Talos Linux: update firmwares

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

- **New Features**
  - Updated Grafana to version 11.4.0
- Added new Grafana plugins: VictoriaMetrics logs datasource, Natel
Discrete Panel, and Worldmap Panel

- **Improvements**
  - Enhanced Grafana image build process
  - Dynamically manage Grafana image versioning
  - Updated plugin installation method

- **Version Update**
  - Monitoring package version bumped from 1.7.0 to 1.8.0

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

Makefile

@@ -6,6 +6,7 @@ build:
 	make -C packages/apps/mysql image
 	make -C packages/apps/clickhouse image
 	make -C packages/apps/kubernetes image
+	make -C packages/extra/monitoring image
 	make -C packages/system/cozystack-api image
 	make -C packages/system/cozystack-controller image
 	make -C packages/system/cilium image

cmd/cozystack-assets-server/main.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"net/http"
+	"path/filepath"
+)
+
+func main() {
+	addr := flag.String("address", ":8123", "Address to listen on")
+	dir := flag.String("dir", "/cozystack/assets", "Directory to serve files from")
+	flag.Parse()
+
+	absDir, err := filepath.Abs(*dir)
+	if err != nil {
+		log.Fatalf("Error getting absolute path for %s: %v", *dir, err)
+	}
+
+	fs := http.FileServer(http.Dir(absDir))
+	http.Handle("/", fs)
+
+	log.Printf("Server starting on %s, serving directory %s", *addr, absDir)
+
+	err = http.ListenAndServe(*addr, nil)
+	if err != nil {
+		log.Fatalf("Server failed to start: %v", err)
+	}
+}

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.22.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.23.1"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.22.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.23.1"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:973dc89e1fe1c9beb109d74a48297426ed5d340b43d0102b8e16f63dc2eb4016
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:538ee308f16c9e627ed16ee7c4aaa65919c2e6c4c2778f964a06e4797610d1cd

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:3a94fe11523b1411eab33bd72b26d6df42dda83086249ba72ad6f2aa1b209c1e
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:7716c88947d13dc90ccfcc3e60bfdd6e6fa9b201339a75e9c84bf825c76e2b1f

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:98d0493327d92e05f8893d864d312b79b1441b34e2a02f845470509e15c5dab9
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:be5e0eef92dada3ace5cddda5c68b30c9fe4682774c5e6e938ed31efba11ebbf

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.6.6
+version: 1.6.7

packages/apps/tenant/templates/kubeconfig.yaml

@@ -4,9 +4,13 @@
 
 {{- if $k8sClientSecret }}
 {{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
+{{- $managementKubeconfigEndpoint := default "" (get $cozyConfig.data "management-kubeconfig-endpoint") }}
+{{- if and $managementKubeconfigEndpoint (ne $managementKubeconfigEndpoint "") }}
+{{- $apiServerEndpoint = $managementKubeconfigEndpoint }}
+{{- end }}
 {{- $k8sClient := index $k8sClientSecret.data "client-secret-key" | b64dec }}
 {{- $rootSaConfigMap := lookup "v1" "ConfigMap" "kube-system" "kube-root-ca.crt" }}
-{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc  }}
+{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc }}
 ---
 apiVersion: v1
 kind: Secret

packages/apps/versions_map

@@ -99,18 +99,23 @@ tenant 1.6.2 ccedc5fe
 tenant 1.6.3 2057bb96
 tenant 1.6.4 3c9e50a4
 tenant 1.6.5 f1e11451
-tenant 1.6.6 HEAD
+tenant 1.6.6 d4634797
+tenant 1.6.7 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
 virtual-machine 0.3.0 b908400
 virtual-machine 0.4.0 4746d51
 virtual-machine 0.5.0 cad9cde
-virtual-machine 0.6.0 HEAD
+virtual-machine 0.6.0 0e728870
+virtual-machine 0.7.0 af58018a
+virtual-machine 0.7.1 HEAD
 vm-disk 0.1.0 HEAD
 vm-instance 0.1.0 ced8e5b9
 vm-instance 0.2.0 4f767ee3
-vm-instance 0.3.0 HEAD
+vm-instance 0.3.0 0e728870
+vm-instance 0.4.0 af58018a
+vm-instance 0.4.1 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 a2bcf100

packages/apps/virtual-machine/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.1"
+appVersion: "0.7.1"

packages/apps/virtual-machine/templates/vm-update-hook.yaml

@@ -0,0 +1,119 @@
+{{- $vmName := include "virtual-machine.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+{{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
+{{- $existingPVC := lookup "v1" "PersistentVolumeClaim" $namespace $vmName -}}
+
+{{- $instanceType := .Values.instanceType | default "" -}}
+{{- $instanceProfile := .Values.instanceProfile | default "" -}}
+{{- $desiredStorage := .Values.systemDisk.storage | default "" -}}
+
+{{- $needUpdateType := false -}}
+{{- $needUpdateProfile := false -}}
+{{- $needResizePVC := false -}}
+
+{{- if and $existingVM $instanceType -}}
+  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
+    {{- $needUpdateType = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingVM $instanceProfile -}}
+  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
+    {{- $needUpdateProfile = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingPVC $desiredStorage -}}
+  {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
+  {{- if not (eq $currentStorage $desiredStorage) -}}
+    {{- $needResizePVC = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile $needResizePVC }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ $.Release.Name }}-update-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: "{{ $.Release.Name }}-update-hook"
+        policy.cozystack.io/allow-to-apiserver: "true"
+    spec:
+      serviceAccountName: {{ $.Release.Name }}-update-hook
+      restartPolicy: Never
+      containers:
+        - name: update-resources
+          image: bitnami/kubectl:latest
+          command: ["sh", "-exc"]
+          args:
+            - |
+              {{- if $needUpdateType }}
+              echo "Patching VirtualMachine for instancetype update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name": "{{ $instanceType }}", "revisionName": null}}}'
+              {{- end }}
+              
+              {{- if $needUpdateProfile }}
+              echo "Patching VirtualMachine for preference update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
+              {{- end }}
+
+              {{- if $needResizePVC }}
+              echo "Patching PVC for storage resize..."
+              kubectl patch pvc {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"resources":{"requests":{"storage":"{{ $desiredStorage }}"}}}}'
+              {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["patch", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}-update-hook
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-update-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-instance/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.2.0"
+appVersion: "0.4.1"

packages/apps/vm-instance/templates/vm-update-hook.yaml

@@ -0,0 +1,99 @@
+{{- $vmName := include "virtual-machine.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+{{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
+
+{{- $instanceType := .Values.instanceType | default "" -}}
+{{- $instanceProfile := .Values.instanceProfile | default "" -}}
+
+{{- $needUpdateType := false -}}
+{{- $needUpdateProfile := false -}}
+
+{{- if and $existingVM $instanceType -}}
+  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
+    {{- $needUpdateType = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingVM $instanceProfile -}}
+  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
+    {{- $needUpdateProfile = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ $.Release.Name }}-update-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: "{{ $.Release.Name }}-update-hook"
+        policy.cozystack.io/allow-to-apiserver: "true"
+    spec:
+      serviceAccountName: {{ $.Release.Name }}-update-hook
+      restartPolicy: Never
+      containers:
+        - name: update-resources
+          image: bitnami/kubectl:latest
+          command: ["sh", "-exc"]
+          args:
+            - |
+              {{- if $needUpdateType }}
+              echo "Patching VirtualMachine for instancetype update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name": "{{ $instanceType }}", "revisionName": null}}}'
+              {{- end }}
+              
+              {{- if $needUpdateProfile }}
+              echo "Patching VirtualMachine for preference update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
+              {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}-update-hook
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-update-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-instance/templates/vm.yaml

@@ -17,15 +17,12 @@ spec:
   instancetype:
     kind: VirtualMachineClusterInstancetype
     name: {{ . }}
-    revisionName: null
-  {{- end }}
+    {{- end }}
   {{- with .Values.instanceProfile }}
   preference:
     kind: VirtualMachineClusterPreference
     name: {{ . }}
-    revisionName: null
-  {{- end }}
-
+    {{- end }}
   template:
     metadata:
       annotations:

packages/core/builder/values.yaml

@@ -1,3 +1,3 @@
 talos:
   imager:
-    image: ghcr.io/kvaps/talos/imager:v1.9.1-1-gac655f2d3-dirty
+    image: ghcr.io/siderolabs/imager:v1.9.2

packages/core/installer/Makefile

@@ -55,6 +55,8 @@ image-matchbox:  run-builder
 		--metadata-file images/matchbox.json \
 		--push=$(PUSH) \
 		--load=$(LOAD)
+	echo "$(REGISTRY)/matchbox:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/matchbox.json -o json -r)" \
+		> ../../extra/bootbox/images/matchbox.tag
 	rm -f images/matchbox.json
 
 assets: talos-iso talos-nocloud talos-metal

packages/core/installer/images/cozystack/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:alpine3.19 as k8s-await-election-builder
+FROM golang:alpine3.21 as k8s-await-election-builder
 
 ARG K8S_AWAIT_ELECTION_GITREPO=https://github.com/LINBIT/k8s-await-election
 ARG K8S_AWAIT_ELECTION_VERSION=0.4.1
@@ -13,7 +13,7 @@ RUN git clone ${K8S_AWAIT_ELECTION_GITREPO} /usr/local/go/k8s-await-election/ \
  && make \
  && mv ./out/k8s-await-election-${TARGETARCH} /k8s-await-election
 
-FROM alpine:3.19 AS builder
+FROM golang:alpine3.21 as builder
 
 RUN apk add --no-cache make git
 RUN apk add helm --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community
@@ -21,12 +21,14 @@ RUN apk add helm --repository=https://dl-cdn.alpinelinux.org/alpine/edge/communi
 COPY . /src/
 WORKDIR /src
 
+RUN go build -o /cozystack-assets-server -ldflags '-extldflags "-static" -w -s' ./cmd/cozystack-assets-server
+
 # Check that versions_map is not changed
 RUN make repos
 
-FROM alpine:3.19
+FROM alpine:3.21
 
-RUN apk add --no-cache make darkhttpd
+RUN apk add --no-cache make
 RUN apk add helm kubectl --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community
 
 COPY scripts /cozystack/scripts
@@ -34,6 +36,7 @@ COPY --from=builder /src/packages/core /cozystack/packages/core
 COPY --from=builder /src/packages/system /cozystack/packages/system
 COPY --from=builder /src/_out/repos /cozystack/assets/repos
 COPY --from=builder /src/_out/logos /cozystack/assets/logos
+COPY --from=builder /cozystack-assets-server /usr/bin/cozystack-assets-server
 COPY --from=k8s-await-election-builder /k8s-await-election /usr/bin/k8s-await-election
 COPY dashboards /cozystack/assets/dashboards
 

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/templates/cozystack.yaml

@@ -67,13 +67,12 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-      - name: darkhttpd
+      - name: assets
         image: "{{ .Values.cozystack.image }}"
         command:
-        - /usr/bin/darkhttpd
-        - /cozystack/assets
-        - --port
-        - "8123"
+        - /usr/bin/cozystack-assets-server
+        - "-dir=/cozystack/assets"
+        - "-address=:8123"
         ports:
         - name: http
           containerPort: 8123

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.22.0@sha256:12e02a0d700373f119e45ee79777636207811b49448f485ce66173e1bd5a11ee
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.23.1@sha256:dfa803a3e02ec9ea221029d361aa9d7aef0b5eb0a36d66c949b265d4ac4fc114

packages/core/platform/bundles/distro-full.yaml

@@ -199,3 +199,11 @@ releases:
   namespace: cozy-keycloak
   optional: true
   dependsOn: [keycloak]
+
+- name: bootbox
+  releaseName: bootbox
+  chart: cozy-bootbox
+  namespace: cozy-bootbox
+  privileged: true
+  optional: true
+  dependsOn: [cilium]

packages/core/platform/bundles/paas-full.yaml

@@ -281,6 +281,14 @@ releases:
   optional: true
   dependsOn: [cilium,kubeovn]
 
