Prepare release v0.24.0 (#606)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Release Notes for CozyStack v0.24.0

- **Image Updates**
  - Upgraded CozyStack core components to version v0.24.0
- Updated multiple system images, including cluster-autoscaler, kubevirt
cloud provider, and CSI driver
  - Refreshed images for dashboard, API, and controller components
  - Updated Grafana image to version 1.8.0

- **Infrastructure Changes**
- Replaced `darkhttpd` container with new `assets` container in
deployment configuration
  - Updated image digests across various system components

- **Version Bump**
  - Incremented CozyStack version from v0.23.1 to v0.24.0
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

MAINTAINERS.md

@@ -1,7 +1,12 @@
 # The Cozystack Maintainers
 
-| Maintainer | GitHub Username | Company |
-| ---------- | --------------- | ------- |
-| Andrei Kvapil | [@kvaps](https://github.com/kvaps) | Ænix |
-| George Gaál | [@gecube](https://github.com/gecube) | Ænix |
-| Eduard Generalov | [@egeneralov](https://github.com/egeneralov) | Ænix |
+| Maintainer | GitHub Username | Company |          Responsibility           |
+| ---------- | --------------- | ------- | --------------------------------- |
+| Andrei Kvapil | [@kvaps](https://github.com/kvaps) | Ænix | Core Maintainer |
+| George Gaál | [@gecube](https://github.com/gecube) | Ænix | DevOps Practices in Platform, Developers Advocate |
+| Kingdon Barrett | [@kingdonb](https://github.com/kingdonb) | Urmanac | FluxCD and flux-operator |
+| Timofei Larkin | [@lllamnyp](https://github.com/lllamnyp) | 3commas | Etcd-operator Lead |
+| Artem Bortnikov | [@aobort](https://github.com/aobort) | Timescale | Etcd-operator Lead |
+| Andrei Gumilev | [@chumkaska](https://github.com/chumkaska) | Ænix | Platform Documentation |
+| Timur Tukaev | [@tym83](https://github.com/tym83) | Ænix | Cozystack Website, Marketing, Community Management |
+| Kirill Klinchenkov | [@klinch0](https://github.com/klinch0) | Ænix | Core Maintainer |

Makefile

@@ -6,7 +6,9 @@ build:
 	make -C packages/apps/mysql image
 	make -C packages/apps/clickhouse image
 	make -C packages/apps/kubernetes image
+	make -C packages/extra/monitoring image
 	make -C packages/system/cozystack-api image
+	make -C packages/system/cozystack-controller image
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
@@ -37,3 +39,6 @@ test:
 	make -C packages/core/testing apply
 	make -C packages/core/testing test
 	make -C packages/core/testing test-applications
+
+generate:
+	hack/update-codegen.sh

api/api-rules/cozystack_api_violation_exceptions.list

@@ -1,4 +1,4 @@
-API rule violation: list_type_missing,github.com/aenix.io/cozystack/pkg/apis/apps/v1alpha1,ApplicationStatus,Conditions
+API rule violation: list_type_missing,github.com/aenix-io/cozystack/pkg/apis/apps/v1alpha1,ApplicationStatus,Conditions
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Ref
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Schema
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XEmbeddedResource

api/v1alpha1/groupversion_info.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=cozystack.io
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "cozystack.io", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

api/v1alpha1/workload_types.go

@@ -0,0 +1,70 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// WorkloadStatus defines the observed state of Workload
+type WorkloadStatus struct {
+	// Kind represents the type of workload (redis, postgres, etc.)
+	// +required
+	Kind string `json:"kind"`
+
+	// Type represents the specific role of the workload (redis, sentinel, etc.)
+	// If not specified, defaults to Kind
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// Resources specifies the compute resources allocated to this workload
+	// +required
+	Resources map[string]resource.Quantity `json:"resources"`
+
+	// Operational indicates if all pods of the workload are ready
+	// +optional
+	Operational bool `json:"operational"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:printcolumn:name="Kind",type="string",JSONPath=".status.kind"
+// +kubebuilder:printcolumn:name="Type",type="string",JSONPath=".status.type"
+// +kubebuilder:printcolumn:name="CPU",type="string",JSONPath=".status.resources.cpu"
+// +kubebuilder:printcolumn:name="Memory",type="string",JSONPath=".status.resources.memory"
+// +kubebuilder:printcolumn:name="Operational",type="boolean",JSONPath=`.status.operational`
+
+// Workload is the Schema for the workloads API
+type Workload struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Status WorkloadStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// WorkloadList contains a list of Workload
+type WorkloadList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Workload `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Workload{}, &WorkloadList{})
+}

api/v1alpha1/workloadmonitor_types.go

@@ -0,0 +1,91 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// WorkloadMonitorSpec defines the desired state of WorkloadMonitor
+type WorkloadMonitorSpec struct {
+	// Selector is a label selector to find workloads to monitor
+	// +required
+	Selector map[string]string `json:"selector"`
+
+	// Kind specifies the kind of the workload
+	// +optional
+	Kind string `json:"kind,omitempty"`
+
+	// Type specifies the type of the workload
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// Version specifies the version of the workload
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// MinReplicas specifies the minimum number of replicas that should be available
+	// +kubebuilder:validation:Minimum=0
+	// +optional
+	MinReplicas *int32 `json:"minReplicas,omitempty"`
+
+	// Replicas is the desired number of replicas
+	// If not specified, will use observedReplicas as the target
+	// +kubebuilder:validation:Minimum=0
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty"`
+}
+
+// WorkloadMonitorStatus defines the observed state of WorkloadMonitor
+type WorkloadMonitorStatus struct {
+	// Operational indicates if the workload meets all operational requirements
+	// +optional
+	Operational *bool `json:"operational,omitempty"`
+
+	// AvailableReplicas is the number of ready replicas
+	// +optional
+	AvailableReplicas int32 `json:"availableReplicas"`
+
+	// ObservedReplicas is the total number of pods observed
+	// +optional
+	ObservedReplicas int32 `json:"observedReplicas"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Kind",type="string",JSONPath=".spec.kind"
+// +kubebuilder:printcolumn:name="Type",type="string",JSONPath=".spec.type"
+// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version"
+// +kubebuilder:printcolumn:name="Replicas",type="integer",JSONPath=".spec.replicas"
+// +kubebuilder:printcolumn:name="MinReplicas",type="integer",JSONPath=".spec.minReplicas"
+// +kubebuilder:printcolumn:name="Available",type="integer",JSONPath=".status.availableReplicas"
+// +kubebuilder:printcolumn:name="Observed",type="integer",JSONPath=".status.observedReplicas"
+// +kubebuilder:printcolumn:name="Operational",type="boolean",JSONPath=".status.operational"
+
+// WorkloadMonitor is the Schema for the workloadmonitors API
+type WorkloadMonitor struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   WorkloadMonitorSpec   `json:"spec,omitempty"`
+	Status WorkloadMonitorStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// WorkloadMonitorList contains a list of WorkloadMonitor
+type WorkloadMonitorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []WorkloadMonitor `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&WorkloadMonitor{}, &WorkloadMonitorList{})
+}
+
+// GetSelector returns the label selector from metadata
+func (w *WorkloadMonitor) GetSelector() map[string]string {
+	return w.Spec.Selector
+}
+
+// Selector specifies the label selector for workloads
+type Selector map[string]string

api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,238 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2025 The Cozystack Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in Selector) DeepCopyInto(out *Selector) {
+	{
+		in := &in
+		*out = make(Selector, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Selector.
+func (in Selector) DeepCopy() Selector {
+	if in == nil {
+		return nil
+	}
+	out := new(Selector)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Workload) DeepCopyInto(out *Workload) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Workload.
+func (in *Workload) DeepCopy() *Workload {
+	if in == nil {
+		return nil
+	}
+	out := new(Workload)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Workload) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadList) DeepCopyInto(out *WorkloadList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Workload, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadList.
+func (in *WorkloadList) DeepCopy() *WorkloadList {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WorkloadList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadMonitor) DeepCopyInto(out *WorkloadMonitor) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadMonitor.
+func (in *WorkloadMonitor) DeepCopy() *WorkloadMonitor {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadMonitor)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WorkloadMonitor) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadMonitorList) DeepCopyInto(out *WorkloadMonitorList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]WorkloadMonitor, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadMonitorList.
+func (in *WorkloadMonitorList) DeepCopy() *WorkloadMonitorList {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadMonitorList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WorkloadMonitorList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadMonitorSpec) DeepCopyInto(out *WorkloadMonitorSpec) {
+	*out = *in
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.MinReplicas != nil {
+		in, out := &in.MinReplicas, &out.MinReplicas
+		*out = new(int32)
+		**out = **in
+	}
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		*out = new(int32)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadMonitorSpec.
+func (in *WorkloadMonitorSpec) DeepCopy() *WorkloadMonitorSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadMonitorSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadMonitorStatus) DeepCopyInto(out *WorkloadMonitorStatus) {
+	*out = *in
+	if in.Operational != nil {
+		in, out := &in.Operational, &out.Operational
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadMonitorStatus.
+func (in *WorkloadMonitorStatus) DeepCopy() *WorkloadMonitorStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadMonitorStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadStatus) DeepCopyInto(out *WorkloadStatus) {
+	*out = *in
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make(map[string]resource.Quantity, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadStatus.
+func (in *WorkloadStatus) DeepCopy() *WorkloadStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadStatus)
+	in.DeepCopyInto(out)
+	return out
+}

cmd/cozystack-api/main.go

@@ -19,7 +19,7 @@ package main
 import (
 	"os"
 
-	"github.com/aenix.io/cozystack/pkg/cmd/server"
+	"github.com/aenix-io/cozystack/pkg/cmd/server"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/component-base/cli"
 )

cmd/cozystack-assets-server/main.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"net/http"
+	"path/filepath"
+)
+
+func main() {
+	addr := flag.String("address", ":8123", "Address to listen on")
+	dir := flag.String("dir", "/cozystack/assets", "Directory to serve files from")
+	flag.Parse()
+
+	absDir, err := filepath.Abs(*dir)
+	if err != nil {
+		log.Fatalf("Error getting absolute path for %s: %v", *dir, err)
+	}
+
+	fs := http.FileServer(http.Dir(absDir))
+	http.Handle("/", fs)
+
+	log.Printf("Server starting on %s, serving directory %s", *addr, absDir)
+
+	err = http.ListenAndServe(*addr, nil)
+	if err != nil {
+		log.Fatalf("Server failed to start: %v", err)
+	}
+}

cmd/cozystack-controller/main.go

@@ -0,0 +1,210 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"os"
+	"time"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	cozystackiov1alpha1 "github.com/aenix-io/cozystack/api/v1alpha1"
+	"github.com/aenix-io/cozystack/internal/controller"
+	"github.com/aenix-io/cozystack/internal/telemetry"
+	// +kubebuilder:scaffold:imports
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+	utilruntime.Must(cozystackiov1alpha1.AddToScheme(scheme))
+	// +kubebuilder:scaffold:scheme
+}
+
+func main() {
+	var metricsAddr string
+	var enableLeaderElection bool
+	var probeAddr string
+	var secureMetrics bool
+	var enableHTTP2 bool
+	var disableTelemetry bool
+	var telemetryEndpoint string
+	var telemetryInterval string
+	var cozystackVersion string
+	var tlsOpts []func(*tls.Config)
+	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
+	flag.BoolVar(&disableTelemetry, "disable-telemetry", false,
+		"Disable telemetry collection")
+	flag.StringVar(&telemetryEndpoint, "telemetry-endpoint", "https://telemetry.cozystack.io",
+		"Endpoint for sending telemetry data")
+	flag.StringVar(&telemetryInterval, "telemetry-interval", "15m",
+		"Interval between telemetry data collection (e.g. 15m, 1h)")
+	flag.StringVar(&cozystackVersion, "cozystack-version", "unknown",
+		"Version of Cozystack")
+	opts := zap.Options{
+		Development: false,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	// Parse telemetry interval
+	interval, err := time.ParseDuration(telemetryInterval)
+	if err != nil {
+		setupLog.Error(err, "invalid telemetry interval")
+		os.Exit(1)
+	}
+
+	// Configure telemetry
+	telemetryConfig := telemetry.Config{
+		Disabled:         disableTelemetry,
+		Endpoint:         telemetryEndpoint,
+		Interval:         interval,
+		CozystackVersion: cozystackVersion,
+	}
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+
+	// if the enable-http2 flag is false (the default), http/2 should be disabled
+	// due to its vulnerabilities. More specifically, disabling http/2 will
+	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+	// Rapid Reset CVEs. For more information see:
+	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+	// - https://github.com/advisories/GHSA-4374-p667-p6c8
+	disableHTTP2 := func(c *tls.Config) {
+		setupLog.Info("disabling http/2")
+		c.NextProtos = []string{"http/1.1"}
+	}
+
+	if !enableHTTP2 {
+		tlsOpts = append(tlsOpts, disableHTTP2)
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: tlsOpts,
+	})
+
+	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
+	// More info:
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
+	// - https://book.kubebuilder.io/reference/metrics.html
+	metricsServerOptions := metricsserver.Options{
+		BindAddress:   metricsAddr,
+		SecureServing: secureMetrics,
+		TLSOpts:       tlsOpts,
+	}
+
+	if secureMetrics {
+		// FilterProvider is used to protect the metrics endpoint with authn/authz.
+		// These configurations ensure that only authorized users and service accounts
+		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
+
+		// TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically
+		// generate self-signed certificates for the metrics server. While convenient for development and testing,
+		// this setup is not recommended for production.
+	}
+
+	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsServerOptions,
+		WebhookServer:          webhookServer,
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       "19a0338c.cozystack.io",
+		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
+		// when the Manager ends. This requires the binary to immediately end when the
+		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+		// speeds up voluntary leader transitions as the new leader don't have to wait
+		// LeaseDuration time first.
+		//
+		// In the default scaffold provided, the program ends immediately after
+		// the manager stops, so would be fine to enable this option. However,
+		// if you are doing or is intended to do any operation such as perform cleanups
+		// after the manager stops then its usage might be unsafe.
+		// LeaderElectionReleaseOnCancel: true,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	if err = (&controller.WorkloadMonitorReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "WorkloadMonitor")
+		os.Exit(1)
+	}
+	// +kubebuilder:scaffold:builder
+
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to set up ready check")
+		os.Exit(1)
+	}
+
+	// Initialize telemetry collector
+	collector, err := telemetry.NewCollector(mgr.GetClient(), &telemetryConfig, mgr.GetConfig())
+	if err != nil {
+		setupLog.V(1).Error(err, "unable to create telemetry collector, telemetry will be disabled")
+	}
+
+	if collector != nil {
+		if err := mgr.Add(collector); err != nil {
+			setupLog.Error(err, "unable to set up telemetry collector")
+			setupLog.V(1).Error(err, "unable to set up telemetry collector, continuing without telemetry")
+		}
+	}
+
+	setupLog.Info("starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		setupLog.Error(err, "problem running manager")
+		os.Exit(1)
+	}
+}

go.mod

@@ -1,22 +1,27 @@
 // This is a generated file. Do not edit directly.
 
