Introduce tinkerbell essentials

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.22.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.23.1"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.22.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.23.1"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:973dc89e1fe1c9beb109d74a48297426ed5d340b43d0102b8e16f63dc2eb4016
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:538ee308f16c9e627ed16ee7c4aaa65919c2e6c4c2778f964a06e4797610d1cd

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:3a94fe11523b1411eab33bd72b26d6df42dda83086249ba72ad6f2aa1b209c1e
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:7716c88947d13dc90ccfcc3e60bfdd6e6fa9b201339a75e9c84bf825c76e2b1f

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:98d0493327d92e05f8893d864d312b79b1441b34e2a02f845470509e15c5dab9
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:be5e0eef92dada3ace5cddda5c68b30c9fe4682774c5e6e938ed31efba11ebbf

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.6.6
+version: 1.6.7

packages/apps/tenant/templates/kubeconfig.yaml

@@ -4,9 +4,13 @@
 
 {{- if $k8sClientSecret }}
 {{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
+{{- $managementKubeconfigEndpoint := default "" (get $cozyConfig.data "management-kubeconfig-endpoint") }}
+{{- if and $managementKubeconfigEndpoint (ne $managementKubeconfigEndpoint "") }}
+{{- $apiServerEndpoint = $managementKubeconfigEndpoint }}
+{{- end }}
 {{- $k8sClient := index $k8sClientSecret.data "client-secret-key" | b64dec }}
 {{- $rootSaConfigMap := lookup "v1" "ConfigMap" "kube-system" "kube-root-ca.crt" }}
-{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc  }}
+{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc }}
 ---
 apiVersion: v1
 kind: Secret

packages/apps/versions_map

@@ -99,18 +99,21 @@ tenant 1.6.2 ccedc5fe
 tenant 1.6.3 2057bb96
 tenant 1.6.4 3c9e50a4
 tenant 1.6.5 f1e11451
-tenant 1.6.6 HEAD
+tenant 1.6.6 d4634797
+tenant 1.6.7 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
 virtual-machine 0.3.0 b908400
 virtual-machine 0.4.0 4746d51
 virtual-machine 0.5.0 cad9cde
-virtual-machine 0.6.0 HEAD
+virtual-machine 0.6.0 0e728870
+virtual-machine 0.7.0 HEAD
 vm-disk 0.1.0 HEAD
 vm-instance 0.1.0 ced8e5b9
 vm-instance 0.2.0 4f767ee3
-vm-instance 0.3.0 HEAD
+vm-instance 0.3.0 0e728870
+vm-instance 0.4.0 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 a2bcf100

packages/apps/virtual-machine/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.1"
+appVersion: "0.7.0"

packages/apps/virtual-machine/templates/vm-update-hook.yaml

@@ -0,0 +1,118 @@
+{{- $vmName := include "virtual-machine.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+{{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
+{{- $existingPVC := lookup "v1" "PersistentVolumeClaim" $namespace $vmName -}}
+
+{{- $instanceType := .Values.instanceType | default "" -}}
+{{- $instanceProfile := .Values.instanceProfile | default "" -}}
+{{- $desiredStorage := .Values.systemDisk.storage | default "" -}}
+
+{{- $needUpdateType := false -}}
+{{- $needUpdateProfile := false -}}
+{{- $needResizePVC := false -}}
+
+{{- if and $existingVM $instanceType -}}
+  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
+    {{- $needUpdateType = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingVM $instanceProfile -}}
+  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
+    {{- $needUpdateProfile = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingPVC $desiredStorage -}}
+  {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
+  {{- if not (eq $currentStorage $desiredStorage) -}}
+    {{- $needResizePVC = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile $needResizePVC }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ $.Release.Name }}-update-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: "{{ $.Release.Name }}-update-hook"
+    spec:
+      serviceAccountName: {{ $.Release.Name }}-update-hook
+      restartPolicy: Never
+      containers:
+        - name: update-resources
+          image: bitnami/kubectl:latest
+          command: ["sh", "-exc"]
+          args:
+            - |
+              {{- if $needUpdateType }}
+              echo "Patching VirtualMachine for instancetype update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name": "{{ $instanceType }}", "revisionName": null}}}'
+              {{- end }}
+              
+              {{- if $needUpdateProfile }}
+              echo "Patching VirtualMachine for preference update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
+              {{- end }}
+
+              {{- if $needResizePVC }}
+              echo "Patching PVC for storage resize..."
+              kubectl patch pvc {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"resources":{"requests":{"storage":"{{ $desiredStorage }}"}}}}'
+              {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["patch", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}-update-hook
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-update-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-instance/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.2.0"
+appVersion: "0.4.0"

packages/apps/vm-instance/templates/vm-update-hook.yaml

@@ -0,0 +1,98 @@
+{{- $vmName := include "virtual-machine.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+{{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
+
+{{- $instanceType := .Values.instanceType | default "" -}}
+{{- $instanceProfile := .Values.instanceProfile | default "" -}}
+
+{{- $needUpdateType := false -}}
+{{- $needUpdateProfile := false -}}
+
+{{- if and $existingVM $instanceType -}}
+  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
+    {{- $needUpdateType = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingVM $instanceProfile -}}
+  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
+    {{- $needUpdateProfile = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ $.Release.Name }}-update-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: "{{ $.Release.Name }}-update-hook"
+    spec:
+      serviceAccountName: {{ $.Release.Name }}-update-hook
+      restartPolicy: Never
+      containers:
+        - name: update-resources
+          image: bitnami/kubectl:latest
+          command: ["sh", "-exc"]
+          args:
+            - |
+              {{- if $needUpdateType }}
+              echo "Patching VirtualMachine for instancetype update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name": "{{ $instanceType }}", "revisionName": null}}}'
+              {{- end }}
+              
+              {{- if $needUpdateProfile }}
+              echo "Patching VirtualMachine for preference update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
+              {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}-update-hook
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-update-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-instance/templates/vm.yaml

@@ -17,15 +17,12 @@ spec:
   instancetype:
     kind: VirtualMachineClusterInstancetype
     name: {{ . }}
-    revisionName: null
+    {{- end }}
-  {{- end }}
   {{- with .Values.instanceProfile }}
   preference:
     kind: VirtualMachineClusterPreference
     name: {{ . }}
-    revisionName: null
+    {{- end }}
-  {{- end }}
-
   template:
     metadata:
       annotations:

packages/core/builder/values.yaml

@@ -1,3 +1,3 @@
 talos:
   imager:
-    image: ghcr.io/kvaps/talos/imager:v1.9.1-1-gac655f2d3-dirty
+    image: ghcr.io/siderolabs/imager:v1.9.2

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.22.0@sha256:12e02a0d700373f119e45ee79777636207811b49448f485ce66173e1bd5a11ee
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.23.1@sha256:dfa803a3e02ec9ea221029d361aa9d7aef0b5eb0a36d66c949b265d4ac4fc114

packages/core/platform/bundles/distro-full.yaml

@@ -199,3 +199,10 @@ releases:
   namespace: cozy-keycloak
   optional: true
   dependsOn: [keycloak]
+
+- name: tinkerbell
+  releaseName: tinkerbell
+  chart: cozy-tinkerbell
+  namespace: cozy-tinkerbell
+  optional: true
+  dependsOn: [cilium,kubeovn]

packages/core/platform/bundles/paas-full.yaml

@@ -281,6 +281,13 @@ releases:
   optional: true
   dependsOn: [cilium,kubeovn]
 
+- name: tinkerbell
+  releaseName: tinkerbell
+  chart: cozy-tinkerbell
+  namespace: cozy-tinkerbell
+  optional: true
+  dependsOn: [cilium,kubeovn]
+
 {{- if $oidcEnabled }}
 - name: keycloak
   releaseName: keycloak
@@ -299,4 +306,7 @@ releases:
   chart: cozy-keycloak-configure
   namespace: cozy-keycloak
   dependsOn: [keycloak-operator]
+  values:
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}

packages/core/platform/bundles/paas-hosted.yaml

@@ -195,4 +195,7 @@ releases:
   chart: cozy-keycloak-configure
   namespace: cozy-keycloak
   dependsOn: [keycloak-operator]
+  values:
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.22.0@sha256:38229517c86e179984a6d39f5510b859d13d965e35b216bc01ce456f9ab5f8b5
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.23.1@sha256:0f4ffa7f23d6cdc633c0c4a0b852fde9710edbce96486fd9bd29c7d0d7710380

