaml
+++ b/packages/system/keycloak-configure/templates/configure-kk.yaml
@@ -112,8 +112,6 @@ spec:
 ---
 ---
 apiVersion: v1.edp.epam.com/v1
 kind: KeycloakClient
 metadata:
@@ -220,10 +218,10 @@ data:
 apiVersion: v1.edp.epam.com/v1
 kind: KeycloakRealmGroup
 metadata:
-  name: kubeapps-admin
+  name: cozystack-cluster-admin
-  namespace: cozy-dashboard
+  namespace: cozy-system
 spec:
-  name: kubeapps-admin
+  name: cozystack-cluster-admin
  realmRef:
    name: keycloakrealm-cozy
    kind: ClusterKeycloakRealm
--- a/packages/system/keycloak-configure/templates/rolebinding.yaml
+++ b/packages/system/keycloak-configure/templates/rolebinding.yaml
@@ -1,13 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kubeapps-admin-group
+  name: cozystack-cluster-admin-group
  namespace: cozy-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: admin
+  name: cozystack-cluster-admin
 subjects:
 - apiGroup: rbac.authorization.k8s.io
  kind: Group
-  name: kubeapps-admin
+  name: cozystack-cluster-admin
--- a/packages/system/keycloak-configure/templates/roles.yaml
+++ b/packages/system/keycloak-configure/templates/roles.yaml
@@ -0,0 +1,15 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: cozystack-cluster-admin
 rules:
 - apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
 - nonResourceURLs:
  - '*'
  verbs:
  - '*'
--- a/packages/system/kubeovn/Makefile
+++ b/packages/system/kubeovn/Makefile
@@ -8,8 +8,9 @@ include ../../../scripts/package.mk
 update:
 	rm -rf charts && mkdir -p charts/kube-ovn
-	curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/heads/master.tar.gz | \
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/kubeovn/kube-ovn | awk -F'[/^]' 'END{print $$3}') && \
-	tar xzvf - --strip 1 kube-ovn-master/charts
+	curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/tags/$${tag}.tar.gz | \
 	tar xzvf - --strip 1 kube-ovn-$${tag#*v}/charts
 	patch --no-backup-if-mismatch -p4 < patches/cozyconfig.diff
 	patch --no-backup-if-mismatch -p4 < patches/mtu.diff
--- a/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
@@ -75,3 +75,11 @@ Number of master nodes
    {{- end -}}
  {{- end -}}
 {{- end -}}
 {{- define "kubeovn.runAsUser" -}}
  {{- if $.Values.func.ENABLE_OVN_IPSEC -}}
    0
  {{- else -}}
    65534
  {{- end -}}
 {{- end -}}
--- a/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
@@ -40,15 +40,42 @@ spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: ovn-ovs
      hostNetwork: true
      initContainers:
        - name: hostpath-init
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
            - sh
            - -c
            - "chown -R nobody: /var/run/ovn /etc/ovn /var/log/ovn"
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
            privileged: true
            runAsUser: 0
          volumeMounts:
            - mountPath: /var/run/ovn
              name: host-run-ovn
            - mountPath: /etc/ovn
              name: host-config-ovn
            - mountPath: /var/log/ovn
              name: host-log-ovn
      containers:
        - name: ovn-central
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: 
          - bash
          - /kube-ovn/start-db.sh
          securityContext:
            runAsUser: {{ include "kubeovn.runAsUser" . }}
            privileged: false
            capabilities:
-              add: ["SYS_NICE"]
+              add:
                - NET_BIND_SERVICE
                - SYS_NICE
          env:
            - name: ENABLE_SSL
              value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -92,16 +119,10 @@ spec:
              cpu: {{ index .Values "ovn-central" "limits" "cpu" }}
              memory: {{ index .Values "ovn-central" "limits" "memory" }}
          volumeMounts:
            - mountPath: /var/run/openvswitch
              name: host-run-ovs
            - mountPath: /var/run/ovn
              name: host-run-ovn
            - mountPath: /etc/openvswitch
              name: host-config-openvswitch
            - mountPath: /etc/ovn
              name: host-config-ovn
            - mountPath: /var/log/openvswitch
              name: host-log-ovs
            - mountPath: /var/log/ovn
              name: host-log-ovn
            - mountPath: /etc/localtime
@@ -131,21 +152,12 @@ spec:
        {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}"
        {{- end }}
      volumes:
        - name: host-run-ovs
          hostPath:
            path: /run/openvswitch
        - name: host-run-ovn
          hostPath:
            path: /run/ovn
        - name: host-config-openvswitch
          hostPath:
            path: {{ .Values.OPENVSWITCH_DIR }}
        - name: host-config-ovn
          hostPath:
            path: {{ .Values.OVN_DIR }}
        - name: host-log-ovs
          hostPath:
            path: {{ .Values.log_conf.LOG_DIR }}/openvswitch
        - name: host-log-ovn
          hostPath:
            path: {{ .Values.log_conf.LOG_DIR }}/ovn
--- a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
@@ -47,6 +47,24 @@ spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: ovn
      hostNetwork: true
      initContainers:
        - name: hostpath-init
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
            - sh
            - -c
            - "chown -R nobody: /var/log/kube-ovn"
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
            privileged: true
            runAsUser: 0
          volumeMounts:
            - name: kube-ovn-log
              mountPath: /var/log/kube-ovn