+- name: bootbox
+  releaseName: bootbox
+  chart: cozy-bootbox
+  namespace: cozy-bootbox
+  privileged: true
+  optional: true
+  dependsOn: [cilium,kubeovn]
+
 {{- if $oidcEnabled }}
 - name: keycloak
   releaseName: keycloak
@@ -299,4 +307,7 @@ releases:
   chart: cozy-keycloak-configure
   namespace: cozy-keycloak
   dependsOn: [keycloak-operator]
+  values:
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}

packages/core/platform/bundles/paas-hosted.yaml

@@ -195,4 +195,7 @@ releases:
   chart: cozy-keycloak-configure
   namespace: cozy-keycloak
   dependsOn: [keycloak-operator]
+  values:
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.22.0@sha256:38229517c86e179984a6d39f5510b859d13d965e35b216bc01ce456f9ab5f8b5
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.23.1@sha256:0f4ffa7f23d6cdc633c0c4a0b852fde9710edbce96486fd9bd29c7d0d7710380

packages/extra/bootbox/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: bootbox
+description: PXE hardware provisioning
+icon: /logos/bootbox.svg
+type: application
+version: 0.1.0

packages/extra/bootbox/Makefile

@@ -0,0 +1,11 @@
+NAME=bootbox
+NAMESPACE=tenant-root
+
+include ../../../scripts/package.mk
+
+generate:
+	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
+	cat values.schema.json.tmp | \
+		jq '.properties.machines.items.type = "object"' \
+		> values.schema.json
+	rm -f values.schema.json.tmp

packages/extra/bootbox/README.md

@@ -0,0 +1,11 @@
+# BootBox
+
+## Parameters
+
+### Common parameters
+
+| Name            | Description                                           | Value  |
+| --------------- | ----------------------------------------------------- | ------ |
+| `whitelistHTTP` | Secure HTTP by enabling  client networks whitelisting | `true` |
+| `whitelist`     | List of client networks                               | `[]`   |
+| `machines`      | Configuration of physical machine instances           | `[]`   |

packages/extra/bootbox/hack/test.sh

@@ -0,0 +1,18 @@
+apk add iptables iproute2 qemu-system-x86_64 qemu-img
+
+iptables -t nat -D POSTROUTING -s 10.8.2.0/24 ! -d 10.8.2.0/24 -j MASQUERADE 2>/dev/null || true
+iptables -t nat -A POSTROUTING -s 10.8.2.0/24 ! -d 10.8.2.0/24 -j MASQUERADE
+
+ip link del tap0 2>/dev/null || true
+ip tuntap add dev tap0 mode tap
+ip link set tap0 up
+ip addr add 10.8.2.1/24 dev tap0
+
+
+rm -f data.img
+qemu-img create data.img 100G
+
+qemu-system-x86_64 -machine type=pc,accel=kvm -cpu host -smp 4 -m 8192 \
+  -device virtio-net,netdev=net0,mac=d6:fa:af:52:25:93 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
+  -drive file=data.img,if=virtio,format=raw \
+  -nographic

packages/extra/bootbox/images/matchbox.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/matchbox:v0.23.1

packages/extra/bootbox/logos/bootbox.svg

@@ -0,0 +1,91 @@
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_linear_979_792)"/>
+<path d="M71.5698 76.5336C71.2374 76.5336 70.9036 76.4847 70.5829 76.3892L36.2079 66.0767C34.3885 65.5311 33.3562 63.6144 33.9017 61.7966C34.4489 59.9755 36.3657 58.9483 38.1817 59.4904L71.5698 69.5076L104.958 59.4904C106.776 58.96 108.691 59.9772 109.238 61.7966C109.783 63.6144 108.751 65.5311 106.932 66.0767L72.5567 76.3892C72.236 76.4847 71.9022 76.5336 71.5698 76.5336Z" fill="#231F20"/>
+<path d="M74.973 53.0214C74.7668 54.3276 73.8043 55.3933 72.5668 55.7714L38.1918 66.0839C37.848 66.187 37.5387 66.2214 37.1949 66.2214C36.3699 66.2214 35.5793 65.912 34.9262 65.362L21.1762 53.3308C20.248 52.5401 19.8355 51.2683 20.0762 50.0651C20.3168 48.862 21.1762 47.8651 22.3449 47.487L53.2824 37.1745C54.3137 36.8308 55.448 37.0026 56.3418 37.6214L73.5293 49.6526C74.6293 50.4089 75.1793 51.7151 74.973 53.0214Z" fill="#FFDC83"/>
+<path d="M121.964 53.3308L108.214 65.362C107.56 65.912 106.77 66.2214 105.945 66.2214C105.601 66.2214 105.292 66.187 104.948 66.0839L70.573 55.7714C69.3355 55.3933 68.373 54.3276 68.1667 53.0214C67.9605 51.7151 68.5105 50.4089 69.6105 49.6526L86.798 37.6214C87.6917 37.0026 88.8261 36.8308 89.8574 37.1745L120.795 47.487C121.964 47.8651 122.823 48.862 123.064 50.0651C123.304 51.2683 122.892 52.5401 121.964 53.3308Z" fill="#FFDC83"/>
+<path d="M109.382 63.6426V107.471C109.382 108.88 108.522 110.152 107.216 110.668L72.8412 124.418C72.4287 124.589 72.0162 124.658 71.5693 124.658C71.1225 124.658 70.71 124.589 70.2975 124.418L35.9225 110.668C34.6162 110.152 33.7568 108.88 33.7568 107.471V63.6426C33.7568 61.752 35.3037 60.2051 37.1943 60.2051H105.944C107.835 60.2051 109.382 61.752 109.382 63.6426Z" fill="#EABD4C"/>
+<path d="M107.999 61.4958C107.999 62.9812 107.037 64.2979 105.643 64.7368L72.4613 74.865C72.1295 74.9662 71.8308 75 71.499 75C71.1672 75 70.8686 74.9662 70.5368 74.865L37.3549 64.7368C35.9613 64.2979 34.999 62.9812 34.999 61.4958C34.999 60.0103 35.9613 58.6937 37.3549 58.2548L70.5368 48.1266C71.1672 47.9578 71.8308 47.9578 72.4613 48.1266L105.643 58.2548C107.037 58.6937 107.999 60.0103 107.999 61.4958Z" fill="#4C3825"/>
+<path d="M74.5118 77C75.35 77 76.1794 76.9628 77 76.9133V21.0867C76.1765 21.0347 75.3471 21 74.5059 21C73.6647 21 72.8294 21.0347 72 21.0867V76.9108C72.8265 76.9628 73.6588 76.9975 74.5 77H74.5118Z" fill="url(#paint1_linear_979_792)"/>
+<path d="M44.0282 38.1129L43.2078 37.2959C42.0773 38.9121 41.0746 40.614 40.2088 42.3861C50.1001 52.4354 51.1424 57.2835 51.1289 58.9074C51.0919 63.026 46.0522 69.4845 40.1416 75.4657C40.9996 77.2375 41.9933 78.9405 43.1137 80.5592C43.4499 80.223 43.7693 79.9137 44.0954 79.5842C52.625 70.9975 56.794 64.2498 56.8445 58.9477C56.8949 53.6457 52.7024 46.8879 44.0282 38.1129Z" fill="url(#paint2_linear_979_792)"/>
+<path d="M104.695 79.5975L105.676 80.5725C106.795 78.9492 107.787 77.2417 108.642 75.4655C102.735 69.4709 97.6948 62.9955 97.6545 58.8937C97.6175 54.8928 102.627 48.4208 108.568 42.359C107.703 40.5917 106.703 38.8944 105.576 37.2822L104.755 38.0992C96.081 46.8575 91.8885 53.6791 91.9389 58.9442C91.9894 64.2092 96.1583 71.0107 104.695 79.5975Z" fill="url(#paint3_linear_979_792)"/>
+<path d="M87.4396 58.9344C87.4396 51.5378 90.7378 39.2393 95.8179 27.6165C94.1979 26.5139 92.495 25.5382 90.7244 24.6982C85.1635 37.2287 81.7207 50.5561 81.7207 58.9478C81.7207 67.0673 85.4493 80.5425 91.111 93.1403C92.8468 92.2859 94.5147 91.3002 96.1004 90.1917C90.8589 78.4009 87.4396 66.0755 87.4396 58.9344Z" fill="url(#paint4_linear_979_792)"/>
+<path d="M67.0384 58.9353C67.0384 50.4998 63.4578 37.0985 57.9608 24.7227C56.2158 25.5613 54.5377 26.5325 52.9412 27.6275C58.0314 39.2435 61.3228 51.5454 61.3228 58.9353C61.3228 66.073 57.9036 78.395 52.6621 90.1724C54.2482 91.2802 55.9161 92.2658 57.6514 93.121C63.3199 80.5266 67.0384 67.0614 67.0384 58.9353Z" fill="url(#paint5_linear_979_792)"/>
+<path d="M74.4229 74.987L60.6729 95.612C60.0197 96.6089 58.9541 97.1589 57.8197 97.1589C57.4072 97.1589 56.9604 97.0901 56.5479 96.9183L22.1729 83.1683C21.1416 82.7558 20.3854 81.8964 20.1104 80.8651C19.8354 79.7995 20.076 78.6651 20.7635 77.8401L34.5135 60.6526C35.3729 59.5526 32.7391 57.8404 34.0797 58.2185L72.5666 69.7964C73.5979 70.1058 74.4229 70.8964 74.801 71.9276C75.1791 72.9589 75.0416 74.0933 74.4229 74.987Z" fill="#FFDC83"/>
+<path d="M123.029 80.6242C122.754 81.6555 121.998 82.5492 121.001 82.9274L86.6261 96.918C86.1792 97.0899 85.7667 97.1586 85.3199 97.1586C84.1855 97.1586 83.1199 96.6086 82.4667 95.6117L68.7167 74.9867C68.098 74.093 67.9605 72.9586 68.3386 71.9274C68.7167 70.8961 69.5417 70.1055 70.573 69.7961L108.469 58.4331C109.81 58.0206 107.732 59.5524 108.626 60.618L122.376 77.5992C123.064 78.4242 123.304 79.5586 123.029 80.6242Z" fill="#FFDC83"/>
+<defs>
+<linearGradient id="paint0_linear_979_792" x1="24" y1="3.5" x2="181" y2="147" gradientUnits="userSpaceOnUse">
+<stop stop-color="#480000"/>
+<stop offset="1" stop-color="#AE2300"/>
+</linearGradient>
+<linearGradient id="paint1_linear_979_792" x1="74.5" y1="17.2369" x2="74.5" y2="79.9133" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFD200"/>
+<stop offset="0.06" stop-color="#FFB500"/>
+<stop offset="0.14" stop-color="#FF8C00"/>
+<stop offset="0.21" stop-color="#FF7300"/>
+<stop offset="0.26" stop-color="#FF6A00"/>
+<stop offset="0.33" stop-color="#FC4F0E"/>
+<stop offset="0.43" stop-color="#F92F1E"/>
+<stop offset="0.51" stop-color="#F81B27"/>
+<stop offset="0.57" stop-color="#F7142B"/>
+<stop offset="0.68" stop-color="#DF162E"/>
+<stop offset="0.79" stop-color="#AF1A38"/>
+<stop offset="1" stop-color="#4B214C"/>
+</linearGradient>
+<linearGradient id="paint2_linear_979_792" x1="48.493" y1="15.8928" x2="48.493" y2="100.954" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFD200"/>
+<stop offset="0.06" stop-color="#FFB500"/>
+<stop offset="0.14" stop-color="#FF8C00"/>
+<stop offset="0.21" stop-color="#FF7300"/>
+<stop offset="0.26" stop-color="#FF6A00"/>
+<stop offset="0.33" stop-color="#FC4F0E"/>
+<stop offset="0.43" stop-color="#F92F1E"/>
+<stop offset="0.51" stop-color="#F81B27"/>
+<stop offset="0.57" stop-color="#F7142B"/>
+<stop offset="0.68" stop-color="#DF162E"/>
+<stop offset="0.79" stop-color="#AF1A38"/>
+<stop offset="1" stop-color="#4B214C"/>
+</linearGradient>
+<linearGradient id="paint3_linear_979_792" x1="100.29" y1="15.8926" x2="100.29" y2="100.953" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFD200"/>
+<stop offset="0.06" stop-color="#FFB500"/>
+<stop offset="0.14" stop-color="#FF8C00"/>
+<stop offset="0.21" stop-color="#FF7300"/>
+<stop offset="0.26" stop-color="#FF6A00"/>
+<stop offset="0.33" stop-color="#FC4F0E"/>
+<stop offset="0.43" stop-color="#F92F1E"/>
+<stop offset="0.51" stop-color="#F81B27"/>
+<stop offset="0.57" stop-color="#F7142B"/>
+<stop offset="0.68" stop-color="#DF162E"/>
+<stop offset="0.79" stop-color="#AF1A38"/>
+<stop offset="1" stop-color="#4B214C"/>
+</linearGradient>
+<linearGradient id="paint4_linear_979_792" x1="88.9122" y1="15.8929" x2="88.9122" y2="100.954" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFD200"/>
+<stop offset="0.06" stop-color="#FFB500"/>
+<stop offset="0.14" stop-color="#FF8C00"/>
+<stop offset="0.21" stop-color="#FF7300"/>
+<stop offset="0.26" stop-color="#FF6A00"/>
+<stop offset="0.33" stop-color="#FC4F0E"/>
+<stop offset="0.43" stop-color="#F92F1E"/>
+<stop offset="0.51" stop-color="#F81B27"/>
+<stop offset="0.57" stop-color="#F7142B"/>
+<stop offset="0.68" stop-color="#DF162E"/>
+<stop offset="0.79" stop-color="#AF1A38"/>
+<stop offset="1" stop-color="#4B214C"/>
+</linearGradient>
+<linearGradient id="paint5_linear_979_792" x1="59.857" y1="15.8938" x2="59.857" y2="100.955" gradientUnits="userSpaceOnUse">
+<stop stop-color="#FFD200"/>
+<stop offset="0.06" stop-color="#FFB500"/>
+<stop offset="0.14" stop-color="#FF8C00"/>
+<stop offset="0.21" stop-color="#FF7300"/>
+<stop offset="0.26" stop-color="#FF6A00"/>
+<stop offset="0.33" stop-color="#FC4F0E"/>
+<stop offset="0.43" stop-color="#F92F1E"/>
+<stop offset="0.51" stop-color="#F81B27"/>
+<stop offset="0.57" stop-color="#F7142B"/>
+<stop offset="0.68" stop-color="#DF162E"/>
+<stop offset="0.79" stop-color="#AF1A38"/>
+<stop offset="1" stop-color="#4B214C"/>
+</linearGradient>
+</defs>
+</svg>

packages/extra/bootbox/templates/check-release-name.yaml

@@ -0,0 +1,6 @@
+{{- if ne .Release.Name .Chart.Name }}
+{{- fail (printf "The name of the release MUST BE %s" .Chart.Name) }}
+{{- end -}}
+{{- if ne .Release.Namespace "tenant-root" }}
+{{- fail "The namespace of the release MUST BE tenant-root" }}
+{{- end -}}

packages/extra/bootbox/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  resourceNames:
+  - bootbox
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - grafana-admin-password
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - bootbox
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - bootbox-matchbox
+  verbs: ["get", "list", "watch"]
+
+