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.6.1
+version: 1.7.0

packages/extra/monitoring/README.md

@@ -4,13 +4,14 @@
 
 ### Common parameters
 
-| Name                            | Description                                                                                               | Value  |
+| Name                                      | Description                                                                                               | Value  |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------- | ------ |
+| ----------------------------------------- | --------------------------------------------------------------------------------------------------------- | ------ |
-| `host`                          | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`   |
+| `host`                                    | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`   |
-| `metricsStorages`               | Configuration of metrics storage instances                                                                | `[]`   |
+| `metricsStorages`                         | Configuration of metrics storage instances                                                                | `[]`   |
-| `logsStorages`                  | Configuration of logs storage instances                                                                   | `[]`   |
+| `logsStorages`                            | Configuration of logs storage instances                                                                   | `[]`   |
-| `alerta.storage`                | Persistent Volume size for alerta database                                                                | `10Gi` |
+| `alerta.storage`                          | Persistent Volume size for alerta database                                                                | `10Gi` |
-| `alerta.storageClassName`       | StorageClass used to store the data                                                                       | `""`   |
+| `alerta.storageClassName`                 | StorageClass used to store the data                                                                       | `""`   |
-| `alerta.alerts.telegram.token`  | telegram token for your bot                                                                               | `""`   |
+| `alerta.alerts.telegram.token`            | telegram token for your bot                                                                               | `""`   |
-| `alerta.alerts.telegram.chatID` | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `""`   |
+| `alerta.alerts.telegram.chatID`           | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `""`   |
-| `grafana.db.size`               | Persistent Volume size for grafana database                                                               | `10Gi` |
+| `alerta.alerts.telegram.disabledSeverity` | list of severity without alerts, separated comma like: "informational,warning"                            | `""`   |
+| `grafana.db.size`                         | Persistent Volume size for grafana database                                                               | `10Gi` |

packages/extra/monitoring/templates/alerta/alerta.yaml

@@ -116,6 +116,8 @@ spec:
               value: "{{ .Values.alerta.alerts.telegram.token }}"
             - name: TELEGRAM_WEBHOOK_URL
               value: "https://{{ printf "alerta.%s" (.Values.host | default $host) }}/api/webhooks/telegram?api-key={{ $apiKey }}"
+            - name: TELEGRAM_DISABLE_NOTIFICATION_SEVERITY
+              value: "{{ .Values.alerta.alerts.telegram.disabledSeverity }}"
             {{- end }}
 
           ports:

packages/extra/monitoring/templates/vm/vmcluster.yaml

@@ -10,26 +10,26 @@ spec:
   vminsert:
     replicaCount: 2
     resources:
-      {{- if empty .vminsert.resources }}
+      {{- if and (hasKey . "vminsert") (hasKey .vminsert "resources") }}
+      {{- toYaml .vminsert.resources | nindent 6 }}
+      {{- else }}
       limits:
         memory: 1000Mi
       requests:
         cpu: 100m
         memory: 500Mi
-      {{- else }}
-      {{- toYaml .vminsert.resources | nindent 6 }}
       {{- end }}
   vmselect:
     replicaCount: 2
     resources:
-      {{- if empty .vmselect.resources }}
+      {{- if and (hasKey . "vmselect") (hasKey .vmselect "resources") }}
+      {{- toYaml .vmselect.resources | nindent 6 }}
+      {{- else }}
       limits:
         memory: 1000Mi
       requests:
         cpu: 100m
         memory: 500Mi
-      {{- else }}
-      {{- toYaml .vmselect.resources | nindent 6 }}
       {{- end }}
     extraArgs:
       search.maxUniqueTimeseries: "600000"
@@ -48,14 +48,14 @@ spec:
   vmstorage:
     replicaCount: 2
     resources:
-      {{- if empty .vmstorage.resources }}
+      {{- if and (hasKey . "vmstorage") (hasKey .vmstorage "resources") }}
+      {{- toYaml .vmstorage.resources | nindent 6 }}
+      {{- else }}
       limits:
         memory: 2048Mi
       requests:
         cpu: 100m
         memory: 500Mi
-      {{- else }}
-      {{- toYaml .vmstorage.resources | nindent 6 }}
       {{- end }}
     storage:
       volumeClaimTemplate:

packages/extra/monitoring/values.schema.json

@@ -51,6 +51,11 @@
                   "type": "string",
                   "description": "specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot",
                   "default": ""
+                },
+                "disabledSeverity": {
+                  "type": "string",
+                  "description": "list of severity without alerts, separated comma like: \"informational,warning\"",
+                  "default": ""
                 }
               }
             }

packages/extra/monitoring/values.yaml

@@ -78,14 +78,17 @@ alerta:
   alerts:
     ## @param alerta.alerts.telegram.token telegram token for your bot
     ## @param alerta.alerts.telegram.chatID specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot
+    ## @param alerta.alerts.telegram.disabledSeverity list of severity without alerts, separated comma like: "informational,warning"
     ## example:
     ##   telegram:
     ##     token: "7262461387:AAGtwq16iwuVtWtzoN6TUEMpF00fpC9Xz34"
     ##     chatID: "-4520856007"
+    ##     disabledSeverity: "informational,warning"
     ##
     telegram:
       token: ""
       chatID: ""
+      disabledSeverity: ""
 
 ## Configuration for Grafana
 ## @param grafana.db.size Persistent Volume size for grafana database

packages/extra/versions_map

@@ -22,7 +22,8 @@ monitoring 1.5.2 898374b5
 monitoring 1.5.3 c1ca19dc
 monitoring 1.5.4 d4634797
 monitoring 1.6.0 cb7b8158
-monitoring 1.6.1 HEAD
+monitoring 1.6.1 3bb97596
+monitoring 1.7.0 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 9e33dc0
 seaweedfs 0.2.1 249bf35

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:9c8d38b1466d2333a1a916ddba4b3b644457361a4277bf4be132cb12f86e9281
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:35e9a8ba7e1a3b0cee634f6d2bd92d2b08c47c7ed3316559c9ea25ff733eb5d5

packages/system/cert-manager-crds/charts/cert-manager/Chart.yaml

@@ -6,7 +6,7 @@ annotations:
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v2
-appVersion: v1.16.1
+appVersion: v1.16.3
 description: A Helm chart for cert-manager
 home: https://cert-manager.io
 icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
@@ -23,4 +23,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.16.1
+version: v1.16.3

packages/system/cert-manager-crds/charts/cert-manager/README.md

@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou
 This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
 
 ```bash
-$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
+$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
 ```
 
 To install the chart with the release name `cert-manager`:
@@ -29,7 +29,7 @@ To install the chart with the release name `cert-manager`:
 $ helm repo add jetstack https://charts.jetstack.io --force-update
 
 ## Install the cert-manager helm chart
-$ helm install cert-manager --namespace cert-manager --version v1.16.1 jetstack/cert-manager
+$ helm install cert-manager --namespace cert-manager --version v1.16.3 jetstack/cert-manager
 ```
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer
@@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als
 delete the previously installed CustomResourceDefinition resources:
 