      containers:
        - name: kube-ovn-controller
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
@@ -89,6 +107,17 @@ spec:
          - --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }}
          - --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
          - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }}
          - --secure-serving={{- .Values.func.SECURE_SERVING }}
          - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
          - --enable-anp={{- .Values.func.ENABLE_ANP }}
          - --ovsdb-con-timeout={{- .Values.func.OVSDB_CON_TIMEOUT }}
          - --ovsdb-inactivity-timeout={{- .Values.func.OVSDB_INACTIVITY_TIMEOUT }}
          securityContext:
            runAsUser: {{ include "kubeovn.runAsUser" . }}
            privileged: false
            capabilities:
              add:
                - NET_BIND_SERVICE
          env:
            - name: ENABLE_SSL
              value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -96,6 +125,10 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KUBE_NAMESPACE
              valueFrom:
                fieldRef:
@@ -106,6 +139,10 @@ spec:
                  fieldPath: spec.nodeName
            - name: OVN_DB_IPS
              value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: POD_IPS
              valueFrom:
                fieldRef:
@@ -126,17 +163,21 @@ spec:
          readinessProbe:
            exec:
              command:
-                - /kube-ovn/kube-ovn-controller-healthcheck
+                - /kube-ovn/kube-ovn-healthcheck
                - --port=10660
                - --tls={{- .Values.func.SECURE_SERVING }}
            periodSeconds: 3
-            timeoutSeconds: 45
+            timeoutSeconds: 5
          livenessProbe:
            exec:
              command:
-                - /kube-ovn/kube-ovn-controller-healthcheck
+                - /kube-ovn/kube-ovn-healthcheck
                - --port=10660
                - --tls={{- .Values.func.SECURE_SERVING }}
            initialDelaySeconds: 300
            periodSeconds: 7
            failureThreshold: 5
-            timeoutSeconds: 45
+            timeoutSeconds: 5
          resources:
            requests:
              cpu: {{ index .Values "kube-ovn-controller" "requests" "cpu" }}
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml
@@ -41,6 +41,28 @@ spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: ovn
      hostNetwork: true
      initContainers:
        - name: hostpath-init
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
            - sh
            - -c
            - "chown -R nobody: /var/run/ovn /var/log/ovn /var/log/kube-ovn"
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
            privileged: true
            runAsUser: 0
          volumeMounts:
            - mountPath: /var/run/ovn
              name: host-run-ovn
            - mountPath: /var/log/ovn
              name: host-log-ovn
            - name: kube-ovn-log
              mountPath: /var/log/kube-ovn
      containers:
        - name: ovn-ic-controller
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
@@ -52,8 +74,12 @@ spec:
          - --logtostderr=false
          - --alsologtostderr=true
          securityContext:
            runAsUser: {{ include "kubeovn.runAsUser" . }}
            privileged: false
            capabilities:
-              add: ["SYS_NICE"]
+              add:
                - NET_BIND_SERVICE
                - SYS_NICE
          env:
            - name: ENABLE_SSL
              value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -62,7 +88,7 @@ spec:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: OVN_DB_IPS
-              value: "{{ .Values.MASTER_NODES }}"
+              value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
          resources:
            requests:
              cpu: 300m
@@ -73,8 +99,6 @@ spec:
          volumeMounts:
            - mountPath: /var/run/ovn
              name: host-run-ovn
            - mountPath: /etc/ovn
              name: host-config-ovn
            - mountPath: /var/log/ovn
              name: host-log-ovn
            - mountPath: /etc/localtime
@@ -90,9 +114,6 @@ spec:
        - name: host-run-ovn
          hostPath:
            path: /run/ovn
        - name: host-config-ovn
          hostPath:
            path: /etc/origin/ovn
        - name: host-log-ovn
          hostPath:
            path: /var/log/ovn
--- a/packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml
@@ -503,6 +503,31 @@ spec:
                    type: string
                qosPolicy:
                  type: string
                bgpSpeaker:
                  type: object
                  properties:
                    enabled:
                      type: boolean
                    asn:
                      type: integer
                    remoteAsn:
                      type: integer
                    neighbors:
                      type: array
                      items:
                        type: string
                    holdTime:
                      type: string
                    routerId:
                      type: string
                    password:
                      type: string
                    enableGracefulRestart:
                      type: boolean
                    extraArgs:
                      type: array
                      items:
                        type: string
                tolerations:
                  type: array