-module github.com/aenix.io/cozystack
+module github.com/aenix-io/cozystack
 
 go 1.23.0
 
 require (
-	github.com/emicklei/go-restful/v3 v3.11.0
+	github.com/fluxcd/helm-controller/api v1.1.0
 	github.com/google/gofuzz v1.2.0
+	github.com/onsi/ginkgo/v2 v2.19.0
+	github.com/onsi/gomega v1.33.1
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
+	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/api v0.31.2
 	k8s.io/apiextensions-apiserver v0.31.2
 	k8s.io/apimachinery v0.31.2
 	k8s.io/apiserver v0.31.2
 	k8s.io/client-go v0.31.2
-	k8s.io/code-generator v0.31.2
 	k8s.io/component-base v0.31.2
+	k8s.io/klog/v2 v2.130.1
 	k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
+	sigs.k8s.io/controller-runtime v0.19.0
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1
 )
 
@@ -31,23 +36,27 @@ require (
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fluxcd/helm-controller/api v1.1.0 // indirect
 	github.com/fluxcd/pkg/apis/kustomize v1.6.1 // indirect
 	github.com/fluxcd/pkg/apis/meta v1.6.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/cel-go v0.21.0 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
@@ -84,7 +93,6 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.28.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
@@ -93,6 +101,7 @@ require (
 	golang.org/x/text v0.19.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/grpc v1.65.0 // indirect
@@ -100,14 +109,9 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.31.2 // indirect
-	k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 // indirect
-	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kms v0.31.2 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect
-	sigs.k8s.io/controller-runtime v0.19.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )

go.sum

@@ -26,6 +26,10 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
+github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
+github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
+github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fluxcd/helm-controller/api v1.1.0 h1:NS5Wm3U6Kv4w7Cw2sDOV++vf2ecGfFV00x1+2Y3QcOY=
@@ -214,8 +218,6 @@ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
-golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -252,6 +254,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY=
 google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
 google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw=
@@ -287,12 +291,8 @@ k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4=
 k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE=
 k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=
 k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs=
-k8s.io/code-generator v0.31.2 h1:xLWxG0HEpMSHfcM//3u3Ro2Hmc6AyyLINQS//Z2GEOI=
-k8s.io/code-generator v0.31.2/go.mod h1:eEQHXgBU/m7LDaToDoiz3t97dUUVyOblQdwOr8rivqc=
 k8s.io/component-base v0.31.2 h1:Z1J1LIaC0AV+nzcPRFqfK09af6bZ4D1nAOpWsy9owlA=
 k8s.io/component-base v0.31.2/go.mod h1:9PeyyFN/drHjtJZMCTkSpQJS3U9OXORnHQqMLDz0sUQ=
-k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 h1:si3PfKm8dDYxgfbeA6orqrtLkvvIeH8UqffFJDl0bz4=
-k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kms v0.31.2 h1:pyx7l2qVOkClzFMIWMVF/FxsSkgd+OIGH7DecpbscJI=

hack/boilerplate.go.txt

@@ -1,5 +1,5 @@
 /*
-Copyright 2024 The Cozystack Authors.
+Copyright 2025 The Cozystack Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

hack/e2e.sh

@@ -113,8 +113,6 @@ machine:
         - usermode_helper=disabled
     - name: zfs
     - name: spl
-  install:
-    image: ghcr.io/aenix-io/cozystack/talos:v1.8.3
   files:
   - content: |
       [plugins]
@@ -142,6 +140,9 @@ EOT
 
 cat > patch-controlplane.yaml <<\EOT
 machine:
+  nodeLabels:
+    node.kubernetes.io/exclude-from-external-load-balancers:
+      $patch: delete
   network:
     interfaces:
     - interface: eth0
@@ -228,6 +229,7 @@ sleep 5
 kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n " $1 " hr/" $2 " &"} END{print "wait"}' | sh -x
 
 # Wait for Cluster-API providers
+timeout 30 sh -c 'until kubectl get deploy -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager; do sleep 1; done'
 kubectl wait deploy --timeout=30s --for=condition=available -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager
 
 # Wait for linstor controller
@@ -296,6 +298,9 @@ spec:
   avoidBuggyIPs: false
 EOT
 
+# Wait for cozystack-api
+kubectl wait --for=condition=Available apiservices v1alpha1.apps.cozystack.io --timeout=2m
+
 kubectl patch -n tenant-root tenants.apps.cozystack.io root --type=merge -p '{"spec":{
   "host": "example.org",
   "ingress": true,

hack/update-codegen.sh

@@ -22,6 +22,7 @@ SCRIPT_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
 CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; ls -d -1 ./vendor/k8s.io/code-generator 2>/dev/null || echo ../code-generator)}
 API_KNOWN_VIOLATIONS_DIR="${API_KNOWN_VIOLATIONS_DIR:-"${SCRIPT_ROOT}/api/api-rules"}"
 UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS:-true}"
+CONTROLLER_GEN="go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.4"
 
 source "${CODEGEN_PKG}/kube_codegen.sh"
 
@@ -46,3 +47,6 @@ kube::codegen::gen_openapi \
     ${update_report:+"${update_report}"} \
     --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
     "${SCRIPT_ROOT}/pkg/apis"
+
+$CONTROLLER_GEN object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
+$CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:artifacts:config=packages/system/cozystack-controller/templates/crds

internal/controller/suite_test.go

@@ -0,0 +1,96 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	cozystackiov1alpha1 "github.com/aenix-io/cozystack/api/v1alpha1"
+	// +kubebuilder:scaffold:imports
+)
+
+// These tests use Ginkgo (BDD-style Go testing framework). Refer to
+// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
+
+var cfg *rest.Config
+var k8sClient client.Client
+var testEnv *envtest.Environment
+var ctx context.Context
+var cancel context.CancelFunc
+
+func TestControllers(t *testing.T) {
+	RegisterFailHandler(Fail)
+
+	RunSpecs(t, "Controller Suite")
+}
+
+var _ = BeforeSuite(func() {
+	logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true)))
+
+	ctx, cancel = context.WithCancel(context.TODO())
+
+	By("bootstrapping test environment")
+	testEnv = &envtest.Environment{
+		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "config", "crd", "bases")},
+		ErrorIfCRDPathMissing: true,
+
+		// The BinaryAssetsDirectory is only required if you want to run the tests directly
+		// without call the makefile target test. If not informed it will look for the
+		// default path defined in controller-runtime which is /usr/local/kubebuilder/.
+		// Note that you must have the required binaries setup under the bin directory to perform
+		// the tests directly. When we run make test it will be setup and used automatically.
+		BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s",
+			fmt.Sprintf("1.31.0-%s-%s", runtime.GOOS, runtime.GOARCH)),
+	}
+
+	var err error
+	// cfg is defined in this file globally.
+	cfg, err = testEnv.Start()
+	Expect(err).NotTo(HaveOccurred())
+	Expect(cfg).NotTo(BeNil())
+
+	err = cozystackiov1alpha1.AddToScheme(scheme.Scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	// +kubebuilder:scaffold:scheme
+
+	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
+	Expect(err).NotTo(HaveOccurred())
+	Expect(k8sClient).NotTo(BeNil())
+
+})
+
+var _ = AfterSuite(func() {
+	By("tearing down the test environment")
+	cancel()
+	err := testEnv.Stop()
+	Expect(err).NotTo(HaveOccurred())
+})