 ```console
-$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
+$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
 ```
 
 ## Configuration

packages/system/cert-manager/charts/cert-manager/Chart.yaml

@@ -1,13 +1,15 @@
 annotations:
+  artifacthub.io/category: security
+  artifacthub.io/license: Apache-2.0
   artifacthub.io/prerelease: "false"
   artifacthub.io/signKey: |
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
-apiVersion: v1
+apiVersion: v2
-appVersion: v1.12.3
+appVersion: v1.16.3
 description: A Helm chart for cert-manager
-home: https://github.com/cert-manager/cert-manager
+home: https://cert-manager.io
-icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
+icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
 keywords:
 - cert-manager
 - kube-lego
@@ -21,4 +23,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.12.3
+version: v1.16.3

packages/system/cert-manager/charts/cert-manager/templates/NOTES.txt

@@ -1,3 +1,6 @@
+{{- if .Values.installCRDs }}
+⚠️  WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
+{{- end }}
 cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer

packages/system/cert-manager/charts/cert-manager/templates/_helpers.tpl

@@ -152,7 +152,7 @@ Labels that should be added on each resource
 */}}
 {{- define "labels" -}}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- if eq (default "helm" .Values.creator) "helm" }}
+{{- if eq .Values.creator "helm" }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "chartName" . }}
 {{- end -}}
@@ -172,3 +172,31 @@ https://github.com/helm/helm/issues/5358
 {{- define "cert-manager.namespace" -}}
     {{ .Values.namespace | default .Release.Namespace }}
 {{- end -}}
+
+{{/*
+Util function for generating the image URL based on the provided options.
+IMPORTANT: This function is standardized across all charts in the cert-manager GH organization.
+Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
+See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
+*/}}
+{{- define "image" -}}
+{{- $defaultTag := index . 1 -}}
+{{- with index . 0 -}}
+{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
+{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Check that the user has not set both .installCRDs and .crds.enabled or
+set .installCRDs and disabled .crds.keep.
+.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
+*/}}
+{{- define "cert-manager.crd-check" -}}
+  {{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
+    {{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
+  {{- end }}
+  {{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
+    {{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
+  {{- end }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-config.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.cainjector.config -}}
+{{- $config := .Values.cainjector.config -}}
+{{- $_ := set $config "apiVersion" (default "cainjector.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
+{{- $_ := set $config "kind" (default "CAInjectorConfiguration" $config.kind) -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cainjector.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- $config | toYaml | nindent 4 }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml

@@ -16,6 +16,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.cainjector.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "cainjector.name" . }}
@@ -40,11 +44,20 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
+      {{- if not .Values.cainjector.podAnnotations }}
+      annotations:
+      {{- end }}
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+      {{- end }}
     spec:
       serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
       {{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -54,14 +67,16 @@ spec:
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-cainjector
-          {{- with .Values.cainjector.image }}
+          image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}"
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
           imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
+          {{- if .Values.cainjector.config }}
+          - --config=/var/cert-manager/config/config.yaml
+          {{- end }}
           {{- with .Values.global.leaderElection }}
           - --leader-election-namespace={{ .namespace }}
           {{- if .leaseDuration }}
@@ -74,14 +89,29 @@ spec:
           - --leader-election-retry-period={{ .retryPeriod }}
           {{- end }}
           {{- end }}
+          {{- with .Values.cainjector.featureGates}}
+          - --feature-gates={{ . }}
+          {{- end}}
           {{- with .Values.cainjector.extraArgs }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
+          {{- if not .Values.prometheus.enabled }}
+          - --metrics-listen-address=0
+          {{- end }}
+          {{- if .Values.prometheus.enabled }}
+          ports:
+          - containerPort: 9402
+            name: http-metrics
+            protocol: TCP
+          {{- end }}
           env:
           - name: POD_NAMESPACE
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          {{- with .Values.cainjector.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           {{- with .Values.cainjector.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
@@ -90,9 +120,15 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cainjector.volumeMounts }}
+          {{- if or .Values.cainjector.config .Values.cainjector.volumeMounts }}
           volumeMounts:
+            {{- if .Values.cainjector.config }}
+            - name: config
+              mountPath: /var/cert-manager/config
+            {{- end }}
+            {{- with .Values.cainjector.volumeMounts }}
             {{- toYaml . | nindent 12 }}
+            {{- end }}
           {{- end }}
       {{- with .Values.cainjector.nodeSelector }}
       nodeSelector:
@@ -110,8 +146,15 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.cainjector.volumes }}
+      {{- if or .Values.cainjector.volumes .Values.cainjector.config }}
       volumes:
+        {{- if .Values.cainjector.config }}
+        - name: config
+          configMap:
+            name: {{ include "cainjector.fullname" . }}
+        {{- end }}
+        {{ with .Values.cainjector.volumes }}
         {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "cainjector"
 
-  {{- with .Values.cainjector.podDisruptionBudget.minAvailable }}
+  {{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
-  minAvailable: {{ . }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.cainjector.podDisruptionBudget.maxUnavailable }}
+  {{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
-  maxUnavailable: {{ . }}
+  minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml

@@ -101,3 +101,56 @@ subjects:
     namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}
+{{- $certmanagerNamespace := include "cert-manager.namespace" . }}
+{{- if (.Values.cainjector.config.metricsTLSConfig).dynamic }}
+{{- if $certmanagerNamespace | eq .Values.cainjector.config.metricsTLSConfig.dynamic.secretNamespace }}
+
+---
+
+# Metrics server dynamic TLS serving certificate rules
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "cainjector.fullname" . }}:dynamic-serving
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames:
+    # Allow cainjector to read and update the metrics CA Secret when dynamic TLS is
+    # enabled for the metrics server and if the Secret is configured to be in the
+    # same namespace as cert-manager.
+    - {{ .Values.cainjector.config.metricsTLSConfig.dynamic.secretName | quote }}
+    verbs: ["get", "list", "watch", "update"]
+  # It's not possible to grant CREATE permission on a single resourceName.
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cainjector.fullname" . }}:dynamic-serving
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "cainjector.fullname" . }}:dynamic-serving
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "cainjector.serviceAccountName" . }}
+    namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+{{- end }}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-service.yaml

@@ -0,0 +1,30 @@
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "cainjector.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+{{- with .Values.cainjector.serviceAnnotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+    {{- with .Values.cainjector.serviceLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: ClusterIP
+  ports:
+  - protocol: TCP
+    port: 9402
+    name: http-metrics
+  selector:
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+{{- end }}

packages/system/cert-manager/charts/cert-manager/templates/controller-config.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.config -}}
+{{- $config := .Values.config -}}
+{{- $_ := set $config "apiVersion" (default "controller.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
+{{- $_ := set $config "kind" (default "ControllerConfiguration" $config.kind) -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cert-manager.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- $config | toYaml | nindent 4 }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml

@@ -15,6 +15,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ template "cert-manager.name" . }}
@@ -39,7 +43,7 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
       {{- if not .Values.podAnnotations }}
       annotations:
       {{- end }}
@@ -52,6 +56,7 @@ spec:
       {{- if hasKey .Values "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -59,20 +64,30 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.volumes }}
+      {{- if or .Values.volumes .Values.config}}
       volumes:
+        {{- if .Values.config }}
+        - name: config 
+          configMap: 
+            name: {{ include "cert-manager.fullname" . }}
+        {{- end }}
+        {{ with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-controller
-          {{- with .Values.image }}
+          image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}"
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
+          {{- if .Values.config }}
+          - --config=/var/cert-manager/config/config.yaml
+          {{- end }}
+          {{- $config := default .Values.config "" }}
           {{- if .Values.clusterResourceNamespace }}
           - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
           {{- else }}
@@ -122,6 +137,9 @@ spec:
           {{- with .Values.dns01RecursiveNameservers }}
           - --dns01-recursive-nameservers={{ . }}
           {{- end }}
+          {{- if .Values.disableAutoApproval }}
+          - --controllers=-certificaterequests-approver
+          {{- end }}
           ports:
           - containerPort: 9402
             name: http-metrics
@@ -133,9 +151,15 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.volumeMounts }}
+          {{- if or .Values.config .Values.volumeMounts }}
           volumeMounts:
+            {{- if .Values.config }}
+            - name: config 
+              mountPath: /var/cert-manager/config
+            {{- end }}
+            {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
+            {{- end }}
           {{- end }}
           env:
           - name: POD_NAMESPACE
@@ -202,3 +226,6 @@ spec:
       dnsConfig:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.hostAliases }}
+      hostAliases: {{ toYaml . | nindent 8 }}
+      {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/extras-objects.yaml

@@ -0,0 +1,4 @@
+{{ range .Values.extraObjects }}
+---
+{{ tpl . $ }}
+{{ end }}

packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-egress.yaml

@@ -11,13 +11,9 @@ spec:
     {{- end }}
   podSelector:
     matchLabels:
-      app: {{ include "webhook.name" . }}
       app.kubernetes.io/name: {{ include "webhook.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "webhook"
-      {{- with .Values.webhook.podLabels }}
-      {{- toYaml . | nindent 6 }}
-      {{- end }}
   policyTypes:
   - Egress
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-webhooks.yaml

@@ -12,13 +12,9 @@ spec:
     {{- end }}
   podSelector:
     matchLabels:
-        app: {{ include "webhook.name" . }}
+      app.kubernetes.io/name: {{ include "webhook.name" . }}
-        app.kubernetes.io/name: {{ include "webhook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: "webhook"
-        app.kubernetes.io/component: "webhook"
-        {{- with .Values.webhook.podLabels }}
-        {{- toYaml . | nindent 6 }}
-        {{- end }}
   policyTypes:
   - Ingress
 