packages/extra/bootbox/templates/matchbox/configmaps.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bootbox-profiles
+data:
+  default.json: |
+    {
+      "id": "default",
+      "name": "default",
+      "boot": {
+        "kernel": "/assets/vmlinuz",
+        "initrd": ["/assets/initramfs.xz"],
+        "args": [
+          "initrd=initramfs.xz",
+          "init_on_alloc=1",
+          "slab_nomerge",
+          "pti=on",
+          "console=tty0",
+          "console=ttyS0",
+          "printk.devkmsg=on",
+          "talos.platform=metal"
+        ]
+      }
+    }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bootbox-groups
+data:
+  default.json: |
+    {
+      "id": "default",
+      "name": "default",
+      "profile": "default"
+    }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bootbox-configs
+data:

packages/extra/bootbox/templates/matchbox/deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bootbox-matchbox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bootbox-matchbox
+  template:
+    metadata:
+      labels:
+        app: bootbox-matchbox
+    spec:
+      containers:
+      - name: matchbox
+        image: "{{ $.Files.Get "images/matchbox.tag" | trim }}"
+        args:
+          - "-address=:8080"
+          - "-log-level=debug"
+        volumeMounts:
+          - name: profiles-volume
+            mountPath: /var/lib/matchbox/profiles
+          - name: groups-volume
+            mountPath: /var/lib/matchbox/groups
+          - name: configs-volume
+            mountPath: /var/lib/matchbox/assets/configs
+        ports:
+          - name: http
+            containerPort: 8080
+            protocol: TCP
+      volumes:
+        - name: profiles-volume
+          configMap:
+            name: bootbox-profiles
+        - name: groups-volume
+          configMap:
+            name: bootbox-groups
+        - name: configs-volume
+          configMap:
+            name: bootbox-configs
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: bootbox-matchbox
+spec:
+  replicas: 1
+  minReplicas: 1
+  kind: bootbox
+  type: matchbox
+  selector:
+    app: bootbox-matchbox
+  version: {{ $.Chart.Version }}

packages/extra/bootbox/templates/matchbox/ingress.yaml

@@ -0,0 +1,37 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bootbox
+  labels:
+    app: bootbox
+  annotations:
+    {{- if ne $issuerType "cloudflare" }}
+    acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
+    {{- end }}
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    {{- if .Values.whitelistHTTP }}
+    nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," (.Values.whitelist | default "0.0.0.0/32") }}"
+    {{- end }}
+spec:
+  ingressClassName: {{ $ingress }}
+  tls:
+    - hosts:
+        - "{{ printf "bootbox.%s" (.Values.host | default $host) }}"
+      secretName: bootbox-tls
+  rules:
+    - host: "{{ printf "bootbox.%s" (.Values.host | default $host) }}"
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: bootbox
+                port:
+                  name: http

packages/extra/bootbox/templates/matchbox/machines.yaml

@@ -0,0 +1,47 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+
+{{ range $m := .Values.machines }}
+---
+apiVersion: tinkerbell.org/v1alpha1
+kind: Hardware
+metadata:
+  name: {{ $m.hostname }}
+  namespace: cozy-bootbox
+spec:
+  interfaces:
+  {{- range $mac := $m.mac }}
+  - dhcp:
+      hostname: {{ $m.hostname }}
+      mac: {{ $mac }}
+      {{- with $m.arch }}
+      arch: {{ . }}
+      {{- end }}
+      {{- with $m.ip }}
+      ip:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $m.leaseTime }}
+      lease_time: {{ . }}
+      {{- end }}
+      {{- with $m.uefi }}
+      uefi: {{ . }}
+      {{- end }}
+      {{- with $m.nameServers }}
+      name_servers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $m.timeServers }}
+      time_servers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    netboot:
+      allowPXE: true
+      ipxe:
+        url: "https://{{ printf "bootbox.%s" ($.Values.host | default $host) }}/boot.ipxe"
+  {{- end }}
+{{- end }}

packages/extra/bootbox/templates/matchbox/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bootbox
+spec:
+  selector:
+    app: bootbox-matchbox
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: http
+      name: http

packages/extra/bootbox/values.schema.json

@@ -0,0 +1,25 @@
+{
+  "title": "Chart Values",
+  "type": "object",
+  "properties": {
+    "whitelistHTTP": {
+      "type": "boolean",
+      "description": "Secure HTTP by enabling  client networks whitelisting",
+      "default": true
+    },
+    "whitelist": {
+      "type": "array",
+      "description": "List of client networks",
+      "default": [],
+      "items": {}
+    },
+    "machines": {
+      "type": "array",
+      "description": "Configuration of physical machine instances",
+      "default": "[]",
+      "items": {
+        "type": "object"
+      }
+    }
+  }
+}

packages/extra/bootbox/values.yaml

@@ -0,0 +1,30 @@
+## @section Common parameters
+
+## @param whitelistHTTP Secure HTTP by enabling  client networks whitelisting
+## @param whitelist List of client networks
+## Example:
+## whitelistHTTP: true
+## whitelist:
+## - "1.2.3.4"
+## - "10.8.0.0/16"
+##
+whitelistHTTP: true
+whitelist: []
+
+## @param machines [array] Configuration of physical machine instances
+##
+## Example:
+## machines:
+## - hostname: machine1
+##   arch: x86_64
+##   ip:
+##     address: 10.8.2.2
+##     gateway: 10.8.2.1
+##     netmask: 255.255.255.0
+##   leaseTime: 86400
+##   mac: [d6:fa:af:52:25:93]
+##   nameServers: [1.1.1.1,8.8.8.8]
+##   timeServers: [pool.ntp.org]
+##   uefi: true
+
+machines: []

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.6.1
+version: 1.8.0

packages/extra/monitoring/Makefile

@@ -1,5 +1,8 @@
+GRAFANA_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+
 NAME=monitoring
 
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
@@ -8,3 +11,16 @@ generate:
 		jq '.properties.metricsStorages.items.type = "object" | .properties.logsStorages.items.type = "object"' \
 		> values.schema.json
 	rm -f values.schema.json.tmp
+
+image:
+	docker buildx build --platform linux/amd64 images/grafana \
+		--provenance false \
+		--tag $(REGISTRY)/grafana:$(call settag,$(GRAFANA_TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/grafana:latest \
+		--cache-to type=inline \
+		--metadata-file images/grafana.json \
+		--push=$(PUSH) \
+		--load=$(LOAD)
+	echo "$(REGISTRY)/grafana:$(call settag,$(GRAFANA_TAG))@$$(yq e '."containerimage.digest"' images/grafana.json -o json -r)" \
+		> images/grafana.tag
+	rm -f images/grafana.json

packages/extra/monitoring/README.md

@@ -4,13 +4,14 @@
 
 ### Common parameters
 
-| Name                            | Description                                                                                               | Value  |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------- | ------ |
-| `host`                          | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`   |
-| `metricsStorages`               | Configuration of metrics storage instances                                                                | `[]`   |
-| `logsStorages`                  | Configuration of logs storage instances                                                                   | `[]`   |
-| `alerta.storage`                | Persistent Volume size for alerta database                                                                | `10Gi` |
-| `alerta.storageClassName`       | StorageClass used to store the data                                                                       | `""`   |
-| `alerta.alerts.telegram.token`  | telegram token for your bot                                                                               | `""`   |
-| `alerta.alerts.telegram.chatID` | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `""`   |
-| `grafana.db.size`               | Persistent Volume size for grafana database                                                               | `10Gi` |
+| Name                                      | Description                                                                                               | Value  |
+| ----------------------------------------- | --------------------------------------------------------------------------------------------------------- | ------ |
+| `host`                                    | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`   |
+| `metricsStorages`                         | Configuration of metrics storage instances                                                                | `[]`   |
+| `logsStorages`                            | Configuration of logs storage instances                                                                   | `[]`   |
+| `alerta.storage`                          | Persistent Volume size for alerta database                                                                | `10Gi` |
+| `alerta.storageClassName`                 | StorageClass used to store the data                                                                       | `""`   |
+| `alerta.alerts.telegram.token`            | telegram token for your bot                                                                               | `""`   |
+| `alerta.alerts.telegram.chatID`           | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `""`   |
+| `alerta.alerts.telegram.disabledSeverity` | list of severity without alerts, separated comma like: "informational,warning"                            | `""`   |
+| `grafana.db.size`                         | Persistent Volume size for grafana database                                                               | `10Gi` |

packages/extra/monitoring/images/grafana.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/grafana:latest@sha256:0377abd3cb2c6e27b12ac297f1859aa4d550f1aa14989f824f2315d0dfd1a5b2

packages/extra/monitoring/images/grafana/Dockerfile

@@ -0,0 +1,15 @@
+FROM grafana/grafana:11.4.0
+
+USER root
+
+RUN mkdir -p /var/lib/grafana-plugins \
+ && chown -R grafana:0 /var/lib/grafana-plugins
+
+USER grafana
+
+ARG VLOGS_VERSION=v0.14.1
+RUN curl -L https://github.com/VictoriaMetrics/victorialogs-datasource/releases/download/${VLOGS_VERSION}/victoriametrics-logs-datasource-${VLOGS_VERSION}.tar.gz | \
+      tar -xzf - -C /var/lib/grafana-plugins
+
+RUN grafana-cli --pluginsDir /var/lib/grafana-plugins plugins install natel-discrete-panel
+RUN grafana-cli --pluginsDir /var/lib/grafana-plugins plugins install grafana-worldmap-panel

packages/extra/monitoring/templates/alerta/alerta.yaml

@@ -116,6 +116,8 @@ spec:
               value: "{{ .Values.alerta.alerts.telegram.token }}"
             - name: TELEGRAM_WEBHOOK_URL
               value: "https://{{ printf "alerta.%s" (.Values.host | default $host) }}/api/webhooks/telegram?api-key={{ $apiKey }}"
+            - name: TELEGRAM_DISABLE_NOTIFICATION_SEVERITY
+              value: "{{ .Values.alerta.alerts.telegram.disabledSeverity }}"
             {{- end }}
 
           ports:

packages/extra/monitoring/templates/grafana/grafana.yaml

@@ -36,38 +36,19 @@ spec:
       replicas: 2
       template:
         spec:
-          initContainers:
-            - name: "load-vm-ds-plugin"
-              image: "curlimages/curl:7.85.0"
-              command: [ "/bin/sh" ]
-              workingDir: "/var/lib/grafana"
-              securityContext:
-                runAsUser: 10001
-                runAsNonRoot: true
-                runAsGroup: 10001
-              args:
-                - "-c"
-                - |
-                  set -ex
-                  mkdir -p /var/lib/grafana/plugins/
-                  ver=$(curl -s https://api.github.com/repos/VictoriaMetrics/victorialogs-datasource/releases/latest | grep -oE 'v0\.13\.[0-9]+' | head -1)
-                  curl -L https://github.com/VictoriaMetrics/victorialogs-datasource/releases/download/$ver/victoriametrics-logs-datasource-$ver.tar.gz -o /var/lib/grafana/plugins/vl-plugin.tar.gz
-                  tar -xf /var/lib/grafana/plugins/vl-plugin.tar.gz -C /var/lib/grafana/plugins/
-                  rm /var/lib/grafana/plugins/vl-plugin.tar.gz
-              volumeMounts:
-                - name: grafana-data
-                  mountPath: /var/lib/grafana
           containers:
             - name: grafana
-              image: grafana/grafana:11.2.0
+              image: "{{ $.Files.Get "images/grafana.tag" | trim }}"
               securityContext:
                 allowPrivilegeEscalation: false
                 readOnlyRootFilesystem: false
               readinessProbe:
                 failureThreshold: 3
               env:
-              - name: GF_INSTALL_PLUGINS
-                value: grafana-worldmap-panel,natel-discrete-panel
+              #- name: GF_INSTALL_PLUGINS
+              #  value: grafana-worldmap-panel,natel-discrete-panel
+              - name: GF_PATHS_PLUGINS
+                value: /var/lib/grafana-plugins
               - name: ONCALL_API_URL
                 value: http://grafana-oncall-engine:8080
               - name: GF_DATABASE_HOST

packages/extra/monitoring/templates/vm/vmcluster.yaml

@@ -10,26 +10,26 @@ spec:
   vminsert:
     replicaCount: 2
     resources:
-      {{- if empty .vminsert.resources }}
+      {{- if and (hasKey . "vminsert") (hasKey .vminsert "resources") }}
+      {{- toYaml .vminsert.resources | nindent 6 }}
+      {{- else }}
       limits:
         memory: 1000Mi
       requests:
         cpu: 100m
         memory: 500Mi
-      {{- else }}
-      {{- toYaml .vminsert.resources | nindent 6 }}
       {{- end }}
   vmselect:
     replicaCount: 2
     resources:
-      {{- if empty .vmselect.resources }}
+      {{- if and (hasKey . "vmselect") (hasKey .vmselect "resources") }}
+      {{- toYaml .vmselect.resources | nindent 6 }}
+      {{- else }}
       limits:
         memory: 1000Mi
       requests:
         cpu: 100m
         memory: 500Mi
-      {{- else }}
-      {{- toYaml .vmselect.resources | nindent 6 }}
       {{- end }}
     extraArgs:
       search.maxUniqueTimeseries: "600000"
@@ -48,14 +48,14 @@ spec:
   vmstorage:
     replicaCount: 2
     resources:
-      {{- if empty .vmstorage.resources }}
+      {{- if and (hasKey . "vmstorage") (hasKey .vmstorage "resources") }}
+      {{- toYaml .vmstorage.resources | nindent 6 }}
+      {{- else }}
       limits:
         memory: 2048Mi
       requests:
         cpu: 100m
         memory: 500Mi
-      {{- else }}
-      {{- toYaml .vmstorage.resources | nindent 6 }}
       {{- end }}
     storage:
       volumeClaimTemplate:

packages/extra/monitoring/values.schema.json

@@ -51,6 +51,11 @@
                   "type": "string",
                   "description": "specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot",
                   "default": ""
+                },
+                "disabledSeverity": {
+                  "type": "string",
+                  "description": "list of severity without alerts, separated comma like: \"informational,warning\"",
+                  "default": ""
                 }
               }
             }

packages/extra/monitoring/values.yaml

@@ -78,14 +78,17 @@ alerta:
   alerts:
     ## @param alerta.alerts.telegram.token telegram token for your bot
     ## @param alerta.alerts.telegram.chatID specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot
+    ## @param alerta.alerts.telegram.disabledSeverity list of severity without alerts, separated comma like: "informational,warning"
     ## example:
     ##   telegram:
     ##     token: "7262461387:AAGtwq16iwuVtWtzoN6TUEMpF00fpC9Xz34"
     ##     chatID: "-4520856007"
+    ##     disabledSeverity: "informational,warning"
     ##
     telegram:
       token: ""
       chatID: ""
+      disabledSeverity: ""
 