                  items:
@@ -1300,8 +1325,12 @@ spec:
                  type: boolean
                v4Eip:
                  type: string
                v6Eip:
                  type: string
                v4Ip:
                  type: string
                v6Ip:
                  type: string
                vpc:
                  type: string
                conditions:
@@ -1493,8 +1522,12 @@ spec:
                  type: boolean
                v4Eip:
                  type: string
                v6Eip:
                  type: string
                v4Ip:
                  type: string
                v6Ip:
                  type: string
                vpc:
                  type: string
                externalPort:
@@ -1570,12 +1603,17 @@ spec:
        - jsonPath: .spec.namespaces
          name: Namespaces
          type: string
        - jsonPath: .status.defaultLogicalSwitch
          name: DefaultSubnet
          type: string
      name: v1
      schema:
        openAPIV3Schema:
          properties:
            spec:
              properties:
                defaultSubnet:
                  type: string
                enableExternal:
                  type: boolean
                enableBfd:
@@ -1976,6 +2014,10 @@ spec:
                  type: string
                u2oInterconnectionVPC:
                  type: string
                mcastQuerierIP:
                  type: string
                mcastQuerierMAC:
                  type: string
                v4usingIPrange:
                  type: string
                v4availableIPrange:
@@ -2156,6 +2198,28 @@ spec:
                  type: boolean
                routeTable:
                  type: string
                namespaceSelectors:
                  type: array
                  items:
                    type: object
                    properties:
                      matchLabels:
                        type: object
                        additionalProperties:
                          type: string
                      matchExpressions:
                        type: array
                        items:
                          type: object
                          properties:
                            key:
                              type: string
                            operator:
                              type: string
                            values:
                              type: array
                              items:
                                type: string
  scope: Cluster
  names:
    plural: subnets
--- a/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml
@@ -38,19 +38,41 @@ spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: kube-ovn-app
      hostNetwork: true
      initContainers:
        - name: hostpath-init
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
            - sh
            - -c
            - "chown -R nobody: /var/log/kube-ovn"
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
            privileged: true
            runAsUser: 0
          volumeMounts:
            - name: kube-ovn-log
              mountPath: /var/log/kube-ovn
      containers:
        - name: kube-ovn-monitor
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: ["/kube-ovn/start-ovn-monitor.sh"]
          args:
          - --secure-serving={{- .Values.func.SECURE_SERVING }}
          - --log_file=/var/log/kube-ovn/kube-ovn-monitor.log
          - --logtostderr=false
          - --alsologtostderr=true
          - --log_file_max_size=200
          securityContext:
-            runAsUser: 0
+            runAsUser: {{ include "kubeovn.runAsUser" . }}
            privileged: false
            capabilities:
              add:
                - NET_BIND_SERVICE
          env:
            - name: ENABLE_SSL
              value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -58,6 +80,18 @@ spec:
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: POD_IPS
              valueFrom:
                fieldRef:
@@ -72,12 +106,8 @@ spec:
              cpu: {{ index .Values "kube-ovn-monitor" "limits" "cpu" }}
              memory: {{ index .Values "kube-ovn-monitor" "limits" "memory" }}
          volumeMounts:
            - mountPath: /var/run/openvswitch
              name: host-run-ovs
            - mountPath: /var/run/ovn
              name: host-run-ovn
            - mountPath: /etc/openvswitch
              name: host-config-openvswitch
            - mountPath: /etc/ovn
              name: host-config-ovn
            - mountPath: /var/log/ovn
@@ -95,32 +125,32 @@ spec:
            initialDelaySeconds: 30
            periodSeconds: 7
            successThreshold: 1
-            tcpSocket:
+            exec:
-              port: 10661
+              command:
-            timeoutSeconds: 3
+                - /kube-ovn/kube-ovn-healthcheck
                - --port=10661
                - --tls={{- .Values.func.SECURE_SERVING }}
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 7
            successThreshold: 1
-            tcpSocket:
+            exec:
-              port: 10661
+              command:
-            timeoutSeconds: 3
+                - /kube-ovn/kube-ovn-healthcheck
                - --port=10661
                - --tls={{- .Values.func.SECURE_SERVING }}
            timeoutSeconds: 5
      nodeSelector:
        kubernetes.io/os: "linux"
        {{- with splitList "=" .Values.MASTER_NODES_LABEL }}
        {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}"