packages/system/cert-manager/charts/cert-manager/templates/poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "controller"
 
-  {{- with .Values.podDisruptionBudget.minAvailable }}
+  {{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
-  minAvailable: {{ . }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.podDisruptionBudget.maxUnavailable }}
+  {{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
-  maxUnavailable: {{ . }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/podmonitor.yaml

@@ -0,0 +1,63 @@
+{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
+{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
+{{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ template "cert-manager.fullname" . }}
+{{- if .Values.prometheus.podmonitor.namespace }}
+  namespace: {{ .Values.prometheus.podmonitor.namespace }}
+{{- else }}
+  namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+    prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }}
+    {{- with .Values.prometheus.podmonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- if .Values.prometheus.podmonitor.annotations }}
+  annotations:
+    {{- with .Values.prometheus.podmonitor.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}
+spec:
+  jobLabel: {{ template "cert-manager.fullname" . }}
+  selector:
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+        - {{ include "cainjector.name" . }}
+        - {{ template "cert-manager.name" . }}
+        - {{ include "webhook.name" . }}
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+        - {{ .Release.Name }}
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+        - cainjector
+        - controller
+        - webhook
+{{- if .Values.prometheus.podmonitor.namespace }}
+  namespaceSelector:
+    matchNames:
+      - {{ include "cert-manager.namespace" . }}
+{{- end }}
+  podMetricsEndpoints:
+    - port: http-metrics
+      path: {{ .Values.prometheus.podmonitor.path }}
+      interval: {{ .Values.prometheus.podmonitor.interval }}
+      scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
+      honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
+      {{- with .Values.prometheus.podmonitor.endpointAdditionalProperties }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

packages/system/cert-manager/charts/cert-manager/templates/rbac.yaml

@@ -39,13 +39,56 @@ roleRef:
   kind: Role
   name: {{ template "cert-manager.fullname" . }}:leaderelection
 subjects:
-  - apiGroup: ""
+  - kind: ServiceAccount
-    kind: ServiceAccount
     name: {{ template "cert-manager.serviceAccountName" . }}
     namespace: {{ include "cert-manager.namespace" . }}
 
 ---
 
+{{- if .Values.serviceAccount.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["serviceaccounts/token"]
+    resourceNames: ["{{ template "cert-manager.serviceAccountName" . }}"]
+    verbs: ["create"]
+
+---
+
+# grant cert-manager permission to create tokens for the serviceaccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cert-manager.fullname" . }}-{{ template "cert-manager.serviceAccountName" .  }}-tokenrequest
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "cert-manager.serviceAccountName" . }}
+    namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+
+---
+
 # Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -398,6 +441,26 @@ subjects:
     namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
+{{- if .Values.global.rbac.aggregateClusterRoles }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-cluster-view
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers"]
+    verbs: ["get", "list", "watch"]
+
+{{- end }}
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
@@ -414,6 +477,7 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-view: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
     {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
@@ -453,6 +517,8 @@ rules:
 
 ---
 
+{{- if not .Values.disableAutoApproval -}}
+
 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -468,7 +534,12 @@ rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["signers"]
     verbs: ["approve"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+    {{- with .Values.approveSignerNames }}
+    resourceNames:
+    {{- range . }}
+    - {{ . | quote }}
+    {{- end  }}
+    {{- end }}
 
 ---
 
@@ -493,8 +564,10 @@ subjects:
 
 ---
 
+{{- end -}}
+
 # Permission to:
-# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
+# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

packages/system/cert-manager/charts/cert-manager/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.prometheus.enabled }}
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -19,6 +19,12 @@ metadata:
     {{- end }}
 spec:
   type: ClusterIP
+  {{- if .Values.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.serviceIPFamilies }}
+  ipFamilies: {{ .Values.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
   ports:
   - protocol: TCP
     port: 9402

packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml

@@ -20,6 +20,6 @@ metadata:
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
     {{- with .Values.serviceAccount.labels }}
-      {{ toYaml . | nindent 4 }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/servicemonitor.yaml

@@ -1,4 +1,6 @@
-{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
+{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
+{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
+{{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -27,10 +29,23 @@ metadata:
 spec:
   jobLabel: {{ template "cert-manager.fullname" . }}
   selector:
-    matchLabels:
+    matchExpressions:
-      app.kubernetes.io/name: {{ template "cert-manager.name" . }}
+      - key: app.kubernetes.io/name
-      app.kubernetes.io/instance: {{ .Release.Name }}
+        operator: In
-      app.kubernetes.io/component: "controller"
+        values:
+        - {{ include "cainjector.name" . }}
+        - {{ template "cert-manager.name" . }}
+        - {{ include "webhook.name" . }}
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+        - {{ .Release.Name }}
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+        - cainjector
+        - controller
+        - webhook
 {{- if .Values.prometheus.servicemonitor.namespace }}
   namespaceSelector:
     matchNames:
@@ -42,4 +57,7 @@ spec:
     interval: {{ .Values.prometheus.servicemonitor.interval }}
     scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
     honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
+    {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml

@@ -37,6 +37,7 @@ spec:
       {{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -46,9 +47,7 @@ spec:
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-startupapicheck
-          {{- with .Values.startupapicheck.image }}
+          image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}"
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
           imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
           args:
           - check
@@ -61,6 +60,14 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          {{- with .Values.startupapicheck.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           {{- with .Values.startupapicheck.resources }}
           resources:
             {{- toYaml . | nindent 12 }}

packages/system/cert-manager/charts/cert-manager/templates/startupapicheck-rbac.yaml

@@ -18,7 +18,7 @@ metadata:
   {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
+    resources: ["certificaterequests"]
     verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1

packages/system/cert-manager/charts/cert-manager/templates/webhook-config.yaml

@@ -1,12 +1,7 @@
 {{- if .Values.webhook.config -}}
-  {{- if not .Values.webhook.config.apiVersion -}}
+{{- $config := .Values.webhook.config -}}
-    {{- fail "webhook.config.apiVersion must be set" -}}
+{{- $_ := set $config "apiVersion" (default "webhook.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
-  {{- end -}}
+{{- $_ := set $config "kind" (default "WebhookConfiguration" $config.kind) -}}
-
-  {{- if not .Values.webhook.config.kind -}}
-    {{- fail "webhook.config.kind must be set" -}}
-  {{- end -}}
-{{- end -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -19,7 +14,6 @@ metadata:
     app.kubernetes.io/component: "webhook"
     {{- include "labels" . | nindent 4 }}
 data:
-  {{- if .Values.webhook.config }}
   config.yaml: |
-    {{ .Values.webhook.config | toYaml | nindent 4 }}
+    {{- $config | toYaml | nindent 4 }}
-  {{- end }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml

@@ -15,6 +15,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.webhook.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "webhook.name" . }}
@@ -39,11 +43,20 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
+      {{- if not .Values.webhook.podAnnotations }}
+      annotations:
+      {{- end }}
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+      {{- end }}
     spec:
       serviceAccountName: {{ template "webhook.serviceAccountName" . }}
       {{- if hasKey .Values.webhook "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -54,14 +67,16 @@ spec:
       {{- if .Values.webhook.hostNetwork }}
       hostNetwork: true
       {{- end }}
+      {{- if .Values.webhook.hostNetwork }}
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}-webhook
-          {{- with .Values.webhook.image }}
+          image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}"
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
           imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
           {{- if .Values.webhook.config }}
@@ -71,8 +86,8 @@ spec:
           {{ if not $config.securePort -}}
           - --secure-port={{ .Values.webhook.securePort }}
           {{- end }}
-          {{- if .Values.featureGates }}
+          {{- if .Values.webhook.featureGates }}
-          - --feature-gates={{ .Values.featureGates }}
+          - --feature-gates={{ .Values.webhook.featureGates }}
           {{- end }}
           {{- $tlsConfig := default $config.tlsConfig "" }}
           {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
@@ -88,6 +103,9 @@ spec:
           {{- with .Values.webhook.extraArgs }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
+          {{- if not .Values.prometheus.enabled }}
+          - --metrics-listen-address=0
+          {{- end }}
           ports:
           - name: https
             protocol: TCP
@@ -105,6 +123,11 @@ spec:
             {{- else }}
             containerPort: 6080
             {{- end }}
+          {{- if .Values.prometheus.enabled }}
+          - containerPort: 9402
+            name: http-metrics
+            protocol: TCP
+          {{- end }}
           livenessProbe:
             httpGet:
               path: /livez
@@ -142,6 +165,9 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          {{- with .Values.webhook.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           {{- with .Values.webhook.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
@@ -152,8 +178,8 @@ spec:
             - name: config
               mountPath: /var/cert-manager/config
             {{- end }}
-            {{- if .Values.webhook.volumeMounts }}
+            {{- with .Values.webhook.volumeMounts }}
-            {{- toYaml .Values.webhook.volumeMounts | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
             {{- end }}
           {{- end }}
       {{- with .Values.webhook.nodeSelector }}
@@ -179,7 +205,7 @@ spec:
           configMap:
             name: {{ include "webhook.fullname" . }}
         {{- end }}
-        {{- if .Values.webhook.volumes }}
+        {{- with .Values.webhook.volumes }}
-        {{- toYaml .Values.webhook.volumes | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
         {{- end }}
       {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-mutating-webhook.yaml

@@ -15,17 +15,19 @@ metadata:
     {{- end }}
 webhooks:
   - name: webhook.cert-manager.io
+    {{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }}
+    namespaceSelector:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
     rules:
       - apiGroups:
           - "cert-manager.io"
-          - "acme.cert-manager.io"
         apiVersions:
           - "v1"
         operations:
           - CREATE
-          - UPDATE
         resources:
-          - "*/*"
+          - "certificaterequests"
     admissionReviewVersions: ["v1"]
     # This webhook only accepts v1 cert-manager resources.
     # Equivalent matchPolicy ensures that non-v1 resource requests are sent to

packages/system/cert-manager/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "webhook"
 