 ## Configuration for Grafana
 ## @param grafana.db.size Persistent Volume size for grafana database

packages/extra/versions_map

@@ -1,3 +1,4 @@
+bootbox 0.1.0 HEAD
 etcd 1.0.0 f7eaab0
 etcd 2.0.0 a6d0f7cf
 etcd 2.0.1 6fc1cc7d
@@ -22,7 +23,9 @@ monitoring 1.5.2 898374b5
 monitoring 1.5.3 c1ca19dc
 monitoring 1.5.4 d4634797
 monitoring 1.6.0 cb7b8158
-monitoring 1.6.1 HEAD
+monitoring 1.6.1 3bb97596
+monitoring 1.7.0 749110aa
+monitoring 1.8.0 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 9e33dc0
 seaweedfs 0.2.1 249bf35

packages/system/bootbox/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-smee
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/bootbox/Makefile

@@ -0,0 +1,16 @@
+export NAME=bootbox
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	mkdir -p charts
+	cd charts && \
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/tinkerbell/charts  | awk -F'[/^]' 'END{print $$3}') && \
+	curl -sSL https://github.com/tinkerbell/charts/archive/refs/tags/$${tag}.tar.gz | \
+	tar xzvf - --strip 2 charts-$${tag#*v}/tinkerbell
+	find charts -maxdepth 1 -mindepth 1 ! -name tink -and ! -name smee -exec rm -rf {} \;
+	mkdir -p charts/smee/crds
+	mv charts/tink/crds/hardware-crd.yaml charts/smee/crds
+	rm -rf charts/tink

packages/system/bootbox/charts/smee/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: smee
+description: Smee is the network boot service for Tinkerbell
+icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.6.2
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.15.1"

packages/system/bootbox/charts/smee/crds/hardware-crd.yaml

@@ -0,0 +1,388 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.3
+  name: hardware.tinkerbell.org
+spec:
+  group: tinkerbell.org
+  names:
+    categories:
+      - tinkerbell
+    kind: Hardware
+    listKind: HardwareList
+    plural: hardware
+    shortNames:
+      - hw
+    singular: hardware
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .status.state
+          name: State
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: Hardware is the Schema for the Hardware API.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: HardwareSpec defines the desired state of Hardware.
+              properties:
+                bmcRef:
+                  description: |-
+                    BMCRef contains a relation to a BMC state management type in the same
+                    namespace as the Hardware. This may be used for BMC management by
+                    orchestrators.
+                  properties:
+                    apiGroup:
+                      description: |-
+                        APIGroup is the group for the resource being referenced.
+                        If APIGroup is not specified, the specified Kind must be in the core API group.
+                        For any other third-party types, APIGroup is required.
+                      type: string
+                    kind:
+                      description: Kind is the type of resource being referenced
+                      type: string
+                    name:
+                      description: Name is the name of resource being referenced
+                      type: string
+                  required:
+                    - kind
+                    - name
+                  type: object
+                  x-kubernetes-map-type: atomic
+                disks:
+                  items:
+                    description: Disk represents a disk device for Tinkerbell Hardware.
+                    properties:
+                      device:
+                        type: string
+                    type: object
+                  type: array
+                interfaces:
+                  items:
+                    description: Interface represents a network interface configuration for Hardware.
+                    properties:
+                      dhcp:
+                        description: DHCP configuration.
+                        properties:
+                          arch:
+                            type: string
+                          hostname:
+                            type: string
+                          iface_name:
+                            type: string
+                          ip:
+                            description: IP configuration.
+                            properties:
+                              address:
+                                type: string
+                              family:
+                                format: int64
+                                type: integer
+                              gateway:
+                                type: string
+                              netmask:
+                                type: string
+                            type: object
+                          lease_time:
+                            format: int64
+                            type: integer
+                          mac:
+                            pattern: ([0-9a-f]{2}[:]){5}([0-9a-f]{2})
+                            type: string
+                          name_servers:
+                            items:
+                              type: string
+                            type: array
+                          time_servers:
+                            items:
+                              type: string
+                            type: array
+                          uefi:
+                            type: boolean
+                          vlan_id:
+                            description: validation pattern for VLANDID is a string number between 0-4096
+                            pattern: ^(([0-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))(,[1-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))*)$
+                            type: string
+                        type: object
+                      disableDhcp:
+                        default: false
+                        description: DisableDHCP disables DHCP for this interface.
+                        type: boolean
+                      netboot:
+                        description: Netboot configuration.
+                        properties:
+                          allowPXE:
+                            type: boolean
+                          allowWorkflow:
+                            type: boolean
+                          ipxe:
+                            description: IPXE configuration.
+                            properties:
+                              contents:
+                                type: string
+                              url:
+                                type: string
+                            type: object
+                          osie:
+                            description: OSIE configuration.
+                            properties:
+                              baseURL:
+                                type: string
+                              initrd:
+                                type: string
+                              kernel:
+                                type: string
+                            type: object
+                        type: object
+                    type: object
+                  type: array
+                metadata:
+                  properties:
+                    bonding_mode:
+                      format: int64
+                      type: integer
+                    custom:
+                      properties:
+                        preinstalled_operating_system_version:
+                          properties:
+                            distro:
+                              type: string
+                            image_tag:
+                              type: string
+                            os_slug:
+                              type: string
+                            slug:
+                              type: string
+                            version:
+                              type: string
+                          type: object
+                        private_subnets:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    facility:
+                      properties:
+                        facility_code:
+                          type: string
+                        plan_slug:
+                          type: string
+                        plan_version_slug:
+                          type: string
+                      type: object
+                    instance:
+                      properties:
+                        allow_pxe:
+                          type: boolean
+                        always_pxe:
+                          type: boolean
+                        crypted_root_password:
+                          type: string
+                        hostname:
+                          type: string
+                        id:
+                          type: string
+                        ips:
+                          items:
+                            properties:
+                              address:
+                                type: string
+                              family:
+                                format: int64
+                                type: integer
+                              gateway:
+                                type: string
+                              management:
+                                type: boolean
+                              netmask:
+                                type: string
+                              public:
+                                type: boolean
+                            type: object
+                          type: array
+                        ipxe_script_url:
+                          type: string
+                        network_ready:
+                          type: boolean
+                        operating_system:
+                          properties:
+                            distro:
+                              type: string
+                            image_tag:
+                              type: string
+                            os_slug:
+                              type: string
+                            slug:
+                              type: string
+                            version:
+                              type: string
+                          type: object
+                        rescue:
+                          type: boolean
+                        ssh_keys:
+                          items:
+                            type: string
+                          type: array
+                        state:
+                          type: string
+                        storage:
+                          properties:
+                            disks:
+                              items:
+                                properties:
+                                  device:
+                                    type: string
+                                  partitions:
+                                    items:
+                                      properties:
+                                        label:
+                                          type: string
+                                        number:
+                                          format: int64
+                                          type: integer
+                                        size:
+                                          format: int64
+                                          type: integer
+                                        start:
+                                          format: int64
+                                          type: integer
+                                        type_guid:
+                                          type: string
+                                      type: object
+                                    type: array
+                                  wipe_table:
+                                    type: boolean
+                                type: object
+                              type: array
+                            filesystems:
+                              items:
+                                properties:
+                                  mount:
+                                    properties:
+                                      create:
+                                        properties:
+                                          force:
+                                            type: boolean
+                                          options:
+                                            items:
+                                              type: string
+                                            type: array
+                                        type: object
+                                      device:
+                                        type: string
+                                      files:
+                                        items:
+                                          properties:
+                                            contents:
+                                              type: string
+                                            gid:
+                                              format: int64
+                                              type: integer
+                                            mode:
+                                              format: int64
+                                              type: integer
+                                            path:
+                                              type: string
+                                            uid:
+                                              format: int64
+                                              type: integer
+                                          type: object
+                                        type: array
+                                      format:
+                                        type: string
+                                      point:
+                                        type: string
+                                    type: object
+                                type: object
+                              type: array
+                            raid:
+                              items:
+                                properties:
+                                  devices:
+                                    items:
+                                      type: string
+                                    type: array
+                                  level:
+                                    type: string
+                                  name:
+                                    type: string
+                                  spare:
+                                    format: int64
+                                    type: integer
+                                type: object
+                              type: array
+                          type: object
+                        tags:
+                          items:
+                            type: string
+                          type: array
+                        userdata:
+                          type: string
+                      type: object
+                    manufacturer:
+                      properties:
+                        id:
+                          type: string
+                        slug:
+                          type: string
+                      type: object
+                    state:
+                      type: string
+                  type: object
+                resources:
+                  additionalProperties:
+                    anyOf:
+                      - type: integer
+                      - type: string
+                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                    x-kubernetes-int-or-string: true
+                  description: |-
+                    Resources represents known resources that are available on a machine.
+                    Resources may be used for scheduling by orchestrators.
+                  type: object
+                tinkVersion:
+                  format: int64
+                  type: integer
+                userData:
+                  description: |-
+                    UserData is the user data to configure in the hardware's
+                    metadata
+                  type: string
+                vendorData:
+                  description: |-
+                    VendorData is the vendor data to configure in the hardware's
+                    metadata
+                  type: string
+              type: object
+            status:
+              description: HardwareStatus defines the observed state of Hardware.
+              properties:
+                state:
+                  description: HardwareState represents the hardware state.
+                  type: string
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

packages/system/bootbox/charts/smee/templates/_ports.tpl

@@ -0,0 +1,24 @@
+{{ define "smee.ports" }}
+- {{ .PortKey }}: {{ .http.port }}
+  name: {{ .http.name }}
+  protocol: TCP
+- {{ .PortKey }}: {{ .syslog.port }}
+  name: {{ .syslog.name }}
+  protocol: UDP
+- {{ .PortKey }}: {{ .dhcp.port }}
+  name: {{ .dhcp.name }}
+  protocol: UDP
+- {{ .PortKey }}: {{ .tftp.port }}
+  name: {{ .tftp.name }}
+  protocol: UDP
+{{- end }}
+
+{{- define "urlJoiner" }}
+{{- if .urlDict.port }}
+{{- $host := printf "%v:%v" .urlDict.host .urlDict.port }}
+{{- $newDict := set .urlDict "host" $host }}
+{{- print (urlJoin $newDict) }}
+{{- else }}
+{{- print (urlJoin .urlDict) }}
+{{- end }}
+{{- end }}

packages/system/bootbox/charts/smee/templates/_scheduling.tpl

@@ -0,0 +1,12 @@
+{{- define "singleNodeClusterConfig" }}
+- effect: NoSchedule
+  key: node-role.kubernetes.io/control-plane
+{{- end }}
+
+{{- define "preferWorkerNodes" }}
+- weight: {{ .nodeAffinityWeight }}
+  preference:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+{{- end }}