internal/controller/workloadmonitor_controller.go

@@ -0,0 +1,273 @@
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"sort"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/pointer"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	cozyv1alpha1 "github.com/aenix-io/cozystack/api/v1alpha1"
+)
+
+// WorkloadMonitorReconciler reconciles a WorkloadMonitor object
+type WorkloadMonitorReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=cozystack.io,resources=workloadmonitors,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cozystack.io,resources=workloadmonitors/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cozystack.io,resources=workloads,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cozystack.io,resources=workloads/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch
+
+// isPodReady checks if the Pod is in the Ready condition.
+func (r *WorkloadMonitorReconciler) isPodReady(pod *corev1.Pod) bool {
+	for _, c := range pod.Status.Conditions {
+		if c.Type == corev1.PodReady && c.Status == corev1.ConditionTrue {
+			return true
+		}
+	}
+	return false
+}
+
+// updateOwnerReferences adds the given monitor as a new owner reference to the object if not already present.
+// It then sorts the owner references to enforce a consistent order.
+func updateOwnerReferences(obj metav1.Object, monitor client.Object) {
+	// Retrieve current owner references
+	owners := obj.GetOwnerReferences()
+
+	// Check if current monitor is already in owner references
+	var alreadyOwned bool
+	for _, ownerRef := range owners {
+		if ownerRef.UID == monitor.GetUID() {
+			alreadyOwned = true
+			break
+		}
+	}
+
+	runtimeObj, ok := monitor.(runtime.Object)
+	if !ok {
+		return
+	}
+	gvk := runtimeObj.GetObjectKind().GroupVersionKind()
+
+	// If not already present, add new owner reference without controller flag
+	if !alreadyOwned {
+		newOwnerRef := metav1.OwnerReference{
+			APIVersion: gvk.GroupVersion().String(),
+			Kind:       gvk.Kind,
+			Name:       monitor.GetName(),
+			UID:        monitor.GetUID(),
+			// Set Controller to false to avoid conflict as multiple controllers are not allowed
+			Controller:         pointer.BoolPtr(false),
+			BlockOwnerDeletion: pointer.BoolPtr(true),
+		}
+		owners = append(owners, newOwnerRef)
+	}
+
+	// Sort owner references to enforce a consistent order by UID
+	sort.SliceStable(owners, func(i, j int) bool {
+		return owners[i].UID < owners[j].UID
+	})
+
+	// Update the owner references of the object
+	obj.SetOwnerReferences(owners)
+}
+
+// reconcilePodForMonitor creates or updates a Workload object for the given Pod and WorkloadMonitor.
+func (r *WorkloadMonitorReconciler) reconcilePodForMonitor(
+	ctx context.Context,
+	monitor *cozyv1alpha1.WorkloadMonitor,
+	pod corev1.Pod,
+) error {
+	logger := log.FromContext(ctx)
+
+	// Combine both init containers and normal containers to sum resources properly
+	combinedContainers := append(pod.Spec.InitContainers, pod.Spec.Containers...)
+
+	// totalResources will store the sum of all container resource limits
+	totalResources := make(map[string]resource.Quantity)
+
+	// Iterate over all containers to aggregate their Limits
+	for _, container := range combinedContainers {
+		for name, qty := range container.Resources.Limits {
+			if existing, exists := totalResources[name.String()]; exists {
+				existing.Add(qty)
+				totalResources[name.String()] = existing
+			} else {
+				totalResources[name.String()] = qty.DeepCopy()
+			}
+		}
+	}
+
+	// If annotation "workload.cozystack.io/resources" is present, parse and merge
+	if resourcesStr, ok := pod.Annotations["workload.cozystack.io/resources"]; ok {
+		annRes := map[string]string{}
+		if err := json.Unmarshal([]byte(resourcesStr), &annRes); err != nil {
+			logger.Error(err, "Failed to parse resources annotation", "pod", pod.Name)
+		} else {
+			for k, v := range annRes {
+				parsed, err := resource.ParseQuantity(v)
+				if err != nil {
+					logger.Error(err, "Failed to parse resource quantity from annotation", "key", k, "value", v)
+					continue
+				}
+				totalResources[k] = parsed
+			}
+		}
+	}
+
+	workload := &cozyv1alpha1.Workload{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      pod.Name,
+			Namespace: pod.Namespace,
+		},
+	}
+
+	_, err := ctrl.CreateOrUpdate(ctx, r.Client, workload, func() error {
+		// Update owner references with the new monitor
+		updateOwnerReferences(workload.GetObjectMeta(), monitor)
+
+		// Copy labels from the Pod if needed
+		workload.Labels = pod.Labels
+
+		// Fill Workload status fields:
+		workload.Status.Kind = monitor.Spec.Kind
+		workload.Status.Type = monitor.Spec.Type
+		workload.Status.Resources = totalResources
+		workload.Status.Operational = r.isPodReady(&pod)
+
+		return nil
+	})
+	if err != nil {
+		logger.Error(err, "Failed to CreateOrUpdate Workload", "workload", workload.Name)
+		return err
+	}
+
+	return nil
+}
+
+// Reconcile is the main reconcile loop.
+// 1. It reconciles WorkloadMonitor objects themselves (create/update/delete).
+// 2. It also reconciles Pod events mapped to WorkloadMonitor via label selector.
+func (r *WorkloadMonitorReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logger := log.FromContext(ctx)
+
+	// Fetch the WorkloadMonitor object if it exists
+	monitor := &cozyv1alpha1.WorkloadMonitor{}
+	err := r.Get(ctx, req.NamespacedName, monitor)
+	if err != nil {
+		// If the resource is not found, it may be a Pod event (mapFunc).
+		if apierrors.IsNotFound(err) {
+			return ctrl.Result{}, nil
+		}
+		logger.Error(err, "Unable to fetch WorkloadMonitor")
+		return ctrl.Result{}, err
+	}
+
+	// List Pods that match the WorkloadMonitor's selector
+	podList := &corev1.PodList{}
+	if err := r.List(
+		ctx,
+		podList,
+		client.InNamespace(monitor.Namespace),
+		client.MatchingLabels(monitor.Spec.Selector),
+	); err != nil {
+		logger.Error(err, "Unable to list Pods for WorkloadMonitor", "monitor", monitor.Name)
+		return ctrl.Result{}, err
+	}
+
+	var observedReplicas, availableReplicas int32
+
+	// For each matching Pod, reconcile the corresponding Workload
+	for _, pod := range podList.Items {
+		observedReplicas++
+		if err := r.reconcilePodForMonitor(ctx, monitor, pod); err != nil {
+			logger.Error(err, "Failed to reconcile Workload for Pod", "pod", pod.Name)
+			continue
+		}
+		if r.isPodReady(&pod) {
+			availableReplicas++
+		}
+	}
+
+	// Update WorkloadMonitor status based on observed pods
+	monitor.Status.ObservedReplicas = observedReplicas
+	monitor.Status.AvailableReplicas = availableReplicas
+
+	// Default to operational = true, but check MinReplicas if set
+	monitor.Status.Operational = pointer.Bool(true)
+	if monitor.Spec.MinReplicas != nil && availableReplicas < *monitor.Spec.MinReplicas {
+		monitor.Status.Operational = pointer.Bool(false)
+	}
+
+	// Update the WorkloadMonitor status in the cluster
+	if err := r.Status().Update(ctx, monitor); err != nil {
+		logger.Error(err, "Unable to update WorkloadMonitor status", "monitor", monitor.Name)
+		return ctrl.Result{}, err
+	}
+
+	// Return without requeue if we want purely event-driven reconciliations
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager registers our controller with the Manager and sets up watches.
+func (r *WorkloadMonitorReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		// Watch WorkloadMonitor objects
+		For(&cozyv1alpha1.WorkloadMonitor{}).
+		// Also watch Pod objects and map them back to WorkloadMonitor if labels match
+		Watches(
+			&corev1.Pod{},
+			handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
+				pod, ok := obj.(*corev1.Pod)
+				if !ok {
+					return nil
+				}
+
+				var monitorList cozyv1alpha1.WorkloadMonitorList
+				// List all WorkloadMonitors in the same namespace
+				if err := r.List(ctx, &monitorList, client.InNamespace(pod.Namespace)); err != nil {
+					return nil
+				}
+
+				// Match each monitor's selector with the Pod's labels
+				var requests []reconcile.Request
+				for _, m := range monitorList.Items {
+					matches := true
+					for k, v := range m.Spec.Selector {
+						if podVal, exists := pod.Labels[k]; !exists || podVal != v {
+							matches = false
+							break
+						}
+					}
+					if matches {
+						requests = append(requests, reconcile.Request{
+							NamespacedName: types.NamespacedName{
+								Namespace: m.Namespace,
+								Name:      m.Name,
+							},
+						})
+					}
+				}
+				return requests
+			}),
+		).
+		// Watch for changes to Workload objects we create (owned by WorkloadMonitor)
+		Owns(&cozyv1alpha1.Workload{}).
+		Complete(r)
+}

internal/telemetry/collector.go

@@ -0,0 +1,292 @@
+package telemetry
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	cozyv1alpha1 "github.com/aenix-io/cozystack/api/v1alpha1"
+)
+
+// Collector handles telemetry data collection and sending
+type Collector struct {
+	client          client.Client
+	discoveryClient discovery.DiscoveryInterface
+	config          *Config
+	ticker          *time.Ticker
+	stopCh          chan struct{}
+}
+
+// NewCollector creates a new telemetry collector
+func NewCollector(client client.Client, config *Config, kubeConfig *rest.Config) (*Collector, error) {
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(kubeConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create discovery client: %w", err)
+	}
+	return &Collector{
+		client:          client,
+		discoveryClient: discoveryClient,
+		config:          config,
+	}, nil
+}
+
+// Start implements manager.Runnable
+func (c *Collector) Start(ctx context.Context) error {
+	if c.config.Disabled {
+		return nil
+	}
+
+	c.ticker = time.NewTicker(c.config.Interval)
+	c.stopCh = make(chan struct{})
+
+	// Initial collection
+	c.collect(ctx)
+
+	for {
+		select {
+		case <-ctx.Done():
+			c.ticker.Stop()
+			close(c.stopCh)
+			return nil
+		case <-c.ticker.C:
+			c.collect(ctx)
+		}
+	}
+}
+
+// NeedLeaderElection implements manager.LeaderElectionRunnable
+func (c *Collector) NeedLeaderElection() bool {
+	// Only run telemetry collector on the leader
+	return true
+}
+
+// Stop halts telemetry collection
+func (c *Collector) Stop() {
+	close(c.stopCh)
+}
+
+// getSizeGroup returns the exponential size group for PVC
+func getSizeGroup(size resource.Quantity) string {
+	gb := size.Value() / (1024 * 1024 * 1024)
+	switch {
+	case gb <= 1:
+		return "1Gi"
+	case gb <= 5:
+		return "5Gi"
+	case gb <= 10:
+		return "10Gi"
+	case gb <= 25:
+		return "25Gi"
+	case gb <= 50:
+		return "50Gi"
+	case gb <= 100:
+		return "100Gi"
+	case gb <= 250:
+		return "250Gi"
+	case gb <= 500:
+		return "500Gi"
+	case gb <= 1024:
+		return "1Ti"
+	case gb <= 2048:
+		return "2Ti"
+	case gb <= 5120:
+		return "5Ti"
+	default:
+		return "10Ti"
+	}
+}
+
+// collect gathers and sends telemetry data
+func (c *Collector) collect(ctx context.Context) {
+	logger := log.FromContext(ctx).V(1)
+
+	// Get cluster ID from kube-system namespace
+	var kubeSystemNS corev1.Namespace
+	if err := c.client.Get(ctx, types.NamespacedName{Name: "kube-system"}, &kubeSystemNS); err != nil {
+		logger.Info(fmt.Sprintf("Failed to get kube-system namespace: %v", err))
+		return
+	}
+
+	clusterID := string(kubeSystemNS.UID)
+
+	var cozystackCM corev1.ConfigMap
+	if err := c.client.Get(ctx, types.NamespacedName{Namespace: "cozy-system", Name: "cozystack"}, &cozystackCM); err != nil {
+		logger.Info(fmt.Sprintf("Failed to get cozystack configmap in cozy-system namespace: %v", err))
+		return
+	}
+
+	oidcEnabled := cozystackCM.Data["oidc-enabled"]
+	bundle := cozystackCM.Data["bundle-name"]
+	bundleEnable := cozystackCM.Data["bundle-enable"]
+	bundleDisable := cozystackCM.Data["bundle-disable"]
+
+	// Get Kubernetes version from nodes
+	var nodeList corev1.NodeList
+	if err := c.client.List(ctx, &nodeList); err != nil {
+		logger.Info(fmt.Sprintf("Failed to list nodes: %v", err))
+		return
+	}
+
+	// Create metrics buffer
+	var metrics strings.Builder
+
+	// Add Cozystack info metric
+	if len(nodeList.Items) > 0 {
+		k8sVersion, _ := c.discoveryClient.ServerVersion()
+		metrics.WriteString(fmt.Sprintf(
+			"cozy_cluster_info{cozystack_version=\"%s\",kubernetes_version=\"%s\",oidc_enabled=\"%s\",bundle_name=\"%s\",bunde_enable=\"%s\",bunde_disable=\"%s\"} 1\n",
+			c.config.CozystackVersion,
+			k8sVersion,
+			oidcEnabled,
+			bundle,
+			bundleEnable,
+			bundleDisable,
+		))
+	}
+
+	// Collect node metrics
+	nodeOSCount := make(map[string]int)
+	for _, node := range nodeList.Items {
+		key := fmt.Sprintf("%s (%s)", node.Status.NodeInfo.OperatingSystem, node.Status.NodeInfo.OSImage)
+		nodeOSCount[key] = nodeOSCount[key] + 1
+	}
+
+	for osKey, count := range nodeOSCount {
+		metrics.WriteString(fmt.Sprintf(
+			"cozy_nodes_count{os=\"%s\",kernel=\"%s\"} %d\n",
+			osKey,
+			nodeList.Items[0].Status.NodeInfo.KernelVersion,
+			count,
+		))
+	}
+
+	// Collect LoadBalancer services metrics
+	var serviceList corev1.ServiceList
+	if err := c.client.List(ctx, &serviceList); err != nil {
+		logger.Info(fmt.Sprintf("Failed to list Services: %v", err))
+	} else {
+		lbCount := 0
+		for _, svc := range serviceList.Items {
+			if svc.Spec.Type == corev1.ServiceTypeLoadBalancer {
+				lbCount++
+			}
+		}
+		metrics.WriteString(fmt.Sprintf("cozy_loadbalancers_count %d\n", lbCount))
+	}
+
+	// Count tenant namespaces
+	var nsList corev1.NamespaceList
+	if err := c.client.List(ctx, &nsList); err != nil {
+		logger.Info(fmt.Sprintf("Failed to list Namespaces: %v", err))
+	} else {
+		tenantCount := 0
+		for _, ns := range nsList.Items {
+			if strings.HasPrefix(ns.Name, "tenant-") {
+				tenantCount++
+			}
+		}
+		metrics.WriteString(fmt.Sprintf("cozy_tenants_count %d\n", tenantCount))
+	}
+
+	// Collect PV metrics grouped by driver and size
+	var pvList corev1.PersistentVolumeList
+	if err := c.client.List(ctx, &pvList); err != nil {
+		logger.Info(fmt.Sprintf("Failed to list PVs: %v", err))
+	} else {
+		// Map to store counts by size and driver
+		pvMetrics := make(map[string]map[string]int)
+
+		for _, pv := range pvList.Items {
+			if capacity, ok := pv.Spec.Capacity[corev1.ResourceStorage]; ok {
+				sizeGroup := getSizeGroup(capacity)
+
+				// Get the CSI driver name
+				driver := "unknown"
+				if pv.Spec.CSI != nil {
+					driver = pv.Spec.CSI.Driver
+				} else if pv.Spec.HostPath != nil {
+					driver = "hostpath"
+				} else if pv.Spec.NFS != nil {
+					driver = "nfs"
+				}
+
+				// Initialize nested map if needed
+				if _, exists := pvMetrics[sizeGroup]; !exists {
+					pvMetrics[sizeGroup] = make(map[string]int)
+				}
+
+				// Increment count for this size/driver combination
+				pvMetrics[sizeGroup][driver]++
+			}
+		}
+
+		// Write metrics
+		for size, drivers := range pvMetrics {
+			for driver, count := range drivers {
+				metrics.WriteString(fmt.Sprintf(
+					"cozy_pvs_count{driver=\"%s\",size=\"%s\"} %d\n",
+					driver,
+					size,
+					count,
+				))
+			}
+		}
+	}
+
+	// Collect workload metrics
+	var monitorList cozyv1alpha1.WorkloadMonitorList
+	if err := c.client.List(ctx, &monitorList); err != nil {
+		logger.Info(fmt.Sprintf("Failed to list WorkloadMonitors: %v", err))
+		return
+	}
+
+	for _, monitor := range monitorList.Items {
+		metrics.WriteString(fmt.Sprintf(
+			"cozy_workloads_count{uid=\"%s\",kind=\"%s\",type=\"%s\",version=\"%s\"} %d\n",
+			monitor.UID,
+			monitor.Spec.Kind,
+			monitor.Spec.Type,
+			monitor.Spec.Version,
+			monitor.Status.ObservedReplicas,
+		))
+	}
+
+	// Send metrics
+	if err := c.sendMetrics(clusterID, metrics.String()); err != nil {
+		logger.Info(fmt.Sprintf("Failed to send metrics: %v", err))
+	}
+}
+
+// sendMetrics sends collected metrics to the configured endpoint
+func (c *Collector) sendMetrics(clusterID, metrics string) error {
+	req, err := http.NewRequest("POST", c.config.Endpoint, bytes.NewBufferString(metrics))
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	req.Header.Set("Content-Type", "text/plain")
+	req.Header.Set("X-Cluster-ID", clusterID)
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to send request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	return nil
+}

internal/telemetry/config.go

@@ -0,0 +1,27 @@
+package telemetry
+
+import (
+	"time"
+)
+
+// Config holds telemetry configuration
+type Config struct {
+	// Disable telemetry collection if set to true
+	Disabled bool
+	// Endpoint to send telemetry data to
+	Endpoint string
+	// Interval between telemetry data collection
+	Interval time.Duration
+	// CozystackVersion represents the current version of Cozystack
+	CozystackVersion string
+}
+
+// DefaultConfig returns default telemetry configuration
+func DefaultConfig() *Config {
+	return &Config{
+		Disabled:         false,
+		Endpoint:         "https://telemetry.cozystack.io",
+		Interval:         15 * time.Minute,
+		CozystackVersion: "unknown",
+	}
+}