        {{- end }}
      volumes:
        - name: host-run-ovs
          hostPath:
            path: /run/openvswitch
        - name: host-run-ovn
          hostPath:
            path: /run/ovn
        - name: host-config-openvswitch
          hostPath:
            path: {{ .Values.OPENVSWITCH_DIR }}
        - name: host-config-ovn
          hostPath:
            path: {{ .Values.OVN_DIR }}
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml
@@ -163,7 +163,49 @@ rules:
      - get
      - list
      - watch
-
+  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  - apiGroups: 
      - "certificates.k8s.io"
    resources: 
      - "certificatesigningrequests"
    verbs: 
      - "get"
      - "list"
      - "watch"
  - apiGroups:
    - certificates.k8s.io
    resources:
    - certificatesigningrequests/status
    - certificatesigningrequests/approval
    verbs:
    - update
  - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - get
    - create
  - apiGroups:
    - certificates.k8s.io
    resourceNames:
    - kubeovn.io/signer
    resources:
    - signers
    verbs:
    - approve
    - sign
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -248,7 +290,34 @@ rules:
      - get
      - list
      - watch
-
+  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  - apiGroups: 
      - "certificates.k8s.io"
    resources: 
      - "certificatesigningrequests"
    verbs: 
      - "create" 
      - "get"
      - "list"
      - "watch"
      - "delete"
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - "get"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -271,3 +340,15 @@ rules:
      - daemonsets
    verbs:
      - get
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CRB.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CRB.yaml
@@ -10,7 +10,20 @@ subjects:
  - kind: ServiceAccount
    name: ovn
    namespace: {{ .Values.namespace }}
-
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: ovn
  namespace: {{ .Values.namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
 subjects:
  - kind: ServiceAccount
    name: ovn
    namespace: {{ .Values.namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -38,7 +51,20 @@ subjects:
  - kind: ServiceAccount
    name: kube-ovn-cni
    namespace: {{ .Values.namespace }}
-
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: kube-ovn-cni
  namespace: {{ .Values.namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
 subjects:
  - kind: ServiceAccount
    name: kube-ovn-cni
    namespace: {{ .Values.namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -52,3 +78,17 @@ subjects:
  - kind: ServiceAccount
    name: kube-ovn-app
    namespace: {{ .Values.namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: kube-ovn-app
  namespace: {{ .Values.namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
 subjects:
  - kind: ServiceAccount
    name: kube-ovn-app
    namespace: {{ .Values.namespace }}
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-sa.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-sa.yaml
@@ -18,6 +18,14 @@ kind: ServiceAccount
 metadata:
  name: ovn-ovs
  namespace: {{ .Values.namespace }}
 {{-  if .Values.global.registry.imagePullSecrets }}
 imagePullSecrets:
 {{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
 {{- if $secret }}
 - name: {{ $secret | quote}}
 {{- end }}
 {{- end }}
 {{- end }}
 ---
 apiVersion: v1
@@ -25,6 +33,14 @@ kind: ServiceAccount
 metadata:
  name: kube-ovn-cni
  namespace: {{ .Values.namespace }}
 {{-  if .Values.global.registry.imagePullSecrets }}
 imagePullSecrets:
 {{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
 {{- if $secret }}
 - name: {{ $secret | quote}}
 {{- end }}
 {{- end }}
 {{- end }}
 ---
 apiVersion: v1
@@ -32,3 +48,11 @@ kind: ServiceAccount
 metadata:
  name: kube-ovn-app
  namespace: {{ .Values.namespace }}
 {{-  if .Values.global.registry.imagePullSecrets }}
 imagePullSecrets:
 {{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
 {{- if $secret }}
 - name: {{ $secret | quote}}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
@@ -29,16 +29,52 @@ spec:
      hostNetwork: true
      hostPID: true
      initContainers:
      - name: hostpath-init
        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        command:
          - sh
          - -xec
          - {{ if not .Values.DISABLE_MODULES_MANAGEMENT -}}
            iptables -V
            {{- else -}}
            echo "nothing to do"
            {{- end }}
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            drop:
              - ALL
          privileged: true
          runAsUser: 0
          runAsGroup: 0
        volumeMounts:
          - name: usr-local-sbin
            mountPath: /usr/local/sbin
          - mountPath: /run/xtables.lock
            name: xtables-lock
            readOnly: false
          - mountPath: /var/run/netns
            name: host-ns
            readOnly: false
          - name: kube-ovn-log
            mountPath: /var/log/kube-ovn
      - name: install-cni
        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        command: ["/kube-ovn/install-cni.sh"]
+        command:
          - /kube-ovn/install-cni.sh
          - --cni-conf-dir={{ .Values.cni_conf.CNI_CONF_DIR }}
          - --cni-conf-file={{ .Values.cni_conf.CNI_CONF_FILE }}
          - --cni-conf-name={{- .Values.cni_conf.CNI_CONFIG_PRIORITY -}}-kube-ovn.conflist
        securityContext:
          runAsUser: 0
          privileged: true
        volumeMounts:
          - mountPath: /opt/cni/bin
            name: cni-bin
          - mountPath: /etc/cni/net.d
            name: cni-conf
          {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
          - mountPath: /usr/local/bin
            name: local-bin
@@ -65,9 +101,6 @@ spec:
          - --dpdk-tunnel-iface={{- .Values.networking.DPDK_TUNNEL_IFACE }}
          - --network-type={{- .Values.networking.TUNNEL_TYPE }}
          - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }}
          - --cni-conf-dir={{ .Values.cni_conf.CNI_CONF_DIR }}
          - --cni-conf-file={{ .Values.cni_conf.CNI_CONF_FILE }}
          - --cni-conf-name={{- .Values.cni_conf.CNI_CONFIG_PRIORITY -}}-kube-ovn.conflist
          - --logtostderr=false
          - --alsologtostderr=true
          - --log_file=/var/log/kube-ovn/kube-ovn-cni.log
@@ -76,12 +109,26 @@ spec:
          - --kubelet-dir={{ .Values.kubelet_conf.KUBELET_DIR }}
          - --enable-tproxy={{ .Values.func.ENABLE_TPROXY }}
          - --ovs-vsctl-concurrency={{ .Values.performance.OVS_VSCTL_CONCURRENCY }}
          - --secure-serving={{- .Values.func.SECURE_SERVING }}
          - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
          - --set-vxlan-tx-off={{- .Values.func.SET_VXLAN_TX_OFF }}
          {{- with .Values.mtu }}
          - --mtu={{ . }}
          {{- end }}
        securityContext:
          runAsUser: 0
-          privileged: true
+          privileged: false
          capabilities:
            add:
              - NET_ADMIN
              - NET_BIND_SERVICE
              - NET_RAW
              - SYS_ADMIN
              - SYS_PTRACE
              {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
              - SYS_MODULE
              {{- end }}
              - SYS_NICE
        env:
          - name: ENABLE_SSL
            value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -93,6 +140,14 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: POD_IPS
            valueFrom:
              fieldRef:
@@ -102,19 +157,22 @@ spec:
          - name: DBUS_SYSTEM_BUS_ADDRESS
            value: "unix:path=/host/var/run/dbus/system_bus_socket"
        volumeMounts:
          - name: usr-local-sbin
            mountPath: /usr/local/sbin
          - name: host-modules
            mountPath: /lib/modules
            readOnly: true
          - mountPath: /run/xtables.lock
            name: xtables-lock
            readOnly: false
          - name: shared-dir
            mountPath: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods
          - mountPath: /etc/openvswitch
            name: systemid
            readOnly: true
          - mountPath: /etc/cni/net.d
            name: cni-conf
          - mountPath: /run/openvswitch
            name: host-run-ovs
-            mountPropagation: Bidirectional
+            mountPropagation: HostToContainer
          - mountPath: /run/ovn
            name: host-run-ovn
          - mountPath: /host/var/run/dbus
@@ -132,21 +190,31 @@ spec:
          - mountPath: /etc/localtime
            name: localtime
            readOnly: true
        {{- if .Values.func.ENABLE_OVN_IPSEC }}
          - mountPath: /etc/ovs_ipsec_keys
            name: ovs-ipsec-keys
        {{- end }}
        readinessProbe:
          failureThreshold: 3
          periodSeconds: 7
          successThreshold: 1
-          tcpSocket:
+          exec:
-            port: 10665
+            command:
-          timeoutSeconds: 3
+              - /kube-ovn/kube-ovn-healthcheck
              - --port=10665
              - --tls={{- .Values.func.SECURE_SERVING }}
          timeoutSeconds: 5
        livenessProbe:
          failureThreshold: 3
          initialDelaySeconds: 30
          periodSeconds: 7
          successThreshold: 1
-          tcpSocket:
+          exec:
-            port: 10665
+            command:
-          timeoutSeconds: 3
+              - /kube-ovn/kube-ovn-healthcheck
              - --port=10665
              - --tls={{- .Values.func.SECURE_SERVING }}
          timeoutSeconds: 5
        resources:
          requests:
            cpu: {{ index .Values "kube-ovn-cni" "requests" "cpu" }}
@@ -157,9 +225,15 @@ spec:
      nodeSelector:
        kubernetes.io/os: "linux"
      volumes:
        - name: usr-local-sbin
          emptyDir: {}
        - name: host-modules
          hostPath:
            path: /lib/modules
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        - name: shared-dir
          hostPath:
            path: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods
@@ -201,3 +275,8 @@ spec:
          hostPath:
            path: {{ .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
        {{- end }}
        {{- if .Values.func.ENABLE_OVN_IPSEC }}
        - name: ovs-ipsec-keys
          hostPath:
            path: /etc/origin/ovs_ipsec_keys
        {{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml
@@ -36,6 +36,46 @@ spec:
      serviceAccountName: ovn-ovs
      hostNetwork: true
      hostPID: true
      initContainers:
        - name: hostpath-init
          {{- if .Values.DPDK }}
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.DPDK_VERSION }}-{{ .Values.global.images.kubeovn.tag }}
          {{- else }}
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          {{- end }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
            - sh
            - -xec
            - |
              chown -R nobody: /var/run/ovn /var/log/ovn /etc/openvswitch /var/run/openvswitch /var/log/openvswitch