packages/system/bootbox/charts/smee/templates/deployment.yaml

@@ -0,0 +1,182 @@
+{{- if .Values.deploy }}
+{{- $publicIP := .Values.publicIP }}
+{{- $trustedProxies := .Values.trustedProxies }}
+{{- $roleType := .Values.rbac.type }}
+{{- $nodeSelector := .Values.nodeSelector }}
+{{- if .Values.global }}
+{{- $publicIP = coalesce .Values.publicIP .Values.global.publicIP }}
+{{- $trustedProxies = coalesce .Values.trustedProxies .Values.global.trustedProxies }}
+{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
+{{- $nodeSelector = coalesce .Values.nodeSelector .Values.global.nodeSelector }}
+{{- end }}
+{{- $_ := set .Values.dhcp "syslogIp" (default $publicIP .Values.dhcp.syslogIp) }}
+{{- $_ := set .Values.dhcp "ipForPacket" (default $publicIP .Values.dhcp.ipForPacket) }}
+{{- $_ := set .Values.dhcp "tftpIp" (default $publicIP .Values.dhcp.tftpIp) }}
+{{- $_ := set .Values.dhcp.httpIPXE.binaryUrl "host" (default $publicIP .Values.dhcp.httpIPXE.binaryUrl.host) }}
+{{- $_ := set .Values.dhcp.httpIPXE.scriptUrl "host" (default $publicIP .Values.dhcp.httpIPXE.scriptUrl.host) }}
+{{- $_ := set .Values.http.tinkServer "ip" (default $publicIP .Values.http.tinkServer.ip) }}
+{{- $_ := set .Values.http.osieUrl "host" (default $publicIP .Values.http.osieUrl.host) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ .Values.name }}
+  name: {{ .Values.name }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: {{ .Values.name }}
+      stack: tinkerbell
+      {{- with .Values.selector }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+  strategy:
+    type: {{ .Values.deployment.strategy.type }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.name }}
+        stack: tinkerbell
+        {{- with .Values.selector }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      containers:
+        - image: {{ .Values.image }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+          {{- range .Values.additionalArgs }}
+            - {{ . }}
+          {{- end }}
+          env:
+            - name: SMEE_LOG_LEVEL
+              value: {{ .Values.logLevel | quote }}
+            - name: SMEE_DHCP_ADDR
+              value: {{ printf "%v:%v" .Values.dhcp.ip .Values.dhcp.port | quote }}
+            - name: SMEE_DHCP_ENABLED
+              value: {{ .Values.dhcp.enabled | quote }}
+            - name: SMEE_DHCP_TFTP_PORT
+              value: {{ .Values.dhcp.tftpPort | quote }}
+            - name: SMEE_DHCP_HTTP_IPXE_BINARY_PATH
+              value: {{ .Values.dhcp.httpIPXE.binaryUrl.path | quote }}
+            - name: SMEE_DHCP_HTTP_IPXE_BINARY_PORT
+              value: {{ .Values.dhcp.httpIPXE.binaryUrl.port | quote }}
+            - name: SMEE_DHCP_HTTP_IPXE_BINARY_SCHEME
+              value: {{ .Values.dhcp.httpIPXE.binaryUrl.scheme | quote }}
+            - name: SMEE_DHCP_HTTP_IPXE_SCRIPT_PATH
+              value: {{ .Values.dhcp.httpIPXE.scriptUrl.path | quote }}
+            - name: SMEE_DHCP_HTTP_IPXE_SCRIPT_PORT
+              value: {{ .Values.dhcp.httpIPXE.scriptUrl.port | quote }}
+            - name: SMEE_DHCP_HTTP_IPXE_SCRIPT_SCHEME
+              value: {{ .Values.dhcp.httpIPXE.scriptUrl.scheme | quote }}
+            - name: SMEE_DHCP_MODE
+              value: {{ .Values.dhcp.mode | quote }}
+            - name: SMEE_EXTRA_KERNEL_ARGS
+              value: {{ join " " ( append .Values.http.additionalKernelArgs ( printf "tink_worker_image=%s" ( required "missing tinkWorkerImage" .Values.tinkWorkerImage ) ) ) | quote }}
+            - name: SMEE_HTTP_IPXE_BINARY_ENABLED
+              value: {{ .Values.http.ipxeBinaryEnabled | quote }}
+            - name: SMEE_HTTP_IPXE_SCRIPT_ENABLED
+              value: {{ .Values.http.ipxeScriptEnabled | quote }}
+            - name: SMEE_HTTP_PORT
+              value: {{ .Values.http.port | quote }}
+            - name: SMEE_OSIE_URL
+              value: {{include "urlJoiner" (dict "urlDict" .Values.http.osieUrl) | quote }}
+            - name: SMEE_TINK_SERVER
+              value: {{ printf "%v:%v" .Values.http.tinkServer.ip .Values.http.tinkServer.port | quote }}
+            - name: SMEE_TINK_SERVER_TLS
+              value: {{ .Values.http.tinkServer.tls | quote }}
+            - name: SMEE_TINK_SERVER_INSECURE_TLS
+              value: {{ .Values.http.tinkServer.insecureTLS | quote }}
+            - name: SMEE_TRUSTED_PROXIES
+              value: {{ required "missing trustedProxies" ( join "," $trustedProxies ) | quote }}
+            - name: SMEE_SYSLOG_ENABLED
+              value: {{ .Values.syslog.enabled | quote }}
+            - name: SMEE_IPXE_SCRIPT_PATCH
+              value: {{ .Values.ipxeScriptPatch | quote }}
+            - name: SMEE_TFTP_ENABLED
+              value: {{ .Values.tftp.enabled | quote }}
+            - name: SMEE_TFTP_TIMEOUT
+              value: {{ .Values.tftp.timeout | quote }}
+            - name: SMEE_TFTP_PORT
+              value: {{ .Values.tftp.port | quote }}
+            - name: SMEE_SYSLOG_PORT
+              value: {{ .Values.syslog.port | quote }}
+            - name: SMEE_HTTP_ADDR
+              value: {{ .Values.http.ip | quote }}
+            - name: SMEE_SYSLOG_ADDR
+              value: {{ .Values.syslog.ip | quote }}
+            - name: SMEE_TFTP_ADDR
+              value: {{ .Values.tftp.ip | quote }}
+            - name: SMEE_DHCP_HTTP_IPXE_BINARY_HOST
+              value: {{ .Values.dhcp.httpIPXE.binaryUrl.host | quote }}
+            - name: SMEE_DHCP_HTTP_IPXE_SCRIPT_HOST
+              value: {{ .Values.dhcp.httpIPXE.scriptUrl.host | quote }}
+            - name: SMEE_DHCP_SYSLOG_IP
+              value: {{ .Values.dhcp.syslogIp | quote }}
+            - name: SMEE_DHCP_TFTP_IP
+              value: {{ .Values.dhcp.tftpIp | quote }}
+            - name: SMEE_DHCP_IP_FOR_PACKET
+              value: {{ .Values.dhcp.ipForPacket | quote }}
+            - name: SMEE_ISO_ENABLED
+              value: {{ .Values.iso.enabled | quote }}
+            - name: SMEE_ISO_URL
+              value: {{ .Values.iso.url | quote }}
+            - name: SMEE_ISO_MAGIC_STRING
+              value: {{ .Values.iso.magicString | quote }}
+            - name: SMEE_ISO_STATIC_IPAM_ENABLED
+              value: {{ .Values.iso.staticIPAMEnabled | quote }}
+            {{- if eq $roleType "Role"}}
+            - name: SMEE_BACKEND_KUBE_NAMESPACE
+              value: {{ .Release.Namespace | quote }}
+            {{- end }}
+            {{- range .Values.additionalEnv }}
+            - name: {{ .name | quote }}
+              value: {{ .value | quote }}
+            {{- end }}
+          {{- if not .Values.hostNetwork }}
+          ports:
+            {{- include "smee.ports" ( merge ( dict "PortKey" "containerPort" ) .Values  ) | indent 12 }}
+          {{- end }}
+          name: {{ .Values.name }}
+          resources:
+            limits:
+              cpu: {{ .Values.resources.limits.cpu }}
+              memory: {{ .Values.resources.limits.memory }}
+            requests:
+              cpu: {{ .Values.resources.requests.cpu }}
+              memory: {{ .Values.resources.requests.memory }}
+          {{- with .Values.additionalVolumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.additionalVolumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ .Values.name }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      {{- with $nodeSelector }}
+      nodeSelector:
+      {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.deployment.tolerations .Values.singleNodeClusterConfig.controlPlaneTolerationsEnabled }}
+      tolerations:
+      {{- .Values.deployment.tolerations | toYaml | nindent 8 }}
+      {{- if .Values.singleNodeClusterConfig.controlPlaneTolerationsEnabled }}
+      {{- include "singleNodeClusterConfig" . | indent 6 }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.deployment.affinity }}
+      affinity:
+        {{- .Values.deployment.affinity | toYaml | nindent 8 }}
+      {{- else if .Values.singleNodeClusterConfig.controlPlaneTolerationsEnabled }}
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          {{- include "preferWorkerNodes" (dict "nodeAffinityWeight" .Values.singleNodeClusterConfig.nodeAffinityWeight) | indent 10 }}
+      {{- end }}
+{{- end }}

packages/system/bootbox/charts/smee/templates/role-binding.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.deploy }}
+{{- $roleType := .Values.rbac.type }}
+{{- if .Values.global }}
+{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ printf "%sBinding" $roleType }}
+metadata:
+  name: {{ .Values.rbac.bindingName }}
+  {{- if eq $roleType "Role"  }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ $roleType }}
+  name: {{ .Values.rbac.name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.name }}
+    namespace: {{ .Release.Namespace | quote }}
+{{- end }}

packages/system/bootbox/charts/smee/templates/role.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.deploy }}
+{{- $roleType := .Values.rbac.type }}
+{{- if .Values.global }}
+{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ $roleType }}
+metadata:
+  name: {{ .Values.rbac.name }}
+  {{- if eq $roleType "Role"  }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
+rules:
+  - apiGroups: ["tinkerbell.org"]
+    resources: ["hardware", "hardware/status"]
+    verbs: ["get", "list", "watch"]
+{{- end }}

packages/system/bootbox/charts/smee/templates/service-account.yaml

@@ -0,0 +1,7 @@
+{{- if .Values.deploy }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.name }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}

packages/system/bootbox/charts/smee/templates/service.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.deploy }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: {{ .Values.name }}
+  name: {{ .Values.name }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: tftp
+    port: 69
+    targetPort: 69
+    protocol: UDP
+  - name: http
+    port: {{ .Values.http.port }}
+    targetPort: {{ .Values.http.port }}
+    protocol: TCP
+  - name: syslog
+    port: {{ .Values.syslog.port }}
+    targetPort: {{ .Values.syslog.port }}
+    protocol: UDP
+  - name: dhcp
+    port: 67
+    targetPort: 67
+    protocol: UDP
+  selector:
+    app: {{ .Values.name }}
+{{- end }}

packages/system/bootbox/charts/smee/values.schema.json

@@ -0,0 +1,41 @@
+{
+    "$schema": "http://json-schema.org/draft-04/schema#",
+    "type": "object",
+    "properties": {
+      "http": {
+        "type": "object",
+        "properties": {
+          "trustedProxies": {
+            "type": "array",
+            "items": {
+              "type": "string",
+              "description": "Specifies one or more IPv4/IPv6 addresses expressed using CIDR notation.",
+              "anyOf": [
+                {
+                  "pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$"
+                },
+                {
+                  "pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$"
+                }
+              ]
+            }
+          }
+        }
+      },
+      "rbac": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "enum": ["Role", "ClusterRole"]
+          },
+          "name": {
+            "type": "string"
+          },
+          "bindingName": {
+            "type": "string"
+          }
+        }
+      }
+    }
+  }

packages/system/bootbox/charts/smee/values.yaml

@@ -0,0 +1,166 @@
+# Toggle deployment of the service.
+deploy: true
+
+# Name of the service used as the deployment name and label selectors.
+name: smee
+
+# The image used to launch the container.
+image: quay.io/tinkerbell/smee:v0.15.1
+imagePullPolicy: IfNotPresent
+
+# The number of pods to run.
+replicas: 1
+
+# Resources bounds applied to the container.
+resources:
+  limits:
+    cpu: 500m
+    memory: 128Mi
+  requests:
+    cpu: 10m
+    memory: 64Mi
+
+deployment:
+  strategy:
+    type: RollingUpdate
+  tolerations: []
+  affinity: {}
+
+# The log level for the container.
+logLevel: "info"
+
+# The network mode to launch the smee container. When true, the smee container will use the
+# host network.
+hostNetwork: false
+
+# nodeSelector when defined will be constrain Pods to nodes with specific labels
+nodeSelector: {}
+
+# publicIP when defined will be used as the IP in the following locations if they are not defined:
+# dhcp.httpIPXE.binaryUrl.host, dhcp.httpIPXE.scriptUrl.host, tinkServer.ip, http.osieUrl.host, dhcp.ipForPacket, dhcp.tftpIp
+# This is useful when all Tinkerbell services are running behind the same IP.
+publicIP: ""
+
+# DHCP server configuration. Name is an identifier used across Kubernetes manifests for port
+# identification, ip is the IP address to bind to, and port is the port to bind to.
+dhcp:
+  enabled: true
+  name: smee-dhcp
+  mode: reservation
+  ip: 0.0.0.0
+  port: 67
+  ipForPacket: ""
+  tftpIp: ""
+  tftpPort: 69
+  syslogIp: ""
+  httpIPXE:
+      binaryUrl: # http://<host>:<port>/ipxe
+        scheme: "http"
+        host: ""
+        port: 7171
+        path: "/ipxe"
+      scriptUrl: # http://<host>:<port>/auto.ipxe
+        scheme: "http"
+        host: ""
+        port: 7171
+        path: "/auto.ipxe"
+
+
+# TFTP server configuration used to serve iPXE binaries. Name is an identifier used across
+# Kubernetes manifests for port identification, ip is the IP address to bind to, and port is the
+# port to bind to.
+tftp:
+  enabled: true
+  name: smee-tftp
+  ip: 0.0.0.0
+  port: 69
+  timeout: 5s
+
+# HTTP server configuration used to serve iPXE scripts. Name is an identifier used across
+# Kubernetes manifests for port identification, ip is the IP address to bind to, and port is the
+# port to bind to.
+http:
+  enabled: true
+  name: smee-http
+  ip: 0.0.0.0
+  port: 7171
+  # Tink Server configuration passed to the Tink Worker to establish a gRPC connection.
+  tinkServer:
+    ip: ""
+    port: 42113
+    tls: false
+    insecureTLS: false
+  osieUrl:
+    scheme: "http"
+    host: ""
+    port: 8080
+    path: ""
+  # Additional kernel arguments to pass to the OSIE. (k=v k=v) that are appended to the kernel cmdline in the iPXE script
+  additionalKernelArgs: []
+  # enable iPXE HTTP binary server
+  ipxeBinaryEnabled: true
+  # enable iPXE HTTP script server
+  ipxeScriptEnabled: true
+
+# ISO settings
+iso:
+  enabled: false
+  # the string pattern to match for in the source ISO, defaults to the one defined in HookOS
+  magicString: ""
+  # enable static IPAM for HookOS
+  staticIPAMEnabled: false
+  # an HTTP(S) URL target to an OSIE that is used for patching
+  url: ""
+
+# Trusted proxies defines a list of IP or CIDR ranges that are allowed to set the X-Forwarded-For
+  # header. This typically requires all Pod CIDRs in the cluster.
+  trustedProxies: []
+
+# Syslog server configuration for the smee hosted syslog server. Name is an identifier used across
+# Kubernetes manifests for port identification, ip is the IP address to bind to, and port is the
+# port to bind to.
+syslog:
+  enabled: true
+  name: smee-syslog
+  ip: 0.0.0.0
+  port: 514
+
+# The Tink Worker image passed to OSIE as a kernel arg for launching.
+tinkWorkerImage: quay.io/tinkerbell/tink-worker:v0.12.1
+
+
+# Additional arguments to pass to the smee container. Some arguments are already defined - refer
+# to the deployment.yaml template for details.
+additionalArgs: []
+
+# Additional environment variables to pass to the smee container. Each entry is expected to have a
+# name and value key. Some keys are already defined - refer to the deployment.yaml template for
+# details.
+#
+# Example
+#   - name: MY_ENV_VAR
+#     value: my-value
+additionalEnv: []
+
+# singleNodeClusterConfig to add tolerations for deployments on control plane nodes. This is defaulted to false.
+singleNodeClusterConfig:
+  controlPlaneTolerationsEnabled: false
+  nodeAffinityWeight: 1
+
+# Additional volumes on the output Deployment definition.
+additionalVolumes: [ ]
+#  - name: foo
+#    secret:
+#      secretName: mysecret
+#      optional: false
+
+# Additional volumeMounts on the Smee container
+additionalVolumeMounts: [ ]
+#  - name: foo
+#    mountPath: "/etc/foo"
+#    readOnly: true
+
+rbac:
+  type: Role # or ClusterRole
+  name: smee-role # or smee-cluster-role
+  bindingName: smee-rolebinding # or smee-cluster-rolebinding