-  {{- with .Values.webhook.podDisruptionBudget.minAvailable }}
+  {{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
-  minAvailable: {{ . }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.webhook.podDisruptionBudget.maxUnavailable }}
+  {{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
-  maxUnavailable: {{ . }}
+  minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-rbac.yaml

@@ -15,6 +15,15 @@ rules:
   resources: ["secrets"]
   resourceNames:
   - '{{ template "webhook.fullname" . }}-ca'
+  {{- $certmanagerNamespace := include "cert-manager.namespace" . }}
+  {{- with (.Values.webhook.config.metricsTLSConfig).dynamic }}
+  {{- if $certmanagerNamespace | eq .secretNamespace }}
+  # Allow webhook to read and update the metrics CA Secret when dynamic TLS is
+  # enabled for the metrics server and if the Secret is configured to be in the
+  # same namespace as cert-manager.
+  - {{ .secretName | quote }}
+  {{- end }}
+  {{- end }}
   verbs: ["get", "list", "watch", "update"]
 # It's not possible to grant CREATE permission on a single resourceName.
 - apiGroups: [""]
@@ -38,8 +47,7 @@ roleRef:
   kind: Role
   name: {{ template "webhook.fullname" . }}:dynamic-serving
 subjects:
-- apiGroup: ""
+- kind: ServiceAccount
-  kind: ServiceAccount
   name: {{ template "webhook.serviceAccountName" . }}
   namespace: {{ include "cert-manager.namespace" . }}
 
@@ -76,8 +84,7 @@ roleRef:
   kind: ClusterRole
   name: {{ template "webhook.fullname" . }}:subjectaccessreviews
 subjects:
-- apiGroup: ""
+- kind: ServiceAccount
-  kind: ServiceAccount
   name: {{ template "webhook.serviceAccountName" . }}
   namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-service.yaml

@@ -18,6 +18,12 @@ metadata:
     {{- end }}
 spec:
   type: {{ .Values.webhook.serviceType }}
+  {{- if .Values.webhook.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.webhook.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.webhook.serviceIPFamilies }}
+  ipFamilies: {{ .Values.webhook.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
   {{- with .Values.webhook.loadBalancerIP }}
   loadBalancerIP: {{ . }}
   {{- end }}
@@ -26,6 +32,12 @@ spec:
     port: 443
     protocol: TCP
     targetPort: "https"
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
+  - name: metrics
+    port: 9402
+    protocol: TCP
+    targetPort: "http-metrics"
+{{- end }}
   selector:
     app.kubernetes.io/name: {{ include "webhook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-validating-webhook.yaml

@@ -15,16 +15,10 @@ metadata:
     {{- end }}
 webhooks:
   - name: webhook.cert-manager.io
+    {{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }}
     namespaceSelector:
-      matchExpressions:
+      {{- toYaml . | nindent 6 }}
-      - key: "cert-manager.io/disable-validation"
+    {{- end }}
-        operator: "NotIn"
-        values:
-        - "true"
-      - key: "name"
-        operator: "NotIn"
-        values:
-        - {{ include "cert-manager.namespace" . }}
     rules:
       - apiGroups:
           - "cert-manager.io"

packages/system/cozystack-api/values.yaml

@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.22.0@sha256:14c53970dec8a90e320675f8b35a098279cabd08fbd1fbddbe7a67e24a0811d5
+  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.23.1@sha256:b25faba99a8b98c1d3576b47986266c4f391c1998d89b599e9139f43727c5b4c

packages/system/cozystack-controller/values.yaml

@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.22.0@sha256:c5075188357f574a605fd89262e2e89633b42e6245575d5436e16ef57f3b914f
+  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.23.1@sha256:ca7801e33fbd38e01b3abe9645956bb235ba7b0f2381bd622d18d4dc5e280020
   debug: false
   disableTelemetry: false
-  cozystackVersion: "v0.22.0"
+  cozystackVersion: "v0.23.1"

packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml

@@ -76,7 +76,7 @@ data:
       "kubeappsNamespace": {{ .Release.Namespace | quote }},
       "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
       "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.22.0",
+      "appVersion": "v0.23.1",
       "authProxyEnabled": {{ .Values.authProxy.enabled }},
       "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
       "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},

packages/system/dashboard/images/dashboard/Dockerfile

@@ -1,7 +1,7 @@
 FROM bitnami/node:20.15.1 AS build
 WORKDIR /app
 
-ARG COMMIT_REF=215c323b0754c8f7328819df9a253e0e507eccb4
+ARG COMMIT_REF=dd02680d796c962b8dcc4e5ea70960a846c1acdc
 RUN wget -O- https://github.com/aenix-io/kubeapps/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=2 kubeapps-${COMMIT_REF}/dashboard
 
 RUN yarn install --frozen-lockfile

packages/system/dashboard/images/kubeapps-apis/Dockerfile

@@ -4,7 +4,7 @@
 # syntax = docker/dockerfile:1
 
 FROM alpine as source
-ARG COMMIT_REF=215c323b0754c8f7328819df9a253e0e507eccb4
+ARG COMMIT_REF=dd02680d796c962b8dcc4e5ea70960a846c1acdc
 RUN apk add --no-cache patch
 WORKDIR /source
 RUN wget -O- https://github.com/aenix-io/kubeapps/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1

packages/system/dashboard/values.yaml

@@ -40,14 +40,14 @@ kubeapps:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.22.0
+      tag: v0.23.1
-      digest: "sha256:b4c5b9a59e95b562c350a03bb1b639e906b3eb9a51fe48de9553c86318b0e270"
+      digest: "sha256:81e7b625c667bce5fc339eb97c8e115eafb82f66df4501550b3677ac53f6e234"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.22.0
+      tag: v0.23.1
-      digest: "sha256:91128543e22c612a0ddc07fa193bf1dc315cb4ebc15302dfa6eb9daff779f3ea"
+      digest: "sha256:d3767354cf6c785447f30e87bb2017ec45843edfc02635f526d2ecacc82f5d26"
     pluginConfig:
       flux:
         packages:

packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml

@@ -8,7 +8,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.12.0
+appVersion: v0.13.0
 description: 'A Helm chart for deploying the Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.12.0
+version: 0.13.0

packages/system/fluxcd-operator/charts/flux-operator/README.md

@@ -1,6 +1,6 @@
 # flux-operator
 
-![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.0](https://img.shields.io/badge/AppVersion-v0.12.0-informational?style=flat-square)
+![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.0](https://img.shields.io/badge/AppVersion-v0.13.0-informational?style=flat-square)
 
 The [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator) provides a
 declarative API for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the

packages/system/fluxcd/charts/flux-instance/Chart.yaml

@@ -8,7 +8,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.12.0
+appVersion: v0.13.0
 description: 'A Helm chart for deploying a Flux instance managed by Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.12.0
+version: 0.13.0

packages/system/fluxcd/charts/flux-instance/README.md

@@ -1,6 +1,6 @@
 # flux-instance
 
-![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.0](https://img.shields.io/badge/AppVersion-v0.12.0-informational?style=flat-square)
+![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.0](https://img.shields.io/badge/AppVersion-v0.13.0-informational?style=flat-square)
 
 This chart is a thin wrapper around the `FluxInstance` custom resource, which is
 used by the [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator)
@@ -38,12 +38,13 @@ helm -n flux-system uninstall flux
 | commonLabels | object | `{}` | Common labels to add to all deployed objects including pods. |
 | fullnameOverride | string | `"flux"` |  |
 | instance.cluster | object | `{"domain":"cluster.local","multitenant":false,"networkPolicy":true,"tenantDefaultServiceAccount":"default","type":"kubernetes"}` | Cluster https://fluxcd.control-plane.io/operator/fluxinstance/#cluster-configuration |
+| instance.commonMetadata | object | `{"annotations":{},"labels":{}}` | Common metadata https://fluxcd.control-plane.io/operator/fluxinstance/#common-metadata |
 | instance.components | list | `["source-controller","kustomize-controller","helm-controller","notification-controller"]` | Components https://fluxcd.control-plane.io/operator/fluxinstance/#components-configuration |
 | instance.distribution | object | `{"artifact":"oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest","imagePullSecret":"","registry":"ghcr.io/fluxcd","version":"2.x"}` | Distribution https://fluxcd.control-plane.io/operator/fluxinstance/#distribution-configuration |
 | instance.kustomize.patches | list | `[]` | Kustomize patches https://fluxcd.control-plane.io/operator/fluxinstance/#kustomize-patches |
 | instance.sharding | object | `{"key":"sharding.fluxcd.io/key","shards":[]}` | Sharding https://fluxcd.control-plane.io/operator/fluxinstance/#sharding-configuration |
 | instance.storage | object | `{"class":"","size":""}` | Storage https://fluxcd.control-plane.io/operator/fluxinstance/#storage-configuration |
-| instance.sync | object | `{"kind":"GitRepository","path":"","pullSecret":"","ref":"","url":""}` | Sync https://fluxcd.control-plane.io/operator/fluxinstance/#sync-configuration |
+| instance.sync | object | `{"kind":"GitRepository","name":"","path":"","pullSecret":"","ref":"","url":""}` | Sync https://fluxcd.control-plane.io/operator/fluxinstance/#sync-configuration |
 | nameOverride | string | `""` |  |
 
 ## Source Code

packages/system/fluxcd/charts/flux-instance/templates/instance.yaml

@@ -22,6 +22,17 @@ spec:
     {{- end }}
   components: {{ .Values.instance.components | toYaml | nindent 4 }}
   cluster: {{ .Values.instance.cluster | toYaml | nindent 4 }}
+  {{- if or .Values.instance.commonMetadata.annotations  .Values.instance.commonMetadata.labels }}
+  commonMetadata:
+    {{- with .Values.instance.commonMetadata.annotations }}
+    annotations:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.instance.commonMetadata.labels }}
+    labels:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- end }}
   kustomize: {{ .Values.instance.kustomize | toYaml | nindent 4 }}
   {{- if .Values.instance.sync.url }}
   sync:
@@ -29,6 +40,9 @@ spec:
     url: {{ .Values.instance.sync.url }}
     ref: {{ .Values.instance.sync.ref }}
     path: {{ .Values.instance.sync.path }}
+    {{- if .Values.instance.sync.name }}
+    name: {{ .Values.instance.sync.name }}
+    {{- end }}
     {{- if .Values.instance.sync.pullSecret }}
     pullSecret: {{ .Values.instance.sync.pullSecret }}
     {{- end }}

packages/system/fluxcd/charts/flux-instance/values.schema.json

@@ -41,6 +41,19 @@
                     },
                     "type": "object"
                 },
+                "commonMetadata": {
+                    "properties": {
+                        "annotations": {
+                            "properties": {},
+                            "type": "object"
+                        },
+                        "labels": {
+                            "properties": {},
+                            "type": "object"
+                        }
+                    },
+                    "type": "object"
+                },
                 "components": {
                     "items": {
                         "enum": [
@@ -123,6 +136,9 @@
                             ],
                             "type": "string"
                         },
+                        "name": {
+                            "type": "string"
+                        },
                         "path": {
                             "type": "string"
                         },

packages/system/fluxcd/charts/flux-instance/values.yaml

@@ -23,6 +23,10 @@ instance:
     networkPolicy: true
     multitenant: false
     tenantDefaultServiceAccount: "default"
+  # -- Common metadata https://fluxcd.control-plane.io/operator/fluxinstance/#common-metadata
+  commonMetadata: # @schema required: false
+    labels: { }
+    annotations: { }
   # -- Storage https://fluxcd.control-plane.io/operator/fluxinstance/#storage-configuration
   storage: # @schema required: false
     class: ""
@@ -38,6 +42,7 @@ instance:
     ref: ""
     path: ""
     pullSecret: ""
+    name: ""
   kustomize: # @schema required: false
     # -- Kustomize patches https://fluxcd.control-plane.io/operator/fluxinstance/#kustomize-patches
     patches: [] # @schema item: object

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.22.0@sha256:63b45c237ac26851236fb4d1d724067b8b8f614bb5fd0f523a3811cf50c570ef
+    tag: v0.23.1@sha256:87166056685e4dab9de030ad9389ce58f0d96e7f6c191674fe93483fbe99490f
     repository: ghcr.io/aenix-io/cozystack/kamaji