              {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
              iptables -V
              {{- else }}
              ln -sf /bin/true /usr/local/sbin/modprobe
              ln -sf /bin/true /usr/local/sbin/modinfo
              ln -sf /bin/true /usr/local/sbin/rmmod
              {{- end }}
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
            privileged: true
            runAsUser: 0
          volumeMounts:
            - mountPath: /usr/local/sbin
              name: usr-local-sbin
            - mountPath: /var/log/ovn
              name: host-log-ovn
            - mountPath: /var/run/ovn
              name: host-run-ovn
            - mountPath: /etc/openvswitch
              name: host-config-openvswitch
            - mountPath: /var/run/openvswitch
              name: host-run-ovs
            - mountPath: /var/log/openvswitch
              name: host-log-ovs
      containers:
        - name: openvswitch
          {{- if .Values.DPDK }}
@@ -47,22 +87,20 @@ spec:
          {{- if .Values.DPDK }}
          command: ["/kube-ovn/start-ovs-dpdk.sh"]
          {{- else }}
-          command: 
+          command: ["/kube-ovn/start-ovs.sh"]
          {{- if .Values.DISABLE_MODULES_MANAGEMENT }}
          - /bin/sh
          - -ec
          - |
              ln -sf /bin/true /usr/sbin/modprobe
              ln -sf /bin/true /usr/sbin/modinfo
              ln -sf /bin/true /usr/sbin/rmmod
              exec /kube-ovn/start-ovs.sh
          {{- else }}
          - /kube-ovn/start-ovs.sh
          {{- end }}
          {{- end }}
          securityContext:
-            runAsUser: 0
+            runAsUser: {{ include "kubeovn.runAsUser" . }}
-            privileged: true
+            privileged: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_BIND_SERVICE
                {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}
                - SYS_MODULE
                {{- end }}
                - SYS_NICE
                - SYS_ADMIN
          env:
            - name: ENABLE_SSL
              value: "{{ .Values.networking.ENABLE_SSL }}"
@@ -93,9 +131,8 @@ spec:
            - name: OVN_REMOTE_OPENFLOW_INTERVAL
              value: "{{ .Values.networking.OVN_REMOTE_OPENFLOW_INTERVAL }}"
          volumeMounts:
-            - mountPath: /var/run/netns
+            - mountPath: /usr/local/sbin
-              name: host-ns
+              name: usr-local-sbin
              mountPropagation: HostToContainer
            - mountPath: /lib/modules
              name: host-modules
              readOnly: true
@@ -105,8 +142,6 @@ spec:
              name: host-run-ovn
            - mountPath: /etc/openvswitch
              name: host-config-openvswitch
            - mountPath: /etc/ovn
              name: host-config-ovn
            - mountPath: /var/log/openvswitch
              name: host-log-ovs
            - mountPath: /var/log/ovn
@@ -175,6 +210,8 @@ spec:
      nodeSelector:
        kubernetes.io/os: "linux"
      volumes:
        - name: usr-local-sbin
          emptyDir: {}
        - name: host-modules
          hostPath:
            path: /lib/modules
@@ -187,9 +224,6 @@ spec:
        - name: host-config-openvswitch
          hostPath:
            path: {{ .Values.OPENVSWITCH_DIR }}
        - name: host-config-ovn
          hostPath:
            path: {{ .Values.OVN_DIR }}
        - name: host-log-ovs
          hostPath:
            path: {{ .Values.log_conf.LOG_DIR }}/openvswitch
@@ -203,9 +237,6 @@ spec:
          secret:
            optional: true
            secretName: kube-ovn-tls
        - name: host-ns
          hostPath:
            path: /var/run/netns
        - hostPath:
            path: /var/run/containerd
          name: cruntime
--- a/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml
@@ -29,6 +29,24 @@ spec:
          operator: Exists
      serviceAccountName: kube-ovn-app
      hostPID: true
      initContainers:
        - name: hostpath-init
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
            - sh
            - -c
            - "chown -R nobody: /var/log/kube-ovn"
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
            privileged: true
            runAsUser: 0
          volumeMounts:
            - name: kube-ovn-log
              mountPath: /var/log/kube-ovn
      containers:
        - name: pinger
          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
@@ -59,8 +77,12 @@ spec:
          - --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          securityContext:
-            runAsUser: 0
+            runAsUser: {{ include "kubeovn.runAsUser" . }}
            privileged: false
            capabilities:
              add:
                - NET_BIND_SERVICE
                - NET_RAW
          env:
            - name: ENABLE_SSL
              value: "{{ .Values.networking.ENABLE_SSL }}"
--- a/packages/system/kubeovn/charts/kube-ovn/values.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/values.yaml
@@ -58,7 +58,6 @@ networking:
 func:
  ENABLE_LB: true
  ENABLE_NP: true
  ENABLE_EIP_SNAT: true
  ENABLE_EXTERNAL_VPC: true
  HW_OFFLOAD: false
  ENABLE_LB_SVC: false
@@ -68,10 +67,16 @@ func:
  CHECK_GATEWAY: true
  LOGICAL_GATEWAY: false
  ENABLE_BIND_LOCAL_IP: true
  SECURE_SERVING: false
  U2O_INTERCONNECTION: false
  ENABLE_TPROXY: false
  ENABLE_IC: false
  ENABLE_NAT_GW: true
  ENABLE_OVN_IPSEC: false
  ENABLE_ANP: false
  SET_VXLAN_TX_OFF: false
  OVSDB_CON_TIMEOUT: 3