packages/system/bootbox/templates/bootbox.yaml

@@ -0,0 +1,21 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    cozystack.io/ui: "true"
+  name: bootbox
+  namespace: tenant-root
+spec:
+  chart:
+    spec:
+      chart: bootbox
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-extra
+        namespace: cozy-public
+      version: '*'
+  interval: 1m0s
+  timeout: 5m0s

packages/system/bootbox/values.yaml

@@ -0,0 +1,6 @@
+smee:
+  hostNetwork: true
+  trustedProxies:
+    - 0.0.0.0/0
+  syslog:
+    enabled: false

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:9c8d38b1466d2333a1a916ddba4b3b644457361a4277bf4be132cb12f86e9281
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:35e9a8ba7e1a3b0cee634f6d2bd92d2b08c47c7ed3316559c9ea25ff733eb5d5

packages/system/cert-manager-crds/charts/cert-manager/Chart.yaml

@@ -6,7 +6,7 @@ annotations:
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v2
-appVersion: v1.16.1
+appVersion: v1.16.3
 description: A Helm chart for cert-manager
 home: https://cert-manager.io
 icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
@@ -23,4 +23,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.16.1
+version: v1.16.3

packages/system/cert-manager-crds/charts/cert-manager/README.md

@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou
 This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
 
 ```bash
-$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
+$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
 ```
 
 To install the chart with the release name `cert-manager`:
@@ -29,7 +29,7 @@ To install the chart with the release name `cert-manager`:
 $ helm repo add jetstack https://charts.jetstack.io --force-update
 
 ## Install the cert-manager helm chart
-$ helm install cert-manager --namespace cert-manager --version v1.16.1 jetstack/cert-manager
+$ helm install cert-manager --namespace cert-manager --version v1.16.3 jetstack/cert-manager
 ```
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer
@@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als
 delete the previously installed CustomResourceDefinition resources:
 
 ```console
-$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
+$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
 ```
 
 ## Configuration
@@ -79,8 +79,8 @@ $ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/downlo
 > []
 > ```
 
-Reference to one or more secrets to be used when pulling images. For more information, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
-
+Reference to one or more secrets to be used when pulling images. For more information, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).  
+  
 For example:
 
 ```yaml
@@ -93,9 +93,9 @@ imagePullSecrets:
 > {}
 > ```
 
-Labels to apply to all resources.
-Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress. For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress).
-For example, secretTemplate in CertificateSpec
+Labels to apply to all resources.  
+Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress. For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress).  
+For example, secretTemplate in CertificateSpec  
 For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec).
 #### **global.revisionHistoryLimit** ~ `number`
 
@@ -128,8 +128,8 @@ Aggregate ClusterRoles to Kubernetes default user-facing roles. For more informa
 > false
 > ```
 
-Create PodSecurityPolicy for cert-manager.
-
+Create PodSecurityPolicy for cert-manager.  
+  
 Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25.
 #### **global.podSecurityPolicy.useAppArmor** ~ `bool`
 > Default value:
@@ -184,7 +184,7 @@ This option decides if the CRDs should be installed as part of the Helm installa
 > true
 > ```
 
-This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources
+This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources  
 (Certificates, Issuers, ...) will be removed too by the garbage collector.
 ### Controller
 
@@ -194,12 +194,12 @@ This option makes it so that the "helm.sh/resource-policy": keep annotation is a
 > 1
 > ```
 
-The number of replicas of the cert-manager controller to run.
-
-The default is 1, but in production set this to 2 or 3 to provide high availability.
-
-If `replicas > 1`, consider setting `podDisruptionBudget.enabled=true`.
-
+The number of replicas of the cert-manager controller to run.  
+  
+The default is 1, but in production set this to 2 or 3 to provide high availability.  
+  
+If `replicas > 1`, consider setting `podDisruptionBudget.enabled=true`.  
+  
 Note that cert-manager uses leader election to ensure that there can only be a single instance active at a time.
 #### **strategy** ~ `object`
 > Default value:
@@ -207,8 +207,8 @@ Note that cert-manager uses leader election to ensure that there can only be a s
 > {}
 > ```
 
-Deployment update strategy for the cert-manager controller deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
-
+Deployment update strategy for the cert-manager controller deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).  
+  
 For example:
 
 ```yaml
@@ -224,13 +224,13 @@ strategy:
 > false
 > ```
 
-Enable or disable the PodDisruptionBudget resource.
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Enable or disable the PodDisruptionBudget resource.  
+  
+This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager  
 Pod is currently running.
 #### **podDisruptionBudget.minAvailable** ~ `unknown`
 
-This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
 It cannot be used if `maxUnavailable` is set.
 
 
@@ -311,7 +311,7 @@ Override the "cert-manager.name" value, which is used to annotate some of the re
 Specifies whether a service account should be created.
 #### **serviceAccount.name** ~ `string`
 
-The name of the service account to use.
+The name of the service account to use.  
 If not set and create is true, a name is generated using the fullname template.
 
 #### **serviceAccount.annotations** ~ `object`
@@ -346,10 +346,10 @@ When this flag is enabled, secrets will be automatically removed when the certif
 > {}
 > ```
 
-This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.
-
-If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.
-
+This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.  
+  
+If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.  
+  
 For example:
 
 ```yaml
@@ -412,7 +412,7 @@ Option to disable cert-manager's build-in auto-approver. The auto-approver appro
 > - clusterissuers.cert-manager.io/*
 > ```
 
-List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable 'disableAutoApproval'.
+List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable 'disableAutoApproval'.  
 ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
 
 #### **extraArgs** ~ `array`
@@ -421,10 +421,10 @@ ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
 > []
 > ```
 
-Additional command line flags to pass to cert-manager controller binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.
-
-Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver.
-
+Additional command line flags to pass to cert-manager controller binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.  
+  
+Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver.  
+  
 For example:
 
 ```yaml
@@ -437,7 +437,7 @@ extraArgs:
 > []
 > ```
 
-Additional environment variables to pass to cert-manager controller binary.
+Additional environment variables to pass to cert-manager controller binary.  
 For example:
 
 ```yaml
@@ -451,8 +451,8 @@ extraEnv:
 > {}
 > ```
 
-Resources to provide to the cert-manager controller pod.
-
+Resources to provide to the cert-manager controller pod.  
+  
 For example:
 
 ```yaml
@@ -470,7 +470,7 @@ For more information, see [Resource Management for Pods and Containers](https://
 >   type: RuntimeDefault
 > ```
 
-Pod Security Context.
+Pod Security Context.  
 For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
 
 #### **containerSecurityContext** ~ `object`
@@ -532,7 +532,7 @@ Optionally set the IP families for the controller Service that should be support
 
 #### **podDnsPolicy** ~ `string`
 
-Pod DNS policy.
+Pod DNS policy.  
 For more information, see [Pod's DNS Policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).
 
 #### **podDnsConfig** ~ `object`
@@ -552,8 +552,8 @@ Optional hostAliases for cert-manager-controller pods. May be useful when perfor
 > kubernetes.io/os: linux
 > ```
 
-The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
-
+The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).  
+  
 This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 
 #### **ingressShim.defaultIssuerName** ~ `string`
@@ -586,8 +586,8 @@ Configures the NO_PROXY environment variable where a HTTP proxy is required, but
 > {}
 > ```
 
-A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
-
+A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).  
+  
 For example:
 
 ```yaml
@@ -607,8 +607,8 @@ affinity:
 > []
 > ```
 
-A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
-
+A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).  
+  
 For example:
 
 ```yaml
@@ -624,8 +624,8 @@ tolerations:
 > []
 > ```
 
-A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
-
+A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core  
+  
 For example:
 
 ```yaml
@@ -649,9 +649,9 @@ topologySpreadConstraints:
 > timeoutSeconds: 15
 > ```
 
-LivenessProbe settings for the controller container of the controller Pod.
-
-This is enabled by default, in order to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. For more information see the following on the
+LivenessProbe settings for the controller container of the controller Pod.  
+  
+This is enabled by default, in order to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. For more information see the following on the  
 [Kubernetes GitHub repository](https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245)
 
 #### **enableServiceLinks** ~ `bool`
@@ -669,8 +669,8 @@ enableServiceLinks indicates whether information about services should be inject
 > true
 > ```
 
-Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a
-ServiceMonitor resource.
+Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a  
+ServiceMonitor resource.  
 Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
 #### **prometheus.servicemonitor.enabled** ~ `bool`
 > Default value:
@@ -745,8 +745,8 @@ Keep labels from scraped data, overriding server-side labels.
 > {}
 > ```
 
-EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
-
+EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.  
+  
 For example:
 
 ```yaml
@@ -826,8 +826,8 @@ Keep labels from scraped data, overriding server-side labels.
 > {}
 > ```
 
-EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
-
+EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.  
+  
 For example:
 
 ```yaml
@@ -858,10 +858,10 @@ endpointAdditionalProperties:
 > 1
 > ```
 
-Number of replicas of the cert-manager webhook to run.
-
-The default is 1, but in production set this to 2 or 3 to provide high availability.
-
+Number of replicas of the cert-manager webhook to run.  
+  
+The default is 1, but in production set this to 2 or 3 to provide high availability.  
+  
 If `replicas > 1`, consider setting `webhook.podDisruptionBudget.enabled=true`.
 #### **webhook.timeoutSeconds** ~ `number`
 > Default value:
@@ -869,9 +869,9 @@ If `replicas > 1`, consider setting `webhook.podDisruptionBudget.enabled=true`.
 > 30
 > ```
 
-The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. The value must be between 1 and 30 seconds. For more information, see
-[Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/).
-
+The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. The value must be between 1 and 30 seconds. For more information, see  
+[Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/).  
+  
 The default is set to the maximum value of 30 seconds as users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. By setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user.
 #### **webhook.config** ~ `object`
 > Default value:
@@ -879,10 +879,10 @@ The default is set to the maximum value of 30 seconds as users sometimes report
 > {}
 > ```
 
-This is used to configure options for the webhook pod. This allows setting options that would usually be provided using flags.
-
-If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `webhook.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.
-
+This is used to configure options for the webhook pod. This allows setting options that would usually be provided using flags.  
+  
+If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `webhook.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.  
+  
 For example:
 
 ```yaml
@@ -911,8 +911,8 @@ metricsTLSConfig:
 > {}
 > ```
 
-The update strategy for the cert-manager webhook deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy)
-
+The update strategy for the cert-manager webhook deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy)  
+  
 For example:
 
 ```yaml
@@ -950,19 +950,19 @@ Container Security Context to be set on the webhook component container. For mor
 > false
 > ```
 
-Enable or disable the PodDisruptionBudget resource.
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Enable or disable the PodDisruptionBudget resource.  
+  
+This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager  
 Pod is currently running.
 #### **webhook.podDisruptionBudget.minAvailable** ~ `unknown`
 
-This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
 It cannot be used if `maxUnavailable` is set.
 
 
 #### **webhook.podDisruptionBudget.maxUnavailable** ~ `unknown`
 
-This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
 It cannot be used if `minAvailable` is set.
 