   resources:
     limits:

packages/system/kubeovn/values.yaml

@@ -22,4 +22,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.13.2@sha256:9ed2b3ec3f93832a1871a327f97eeedebf57dc01a98d52471312c4c47c265241
+      tag: v1.13.2@sha256:ee658a003cd77a1f7b9df1d108255a8b5a69e67dd59fa6a6161c869b00207d4f

packages/system/tinkerbell/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-tinkerbell
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/tinkerbell/Makefile

@@ -0,0 +1,16 @@
+export NAME=tinkerbell
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	mkdir -p charts
+	cd charts && \
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/tinkerbell/charts  | awk -F'[/^]' 'END{print $$3}') && \
+	curl -sSL https://github.com/tinkerbell/charts/archive/refs/tags/$${tag}.tar.gz | \
+	tar xzvf - --strip 2 charts-$${tag#*v}/tinkerbell
+	find charts -maxdepth 1 -mindepth 1 ! -name tink -and ! -name smee -and ! -name rufio -exec rm -rf {} \;
+	mkdir -p charts/smee/crds
+	mv charts/tink/crds/hardware-crd.yaml charts/smee/crds
+	rm -rf charts/tink

packages/system/tinkerbell/charts/rufio/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: rufio
+description: Rufio handles BMC interactions for Tinkerbell
+icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.4.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.6.1"

packages/system/tinkerbell/charts/rufio/crds/bmc.tinkerbell.org_jobs.yaml

@@ -0,0 +1,166 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: jobs.bmc.tinkerbell.org
+spec:
+  group: bmc.tinkerbell.org
+  names:
+    categories:
+    - tinkerbell
+    kind: Job
+    listKind: JobList
+    plural: jobs
+    shortNames:
+    - j
+    singular: job
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Job is the Schema for the bmcjobs API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: JobSpec defines the desired state of Job.
+            properties:
+              machineRef:
+                description: |-
+                  MachineRef represents the Machine resource to execute the job.
+                  All the tasks in the job are executed for the same Machine.
+                properties:
+                  name:
+                    description: Name of the Machine.
+                    type: string
+                  namespace:
+                    description: Namespace the Machine resides in.
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
+              tasks:
+                description: |-
+                  Tasks represents a list of baseboard management actions to be executed.
+                  The tasks are executed sequentially. Controller waits for one task to complete before executing the next.
+                  If a single task fails, job execution stops and sets condition Failed.
+                  Condition Completed is set only if all the tasks were successful.
+                items:
+                  description: |-
+                    Action represents the action to be performed.
+                    A single task can only perform one type of action.
+                    For example either PowerAction or OneTimeBootDeviceAction.
+                  maxProperties: 1
+                  properties:
+                    oneTimeBootDeviceAction:
+                      description: OneTimeBootDeviceAction represents a baseboard
+                        management one time set boot device operation.
+                      properties:
+                        device:
+                          description: |-
+                            Devices represents the boot devices, in order for setting one time boot.
+                            Currently only the first device in the slice is used to set one time boot.
+                          items:
+                            description: BootDevice represents boot device of the
+                              Machine.
+                            type: string
+                          type: array
+                        efiBoot:
+                          description: EFIBoot instructs the machine to use EFI boot.
+                          type: boolean
+                      required:
+                      - device
+                      type: object
+                    powerAction:
+                      description: PowerAction represents a baseboard management power
+                        operation.
+                      enum:
+                      - "on"
+                      - "off"
+                      - soft
+                      - status
+                      - cycle
+                      - reset
+                      type: string
+                    virtualMediaAction:
+                      description: VirtualMediaAction represents a baseboard management
+                        virtual media insert/eject.
+                      properties:
+                        kind:
+                          type: string
+                        mediaURL:
+                          description: |-
+                            mediaURL represents the URL of the image to be inserted into the virtual media, or empty to
+                            eject media.
+                          type: string
+                      required:
+                      - kind
+                      type: object
+                  type: object
+                minItems: 1
+                type: array
+            required:
+            - machineRef
+            - tasks
+            type: object
+          status:
+            description: JobStatus defines the observed state of Job.
+            properties:
+              completionTime:
+                description: |-
+                  CompletionTime represents time when the job was completed.
+                  The completion time is only set when the job finishes successfully.
+                format: date-time
+                type: string
+              conditions:
+                description: Conditions represents the latest available observations
+                  of an object's current state.
+                items:
+                  properties:
+                    message:
+                      description: Message represents human readable message indicating
+                        details about last transition.
+                      type: string
+                    status:
+                      description: |-
+                        Status is the status of the Job condition.
+                        Can be True or False.
+                      type: string
+                    type:
+                      description: Type of the Job condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              startTime:
+                description: StartTime represents time when the Job controller started
+                  processing a job.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

packages/system/tinkerbell/charts/rufio/crds/bmc.tinkerbell.org_machines.yaml

@@ -0,0 +1,294 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: machines.bmc.tinkerbell.org
+spec:
+  group: bmc.tinkerbell.org
+  names:
+    categories:
+    - tinkerbell
+    kind: Machine
+    listKind: MachineList
+    plural: machines
+    singular: machine
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Machine is the Schema for the machines API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineSpec defines desired machine state.
+            properties:
+              connection:
+                description: Connection contains connection data for a Baseboard Management
+                  Controller.
+                properties:
+                  authSecretRef:
+                    description: |-
+                      AuthSecretRef is the SecretReference that contains authentication information of the Machine.
+                      The Secret must contain username and password keys. This is optional as it is not required when using
+                      the RPC provider.
+                    properties:
+                      name:
+                        description: name is unique within a namespace to reference
+                          a secret resource.
+                        type: string
+                      namespace:
+                        description: namespace defines the space within which the
+                          secret name must be unique.
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  host:
+                    description: Host is the host IP address or hostname of the Machine.
+                    minLength: 1
+                    type: string
+                  insecureTLS:
+                    description: InsecureTLS specifies trusted TLS connections.
+                    type: boolean
+                  port:
+                    default: 623
+                    description: Port is the port number for connecting with the Machine.
+                    type: integer
+                  providerOptions:
+                    description: ProviderOptions contains provider specific options.
+                    properties:
+                      intelAMT:
+                        description: IntelAMT contains the options to customize the
+                          IntelAMT provider.
+                        properties:
+                          hostScheme:
+                            default: http
+                            description: HostScheme determines whether to use http
+                              or https for intelAMT calls.
+                            enum:
+                            - http
+                            - https
+                            type: string
+                          port:
+                            description: Port that intelAMT will use for calls.
+                            type: integer
+                        type: object
+                      ipmitool:
+                        description: IPMITOOL contains the options to customize the
+                          Ipmitool provider.
+                        properties:
+                          cipherSuite:
+                            description: CipherSuite that ipmitool will use for calls.
+                            type: string
+                          port:
+                            description: Port that ipmitool will use for calls.
+                            type: integer
+                        type: object
+                      preferredOrder:
+                        description: |-
+                          PreferredOrder allows customizing the order that BMC providers are called.
+                          Providers added to this list will be moved to the front of the default order.
+                          Provider names are case insensitive.
+                          The default order is: ipmitool, asrockrack, gofish, intelamt, dell, supermicro, openbmc.
+                        items:
+                          description: ProviderName is the bmclib specific provider
+                            name. Names are case insensitive.
+                          pattern: (?i)^(ipmitool|asrockrack|gofish|IntelAMT|dell|supermicro|openbmc)$
+                          type: string
+                        type: array
+                      redfish:
+                        description: Redfish contains the options to customize the
+                          Redfish provider.
+                        properties:
+                          port:
+                            description: Port that redfish will use for calls.
+                            type: integer
+                          systemName:
+                            description: |-
+                              SystemName is the name of the system to use for redfish calls.
+                              With redfish implementations that manage multiple systems via a single endpoint, this allows for specifying the system to manage.
+                            type: string
+                          useBasicAuth:
+                            description: UseBasicAuth for redfish calls. The default
+                              is false which means token based auth is used.
+                            type: boolean
+                        type: object
+                      rpc:
+                        description: RPC contains the options to customize the RPC
+                          provider.
+                        properties:
+                          consumerURL:
+                            description: |-
+                              ConsumerURL is the URL where an rpc consumer/listener is running