  OVSDB_INACTIVITY_TIMEOUT: 10
 ipv4:
  PINGER_EXTERNAL_ADDRESS: "1.1.1.1"
@@ -120,7 +125,6 @@ OPENVSWITCH_DIR: "/etc/origin/openvswitch"
 OVN_DIR: "/etc/origin/ovn"
 DISABLE_MODULES_MANAGEMENT: false
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
@@ -132,8 +136,8 @@ HUGEPAGES: 1Gi
 # DPDK
 DPDK: false
 DPDK_VERSION: "19.11"
-DPDK_CPU: "1000m"                        # Default CPU configuration
+DPDK_CPU: "1000m" # Default CPU configuration
-DPDK_MEMORY: "2Gi"                       # Default Memory configuration
+DPDK_MEMORY: "2Gi" # Default Memory configuration
 ovn-central:
  requests:
--- a/packages/system/kubeovn/images/kubeovn/Dockerfile
+++ b/packages/system/kubeovn/images/kubeovn/Dockerfile
@@ -1,45 +1,54 @@
-ARG VERSION=v1.12.19
+# syntax = docker/dockerfile:experimental
 ARG VERSION=v1.13.0
 ARG BASE_TAG=$VERSION
-FROM golang:1.22-bookworm as builder
+FROM golang:1.23-bookworm as builder
-ARG COMMIT_REF=e1310e1
+ARG TAG=v1.13.0
 RUN git clone --branch ${TAG} --depth 1 https://github.com/kubeovn/kube-ovn /source
 WORKDIR /source
 COPY patches /patches
 RUN wget -O- https://github.com/kubeovn/kube-ovn/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
 RUN git apply /patches/*.diff
 RUN sed -i 's|-z now|-z now -static|' Makefile
 RUN make build-go
 WORKDIR /source/dist/images
 # imported from https://github.com/kubeovn/kube-ovn/blob/master/dist/images/Dockerfile
-FROM kubeovn/kube-ovn-base:$BASE_TAG
+FROM kubeovn/kube-ovn-base:$BASE_TAG AS setcap
 COPY --from=builder /source/dist/images/*.sh /kube-ovn/
 COPY --from=builder /source/dist/images/kubectl-ko /kube-ovn/kubectl-ko
 COPY --from=builder /source/dist/images/01-kube-ovn.conflist /kube-ovn/01-kube-ovn.conflist
 COPY --from=builder /source/dist/images/logrotate/* /etc/logrotate.d/
 COPY --from=builder /source/dist/images/grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
 WORKDIR /kube-ovn
 RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
 RUN rm -f /usr/bin/nc &&\
    rm -f /usr/bin/netcat &&\
    rm -f /usr/lib/apt/methods/mirror
 RUN deluser sync
 COPY --from=builder /source/dist/images/kube-ovn /kube-ovn/kube-ovn
 COPY --from=builder /source/dist/images/kube-ovn-cmd /kube-ovn/kube-ovn-cmd
-COPY --from=builder /source/dist/images/kube-ovn-webhook /kube-ovn/kube-ovn-webhook
+COPY --from=builder /source/dist/images/kube-ovn-daemon /kube-ovn/kube-ovn-daemon
 COPY --from=builder /source/dist/images/kube-ovn-pinger /kube-ovn/kube-ovn-pinger
 RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller && \
    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-daemon && \
    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \
    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-pinger && \
    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-speaker && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller-healthcheck && \
+    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-webhook && \
    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-healthcheck && \
    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-leader-checker && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-ic-controller
+    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-ic-controller && \
    setcap CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-cmd && \
    setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-pinger && \
    setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /kube-ovn/kube-ovn-daemon
 FROM kubeovn/kube-ovn-base:$BASE_TAG
 COPY --chmod=0644 --from=builder /source/dist/images/logrotate/* /etc/logrotate.d/
 COPY --from=builder /source/dist/images/grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
 COPY --from=setcap /kube-ovn /kube-ovn
 RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
 WORKDIR /kube-ovn
 # Fix https://github.com/kubeovn/kube-ovn/issues/4526
 RUN setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /usr/lib/openvswitch-switch/ovs-vswitchd \
 && setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /usr/sbin/xtables-legacy-multi \
 && setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /usr/sbin/xtables-nft-multi \
 && setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /usr/sbin/ipset
--- a/packages/system/kubeovn/patches/mtu.diff
+++ b/packages/system/kubeovn/patches/mtu.diff
@@ -1,14 +1,14 @@
 diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
-index c6834ef..423f66b 100644
+index 63f4258..dafe1fd 100644
 --- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
 +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
-@@ -76,6 +76,9 @@ spec:
+@@ -112,6 +112,9 @@ spec:
-           - --kubelet-dir={{ .Values.kubelet_conf.KUBELET_DIR }}
+           - --secure-serving={{- .Values.func.SECURE_SERVING }}
-           - --enable-tproxy={{ .Values.func.ENABLE_TPROXY }}
+           - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
-           - --ovs-vsctl-concurrency={{ .Values.performance.OVS_VSCTL_CONCURRENCY }}
+           - --set-vxlan-tx-off={{- .Values.func.SET_VXLAN_TX_OFF }}
 +          {{- with .Values.mtu }}
 +          - --mtu={{ . }}
 +          {{- end }}
         securityContext:
           runAsUser: 0
-           privileged: true
+           privileged: false
--- a/packages/system/kubeovn/values.yaml
+++ b/packages/system/kubeovn/values.yaml
@@ -22,4 +22,4 @@ global:
  images:
    kubeovn:
      repository: kubeovn
-      tag: v1.13.0@sha256:f8b1a3d3459bf896b3e2122fd6856b790ab6919dba1d22395eeb63f4af63d16c