 
@@ -1019,7 +1019,7 @@ Additional command line flags to pass to cert-manager webhook binary. To see all
 > []
 > ```
 
-Additional environment variables to pass to cert-manager webhook binary.
+Additional environment variables to pass to cert-manager webhook binary.  
 For example:
 
 ```yaml
@@ -1040,8 +1040,8 @@ Comma separated list of feature gates that should be enabled on the webhook pod.
 > {}
 > ```
 
-Resources to provide to the cert-manager webhook pod.
-
+Resources to provide to the cert-manager webhook pod.  
+  
 For example:
 
 ```yaml
@@ -1061,7 +1061,7 @@ For more information, see [Resource Management for Pods and Containers](https://
 > timeoutSeconds: 1
 > ```
 
-Liveness probe values.
+Liveness probe values.  
 For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
 
 #### **webhook.readinessProbe** ~ `object`
@@ -1074,7 +1074,7 @@ For more information, see [Container probes](https://kubernetes.io/docs/concepts
 > timeoutSeconds: 1
 > ```
 
-Readiness probe values.
+Readiness probe values.  
 For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
 
 #### **webhook.nodeSelector** ~ `object`
@@ -1083,8 +1083,8 @@ For more information, see [Container probes](https://kubernetes.io/docs/concepts
 > kubernetes.io/os: linux
 > ```
 
-The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
-
+The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).  
+  
 This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 
 #### **webhook.affinity** ~ `object`
@@ -1093,8 +1093,8 @@ This default ensures that Pods are only scheduled to Linux nodes. It prevents Po
 > {}
 > ```
 
-A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
-
+A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1114,8 +1114,8 @@ affinity:
 > []
 > ```
 
-A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
-
+A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1131,8 +1131,8 @@ tolerations:
 > []
 > ```
 
-A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
-
+A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1209,7 +1209,7 @@ Kubernetes imagePullPolicy on Deployment.
 Specifies whether a service account should be created.
 #### **webhook.serviceAccount.name** ~ `string`
 
-The name of the service account to use.
+The name of the service account to use.  
 If not set and create is true, a name is generated using the fullname template.
 
 #### **webhook.serviceAccount.annotations** ~ `object`
@@ -1244,10 +1244,10 @@ The port that the webhook listens on for requests. In GKE private clusters, by d
 > false
 > ```
 
-Specifies if the webhook should be started in hostNetwork mode.
-
-Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working
-
+Specifies if the webhook should be started in hostNetwork mode.  
+  
+Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working  
+  
 Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode.
 #### **webhook.serviceType** ~ `string`
 > Default value:
@@ -1341,12 +1341,12 @@ Create the CA Injector deployment
 > 1
 > ```
 
-The number of replicas of the cert-manager cainjector to run.
-
-The default is 1, but in production set this to 2 or 3 to provide high availability.
-
-If `replicas > 1`, consider setting `cainjector.podDisruptionBudget.enabled=true`.
-
+The number of replicas of the cert-manager cainjector to run.  
+  
+The default is 1, but in production set this to 2 or 3 to provide high availability.  
+  
+If `replicas > 1`, consider setting `cainjector.podDisruptionBudget.enabled=true`.  
+  
 Note that cert-manager uses leader election to ensure that there can only be a single instance active at a time.
 #### **cainjector.config** ~ `object`
 > Default value:
@@ -1354,10 +1354,10 @@ Note that cert-manager uses leader election to ensure that there can only be a s
 > {}
 > ```
 
-This is used to configure options for the cainjector pod. It allows setting options that are usually provided via flags.
-
-If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `cainjector.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.
-
+This is used to configure options for the cainjector pod. It allows setting options that are usually provided via flags.  
+  
+If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `cainjector.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.  
+  
 For example:
 
 ```yaml
@@ -1383,8 +1383,8 @@ metricsTLSConfig:
 > {}
 > ```
 
-Deployment update strategy for the cert-manager cainjector deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
-
+Deployment update strategy for the cert-manager cainjector deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).  
+  
 For example:
 
 ```yaml
@@ -1422,21 +1422,21 @@ Container Security Context to be set on the cainjector component container. For
 > false
 > ```
 
-Enable or disable the PodDisruptionBudget resource.
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Enable or disable the PodDisruptionBudget resource.  
+  
+This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager  
 Pod is currently running.
 #### **cainjector.podDisruptionBudget.minAvailable** ~ `unknown`
 
-`minAvailable` configures the minimum available pods for disruptions. It can either be set to
-an integer (e.g. 1) or a percentage value (e.g. 25%).
+`minAvailable` configures the minimum available pods for disruptions. It can either be set to  
+an integer (e.g. 1) or a percentage value (e.g. 25%).  
 Cannot be used if `maxUnavailable` is set.
 
 
 #### **cainjector.podDisruptionBudget.maxUnavailable** ~ `unknown`
 
-`maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to
-an integer (e.g. 1) or a percentage value (e.g. 25%).
+`maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to  
+an integer (e.g. 1) or a percentage value (e.g. 25%).  
 Cannot be used if `minAvailable` is set.
 
 
@@ -1465,7 +1465,7 @@ Additional command line flags to pass to cert-manager cainjector binary. To see
 > []
 > ```
 
-Additional environment variables to pass to cert-manager cainjector binary.
+Additional environment variables to pass to cert-manager cainjector binary.  
 For example:
 
 ```yaml
@@ -1486,8 +1486,8 @@ Comma separated list of feature gates that should be enabled on the cainjector p
 > {}
 > ```
 
-Resources to provide to the cert-manager cainjector pod.
-
+Resources to provide to the cert-manager cainjector pod.  
+  
 For example:
 
 ```yaml
@@ -1503,8 +1503,8 @@ For more information, see [Resource Management for Pods and Containers](https://
 > kubernetes.io/os: linux
 > ```
 
-The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
-
+The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).  
+  
 This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 
 #### **cainjector.affinity** ~ `object`
@@ -1513,8 +1513,8 @@ This default ensures that Pods are only scheduled to Linux nodes. It prevents Po
 > {}
 > ```
 
-A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
-
+A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1534,8 +1534,8 @@ affinity:
 > []
 > ```
 
-A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
-
+A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1551,8 +1551,8 @@ tolerations:
 > []
 > ```
 
-A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
-
+A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1615,7 +1615,7 @@ Kubernetes imagePullPolicy on Deployment.
 Specifies whether a service account should be created.
 #### **cainjector.serviceAccount.name** ~ `string`
 
-The name of the service account to use.
+The name of the service account to use.  
 If not set and create is true, a name is generated using the fullname template
 
 #### **cainjector.serviceAccount.annotations** ~ `object`
@@ -1754,8 +1754,8 @@ Optional additional annotations to add to the startupapicheck Pods.
 > - -v
 > ```
 
-Additional command line flags to pass to startupapicheck binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-startupapicheck:<version> --help`.
-
+Additional command line flags to pass to startupapicheck binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-startupapicheck:<version> --help`.  
+  
 Verbose logging is enabled by default so that if startupapicheck fails, you can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example.
 
 #### **startupapicheck.extraEnv** ~ `array`
@@ -1764,7 +1764,7 @@ Verbose logging is enabled by default so that if startupapicheck fails, you can
 > []
 > ```
 
-Additional environment variables to pass to cert-manager startupapicheck binary.
+Additional environment variables to pass to cert-manager startupapicheck binary.  
 For example:
 
 ```yaml
@@ -1778,8 +1778,8 @@ extraEnv:
 > {}
 > ```
 
-Resources to provide to the cert-manager controller pod.
-
+Resources to provide to the cert-manager controller pod.  
+  
 For example:
 
 ```yaml
@@ -1795,8 +1795,8 @@ For more information, see [Resource Management for Pods and Containers](https://
 > kubernetes.io/os: linux
 > ```
 
-The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
-
+The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).  
+  
 This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 
 #### **startupapicheck.affinity** ~ `object`
@@ -1805,7 +1805,7 @@ This default ensures that Pods are only scheduled to Linux nodes. It prevents Po
 > {}
 > ```
 
-A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
+A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).  
 For example:
 
 ```yaml
@@ -1825,8 +1825,8 @@ affinity:
 > []
 > ```
 
-A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
-
+A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1893,7 +1893,7 @@ Automounting API credentials for a particular pod.
 Specifies whether a service account should be created.
 #### **startupapicheck.serviceAccount.name** ~ `string`
 
-The name of the service account to use.
+The name of the service account to use.  
 If not set and create is true, a name is generated using the fullname template.
 
 #### **startupapicheck.serviceAccount.annotations** ~ `object`
@@ -1945,8 +1945,8 @@ enableServiceLinks indicates whether information about services should be inject
 > []
 > ```
 
-Create dynamic manifests via values.
-
+Create dynamic manifests via values.  
+  
 For example:
 
 ```yaml

packages/system/cert-manager/charts/cert-manager/Chart.yaml

@@ -1,13 +1,15 @@
 annotations:
+  artifacthub.io/category: security
+  artifacthub.io/license: Apache-2.0
   artifacthub.io/prerelease: "false"
   artifacthub.io/signKey: |
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
-apiVersion: v1
-appVersion: v1.12.3
+apiVersion: v2
+appVersion: v1.16.3
 description: A Helm chart for cert-manager
-home: https://github.com/cert-manager/cert-manager
-icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
+home: https://cert-manager.io
+icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
 keywords:
 - cert-manager
 - kube-lego
@@ -21,4 +23,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.12.3
+version: v1.16.3

packages/system/cert-manager/charts/cert-manager/templates/NOTES.txt

@@ -1,3 +1,6 @@
+{{- if .Values.installCRDs }}
+⚠️  WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
+{{- end }}
 cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer

packages/system/cert-manager/charts/cert-manager/templates/_helpers.tpl

@@ -152,7 +152,7 @@ Labels that should be added on each resource
 */}}
 {{- define "labels" -}}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- if eq (default "helm" .Values.creator) "helm" }}
+{{- if eq .Values.creator "helm" }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "chartName" . }}
 {{- end -}}
@@ -172,3 +172,31 @@ https://github.com/helm/helm/issues/5358
 {{- define "cert-manager.namespace" -}}
     {{ .Values.namespace | default .Release.Namespace }}
 {{- end -}}
+
+{{/*
+Util function for generating the image URL based on the provided options.
+IMPORTANT: This function is standardized across all charts in the cert-manager GH organization.
+Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
+See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
+*/}}
+{{- define "image" -}}
+{{- $defaultTag := index . 1 -}}
+{{- with index . 0 -}}
+{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
+{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Check that the user has not set both .installCRDs and .crds.enabled or
+set .installCRDs and disabled .crds.keep.
+.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
+*/}}
+{{- define "cert-manager.crd-check" -}}
+  {{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
+    {{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
+  {{- end }}
+  {{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
+    {{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
+  {{- end }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-config.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.cainjector.config -}}
+{{- $config := .Values.cainjector.config -}}
+{{- $_ := set $config "apiVersion" (default "cainjector.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
+{{- $_ := set $config "kind" (default "CAInjectorConfiguration" $config.kind) -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cainjector.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- $config | toYaml | nindent 4 }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml

@@ -16,6 +16,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.cainjector.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "cainjector.name" . }}
@@ -40,11 +44,20 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
+      {{- if not .Values.cainjector.podAnnotations }}
+      annotations:
+      {{- end }}
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+      {{- end }}
     spec:
       serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
       {{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -54,14 +67,16 @@ spec:
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-cainjector
-          {{- with .Values.cainjector.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
+          image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
+          {{- if .Values.cainjector.config }}
+          - --config=/var/cert-manager/config/config.yaml
+          {{- end }}
           {{- with .Values.global.leaderElection }}
           - --leader-election-namespace={{ .namespace }}
           {{- if .leaseDuration }}
@@ -74,14 +89,29 @@ spec:
           - --leader-election-retry-period={{ .retryPeriod }}
           {{- end }}
           {{- end }}
+          {{- with .Values.cainjector.featureGates}}
+          - --feature-gates={{ . }}
+          {{- end}}
           {{- with .Values.cainjector.extraArgs }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
+          {{- if not .Values.prometheus.enabled }}
+          - --metrics-listen-address=0
+          {{- end }}
+          {{- if .Values.prometheus.enabled }}
+          ports:
+          - containerPort: 9402
+            name: http-metrics
+            protocol: TCP
+          {{- end }}
           env:
           - name: POD_NAMESPACE
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          {{- with .Values.cainjector.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           {{- with .Values.cainjector.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
@@ -90,9 +120,15 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cainjector.volumeMounts }}
+          {{- if or .Values.cainjector.config .Values.cainjector.volumeMounts }}
           volumeMounts:
+            {{- if .Values.cainjector.config }}
+            - name: config
+              mountPath: /var/cert-manager/config
+            {{- end }}
+            {{- with .Values.cainjector.volumeMounts }}
             {{- toYaml . | nindent 12 }}
+            {{- end }}
           {{- end }}
       {{- with .Values.cainjector.nodeSelector }}
       nodeSelector:
@@ -110,8 +146,15 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.cainjector.volumes }}
+      {{- if or .Values.cainjector.volumes .Values.cainjector.config }}
       volumes:
+        {{- if .Values.cainjector.config }}
+        - name: config
+          configMap:
+            name: {{ include "cainjector.fullname" . }}
+        {{- end }}
+        {{ with .Values.cainjector.volumes }}
         {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "cainjector"
 
-  {{- with .Values.cainjector.podDisruptionBudget.minAvailable }}
-  minAvailable: {{ . }}
+  {{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.cainjector.podDisruptionBudget.maxUnavailable }}
-  maxUnavailable: {{ . }}
+  {{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
+  minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml

@@ -101,3 +101,56 @@ subjects:
     namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}
+{{- $certmanagerNamespace := include "cert-manager.namespace" . }}
+{{- if (.Values.cainjector.config.metricsTLSConfig).dynamic }}
+{{- if $certmanagerNamespace | eq .Values.cainjector.config.metricsTLSConfig.dynamic.secretNamespace }}
+
+---
+
+# Metrics server dynamic TLS serving certificate rules
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "cainjector.fullname" . }}:dynamic-serving
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames:
+    # Allow cainjector to read and update the metrics CA Secret when dynamic TLS is
+    # enabled for the metrics server and if the Secret is configured to be in the
+    # same namespace as cert-manager.
+    - {{ .Values.cainjector.config.metricsTLSConfig.dynamic.secretName | quote }}
+    verbs: ["get", "list", "watch", "update"]
+  # It's not possible to grant CREATE permission on a single resourceName.
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cainjector.fullname" . }}:dynamic-serving
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "cainjector.fullname" . }}:dynamic-serving
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "cainjector.serviceAccountName" . }}
+    namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+{{- end }}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-service.yaml