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.20.2"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.24.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -86,13 +86,12 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-      - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.20.2"
+      - name: assets
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.24.0"
         command:
-        - /usr/bin/darkhttpd
-        - /cozystack/assets
-        - --port
-        - "8123"
+        - /usr/bin/cozystack-assets-server
+        - "-dir=/cozystack/assets"
+        - "-address=:8123"
         ports:
         - name: http
           containerPort: 8123

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61
+ghcr.io/aenix-io/cozystack/clickhouse-backup:0.6.1@sha256:7a99cabdfd541f863aa5d1b2f7b49afd39838fb94c8448986634a1dc9050751c

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:406d2c5a30fa8b6fe10eab3cba45c06fea3876e81fd123ead6dc3c19347762d0
+ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:6a8ec7e7052f2d02ec5457d7cbac6ee52b3ed93a883988a192d1394fc7c88117

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:27112d470a31725b75b29b29919af06b4ce1339e3b502b08889a92ab7099adde
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:a3c25199acb8e8426e6952658ccc4acaadb50fe2cfa6359743b64e5166b3fc70

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.14.1
+version: 0.15.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.14.1@sha256:b63293bc295e8c04574900bb711ebfe51db6774beb6bc3a58791562ec11b406b
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:88773436a4f2441869a43fb0999181874d38add09906bb9a91ff438dbc474bca

packages/apps/kubernetes/images/cluster-autoscaler/Dockerfile

@@ -1,12 +1,14 @@
 # Source: https://raw.githubusercontent.com/kubernetes/autoscaler/refs/heads/master/cluster-autoscaler/Dockerfile.amd64
-ARG builder_image=docker.io/library/golang:1.22.5
+ARG builder_image=docker.io/library/golang:1.23.4
 ARG BASEIMAGE=gcr.io/distroless/static:nonroot-amd64
 FROM ${builder_image} AS builder
 RUN git clone https://github.com/kubernetes/autoscaler /src/autoscaler \
  && cd /src/autoscaler/cluster-autoscaler \
- && git checkout cluster-autoscaler-1.31.0
+ && git checkout cluster-autoscaler-1.32.0
 
 WORKDIR /src/autoscaler/cluster-autoscaler
+COPY fix-downscale.diff /fix-downscale.diff
+RUN git apply /fix-downscale.diff
 RUN make build
 
 FROM $BASEIMAGE

packages/apps/kubernetes/images/cluster-autoscaler/fix-downscale.diff

@@ -0,0 +1,13 @@
+diff --git a/cluster-autoscaler/cloudprovider/clusterapi/clusterapi_unstructured.go b/cluster-autoscaler/cloudprovider/clusterapi/clusterapi_unstructured.go
+index 4eec0e4bf..f28fd9241 100644
+--- a/cluster-autoscaler/cloudprovider/clusterapi/clusterapi_unstructured.go
++++ b/cluster-autoscaler/cloudprovider/clusterapi/clusterapi_unstructured.go
+@@ -106,8 +106,6 @@ func (r unstructuredScalableResource) Replicas() (int, error) {
+ 
+ func (r unstructuredScalableResource) SetSize(nreplicas int) error {
+ 	switch {
+-	case nreplicas > r.maxSize:
+-		return fmt.Errorf("size increase too large - desired:%d max:%d", nreplicas, r.maxSize)
+ 	case nreplicas < r.minSize:
+ 		return fmt.Errorf("size decrease too large - desired:%d min:%d", nreplicas, r.minSize)
+ 	}

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.14.1@sha256:c0561a342e6b55d066f3363182f442e8fa30a0b6b448d89d15a1a855c999b98e
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:f947e82c50533df847e31f0d33597f10589065fccb1e462b6a9182772642d98e

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.14.1@sha256:4b84a077e7f1b75bdf8b272c8f147e4ef3b67b9bea83383a399e9149868384ac
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:f0367f809ec9f717e98b840d4d362b7afb366831f4692908c978dc23ffd885b3

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:91ec9c31472f8e94ae5f6f5a2568058eb28b3f57ab7e203d8d4a0993911fffc3
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:8392f00a7182294ce6fd417d254f7c2aa09fb9203d829dec70344a8050369430

packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml

@@ -30,6 +30,12 @@ spec:
         - /cluster-autoscaler
         args:
         - --cloud-provider=clusterapi
+        - --enforce-node-group-min-size=true
+        - --ignore-daemonsets-utilization=true
+        - --ignore-mirror-pods-utilization=true
+        - --scale-down-unneeded-time=30s
+        - --scan-interval=25s
+        - --force-delete-unregistered-nodes=true
         - --kubeconfig=/etc/kubernetes/kubeconfig/super-admin.svc
         - --clusterapi-cloud-config-authoritative
         - --node-group-auto-discovery=clusterapi:namespace={{ .Release.Namespace }},clusterName={{ .Release.Name }}

packages/apps/kubernetes/templates/cluster.yaml

@@ -29,6 +29,7 @@ spec:
             {{- range .group.roles }}
             node-role.kubernetes.io/{{ . }}: ""
             {{- end }}
+            cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ .groupName }}
         spec:
           domain:
             {{- if and .group.resources .group.resources.cpu }}
@@ -126,6 +127,21 @@ spec:
   replicas: 2
   version: 1.30.1
 ---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 2
+  minReplicas: 1
+  kind: kubernetes
+  type: control-plane
+  selector:
+    kamaji.clastix.io/component: deployment
+    kamaji.clastix.io/name: {{ .Release.Name }}
+  version: {{ $.Chart.Version }}
+---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtCluster
 metadata:
@@ -172,6 +188,7 @@ spec:
 ---
 {{- $context := deepCopy $ }}
 {{- $_ := set $context "group" $group }}
+{{- $_ := set $context "groupName" $groupName }}
 {{- $kubevirtmachinetemplate := include "kubevirtmachinetemplate" $context }}
 {{- $kubevirtmachinetemplateHash := $kubevirtmachinetemplate | sha256sum | trunc 6 }}
 {{- $kubevirtmachinetemplateName := printf "%s-%s-%s" $.Release.Name $groupName $kubevirtmachinetemplateHash }}
@@ -255,6 +272,21 @@ spec:
   - type: Ready
     status: "False"
     timeout: 300s
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-{{ $groupName }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  minReplicas: {{ $group.minReplicas }}
+  kind: kubernetes
+  type: worker
+  selector:
+    cluster.x-k8s.io/cluster-name: {{ $.Release.Name }}
+    cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ $groupName }}
+    cluster.x-k8s.io/role: worker
+  version: {{ $.Chart.Version }}
 {{- end }}
 ---
 {{- /*

packages/apps/kubernetes/templates/dashboard-resourcemap.yaml

@@ -24,3 +24,13 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  {{- range $groupName, $group := .Values.nodeGroups }}
+  - {{ $.Release.Name }}-{{ $groupName }}
+  {{- end }}
+  verbs: ["get", "list", "watch"]

packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml

@@ -48,7 +48,6 @@ spec:
         tenant: {{ .Release.Namespace }}
       remoteWrite:
         url: http://vminsert-shortterm.{{ $targetTenant }}.svc:8480/insert/0/prometheus
-
     fluent-bit:
       readinessProbe:
         httpGet:

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:f6435ce02b1bf4d7b2422676e84bc2299725ed2cfb93922e40f40a695d54b9d3
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:4bbfbb397bd7ecea45507ca47989c51429c4a24f40853ac92583e5b5b352fbea

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.1
+version: 0.8.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.7.1@sha256:406d2c5a30fa8b6fe10eab3cba45c06fea3876e81fd123ead6dc3c19347762d0
+ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:6a8ec7e7052f2d02ec5457d7cbac6ee52b3ed93a883988a192d1394fc7c88117

packages/apps/postgres/templates/dashboard-resourcemap.yaml

@@ -19,3 +19,10 @@ rules:
   resourceNames:
   - {{ .Release.Name }}-credentials
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/postgres/templates/db.yaml

@@ -29,3 +29,17 @@ spec:
   inheritedMetadata:
     labels:
       policy.cozystack.io/allow-to-apiserver: "true"
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: postgres
+  type: postgres
+  selector:
+    cnpg.io/cluster: {{ .Release.Name }}
+    cnpg.io/podRole: instance
+  version: {{ $.Chart.Version }}

packages/apps/redis/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/redis/README.md

@@ -19,5 +19,6 @@ Service utilizes the Spotahome Redis Operator for efficient management and orche
 | `size`         | Persistent Volume size                          | `1Gi`   |
 | `replicas`     | Number of Redis replicas                        | `2`     |
 | `storageClass` | StorageClass used to store the data             | `""`    |
+| `authEnabled`  | Enable password generation                      | `true`  |
 
 

packages/apps/redis/templates/dashboard-resourcemap.yaml

@@ -13,3 +13,18 @@ rules:
   - rfrs-{{ .Release.Name }}
   - "{{ .Release.Name }}-external-lb"
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - "{{ .Release.Name }}-auth"
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}-redis
+  - {{ .Release.Name }}-sentinel
+  verbs: ["get", "list", "watch"]

packages/apps/redis/templates/redisfailover.yaml

@@ -1,3 +1,20 @@
+{{- if .Values.authEnabled }}
+  {{- $existingPassword := lookup "v1" "Secret" .Release.Namespace (printf "%s-auth" .Release.Name) }}
+  {{- $password := randAlphaNum 32 | b64enc }}
+  {{- if $existingPassword }}
+    {{- $password = index $existingPassword.data "password" }}
+  {{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-auth
+data:
+  password: {{ $password }}
+{{- end }}
+
+---
+
 apiVersion: databases.spotahome.com/v1
 kind: RedisFailover
 metadata:
@@ -52,3 +69,38 @@ spec:
       - appendonly no
       - save ""
       {{- end }}
+  {{- if .Values.authEnabled }}
+  auth:
+    secretPath: {{ .Release.Name }}-auth
+  {{- end }}
+
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-redis
+  namespace: {{ $.Release.Namespace }}
+spec:
+  minReplicas: 1
+  replicas: {{ .Values.replicas }}
+  kind: redis
+  type: redis
+  selector:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-sentinel
+  namespace: {{ $.Release.Namespace }}
+spec:
+  minReplicas: 2
+  replicas: 3
+  kind: redis
+  type: sentinel
+  selector:
+    app.kubernetes.io/component: sentinel
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/redis/values.schema.json

@@ -21,6 +21,11 @@
             "type": "string",
             "description": "StorageClass used to store the data",
             "default": ""
+        },
+        "authEnabled": {
+            "type": "boolean",
+            "description": "Enable password generation",
+            "default": true
         }
     }
 }

packages/apps/redis/values.yaml

@@ -4,8 +4,10 @@
 ## @param size Persistent Volume size
 ## @param replicas Number of Redis replicas
 ## @param storageClass StorageClass used to store the data
+## @param authEnabled Enable password generation
 ##
 external: false
 size: 1Gi
 replicas: 2
 storageClass: ""
+authEnabled: true