+      tag: v1.13.0@sha256:be0bf28b0e669b63b2c6d859a1ba80dcc1d848d2d0dc124480023cc90cd59c38
--- a/packages/system/monitoring-agents/alerts/flux.yaml
+++ b/packages/system/monitoring-agents/alerts/flux.yaml
@@ -1,18 +1,7 @@
 apiVersion: operator.victoriametrics.com/v1beta1
 kind: VMRule
 metadata:
  annotations:
    meta.helm.sh/release-name: monitoring
    meta.helm.sh/release-namespace: cozy-monitoring
  labels:
    app: victoria-metrics-k8s-stack
    app.kubernetes.io/instance: monitoring
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: victoria-metrics-k8s-stack
    app.kubernetes.io/version: v1.102.1
    helm.sh/chart: victoria-metrics-k8s-stack-0.25.17
  name: alerts-flux-resources
  namespace: cozy-monitoring
 spec:
  groups:
  - name: flux-resources-alerts
--- a/packages/system/monitoring-agents/templates/kube-state-metrics-scrape.yaml
+++ b/packages/system/monitoring-agents/templates/kube-state-metrics-scrape.yaml
@@ -8,7 +8,6 @@ spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: kube-state-metrics
      app.kubernetes.io/instance: "monitoring"
  endpoints:
  - port: http
    honorLabels: true
--- a/packages/system/monitoring-agents/values.yaml
+++ b/packages/system/monitoring-agents/values.yaml
@@ -305,3 +305,57 @@ vmagent:
    tenant: tenant-root
  remoteWrite:
    url: http://vminsert-shortterm.tenant-root.svc:8480/insert/0/prometheus
 fluent-bit:
  readinessProbe:
    httpGet:
      path: /
  daemonSetVolumes:
    - name: varlog
      hostPath:
        path: /var/log
    - name: varlibdockercontainers
      hostPath:
        path: /var/lib/docker/containers
  daemonSetVolumeMounts:
    - name: varlog
      mountPath: /var/log
    - name: varlibdockercontainers
      mountPath: /var/lib/docker/containers
      readOnly: true
  config:
    outputs: |
      [OUTPUT]
          Name http
          Match kube.*
          Host vlogs-generic.tenant-root.svc
          port 9428
          compress gzip
          uri /insert/jsonline?_stream_fields=stream,kubernetes_pod_name,kubernetes_container_name,kubernetes_namespace_name&_msg_field=log&_time_field=date
          format json_lines
          json_date_format iso8601
          header AccountID 0
          header ProjectID 0
    filters: |
      [FILTER]
          Name kubernetes
          Match kube.*
          Merge_Log On
          Keep_Log On
          K8S-Logging.Parser On
          K8S-Logging.Exclude On
      [FILTER]
          Name                nest
          Match               *
          Wildcard            pod_name
          Operation lift
          Nested_under kubernetes
          Add_prefix   kubernetes_
      [FILTER]
          Name modify
          Match *
          Add tenant tenant-root
      [FILTER]
          Name modify
          Match *
          Add cluster root-cluster
--- a/Show More
+++ b/Show More
`@@ -1 +1 @@`
	`ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:3f76662144e31acf75f9495879da0c358a6729d08cfa0a4721cf495ff9a4c659`	`ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61`
`@@ -1 +1 @@`
	`ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:034a480a119986da8a8e0532f09f66c58ed919e18612987b1a847fe8a59b6f3c`	`ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:4d2271b345240c6c5b37599996745646012004b0f57e31c4c9deb1aba7408a51`
`@@ -1 +1 @@`
	`ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:3030c5b58dcb38dab3892fb1b4241381fc04707b2aa66550ef446231077add6e`	`ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:3e8ae1bd576858a88c995aefb1431a1b89f55b7a1ef60575fecae4bbf5aa0d4e`
`@@ -1 +1 @@`
	`ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.0@sha256:c80c305a7c0ff5d64664eea9aefc9a2e68c3bd500cf341d820ef8dd460f3174b`	`ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.1@sha256:0ea139c71e08db5adb275d81a7efa9a0d8b8db61a1fc1a67167a33a347c07fd8`
`@@ -1 +1 @@`
	`ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.0@sha256:55b78220b60773eefb7b7d3451d7ab9fe89fb6b989e8fe2ae214aab164f00293`	`ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.1@sha256:f595d50689405a504249c2af4b84562e8a0d16bdf9287d4eedf7c87959c4fba1`
`@@ -1 +1 @@`
	`ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.0@sha256:bc61dba787ca79f9b8d7288a631cbaecf8de9f87b6a2ad44e1513f730362621f`	`ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.1@sha256:644379ba92c72dbbf07257d70f88ef3e5c1f1fb88f161c03758c13588d33ac2d`
`@@ -1 +1 @@`
	`ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:8258747003f40f0f8dd54317e52e98baf4674c5ac14ad851ac6b2871d29e4b2d`	`ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:a64fefbd94535be2f8ac92943f0cad076a7b4c61c289a6ac0086a40859ed9d0e`
`@@ -1 +1 @@`
	`ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:c14e21d439600caf6239b767d204b2fd75146e782e35991c6d803490197660bf`	`ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:948d41556939d90bdc37b4406b18935d46490dcb3f38a27aa117a4c3973e5604`
`@@ -1,2 +1,2 @@`
	`cozystack:`	`cozystack:`
	`image: ghcr.io/aenix-io/cozystack/cozystack:latest@sha256:78cad710dec0f941694871cec338d9169db05f42ea13749c0a6503285540e1cc`	`image: ghcr.io/aenix-io/cozystack/cozystack:v0.21.0@sha256:90487dafccb12705b5e9760595b43c0352f3a94551c55c5fa7778bf9173d1737`
`@@ -1,2 +1,2 @@`
	`e2e:`	`e2e:`
	`image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.19.0@sha256:1a26a511b9e269bcb607e2d80f878d7c2d993b7a2a7a3a2a1042470c8c56b061`	`image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.21.0@sha256:38229517c86e179984a6d39f5510b859d13d965e35b216bc01ce456f9ab5f8b5`