+                              and to which we will send and receive all notifications.
+                            type: string
+                          experimental:
+                            description: Experimental options.
+                            properties:
+                              customRequestPayload:
+                                description: CustomRequestPayload must be in json.
+                                type: string
+                              dotPath:
+                                description: 'DotPath is the path to the json object
+                                  where the bmclib RequestPayload{} struct will be
+                                  embedded. For example: object.data.body'
+                                type: string
+                            type: object
+                          hmac:
+                            description: HMAC is the options used to create a HMAC
+                              signature.
+                            properties:
+                              prefixSigDisabled:
+                                description: 'PrefixSigDisabled determines whether
+                                  the algorithm will be prefixed to the signature.
+                                  Example: sha256=abc123'
+                                type: boolean
+                              secrets:
+                                additionalProperties:
+                                  items:
+                                    description: |-
+                                      SecretReference represents a Secret Reference. It has enough information to retrieve secret
+                                      in any namespace
+                                    properties:
+                                      name:
+                                        description: name is unique within a namespace
+                                          to reference a secret resource.
+                                        type: string
+                                      namespace:
+                                        description: namespace defines the space within
+                                          which the secret name must be unique.
+                                        type: string
+                                    type: object
+                                    x-kubernetes-map-type: atomic
+                                  type: array
+                                description: Secrets are a map of algorithms to secrets
+                                  used for signing.
+                                type: object
+                            type: object
+                          logNotificationsDisabled:
+                            description: LogNotificationsDisabled determines whether
+                              responses from rpc consumer/listeners will be logged
+                              or not.
+                            type: boolean
+                          request:
+                            description: Request is the options used to create the
+                              rpc HTTP request.
+                            properties:
+                              httpContentType:
+                                description: HTTPContentType is the content type to
+                                  use for the rpc request notification.
+                                type: string
+                              httpMethod:
+                                description: HTTPMethod is the HTTP method to use
+                                  for the rpc request notification.
+                                type: string
+                              staticHeaders:
+                                additionalProperties:
+                                  items:
+                                    type: string
+                                  type: array
+                                description: StaticHeaders are predefined headers
+                                  that will be added to every request.
+                                type: object
+                              timestampFormat:
+                                description: TimestampFormat is the time format for
+                                  the timestamp header.
+                                type: string
+                              timestampHeader:
+                                description: 'TimestampHeader is the header name that
+                                  should contain the timestamp. Example: X-BMCLIB-Timestamp'
+                                type: string
+                            type: object
+                          signature:
+                            description: Signature is the options used for adding
+                              an HMAC signature to an HTTP request.
+                            properties:
+                              appendAlgoToHeaderDisabled:
+                                description: |-
+                                  AppendAlgoToHeaderDisabled decides whether to append the algorithm to the signature header or not.
+                                  Example: X-BMCLIB-Signature becomes X-BMCLIB-Signature-256
+                                  When set to true, a header will be added for each algorithm. Example: X-BMCLIB-Signature-256 and X-BMCLIB-Signature-512
+                                type: boolean
+                              headerName:
+                                description: 'HeaderName is the header name that should
+                                  contain the signature(s). Example: X-BMCLIB-Signature'
+                                type: string
+                              includedPayloadHeaders:
+                                description: |-
+                                  IncludedPayloadHeaders are headers whose values will be included in the signature payload. Example: X-BMCLIB-My-Custom-Header
+                                  All headers will be deduplicated.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        required:
+                        - consumerURL
+                        type: object
+                    type: object
+                required:
+                - host
+                - insecureTLS
+                type: object
+            required:
+            - connection
+            type: object
+          status:
+            description: MachineStatus defines the observed state of Machine.
+            properties:
+              conditions:
+                description: Conditions represents the latest available observations
+                  of an object's current state.
+                items:
+                  description: MachineCondition defines an observed condition of a
+                    Machine.
+                  properties:
+                    lastUpdateTime:
+                      description: LastUpdateTime of the condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable message indicating
+                        with details of the last transition.
+                      type: string
+                    status:
+                      description: Status of the condition.
+                      type: string
+                    type:
+                      description: Type of the Machine condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              powerState:
+                description: Power is the current power state of the Machine.
+                enum:
+                - "on"
+                - "off"
+                - unknown
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

packages/system/tinkerbell/charts/rufio/crds/bmc.tinkerbell.org_tasks.yaml

@@ -0,0 +1,342 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: tasks.bmc.tinkerbell.org
+spec:
+  group: bmc.tinkerbell.org
+  names:
+    categories:
+    - tinkerbell
+    kind: Task
+    listKind: TaskList
+    plural: tasks
+    shortNames:
+    - t
+    singular: task
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Task is the Schema for the Task API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TaskSpec defines the desired state of Task.
+            properties:
+              connection:
+                description: Connection represents the Machine connectivity information.
+                properties:
+                  authSecretRef:
+                    description: |-
+                      AuthSecretRef is the SecretReference that contains authentication information of the Machine.
+                      The Secret must contain username and password keys. This is optional as it is not required when using
+                      the RPC provider.
+                    properties:
+                      name:
+                        description: name is unique within a namespace to reference
+                          a secret resource.
+                        type: string
+                      namespace:
+                        description: namespace defines the space within which the
+                          secret name must be unique.
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  host:
+                    description: Host is the host IP address or hostname of the Machine.
+                    minLength: 1
+                    type: string
+                  insecureTLS:
+                    description: InsecureTLS specifies trusted TLS connections.
+                    type: boolean
+                  port:
+                    default: 623
+                    description: Port is the port number for connecting with the Machine.
+                    type: integer
+                  providerOptions:
+                    description: ProviderOptions contains provider specific options.
+                    properties:
+                      intelAMT:
+                        description: IntelAMT contains the options to customize the
+                          IntelAMT provider.
+                        properties:
+                          hostScheme:
+                            default: http
+                            description: HostScheme determines whether to use http
+                              or https for intelAMT calls.
+                            enum:
+                            - http
+                            - https
+                            type: string
+                          port:
+                            description: Port that intelAMT will use for calls.
+                            type: integer
+                        type: object
+                      ipmitool:
+                        description: IPMITOOL contains the options to customize the
+                          Ipmitool provider.
+                        properties:
+                          cipherSuite:
+                            description: CipherSuite that ipmitool will use for calls.
+                            type: string
+                          port:
+                            description: Port that ipmitool will use for calls.
+                            type: integer
+                        type: object
+                      preferredOrder:
+                        description: |-
+                          PreferredOrder allows customizing the order that BMC providers are called.
+                          Providers added to this list will be moved to the front of the default order.
+                          Provider names are case insensitive.
+                          The default order is: ipmitool, asrockrack, gofish, intelamt, dell, supermicro, openbmc.
+                        items:
+                          description: ProviderName is the bmclib specific provider
+                            name. Names are case insensitive.
+                          pattern: (?i)^(ipmitool|asrockrack|gofish|IntelAMT|dell|supermicro|openbmc)$
+                          type: string
+                        type: array
+                      redfish:
+                        description: Redfish contains the options to customize the
+                          Redfish provider.
+                        properties:
+                          port:
+                            description: Port that redfish will use for calls.
+                            type: integer
+                          systemName:
+                            description: |-
+                              SystemName is the name of the system to use for redfish calls.