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.6.2
+version: 1.6.7

packages/apps/tenant/templates/kubeconfig.yaml

@@ -4,9 +4,13 @@
 
 {{- if $k8sClientSecret }}
 {{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
+{{- $managementKubeconfigEndpoint := default "" (get $cozyConfig.data "management-kubeconfig-endpoint") }}
+{{- if and $managementKubeconfigEndpoint (ne $managementKubeconfigEndpoint "") }}
+{{- $apiServerEndpoint = $managementKubeconfigEndpoint }}
+{{- end }}
 {{- $k8sClient := index $k8sClientSecret.data "client-secret-key" | b64dec }}
 {{- $rootSaConfigMap := lookup "v1" "ConfigMap" "kube-system" "kube-root-ca.crt" }}
-{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc  }}
+{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc }}
 ---
 apiVersion: v1
 kind: Secret

packages/apps/tenant/templates/monitoring.yaml

@@ -26,12 +26,24 @@ spec:
     metricsStorages:
     - name: shortterm
       retentionPeriod: "3d"
-      deduplicationInterval: "5m"
-      storage: 10Gi
-    - name: longterm
-      retentionPeriod: "14d"
       deduplicationInterval: "15s"
       storage: 10Gi
+      vminsert:
+        resources: {}
+      vmselect:
+        resources: {}
+      vmstorage:
+        resources: {}
+    - name: longterm
+      retentionPeriod: "14d"
+      deduplicationInterval: "5m"
+      storage: 10Gi
+      vminsert:
+        resources: {}
+      vmselect:
+        resources: {}
+      vmstorage:
+        resources: {}
     oncall:
       enabled: false
 {{- end }}

packages/apps/tenant/templates/tenant.yaml

@@ -14,6 +14,8 @@ metadata:
     kubernetes.io/service-account.name: {{ include "tenant.name" . }}
 type: kubernetes.io/service-account-token
 ---
+# == default role ==
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -29,9 +31,10 @@ rules:
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["roles"]
   verbs: ["get"]
-- apiGroups: ["helm.toolkit.fluxcd.io"]
-  resources: ["helmreleases"]
-  verbs: ["*"]
+- apiGroups: ["apps.cozystack.io"]
+  resources: ['*']
+  verbs: ['*']
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -62,18 +65,7 @@ roleRef:
   name: {{ include "tenant.name" . }}
   apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "tenant.name" . }}
-  namespace: cozy-public
-rules:
-- apiGroups: ["source.toolkit.fluxcd.io"]
-  resources: ["helmrepositories"]
-  verbs: ["get", "list"]
-- apiGroups: ["source.toolkit.fluxcd.io"]
-  resources: ["helmcharts"]
-  verbs: ["*"]
+# == view role ==
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -95,14 +87,6 @@ rules:
       - get
       - list
       - watch
-  - apiGroups:
-      - helm.toolkit.fluxcd.io
-    resources:
-      - helmreleases
-    verbs:
-      - get
-      - list
-      - watch
   - apiGroups:
       - ""
     resources:
@@ -119,22 +103,38 @@ rules:
       - get
       - list
       - watch
-
 ---
-
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ include "tenant.name" . }}-view
   namespace: {{ include "tenant.name" . }}
 subjects:
-  - kind: Group
-    name: {{ include "tenant.name" . }}-view
-    apiGroup: rbac.authorization.k8s.io
+{{- if ne .Release.Namespace "tenant-root" }}
+- kind: Group
+  name: tenant-root-view
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-view
+  apiGroup: rbac.authorization.k8s.io
+{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- $parts := splitList "-" .Release.Namespace }}
+{{- range $i, $v := $parts }}
+{{- if ne $i 0 }}
+- kind: Group
+  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-view
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-view
   apiGroup: rbac.authorization.k8s.io
+
+---
+# == use role ==
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
@@ -154,13 +154,6 @@ rules:
     - get
     - list
     - watch
-  - apiGroups: ["helm.toolkit.fluxcd.io"]
-    resources:
-    - helmreleases
-    verbs:
-    - get
-    - list
-    - watch
   - apiGroups: [""]
     resources:
     - "*"
@@ -189,14 +182,31 @@ metadata:
   name: {{ include "tenant.name" . }}-use
   namespace: {{ include "tenant.name" . }}
 subjects:
-  - kind: Group
-    name: {{ include "tenant.name" . }}-use
-    apiGroup: rbac.authorization.k8s.io
+{{- if ne .Release.Namespace "tenant-root" }}
+- kind: Group
+  name: tenant-root-use
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-use
+  apiGroup: rbac.authorization.k8s.io
+{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- $parts := splitList "-" .Release.Namespace }}
+{{- range $i, $v := $parts }}
+{{- if ne $i 0 }}
+- kind: Group
+  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-use
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-use
   apiGroup: rbac.authorization.k8s.io
 ---
+# == admin role ==
+---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -216,13 +226,6 @@ rules:
     - list
     - watch
     - delete
-  - apiGroups: ["helm.toolkit.fluxcd.io"]
-    resources:
-    - helmreleases
-    verbs:
-    - get
-    - list
-    - watch
   - apiGroups: ["kubevirt.io"]
     resources:
     - virtualmachines
@@ -263,64 +266,6 @@ rules:
     - update
     - patch
     - delete
-
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "tenant.name" . }}-admin
-  namespace: cozy-public
-rules:
-  - apiGroups: ["source.toolkit.fluxcd.io"]
-    resources: ["helmrepositories"]
-    verbs:
-    - get
-    - list
-  - apiGroups:
-    - source.toolkit.fluxcd.io
-    resources:
-    - helmcharts
-    verbs:
-    - get
-    - list
-  - apiGroups: ["source.toolkit.fluxcd.io"]
-    resources:
-    - helmcharts
-    verbs: ["*"]
-    resourceNames:
-    - bucket
-    - clickhouse
-    - ferretdb
-    - foo
-    - httpcache
-    - kafka
-    - kubernetes
-    - mysql
-    - nats
-    - postgres
-    - rabbitmq
-    - redis
-    - seaweedfs
-    - tcpbalancer
-    - virtualmachine
-    - vmdisk
-    - vminstance
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "tenant.name" . }}-admin
-  namespace: cozy-public
-subjects:
-- kind: Group
-  name: {{ include "tenant.name" . }}-admin
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: {{ include "tenant.name" . }}-admin
-  apiGroup: rbac.authorization.k8s.io
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -328,14 +273,31 @@ metadata:
   name: {{ include "tenant.name" . }}-admin
   namespace: {{ include "tenant.name" . }}
 subjects:
-  - kind: Group
-    name: {{ include "tenant.name" . }}-admin
-    apiGroup: rbac.authorization.k8s.io
+{{- if ne .Release.Namespace "tenant-root" }}
+- kind: Group
+  name: tenant-root-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- $parts := splitList "-" .Release.Namespace }}
+{{- range $i, $v := $parts }}
+{{- if ne $i 0 }}
+- kind: Group
+  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-admin
   apiGroup: rbac.authorization.k8s.io
 ---
+# == super admin role ==
+---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -355,11 +317,6 @@ rules:
     - list
     - watch
     - delete
-  - apiGroups: ["helm.toolkit.fluxcd.io"]
-    resources:
-    - helmreleases
-    verbs:
-    - '*'
   - apiGroups: ["kubevirt.io"]
     resources:
     - virtualmachines
@@ -377,38 +334,6 @@ rules:
     - '*'
     verbs:
     - '*'
-
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "tenant.name" . }}-super-admin
-  namespace: cozy-public
-rules:
-  - apiGroups: ["source.toolkit.fluxcd.io"]
-    resources: ["helmrepositories"]
-    verbs:
-    - get
-    - list
-  - apiGroups: ["source.toolkit.fluxcd.io"]
-    resources:
-    - helmcharts
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "tenant.name" . }}-super-admin
-  namespace: cozy-public
-subjects:
-- kind: Group
-  name: {{ include "tenant.name" . }}-super-admin
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: {{ include "tenant.name" . }}-super-admin
-  apiGroup: rbac.authorization.k8s.io
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -416,6 +341,14 @@ metadata:
   name: {{ include "tenant.name" . }}-super-admin
   namespace: {{ include "tenant.name" . }}
 subjects:
+{{- if ne .Release.Namespace "tenant-root" }}
+- kind: Group
+  name: tenant-root-super-admin
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
 {{- range $i, $v := $parts }}
@@ -426,10 +359,48 @@ subjects:
 {{- end }}
 {{- end }}
 {{- end }}
-- kind: Group
-  name: {{ include "tenant.name" . }}-super-admin
-  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-super-admin
   apiGroup: rbac.authorization.k8s.io
+---
+# == dashboard role ==
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tenant.name" . }}
+  namespace: cozy-public
+rules:
+- apiGroups: ["source.toolkit.fluxcd.io"]
+  resources: ["helmrepositories"]
+  verbs: ["get", "list"]
+- apiGroups: ["source.toolkit.fluxcd.io"]
+  resources: ["helmcharts"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "tenant.name" . }}
+  namespace: cozy-public
+subjects:
+- kind: Group
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: {{ include "tenant.name" . }}-admin
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: {{ include "tenant.name" . }}-use
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: {{ include "tenant.name" . }}-view
+  apiGroup: rbac.authorization.k8s.io
+- kind: ServiceAccount
+  name: {{ include "tenant.name" . }}
+  namespace: {{ include "tenant.name" . }}
+roleRef:
+  kind: Role
+  name: {{ include "tenant.name" . }}
+  apiGroup: rbac.authorization.k8s.io

packages/apps/versions_map

@@ -42,7 +42,8 @@ kubernetes 0.12.0 74649f8
 kubernetes 0.12.1 28fca4e
 kubernetes 0.13.0 ced8e5b9
 kubernetes 0.14.0 bfbde07c
-kubernetes 0.14.1 HEAD
+kubernetes 0.14.1 fde4bcfa
+kubernetes 0.15.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
@@ -65,7 +66,8 @@ postgres 0.5.0 c07c4bbd
 postgres 0.6.0 2a4768a
 postgres 0.6.2 54fd61c
 postgres 0.7.0 dc9d8bb
-postgres 0.7.1 HEAD
+postgres 0.7.1 175a65f
+postgres 0.8.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 5ca8823
 rabbitmq 0.3.0 9e33dc0
@@ -76,7 +78,9 @@ rabbitmq 0.4.3 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 c07c4bbd
-redis 0.3.1 HEAD
+redis 0.3.1 b7375f73
+redis 0.4.0 abc8f082
+redis 0.5.0 HEAD
 tcp-balancer 0.1.0 f642698
 tcp-balancer 0.2.0 HEAD
 tenant 0.1.3 3d1b86c
@@ -91,15 +95,27 @@ tenant 1.4.0 94c688f7
 tenant 1.5.0 48128743
 tenant 1.6.0 df448b99
 tenant 1.6.1 edbbb9be
-tenant 1.6.2 HEAD
+tenant 1.6.2 ccedc5fe
+tenant 1.6.3 2057bb96
+tenant 1.6.4 3c9e50a4
+tenant 1.6.5 f1e11451
+tenant 1.6.6 d4634797
+tenant 1.6.7 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
 virtual-machine 0.3.0 b908400
 virtual-machine 0.4.0 4746d51
-virtual-machine 0.5.0 HEAD
+virtual-machine 0.5.0 cad9cde
+virtual-machine 0.6.0 0e728870
+virtual-machine 0.7.0 af58018a
+virtual-machine 0.7.1 HEAD
 vm-disk 0.1.0 HEAD
-vm-instance 0.1.0 HEAD
+vm-instance 0.1.0 ced8e5b9
+vm-instance 0.2.0 4f767ee3
+vm-instance 0.3.0 0e728870
+vm-instance 0.4.0 af58018a
+vm-instance 0.4.1 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 a2bcf100

packages/apps/virtual-machine/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.7.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.1"
+appVersion: "0.7.1"

packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: virtual-machine
+  type: virtual-machine
+  selector:
+    vm.kubevirt.io/name: {{ .Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/virtual-machine/templates/vm-update-hook.yaml

@@ -0,0 +1,119 @@
+{{- $vmName := include "virtual-machine.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+{{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
+{{- $existingPVC := lookup "v1" "PersistentVolumeClaim" $namespace $vmName -}}
+
+{{- $instanceType := .Values.instanceType | default "" -}}
+{{- $instanceProfile := .Values.instanceProfile | default "" -}}
+{{- $desiredStorage := .Values.systemDisk.storage | default "" -}}
+
+{{- $needUpdateType := false -}}
+{{- $needUpdateProfile := false -}}
+{{- $needResizePVC := false -}}
+
+{{- if and $existingVM $instanceType -}}
+  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
+    {{- $needUpdateType = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingVM $instanceProfile -}}
+  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
+    {{- $needUpdateProfile = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingPVC $desiredStorage -}}
+  {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
+  {{- if not (eq $currentStorage $desiredStorage) -}}
+    {{- $needResizePVC = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile $needResizePVC }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ $.Release.Name }}-update-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: "{{ $.Release.Name }}-update-hook"
+        policy.cozystack.io/allow-to-apiserver: "true"
+    spec:
+      serviceAccountName: {{ $.Release.Name }}-update-hook
+      restartPolicy: Never
+      containers:
+        - name: update-resources
+          image: bitnami/kubectl:latest
+          command: ["sh", "-exc"]
+          args:
+            - |
+              {{- if $needUpdateType }}
+              echo "Patching VirtualMachine for instancetype update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name": "{{ $instanceType }}", "revisionName": null}}}'
+              {{- end }}
+              
+              {{- if $needUpdateProfile }}
+              echo "Patching VirtualMachine for preference update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
+              {{- end }}
+
+              {{- if $needResizePVC }}
+              echo "Patching PVC for storage resize..."
+              kubectl patch pvc {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"resources":{"requests":{"storage":"{{ $desiredStorage }}"}}}}'
+              {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["patch", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}-update-hook
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-update-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-instance/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.4.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.4.1"

packages/apps/vm-instance/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: virtual-machine
+  type: virtual-machine
+  selector:
+    vm.kubevirt.io/name: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/vm-instance/templates/vm-update-hook.yaml