@@ -0,0 +1,30 @@
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "cainjector.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+{{- with .Values.cainjector.serviceAnnotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+    {{- with .Values.cainjector.serviceLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: ClusterIP
+  ports:
+  - protocol: TCP
+    port: 9402
+    name: http-metrics
+  selector:
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+{{- end }}

packages/system/cert-manager/charts/cert-manager/templates/controller-config.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.config -}}
+{{- $config := .Values.config -}}
+{{- $_ := set $config "apiVersion" (default "controller.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
+{{- $_ := set $config "kind" (default "ControllerConfiguration" $config.kind) -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cert-manager.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- $config | toYaml | nindent 4 }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml

@@ -15,6 +15,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ template "cert-manager.name" . }}
@@ -39,7 +43,7 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
       {{- if not .Values.podAnnotations }}
       annotations:
       {{- end }}
@@ -52,6 +56,7 @@ spec:
       {{- if hasKey .Values "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -59,20 +64,30 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.volumes }}
+      {{- if or .Values.volumes .Values.config}}
       volumes:
+        {{- if .Values.config }}
+        - name: config 
+          configMap: 
+            name: {{ include "cert-manager.fullname" . }}
+        {{- end }}
+        {{ with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-controller
-          {{- with .Values.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
+          image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
+          {{- if .Values.config }}
+          - --config=/var/cert-manager/config/config.yaml
+          {{- end }}
+          {{- $config := default .Values.config "" }}
           {{- if .Values.clusterResourceNamespace }}
           - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
           {{- else }}
@@ -122,6 +137,9 @@ spec:
           {{- with .Values.dns01RecursiveNameservers }}
           - --dns01-recursive-nameservers={{ . }}
           {{- end }}
+          {{- if .Values.disableAutoApproval }}
+          - --controllers=-certificaterequests-approver
+          {{- end }}
           ports:
           - containerPort: 9402
             name: http-metrics
@@ -133,9 +151,15 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.volumeMounts }}
+          {{- if or .Values.config .Values.volumeMounts }}
           volumeMounts:
+            {{- if .Values.config }}
+            - name: config 
+              mountPath: /var/cert-manager/config
+            {{- end }}
+            {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
+            {{- end }}
           {{- end }}
           env:
           - name: POD_NAMESPACE
@@ -202,3 +226,6 @@ spec:
       dnsConfig:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.hostAliases }}
+      hostAliases: {{ toYaml . | nindent 8 }}
+      {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/extras-objects.yaml

@@ -0,0 +1,4 @@
+{{ range .Values.extraObjects }}
+---
+{{ tpl . $ }}
+{{ end }}

packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-egress.yaml

@@ -11,13 +11,9 @@ spec:
     {{- end }}
   podSelector:
     matchLabels:
-      app: {{ include "webhook.name" . }}
       app.kubernetes.io/name: {{ include "webhook.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "webhook"
-      {{- with .Values.webhook.podLabels }}
-      {{- toYaml . | nindent 6 }}
-      {{- end }}
   policyTypes:
   - Egress
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-webhooks.yaml

@@ -12,13 +12,9 @@ spec:
     {{- end }}
   podSelector:
     matchLabels:
-        app: {{ include "webhook.name" . }}
-        app.kubernetes.io/name: {{ include "webhook.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        app.kubernetes.io/component: "webhook"
-        {{- with .Values.webhook.podLabels }}
-        {{- toYaml . | nindent 6 }}
-        {{- end }}
+      app.kubernetes.io/name: {{ include "webhook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: "webhook"
   policyTypes:
   - Ingress
 

packages/system/cert-manager/charts/cert-manager/templates/poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "controller"
 
-  {{- with .Values.podDisruptionBudget.minAvailable }}
-  minAvailable: {{ . }}
+  {{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.podDisruptionBudget.maxUnavailable }}
-  maxUnavailable: {{ . }}
+  {{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/podmonitor.yaml

@@ -0,0 +1,63 @@
+{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
+{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
+{{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ template "cert-manager.fullname" . }}
+{{- if .Values.prometheus.podmonitor.namespace }}
+  namespace: {{ .Values.prometheus.podmonitor.namespace }}
+{{- else }}
+  namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+    prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }}
+    {{- with .Values.prometheus.podmonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- if .Values.prometheus.podmonitor.annotations }}
+  annotations:
+    {{- with .Values.prometheus.podmonitor.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}
+spec:
+  jobLabel: {{ template "cert-manager.fullname" . }}
+  selector:
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+        - {{ include "cainjector.name" . }}
+        - {{ template "cert-manager.name" . }}
+        - {{ include "webhook.name" . }}
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+        - {{ .Release.Name }}
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+        - cainjector
+        - controller
+        - webhook
+{{- if .Values.prometheus.podmonitor.namespace }}
+  namespaceSelector:
+    matchNames:
+      - {{ include "cert-manager.namespace" . }}
+{{- end }}
+  podMetricsEndpoints:
+    - port: http-metrics
+      path: {{ .Values.prometheus.podmonitor.path }}
+      interval: {{ .Values.prometheus.podmonitor.interval }}
+      scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
+      honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
+      {{- with .Values.prometheus.podmonitor.endpointAdditionalProperties }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

packages/system/cert-manager/charts/cert-manager/templates/rbac.yaml

@@ -39,13 +39,56 @@ roleRef:
   kind: Role
   name: {{ template "cert-manager.fullname" . }}:leaderelection
 subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
+  - kind: ServiceAccount
     name: {{ template "cert-manager.serviceAccountName" . }}
     namespace: {{ include "cert-manager.namespace" . }}
 
 ---
 
+{{- if .Values.serviceAccount.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["serviceaccounts/token"]
+    resourceNames: ["{{ template "cert-manager.serviceAccountName" . }}"]
+    verbs: ["create"]
+
+---
+
+# grant cert-manager permission to create tokens for the serviceaccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cert-manager.fullname" . }}-{{ template "cert-manager.serviceAccountName" .  }}-tokenrequest
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "cert-manager.serviceAccountName" . }}
+    namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+
+---
+
 # Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -398,6 +441,26 @@ subjects:
     namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
+{{- if .Values.global.rbac.aggregateClusterRoles }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-cluster-view
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers"]
+    verbs: ["get", "list", "watch"]
+
+{{- end }}
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
@@ -414,6 +477,7 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-view: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
     {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
@@ -453,6 +517,8 @@ rules:
 
 ---
 
+{{- if not .Values.disableAutoApproval -}}
+
 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -468,7 +534,12 @@ rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["signers"]
     verbs: ["approve"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+    {{- with .Values.approveSignerNames }}
+    resourceNames:
+    {{- range . }}
+    - {{ . | quote }}
+    {{- end  }}
+    {{- end }}
 
 ---
 
@@ -493,8 +564,10 @@ subjects:
 
 ---
 
+{{- end -}}
+
 # Permission to:
-# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
+# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

packages/system/cert-manager/charts/cert-manager/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.prometheus.enabled }}
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -19,6 +19,12 @@ metadata:
     {{- end }}
 spec:
   type: ClusterIP
+  {{- if .Values.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.serviceIPFamilies }}
+  ipFamilies: {{ .Values.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
   ports:
   - protocol: TCP
     port: 9402

packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml

@@ -20,6 +20,6 @@ metadata:
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
     {{- with .Values.serviceAccount.labels }}
-      {{ toYaml . | nindent 4 }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/servicemonitor.yaml

@@ -1,4 +1,6 @@
-{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
+{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
+{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
+{{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -27,10 +29,23 @@ metadata:
 spec:
   jobLabel: {{ template "cert-manager.fullname" . }}
   selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ template "cert-manager.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-      app.kubernetes.io/component: "controller"
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+        - {{ include "cainjector.name" . }}
+        - {{ template "cert-manager.name" . }}
+        - {{ include "webhook.name" . }}
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+        - {{ .Release.Name }}
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+        - cainjector
+        - controller
+        - webhook
 {{- if .Values.prometheus.servicemonitor.namespace }}
   namespaceSelector:
     matchNames:
@@ -42,4 +57,7 @@ spec:
     interval: {{ .Values.prometheus.servicemonitor.interval }}
     scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
     honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
+    {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml

@@ -37,6 +37,7 @@ spec:
       {{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -46,9 +47,7 @@ spec:
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-startupapicheck
-          {{- with .Values.startupapicheck.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
+          image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
           args:
           - check
@@ -61,6 +60,14 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          {{- with .Values.startupapicheck.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           {{- with .Values.startupapicheck.resources }}
           resources:
             {{- toYaml . | nindent 12 }}

packages/system/cert-manager/charts/cert-manager/templates/startupapicheck-rbac.yaml

@@ -18,7 +18,7 @@ metadata:
   {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
+    resources: ["certificaterequests"]
     verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1

packages/system/cert-manager/charts/cert-manager/templates/webhook-config.yaml

@@ -1,12 +1,7 @@
 {{- if .Values.webhook.config -}}
-  {{- if not .Values.webhook.config.apiVersion -}}
-    {{- fail "webhook.config.apiVersion must be set" -}}
-  {{- end -}}
-
-  {{- if not .Values.webhook.config.kind -}}
-    {{- fail "webhook.config.kind must be set" -}}
-  {{- end -}}
-{{- end -}}
+{{- $config := .Values.webhook.config -}}
+{{- $_ := set $config "apiVersion" (default "webhook.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
+{{- $_ := set $config "kind" (default "WebhookConfiguration" $config.kind) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -19,7 +14,6 @@ metadata:
     app.kubernetes.io/component: "webhook"
     {{- include "labels" . | nindent 4 }}
 data:
-  {{- if .Values.webhook.config }}
   config.yaml: |
-    {{ .Values.webhook.config | toYaml | nindent 4 }}
-  {{- end }}
+    {{- $config | toYaml | nindent 4 }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml

@@ -15,6 +15,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.webhook.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "webhook.name" . }}
@@ -39,11 +43,20 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
+      {{- if not .Values.webhook.podAnnotations }}
+      annotations:
+      {{- end }}
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+      {{- end }}
     spec:
       serviceAccountName: {{ template "webhook.serviceAccountName" . }}
       {{- if hasKey .Values.webhook "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -54,14 +67,16 @@ spec:
       {{- if .Values.webhook.hostNetwork }}
       hostNetwork: true
       {{- end }}
+      {{- if .Values.webhook.hostNetwork }}
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}-webhook
-          {{- with .Values.webhook.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
+          image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
           {{- if .Values.webhook.config }}
@@ -71,8 +86,8 @@ spec:
           {{ if not $config.securePort -}}
           - --secure-port={{ .Values.webhook.securePort }}
           {{- end }}
-          {{- if .Values.featureGates }}
-          - --feature-gates={{ .Values.featureGates }}
+          {{- if .Values.webhook.featureGates }}
+          - --feature-gates={{ .Values.webhook.featureGates }}
           {{- end }}
           {{- $tlsConfig := default $config.tlsConfig "" }}
           {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
@@ -88,6 +103,9 @@ spec:
           {{- with .Values.webhook.extraArgs }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
+          {{- if not .Values.prometheus.enabled }}
+          - --metrics-listen-address=0
+          {{- end }}
           ports:
           - name: https
             protocol: TCP
@@ -105,6 +123,11 @@ spec:
             {{- else }}
             containerPort: 6080
             {{- end }}
+          {{- if .Values.prometheus.enabled }}
+          - containerPort: 9402
+            name: http-metrics
+            protocol: TCP
+          {{- end }}
           livenessProbe:
             httpGet:
               path: /livez
@@ -142,6 +165,9 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          {{- with .Values.webhook.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           {{- with .Values.webhook.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
@@ -152,8 +178,8 @@ spec:
             - name: config
               mountPath: /var/cert-manager/config
             {{- end }}
-            {{- if .Values.webhook.volumeMounts }}
-            {{- toYaml .Values.webhook.volumeMounts | nindent 12 }}
+            {{- with .Values.webhook.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
             {{- end }}
           {{- end }}
       {{- with .Values.webhook.nodeSelector }}
@@ -179,7 +205,7 @@ spec:
           configMap:
             name: {{ include "webhook.fullname" . }}
         {{- end }}
-        {{- if .Values.webhook.volumes }}
-        {{- toYaml .Values.webhook.volumes | nindent 8 }}
+        {{- with .Values.webhook.volumes }}
+        {{- toYaml . | nindent 8 }}
         {{- end }}
       {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-mutating-webhook.yaml

@@ -15,17 +15,19 @@ metadata:
     {{- end }}
 webhooks:
   - name: webhook.cert-manager.io
+    {{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }}
+    namespaceSelector:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
     rules:
       - apiGroups:
           - "cert-manager.io"
-          - "acme.cert-manager.io"
         apiVersions:
           - "v1"
         operations:
           - CREATE
-          - UPDATE
         resources:
-          - "*/*"
+          - "certificaterequests"
     admissionReviewVersions: ["v1"]
     # This webhook only accepts v1 cert-manager resources.
     # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
@@ -43,4 +45,4 @@ webhooks:
         name: {{ template "webhook.fullname" . }}
         namespace: {{ include "cert-manager.namespace" . }}
         path: /mutate
-      {{- end }}
+      {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "webhook"
 
-  {{- with .Values.webhook.podDisruptionBudget.minAvailable }}
-  minAvailable: {{ . }}
+  {{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.webhook.podDisruptionBudget.maxUnavailable }}
-  maxUnavailable: {{ . }}
+  {{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
+  minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}