@@ -0,0 +1,99 @@
+{{- $vmName := include "virtual-machine.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+{{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
+
+{{- $instanceType := .Values.instanceType | default "" -}}
+{{- $instanceProfile := .Values.instanceProfile | default "" -}}
+
+{{- $needUpdateType := false -}}
+{{- $needUpdateProfile := false -}}
+
+{{- if and $existingVM $instanceType -}}
+  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
+    {{- $needUpdateType = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingVM $instanceProfile -}}
+  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
+    {{- $needUpdateProfile = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ $.Release.Name }}-update-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: "{{ $.Release.Name }}-update-hook"
+        policy.cozystack.io/allow-to-apiserver: "true"
+    spec:
+      serviceAccountName: {{ $.Release.Name }}-update-hook
+      restartPolicy: Never
+      containers:
+        - name: update-resources
+          image: bitnami/kubectl:latest
+          command: ["sh", "-exc"]
+          args:
+            - |
+              {{- if $needUpdateType }}
+              echo "Patching VirtualMachine for instancetype update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name": "{{ $instanceType }}", "revisionName": null}}}'
+              {{- end }}
+              
+              {{- if $needUpdateProfile }}
+              echo "Patching VirtualMachine for preference update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
+              {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}-update-hook
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-update-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-instance/templates/vm.yaml

@@ -17,15 +17,12 @@ spec:
   instancetype:
     kind: VirtualMachineClusterInstancetype
     name: {{ . }}
-    revisionName: null
-  {{- end }}
+    {{- end }}
   {{- with .Values.instanceProfile }}
   preference:
     kind: VirtualMachineClusterPreference
     name: {{ . }}
-    revisionName: null
-  {{- end }}
-
+    {{- end }}
   template:
     metadata:
       annotations:
@@ -47,7 +44,7 @@ spec:
           disks:
           {{- range $i, $disk := .Values.disks }}
           - name: disk-{{ .name }}
-            {{- $disk := lookup "cdi.kubevirt.io/v1beta1" "DataVolume" $.Release.Namespace .name }}
+            {{- $disk := lookup "cdi.kubevirt.io/v1beta1" "DataVolume" $.Release.Namespace (printf "vm-disk-%s" .name) }}
             {{- if $disk }}
             {{- if and (hasKey $disk.metadata.annotations "vm-disk.cozystack.io/optical") (eq (index $disk.metadata.annotations "vm-disk.cozystack.io/optical") "true") }}
             cdrom: {}
@@ -85,7 +82,7 @@ spec:
       {{- range .Values.disks }}
       - name: disk-{{ .name }}
         dataVolume:
-          name: {{ .name }}
+          name: vm-disk-{{ .name }}
       {{- end }}
       {{- if or .Values.sshKeys .Values.cloudInit }}
       - name: cloudinitdisk

packages/apps/vm-instance/values.yaml

@@ -18,8 +18,8 @@ instanceProfile: ubuntu
 ## @param disks [array] List of disks to attach
 ## Example:
 ## disks:
-## - name: vm-disk-example-system
-## - name: vm-disk-example-data
+## - name: example-system
+## - name: example-data
 disks: []
 
 ## @param resources.cpu The number of CPU cores allocated to the virtual machine

packages/core/builder/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: builder
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/core/builder/Makefile

@@ -0,0 +1,35 @@
+NAMESPACE=cozy-builder
+NAME := builder
+
+TALOS_VERSION=$(shell awk '/^version:/ {print $$2}' ../installer/images/talos/profiles/installer.yaml)
+
+include ../../../scripts/common-envs.mk
+
+help: ## Show this help.
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+show:
+	helm template -n $(NAMESPACE) $(NAME) .
+
+apply: ## Create builder sandbox in existing Kubernetes cluster.
+	helm template -n $(NAMESPACE) $(NAME) . | kubectl apply -f -
+	docker buildx ls | grep -q '^buildkit-builder*' || docker buildx create \
+		--bootstrap \
+		--name=buildkit-$(NAME) \
+		--driver=kubernetes \
+		--driver-opt=namespace=$(NAMESPACE),replicas=1 \
+		--platform=linux/amd64 \
+		--platform=linux/arm64 \
+		--use \
+		--config config.toml
+
+diff:
+	helm template -n $(NAMESPACE) $(NAME) . | kubectl diff -f -
+
+delete: ## Remove builder sandbox from existing Kubernetes cluster.
+	kubectl delete deploy -n $(NAMESPACE) $(NAME)-talos-imager
+	docker buildx rm buildkit-$(NAME)
+
+wait-for-builder:
+	kubectl wait deploy --for=condition=Progressing -n $(NAMESPACE) $(NAME)-talos-imager
+	kubectl wait pod --for=condition=Ready -n $(NAMESPACE) -l app=$(NAME)-talos-imager

packages/core/builder/config.toml

@@ -0,0 +1,11 @@
+[worker.oci]
+  gc = true
+  gckeepstorage = 50000
+
+  [[worker.oci.gcpolicy]]
+    keepBytes = 10737418240
+    keepDuration = 604800
+    filters = [ "type==source.local", "type==exec.cachemount", "type==source.git.checkout"]
+  [[worker.oci.gcpolicy]]
+    all = true
+    keepBytes = 53687091200

packages/core/builder/templates/sandbox.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Release.Namespace }}
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-talos-imager
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-talos-imager
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-talos-imager
+    spec:
+      automountServiceAccountToken: false
+      terminationGracePeriodSeconds: 1
+      containers:
+      - name: imager
+        image: "{{ .Values.talos.imager.image }}"
+        securityContext:
+          privileged: true
+        command:
+        - sleep
+        - infinity
+        volumeMounts:
+        - mountPath: /dev
+          name: dev
+      volumes:
+      - hostPath:
+          path: /dev
+          type: Directory
+        name: dev

packages/core/builder/values.yaml

@@ -0,0 +1,3 @@
+talos:
+  imager:
+    image: ghcr.io/siderolabs/imager:v1.9.2

packages/core/installer/Makefile

@@ -19,10 +19,12 @@ diff:
 
 update:
 	hack/gen-profiles.sh
+	IMAGE=$$(yq '.input.baseInstaller.imageRef | sub("/installer:", "/imager:")' images/talos/profiles/installer.yaml) \
+		yq -i '.talos.imager.image = strenv(IMAGE)' ../builder/values.yaml
 
 image: pre-checks image-cozystack image-talos image-matchbox
 
-image-cozystack:
+image-cozystack: run-builder
 	make -C ../../.. repos
 	docker buildx build -f images/cozystack/Dockerfile ../../.. \
 		--provenance false \
@@ -37,13 +39,11 @@ image-cozystack:
 		yq -i '.cozystack.image = strenv(IMAGE)' values.yaml
 	rm -f images/cozystack.json
 
-image-talos:
+image-talos: run-builder
 	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
-	docker load -i ../../../_out/assets/installer-amd64.tar
-	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
-	docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
+	skopeo copy docker-archive:../../../_out/assets/installer-amd64.tar docker://$(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
 
-image-matchbox:
+image-matchbox:  run-builder
 	test -f ../../../_out/assets/kernel-amd64 || make talos-kernel
 	test -f ../../../_out/assets/initramfs-metal-amd64.xz || make talos-initramfs
 	docker buildx build -f images/matchbox/Dockerfile ../../.. \
@@ -55,6 +55,8 @@ image-matchbox:
 		--metadata-file images/matchbox.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
+	echo "$(REGISTRY)/matchbox:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/matchbox.json -o json -r)" \
+		> ../../extra/bootbox/images/matchbox.tag
 	rm -f images/matchbox.json
 
 assets: talos-iso talos-nocloud talos-metal
@@ -62,5 +64,8 @@ assets: talos-iso talos-nocloud talos-metal
 talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal:
 	mkdir -p ../../../_out/assets
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
-		docker run --rm -i -v /dev:/dev --privileged "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" --tar-to-stdout - | \
+		kubectl exec -i -n cozy-builder deploy/builder-talos-imager -- imager --tar-to-stdout - | \
 		tar -C ../../../_out/assets -xzf-
+
+run-builder:
+	make -C ../builder/ apply wait-for-builder

packages/core/installer/images/cozystack/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:alpine3.19 as k8s-await-election-builder
+FROM golang:alpine3.21 as k8s-await-election-builder
 
 ARG K8S_AWAIT_ELECTION_GITREPO=https://github.com/LINBIT/k8s-await-election
 ARG K8S_AWAIT_ELECTION_VERSION=0.4.1
@@ -13,7 +13,7 @@ RUN git clone ${K8S_AWAIT_ELECTION_GITREPO} /usr/local/go/k8s-await-election/ \
  && make \
  && mv ./out/k8s-await-election-${TARGETARCH} /k8s-await-election
 
-FROM alpine:3.19 AS builder
+FROM golang:alpine3.21 as builder
 
 RUN apk add --no-cache make git
 RUN apk add helm --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community
@@ -21,12 +21,14 @@ RUN apk add helm --repository=https://dl-cdn.alpinelinux.org/alpine/edge/communi
 COPY . /src/
 WORKDIR /src
 
+RUN go build -o /cozystack-assets-server -ldflags '-extldflags "-static" -w -s' ./cmd/cozystack-assets-server
+
 # Check that versions_map is not changed
 RUN make repos
 
-FROM alpine:3.19
+FROM alpine:3.21
 
-RUN apk add --no-cache make darkhttpd
+RUN apk add --no-cache make
 RUN apk add helm kubectl --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community
 
 COPY scripts /cozystack/scripts
@@ -34,6 +36,7 @@ COPY --from=builder /src/packages/core /cozystack/packages/core
 COPY --from=builder /src/packages/system /cozystack/packages/system
 COPY --from=builder /src/_out/repos /cozystack/assets/repos
 COPY --from=builder /src/_out/logos /cozystack/assets/logos
+COPY --from=builder /cozystack-assets-server /usr/bin/cozystack-assets-server
 COPY --from=k8s-await-election-builder /k8s-await-election /usr/bin/k8s-await-election
 COPY dashboards /cozystack/assets/dashboards
 

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.3
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.3
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.3
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.3
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.3
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.8.3
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.3
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241110
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241110
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241110
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.3
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/templates/cozystack.yaml

@@ -67,13 +67,12 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-      - name: darkhttpd
+      - name: assets
         image: "{{ .Values.cozystack.image }}"
         command:
-        - /usr/bin/darkhttpd
-        - /cozystack/assets
-        - --port
-        - "8123"
+        - /usr/bin/cozystack-assets-server
+        - "-dir=/cozystack/assets"
+        - "-address=:8123"
         ports:
         - name: http
           containerPort: 8123

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.20.2@sha256:061668fa81344302f1097482418fe7925d77ca74ccc856dcb739119590523136
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.24.0@sha256:3560daf09e41b5a729b4377341cc01d51b272122640bd7c4db9d1f5fcb8008a9

packages/core/platform/bundles/distro-full.yaml

@@ -37,6 +37,17 @@ releases:
   namespace: cozy-cert-manager
   dependsOn: [cilium]
 
+- name: cozystack-controller
+  releaseName: cozystack-controller
+  chart: cozy-cozystack-controller
+  namespace: cozy-system
+  dependsOn: [cilium]
+  {{- if eq (index $cozyConfig.data "telemetry-enabled") "false" }}
+  values:
+    cozystackController:
+      disableTelemetry: true
+  {{- end }}
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -98,7 +109,7 @@ releases:
   chart: cozy-postgres-operator
   namespace: cozy-postgres-operator
   optional: true
-  dependsOn: [cilium,cert-manager]
+  dependsOn: [cilium,cert-manager,victoria-metrics-operator]
 
 - name: kafka-operator
   releaseName: kafka-operator
@@ -188,3 +199,11 @@ releases:
   namespace: cozy-keycloak
   optional: true
   dependsOn: [keycloak]
+
+- name: bootbox
+  releaseName: bootbox
+  chart: cozy-bootbox
+  namespace: cozy-bootbox
+  privileged: true
+  optional: true
+  dependsOn: [cilium]

packages/core/platform/bundles/distro-hosted.yaml

@@ -20,6 +20,17 @@ releases:
   namespace: cozy-cert-manager
   dependsOn: []
 
+- name: cozystack-controller
+  releaseName: cozystack-controller
+  chart: cozy-cozystack-controller
+  namespace: cozy-system
+  dependsOn: [cilium]
+  {{- if eq (index $cozyConfig.data "telemetry-enabled") "false" }}
+  values:
+    cozystackController:
+      disableTelemetry: true
+  {{- end }}
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -74,7 +85,7 @@ releases:
   chart: cozy-postgres-operator
   namespace: cozy-postgres-operator
   optional: true
-  dependsOn: [cert-manager]
+  dependsOn: [victoria-metrics-operator]
 
 - name: kafka-operator
   releaseName: kafka-operator

packages/core/platform/bundles/paas-full.yaml

@@ -62,6 +62,17 @@ releases:
   namespace: cozy-system
   dependsOn: [cilium,kubeovn]
 
+- name: cozystack-controller
+  releaseName: cozystack-controller
+  chart: cozy-cozystack-controller
+  namespace: cozy-system
+  dependsOn: [cilium,kubeovn]
+  {{- if eq (index $cozyConfig.data "telemetry-enabled") "false" }}
+  values:
+    cozystackController:
+      disableTelemetry: true
+  {{- end }}
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -91,7 +102,7 @@ releases:
   releaseName: kubevirt-operator
   chart: cozy-kubevirt-operator
   namespace: cozy-kubevirt
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cilium,kubeovn,victoria-metrics-operator]
 
 - name: kubevirt
   releaseName: kubevirt
@@ -210,25 +221,28 @@ releases:
   chart: cozy-dashboard
   namespace: cozy-dashboard
   dependsOn: [cilium,kubeovn,keycloak-configure]
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
   values:
-      redis:
-        master:
-          podAnnotations:
-            {{- range $index, $repo := . }}
-            {{- with (($repo.status).artifact).revision }}
-            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
-            {{- end }}
-            {{- end }}
-  {{- end }}
-  {{- end }}
+    {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+    {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
+    redis:
+      master:
+        podAnnotations:
+          {{- range $index, $repo := . }}
+          {{- with (($repo.status).artifact).revision }}
+          repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
+          {{- end }}
+          {{- end }}
+    {{- end }}
+    {{- end }}
+
+    {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
+    {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
+    {{- if $dashboardKCValues }}
+    {{- $dashboardKCValues | nindent 4 }}
+    {{- end }}
+
   {{- if eq $oidcEnabled "true" }}
   dependsOn: [keycloak-configure]
-  valuesFrom:
-    - kind: ConfigMap
-      name: kubeapps-auth-config
-      valuesKey: values.yaml
   {{- else }}
   dependsOn: []
   {{- end }}
@@ -267,6 +281,14 @@ releases:
   optional: true
   dependsOn: [cilium,kubeovn]
 
+- name: bootbox
+  releaseName: bootbox
+  chart: cozy-bootbox
+  namespace: cozy-bootbox
+  privileged: true
+  optional: true
+  dependsOn: [cilium,kubeovn]
+
 {{- if $oidcEnabled }}
 - name: keycloak
   releaseName: keycloak
@@ -285,4 +307,7 @@ releases:
   chart: cozy-keycloak-configure
   namespace: cozy-keycloak
   dependsOn: [keycloak-operator]
+  values:
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}

packages/core/platform/bundles/paas-hosted.yaml

@@ -35,6 +35,17 @@ releases:
   namespace: cozy-system
   dependsOn: []
 
+- name: cozystack-controller
+  releaseName: cozystack-controller
+  chart: cozy-cozystack-controller
+  namespace: cozy-system
+  dependsOn: []
+  {{- if eq (index $cozyConfig.data "telemetry-enabled") "false" }}
+  values:
+    cozystackController:
+      disableTelemetry: true
+  {{- end }}
+
 - name: cert-manager
   releaseName: cert-manager
   chart: cozy-cert-manager
@@ -82,7 +93,7 @@ releases:
   releaseName: postgres-operator
   chart: cozy-postgres-operator
   namespace: cozy-postgres-operator
-  dependsOn: [cert-manager]
+  dependsOn: [cert-manager,victoria-metrics-operator]
 
 - name: kafka-operator
   releaseName: kafka-operator
@@ -139,9 +150,9 @@ releases:
   releaseName: dashboard
   chart: cozy-dashboard
   namespace: cozy-dashboard
-  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-  {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
   values:
+    {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+    {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
     kubeapps:
       redis:
         master:
@@ -151,14 +162,17 @@ releases:
             repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
             {{- end }}
             {{- end }}
-  {{- end }}
-  {{- end }}
+    {{- end }}
+    {{- end }}
+
+    {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
+    {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
+    {{- if $dashboardKCValues }}
+    {{- $dashboardKCValues | nindent 4 }}
+    {{- end }}
+
   {{- if eq $oidcEnabled "true" }}
   dependsOn: [keycloak-configure]
-  valuesFrom:
-    - kind: ConfigMap
-      name: kubeapps-auth-config
-      valuesKey: values.yaml
   {{- else }}
   dependsOn: []
   {{- end }}
@@ -181,4 +195,7 @@ releases:
   chart: cozy-keycloak-configure
   namespace: cozy-keycloak
   dependsOn: [keycloak-operator]
+  values:
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}

packages/core/testing/Makefile

@@ -36,7 +36,10 @@ image-e2e-sandbox:
 copy-hack-dir:
 	tar -C ../../../ -cf- hack | kubectl exec -i -n $(NAMESPACE) deploy/cozystack-e2e-$(NAME) -- tar -xf-
 
-test: wait-for-sandbox copy-hack-dir ## Run the end-to-end tests in existing sandbox.
+copy-image:
+	cat ../../../_out/assets/nocloud-amd64.raw.xz | kubectl exec -i -n $(NAMESPACE) deploy/cozystack-e2e-$(NAME) -- sh -xec 'xz --decompress > /nocloud-amd64.raw'
+
+test: wait-for-sandbox copy-hack-dir copy-image ## Run the end-to-end tests in existing sandbox.
 	helm template -n cozy-system installer ../installer | kubectl exec -i -n $(NAMESPACE) deploy/cozystack-e2e-$(NAME) -- sh -c 'cat > /cozystack-installer.yaml'
 	kubectl exec -ti -n $(NAMESPACE) deploy/cozystack-e2e-$(NAME) -- sh -c 'export COZYSTACK_INSTALLER_YAML=$$(cat /cozystack-installer.yaml) && /hack/e2e.sh'
 

packages/core/testing/images/e2e-sandbox/Dockerfile

@@ -1,8 +1,8 @@
 FROM ubuntu:22.04
 
-ARG KUBECTL_VERSION=1.31.0
-ARG TALOSCTL_VERSION=1.7.6
-ARG HELM_VERSION=3.15.4
+ARG KUBECTL_VERSION=1.32.0
+ARG TALOSCTL_VERSION=1.8.4
+ARG HELM_VERSION=3.16.4
 
 RUN apt-get update
 RUN apt-get -y install genisoimage qemu-kvm qemu-utils iproute2 iptables wget xz-utils netcat curl jq

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.20.2@sha256:1a26a511b9e269bcb607e2d80f878d7c2d993b7a2a7a3a2a1042470c8c56b061
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.24.0@sha256:38229517c86e179984a6d39f5510b859d13d965e35b216bc01ce456f9ab5f8b5

packages/extra/bootbox/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: bootbox
+description: PXE hardware provisioning
+icon: /logos/bootbox.svg
+type: application
+version: 0.1.0

packages/extra/bootbox/Makefile

@@ -0,0 +1,11 @@
+NAME=bootbox
+NAMESPACE=tenant-root
+
+include ../../../scripts/package.mk
+
+generate:
+	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
+	cat values.schema.json.tmp | \
+		jq '.properties.machines.items.type = "object"' \
+		> values.schema.json
+	rm -f values.schema.json.tmp

packages/extra/bootbox/README.md

@@ -0,0 +1,11 @@
+# BootBox
+
+## Parameters
+
+### Common parameters
+
+| Name            | Description                                           | Value  |
+| --------------- | ----------------------------------------------------- | ------ |
+| `whitelistHTTP` | Secure HTTP by enabling  client networks whitelisting | `true` |
+| `whitelist`     | List of client networks                               | `[]`   |
+| `machines`      | Configuration of physical machine instances           | `[]`   |

packages/extra/bootbox/hack/test.sh

@@ -0,0 +1,18 @@
+apk add iptables iproute2 qemu-system-x86_64 qemu-img
+
+iptables -t nat -D POSTROUTING -s 10.8.2.0/24 ! -d 10.8.2.0/24 -j MASQUERADE 2>/dev/null || true
+iptables -t nat -A POSTROUTING -s 10.8.2.0/24 ! -d 10.8.2.0/24 -j MASQUERADE
+
+ip link del tap0 2>/dev/null || true
+ip tuntap add dev tap0 mode tap
+ip link set tap0 up
+ip addr add 10.8.2.1/24 dev tap0
+
+
+rm -f data.img
+qemu-img create data.img 100G
+
+qemu-system-x86_64 -machine type=pc,accel=kvm -cpu host -smp 4 -m 8192 \
+  -device virtio-net,netdev=net0,mac=d6:fa:af:52:25:93 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
+  -drive file=data.img,if=virtio,format=raw \
+  -nographic

packages/extra/bootbox/images/matchbox.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/matchbox:v0.24.0@sha256:6402f92454bfad6d81ff4d07c21c46e44bc2b890769963d5c0d8b6b31300384f

packages/extra/bootbox/logos/bootbox.svg

@@ -0,0 +1,91 @@
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_979_792)"/>
+<path d="M71.5698 76.5336C71.2374 76.5336 70.9036 76.4847 70.5829 76.3892L36.2079 66.0767C34.3885 65.5311 33.3562 63.6144 33.9017 61.7966C34.4489 59.9755 36.3657 58.9483 38.1817 59.4904L71.5698 69.5076L104.958 59.4904C106.776 58.96 108.691 59.9772 109.238 61.7966C109.783 63.6144 108.751 65.5311 106.932 66.0767L72.5567 76.3892C72.236 76.4847 71.9022 76.5336 71.5698 76.5336Z" fill="#231F20"/>
+<path d="M74.973 53.0214C74.7668 54.3276 73.8043 55.3933 72.5668 55.7714L38.1918 66.0839C37.848 66.187 37.5387 66.2214 37.1949 66.2214C36.3699 66.2214 35.5793 65.912 34.9262 65.362L21.1762 53.3308C20.248 52.5401 19.8355 51.2683 20.0762 50.0651C20.3168 48.862 21.1762 47.8651 22.3449 47.487L53.2824 37.1745C54.3137 36.8308 55.448 37.0026 56.3418 37.6214L73.5293 49.6526C74.6293 50.4089 75.1793 51.7151 74.973 53.0214Z" fill="#FFDC83"/>
+<path d="M121.964 53.3308L108.214 65.362C107.56 65.912 106.77 66.2214 105.945 66.2214C105.601 66.2214 105.292 66.187 104.948 66.0839L70.573 55.7714C69.3355 55.3933 68.373 54.3276 68.1667 53.0214C67.9605 51.7151 68.5105 50.4089 69.6105 49.6526L86.798 37.6214C87.6917 37.0026 88.8261 36.8308 89.8574 37.1745L120.795 47.487C121.964 47.8651 122.823 48.862 123.064 50.0651C123.304 51.2683 122.892 52.5401 121.964 53.3308Z" fill="#FFDC83"/>
+<path d="M109.382 63.6426V107.471C109.382 108.88 108.522 110.152 107.216 110.668L72.8412 124.418C72.4287 124.589 72.0162 124.658 71.5693 124.658C71.1225 124.658 70.71 124.589 70.2975 124.418L35.9225 110.668C34.6162 110.152 33.7568 108.88 33.7568 107.471V63.6426C33.7568 61.752 35.3037 60.2051 37.1943 60.2051H105.944C107.835 60.2051 109.382 61.752 109.382 63.6426Z" fill="#EABD4C"/>
+<path d="M107.999 61.4958C107.999 62.9812 107.037 64.2979 105.643 64.7368L72.4613 74.865C72.1295 74.9662 71.8308 75 71.499 75C71.1672 75 70.8686 74.9662 70.5368 74.865L37.3549 64.7368C35.9613 64.2979 34.999 62.9812 34.999 61.4958C34.999 60.0103 35.9613 58.6937 37.3549 58.2548L70.5368 48.1266C71.1672 47.9578 71.8308 47.9578 72.4613 48.1266L105.643 58.2548C107.037 58.6937 107.999 60.0103 107.999 61.4958Z" fill="#4C3825"/>
+<path d="M74.5118 77C75.35 77 76.1794 76.9628 77 76.9133V21.0867C76.1765 21.0347 75.3471 21 74.5059 21C73.6647 21 72.8294 21.0347 72 21.0867V76.9108C72.8265 76.9628 73.6588 76.9975 74.5 77H74.5118Z" fill="url(#paint1_linear_979_792)"/>
+<path d="M44.0282 38.1129L43.2078 37.2959C42.0773 38.9121 41.0746 40.614 40.2088 42.3861C50.1001 52.4354 51.1424 57.2835 51.1289 58.9074C51.0919 63.026 46.0522 69.4845 40.1416 75.4657C40.9996 77.2375 41.9933 78.9405 43.1137 80.5592C43.4499 80.223 43.7693 79.9137 44.0954 79.5842C52.625 70.9975 56.794 64.2498 56.8445 58.9477C56.8949 53.6457 52.7024 46.8879 44.0282 38.1129Z" fill="url(#paint2_linear_979_792)"/>
+<path d="M104.695 79.5975L105.676 80.5725C106.795 78.9492 107.787 77.2417 108.642 75.4655C102.735 69.4709 97.6948 62.9955 97.6545 58.8937C97.6175 54.8928 102.627 48.4208 108.568 42.359C107.703 40.5917 106.703 38.8944 105.576 37.2822L104.755 38.0992C96.081 46.8575 91.8885 53.6791 91.9389 58.9442C91.9894 64.2092 96.1583 71.0107 104.695 79.5975Z" fill="url(#paint3_linear_979_792)"/>
+<path d="M87.4396 58.9344C87.4396 51.5378 90.7378 39.2393 95.8179 27.6165C94.1979 26.5139 92.495 25.5382 90.7244 24.6982C85.1635 37.2287 81.7207 50.5561 81.7207 58.9478C81.7207 67.0673 85.4493 80.5425 91.111 93.1403C92.8468 92.2859 94.5147 91.3002 96.1004 90.1917C90.8589 78.4009 87.4396 66.0755 87.4396 58.9344Z" fill="url(#paint4_linear_979_792)"/>
+<path d="M67.0384 58.9353C67.0384 50.4998 63.4578 37.0985 57.9608 24.7227C56.2158 25.5613 54.5377 26.5325 52.9412 27.6275C58.0314 39.2435 61.3228 51.5454 61.3228 58.9353C61.3228 66.073 57.9036 78.395 52.6621 90.1724C54.2482 91.2802 55.9161 92.2658 57.6514 93.121C63.3199 80.5266 67.0384 67.0614 67.0384 58.9353Z" fill="url(#paint5_linear_979_792)"/>
+<path d="M74.4229 74.987L60.6729 95.612C60.0197 96.6089 58.9541 97.1589 57.8197 97.1589C57.4072 97.1589 56.9604 97.0901 56.5479 96.9183L22.1729 83.1683C21.1416 82.7558 20.3854 81.8964 20.1104 80.8651C19.8354 79.7995 20.076 78.6651 20.7635 77.8401L34.5135 60.6526C35.3729 59.5526 32.7391 57.8404 34.0797 58.2185L72.5666 69.7964C73.5979 70.1058 74.4229 70.8964 74.801 71.9276C75.1791 72.9589 75.0416 74.0933 74.4229 74.987Z" fill="#FFDC83"/>
+<path d="M123.029 80.6242C122.754 81.6555 121.998 82.5492 121.001 82.9274L86.6261 96.918C86.1792 97.0899 85.7667 97.1586 85.3199 97.1586C84.1855 97.1586 83.1199 96.6086 82.4667 95.6117L68.7167 74.9867C68.098 74.093 67.9605 72.9586 68.3386 71.9274C68.7167 70.8961 69.5417 70.1055 70.573 69.7961L108.469 58.4331C109.81 58.0206 107.732 59.5524 108.626 60.618L122.376 77.5992C123.064 78.4242 123.304 79.5586 123.029 80.6242Z" fill="#FFDC83"/>
+<defs>
+<linearGradient id="paint0_linear_979_792" x1="24" y1="3.5" x2="181" y2="147" gradientUnits="userSpaceOnUse">
+<stop stop-color="#480000"/>
+<stop offset="1" stop-color="#AE2300"/>
+</linearGradient>
+<linearGradient id="paint1_linear_979_792" x1="74.5" y1="17.2369" x2="74.5" y2="79.9133" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFD200"/>
+<stop offset="0.06" stop-color="#FFB500"/>
+<stop offset="0.14" stop-color="#FF8C00"/>
+<stop offset="0.21" stop-color="#FF7300"/>
+<stop offset="0.26" stop-color="#FF6A00"/>
+<stop offset="0.33" stop-color="#FC4F0E"/>
+<stop offset="0.43" stop-color="#F92F1E"/>
+<stop offset="0.51" stop-color="#F81B27"/>
+<stop offset="0.57" stop-color="#F7142B"/>
+<stop offset="0.68" stop-color="#DF162E"/>
+<stop offset="0.79" stop-color="#AF1A38"/>
+<stop offset="1" stop-color="#4B214C"/>
+</linearGradient>
+<linearGradient id="paint2_linear_979_792" x1="48.493" y1="15.8928" x2="48.493" y2="100.954" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFD200"/>
+<stop offset="0.06" stop-color="#FFB500"/>
+<stop offset="0.14" stop-color="#FF8C00"/>
+<stop offset="0.21" stop-color="#FF7300"/>
+<stop offset="0.26" stop-color="#FF6A00"/>
+<stop offset="0.33" stop-color="#FC4F0E"/>
+<stop offset="0.43" stop-color="#F92F1E"/>
+<stop offset="0.51" stop-color="#F81B27"/>
+<stop offset="0.57" stop-color="#F7142B"/>
+<stop offset="0.68" stop-color="#DF162E"/>
+<stop offset="0.79" stop-color="#AF1A38"/>
+<stop offset="1" stop-color="#4B214C"/>
+</linearGradient>
+<linearGradient id="paint3_linear_979_792" x1="100.29" y1="15.8926" x2="100.29" y2="100.953" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFD200"/>
+<stop offset="0.06" stop-color="#FFB500"/>
+<stop offset="0.14" stop-color="#FF8C00"/>
+<stop offset="0.21" stop-color="#FF7300"/>
+<stop offset="0.26" stop-color="#FF6A00"/>
+<stop offset="0.33" stop-color="#FC4F0E"/>
+<stop offset="0.43" stop-color="#F92F1E"/>
+<stop offset="0.51" stop-color="#F81B27"/>
+<stop offset="0.57" stop-color="#F7142B"/>
+<stop offset="0.68" stop-color="#DF162E"/>
+<stop offset="0.79" stop-color="#AF1A38"/>
+<stop offset="1" stop-color="#4B214C"/>
+</linearGradient>
+<linearGradient id="paint4_linear_979_792" x1="88.9122" y1="15.8929" x2="88.9122" y2="100.954" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFD200"/>
+<stop offset="0.06" stop-color="#FFB500"/>
+<stop offset="0.14" stop-color="#FF8C00"/>
+<stop offset="0.21" stop-color="#FF7300"/>
+<stop offset="0.26" stop-color="#FF6A00"/>
+<stop offset="0.33" stop-color="#FC4F0E"/>
+<stop offset="0.43" stop-color="#F92F1E"/>
+<stop offset="0.51" stop-color="#F81B27"/>
+<stop offset="0.57" stop-color="#F7142B"/>
+<stop offset="0.68" stop-color="#DF162E"/>
+<stop offset="0.79" stop-color="#AF1A38"/>
+<stop offset="1" stop-color="#4B214C"/>
+</linearGradient>
+<linearGradient id="paint5_linear_979_792" x1="59.857" y1="15.8938" x2="59.857" y2="100.955" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFD200"/>
+<stop offset="0.06" stop-color="#FFB500"/>
+<stop offset="0.14" stop-color="#FF8C00"/>
+<stop offset="0.21" stop-color="#FF7300"/>
+<stop offset="0.26" stop-color="#FF6A00"/>
+<stop offset="0.33" stop-color="#FC4F0E"/>
+<stop offset="0.43" stop-color="#F92F1E"/>
+<stop offset="0.51" stop-color="#F81B27"/>
+<stop offset="0.57" stop-color="#F7142B"/>
+<stop offset="0.68" stop-color="#DF162E"/>
+<stop offset="0.79" stop-color="#AF1A38"/>
+<stop offset="1" stop-color="#4B214C"/>
+</linearGradient>
+</defs>
+</svg>

packages/extra/bootbox/templates/check-release-name.yaml

@@ -0,0 +1,6 @@
+{{- if ne .Release.Name .Chart.Name }}
+{{- fail (printf "The name of the release MUST BE %s" .Chart.Name) }}
+{{- end -}}
+{{- if ne .Release.Namespace "tenant-root" }}
+{{- fail "The namespace of the release MUST BE tenant-root" }}
+{{- end -}}

packages/extra/bootbox/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  resourceNames:
+  - bootbox
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - grafana-admin-password
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - bootbox
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - bootbox-matchbox
+  verbs: ["get", "list", "watch"]
+
+

packages/extra/bootbox/templates/matchbox/configmaps.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bootbox-profiles
+data:
+  default.json: |
+    {
+      "id": "default",
+      "name": "default",
+      "boot": {
+        "kernel": "/assets/vmlinuz",
+        "initrd": ["/assets/initramfs.xz"],
+        "args": [
+          "initrd=initramfs.xz",
+          "init_on_alloc=1",
+          "slab_nomerge",
+          "pti=on",
+          "console=tty0",
+          "console=ttyS0",
+          "printk.devkmsg=on",
+          "talos.platform=metal"
+        ]
+      }
+    }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bootbox-groups
+data:
+  default.json: |
+    {
+      "id": "default",
+      "name": "default",
+      "profile": "default"
+    }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bootbox-configs
+data:

packages/extra/bootbox/templates/matchbox/deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bootbox-matchbox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bootbox-matchbox
+  template:
+    metadata:
+      labels:
+        app: bootbox-matchbox
+    spec:
+      containers:
+      - name: matchbox
+        image: "{{ $.Files.Get "images/matchbox.tag" | trim }}"
+        args:
+          - "-address=:8080"
+          - "-log-level=debug"
+        volumeMounts:
+          - name: profiles-volume
+            mountPath: /var/lib/matchbox/profiles
+          - name: groups-volume
+            mountPath: /var/lib/matchbox/groups
+          - name: configs-volume
+            mountPath: /var/lib/matchbox/assets/configs
+        ports:
+          - name: http
+            containerPort: 8080
+            protocol: TCP
+      volumes:
+        - name: profiles-volume
+          configMap:
+            name: bootbox-profiles
+        - name: groups-volume
+          configMap:
+            name: bootbox-groups
+        - name: configs-volume
+          configMap:
+            name: bootbox-configs
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: bootbox-matchbox
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: bootbox
+  type: matchbox
+  selector:
+    app: bootbox-matchbox
+  version: {{ $.Chart.Version }}

packages/extra/bootbox/templates/matchbox/ingress.yaml

@@ -0,0 +1,37 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bootbox
+  labels:
+    app: bootbox
+  annotations:
+    {{- if ne $issuerType "cloudflare" }}
+    acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
+    {{- end }}
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    {{- if .Values.whitelistHTTP }}
+    nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," (.Values.whitelist | default "0.0.0.0/32") }}"
+    {{- end }}
+spec:
+  ingressClassName: {{ $ingress }}
+  tls:
+    - hosts:
+        - "{{ printf "bootbox.%s" (.Values.host | default $host) }}"
+      secretName: bootbox-tls
+  rules:
+    - host: "{{ printf "bootbox.%s" (.Values.host | default $host) }}"
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: bootbox
+                port:
+                  name: http

packages/extra/bootbox/templates/matchbox/machines.yaml

@@ -0,0 +1,47 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+
+{{ range $m := .Values.machines }}
+---
+apiVersion: tinkerbell.org/v1alpha1
+kind: Hardware
+metadata:
+  name: {{ $m.hostname }}
+  namespace: cozy-bootbox
+spec:
+  interfaces:
+  {{- range $mac := $m.mac }}
+  - dhcp:
+      hostname: {{ $m.hostname }}
+      mac: {{ $mac }}
+      {{- with $m.arch }}
+      arch: {{ . }}
+      {{- end }}
+      {{- with $m.ip }}
+      ip:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $m.leaseTime }}
+      lease_time: {{ . }}
+      {{- end }}
+      {{- with $m.uefi }}
+      uefi: {{ . }}
+      {{- end }}
+      {{- with $m.nameServers }}
+      name_servers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $m.timeServers }}
+      time_servers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    netboot:
+      allowPXE: true
+      ipxe:
+        url: "https://{{ printf "bootbox.%s" ($.Values.host | default $host) }}/boot.ipxe"
+  {{- end }}
+{{- end }}

packages/extra/bootbox/templates/matchbox/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bootbox
+spec:
+  selector:
+    app: bootbox-matchbox
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: http
+      name: http

packages/extra/bootbox/values.schema.json

@@ -0,0 +1,25 @@
+{
+  "title": "Chart Values",
+  "type": "object",
+  "properties": {
+    "whitelistHTTP": {
+      "type": "boolean",
+      "description": "Secure HTTP by enabling  client networks whitelisting",
+      "default": true
+    },
+    "whitelist": {
+      "type": "array",
+      "description": "List of client networks",
+      "default": [],
+      "items": {}
+    },
+    "machines": {
+      "type": "array",
+      "description": "Configuration of physical machine instances",
+      "default": "[]",
+      "items": {
+        "type": "object"
+      }
+    }
+  }
+}

packages/extra/bootbox/values.yaml

@@ -0,0 +1,30 @@
+## @section Common parameters
+
+## @param whitelistHTTP Secure HTTP by enabling  client networks whitelisting
+## @param whitelist List of client networks
+## Example:
+## whitelistHTTP: true
+## whitelist:
+## - "1.2.3.4"
+## - "10.8.0.0/16"
+##
+whitelistHTTP: true
+whitelist: []
+
+## @param machines [array] Configuration of physical machine instances
+##
+## Example:
+## machines:
+## - hostname: machine1
+##   arch: x86_64
+##   ip:
+##     address: 10.8.2.2
+##     gateway: 10.8.2.1
+##     netmask: 255.255.255.0
+##   leaseTime: 86400
+##   mac: [d6:fa:af:52:25:93]
+##   nameServers: [1.1.1.1,8.8.8.8]
+##   timeServers: [pool.ntp.org]
+##   uefi: true
+
+machines: []

packages/extra/etcd/Chart.yaml

@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: /logos/etcd.svg
 type: application
-version: 2.3.0
+version: 2.4.0

packages/extra/etcd/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - etcd
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -193,3 +193,19 @@ spec:
   issuerRef:
     name: etcd-issuer
     kind: Issuer
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: {{ div .Values.replicas 2 | add1 }}
+  kind: etcd
+  type: etcd
+  selector:
+    app.kubernetes.io/instance: etcd
+    app.kubernetes.io/managed-by: etcd-operator
+    app.kubernetes.io/name: etcd
+  version: {{ $.Chart.Version }}

packages/extra/ingress/Chart.yaml

@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: /logos/ingress-nginx.svg
 type: application
-version: 1.3.0
+version: 1.4.0