+                              With redfish implementations that manage multiple systems via a single endpoint, this allows for specifying the system to manage.
+                            type: string
+                          useBasicAuth:
+                            description: UseBasicAuth for redfish calls. The default
+                              is false which means token based auth is used.
+                            type: boolean
+                        type: object
+                      rpc:
+                        description: RPC contains the options to customize the RPC
+                          provider.
+                        properties:
+                          consumerURL:
+                            description: |-
+                              ConsumerURL is the URL where an rpc consumer/listener is running
+                              and to which we will send and receive all notifications.
+                            type: string
+                          experimental:
+                            description: Experimental options.
+                            properties:
+                              customRequestPayload:
+                                description: CustomRequestPayload must be in json.
+                                type: string
+                              dotPath:
+                                description: 'DotPath is the path to the json object
+                                  where the bmclib RequestPayload{} struct will be
+                                  embedded. For example: object.data.body'
+                                type: string
+                            type: object
+                          hmac:
+                            description: HMAC is the options used to create a HMAC
+                              signature.
+                            properties:
+                              prefixSigDisabled:
+                                description: 'PrefixSigDisabled determines whether
+                                  the algorithm will be prefixed to the signature.
+                                  Example: sha256=abc123'
+                                type: boolean
+                              secrets:
+                                additionalProperties:
+                                  items:
+                                    description: |-
+                                      SecretReference represents a Secret Reference. It has enough information to retrieve secret
+                                      in any namespace
+                                    properties:
+                                      name:
+                                        description: name is unique within a namespace
+                                          to reference a secret resource.
+                                        type: string
+                                      namespace:
+                                        description: namespace defines the space within
+                                          which the secret name must be unique.
+                                        type: string
+                                    type: object
+                                    x-kubernetes-map-type: atomic
+                                  type: array
+                                description: Secrets are a map of algorithms to secrets
+                                  used for signing.
+                                type: object
+                            type: object
+                          logNotificationsDisabled:
+                            description: LogNotificationsDisabled determines whether
+                              responses from rpc consumer/listeners will be logged
+                              or not.
+                            type: boolean
+                          request:
+                            description: Request is the options used to create the
+                              rpc HTTP request.
+                            properties:
+                              httpContentType:
+                                description: HTTPContentType is the content type to
+                                  use for the rpc request notification.
+                                type: string
+                              httpMethod:
+                                description: HTTPMethod is the HTTP method to use
+                                  for the rpc request notification.
+                                type: string
+                              staticHeaders:
+                                additionalProperties:
+                                  items:
+                                    type: string
+                                  type: array
+                                description: StaticHeaders are predefined headers
+                                  that will be added to every request.
+                                type: object
+                              timestampFormat:
+                                description: TimestampFormat is the time format for
+                                  the timestamp header.
+                                type: string
+                              timestampHeader:
+                                description: 'TimestampHeader is the header name that
+                                  should contain the timestamp. Example: X-BMCLIB-Timestamp'
+                                type: string
+                            type: object
+                          signature:
+                            description: Signature is the options used for adding
+                              an HMAC signature to an HTTP request.
+                            properties:
+                              appendAlgoToHeaderDisabled:
+                                description: |-
+                                  AppendAlgoToHeaderDisabled decides whether to append the algorithm to the signature header or not.
+                                  Example: X-BMCLIB-Signature becomes X-BMCLIB-Signature-256
+                                  When set to true, a header will be added for each algorithm. Example: X-BMCLIB-Signature-256 and X-BMCLIB-Signature-512
+                                type: boolean
+                              headerName:
+                                description: 'HeaderName is the header name that should
+                                  contain the signature(s). Example: X-BMCLIB-Signature'
+                                type: string
+                              includedPayloadHeaders:
+                                description: |-
+                                  IncludedPayloadHeaders are headers whose values will be included in the signature payload. Example: X-BMCLIB-My-Custom-Header
+                                  All headers will be deduplicated.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        required:
+                        - consumerURL
+                        type: object
+                    type: object
+                required:
+                - host
+                - insecureTLS
+                type: object
+              task:
+                description: Task defines the specific action to be performed.
+                maxProperties: 1
+                properties:
+                  oneTimeBootDeviceAction:
+                    description: OneTimeBootDeviceAction represents a baseboard management
+                      one time set boot device operation.
+                    properties:
+                      device:
+                        description: |-
+                          Devices represents the boot devices, in order for setting one time boot.
+                          Currently only the first device in the slice is used to set one time boot.
+                        items:
+                          description: BootDevice represents boot device of the Machine.
+                          type: string
+                        type: array
+                      efiBoot:
+                        description: EFIBoot instructs the machine to use EFI boot.
+                        type: boolean
+                    required:
+                    - device
+                    type: object
+                  powerAction:
+                    description: PowerAction represents a baseboard management power
+                      operation.
+                    enum:
+                    - "on"
+                    - "off"
+                    - soft
+                    - status
+                    - cycle
+                    - reset
+                    type: string
+                  virtualMediaAction:
+                    description: VirtualMediaAction represents a baseboard management
+                      virtual media insert/eject.
+                    properties:
+                      kind:
+                        type: string
+                      mediaURL:
+                        description: |-
+                          mediaURL represents the URL of the image to be inserted into the virtual media, or empty to
+                          eject media.
+                        type: string
+                    required:
+                    - kind
+                    type: object
+                type: object
+            required:
+            - task
+            type: object
+          status:
+            description: TaskStatus defines the observed state of Task.
+            properties:
+              completionTime:
+                description: |-
+                  CompletionTime represents time when the task was completed.
+                  The completion time is only set when the task finishes successfully.
+                format: date-time
+                type: string
+              conditions:
+                description: Conditions represents the latest available observations
+                  of an object's current state.
+                items:
+                  properties:
+                    message:
+                      description: Message represents human readable message indicating
+                        details about last transition.
+                      type: string
+                    status:
+                      description: |-
+                        Status is the status of the Task condition.
+                        Can be True or False.
+                      type: string
+                    type:
+                      description: Type of the Task condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              startTime:
+                description: StartTime represents time when the Task started processing.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

packages/system/tinkerbell/charts/rufio/templates/_scheduling.tpl

@@ -0,0 +1,12 @@
+{{- define "singleNodeClusterConfig" }}
+- effect: NoSchedule
+  key: node-role.kubernetes.io/control-plane
+{{- end }}
+
+{{- define "preferWorkerNodes" }}
+- weight: {{ .nodeAffinityWeight }}
+  preference:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/deployment.yaml

@@ -0,0 +1,87 @@
+{{- if .Values.deploy }}
+{{- $roleType := .Values.rbac.type }}
+{{- $nodeSelector := .Values.nodeSelector }}
+{{- if .Values.global }}
+{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
+{{- $nodeSelector = coalesce .Values.nodeSelector .Values.global.nodeSelector }}
+{{- end }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ .Values.name }}
+    control-plane: controller-manager
+  name: {{ .Values.name }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Values.name }}
+      control-plane: controller-manager
+      stack: tinkerbell
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+      labels:
+        app: {{ .Values.name }}
+        control-plane: controller-manager
+        stack: tinkerbell
+    spec:
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
+      securityContext:
+        runAsNonRoot: true
+      containers:
+      - name: manager
+        image: {{ .Values.image }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+        command:
+        - /manager
+        args:
+        - --leader-elect
+        {{- if eq $roleType "Role" }}
+        - -kube-namespace={{ .Release.Namespace }}
+        {{- end }}
+        {{- range .Values.additionalArgs }}
+        - {{ . }}
+        {{- end }}
+        securityContext:
+          allowPrivilegeEscalation: false
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: {{ .Values.resources.limits.cpu }}
+            memory: {{ .Values.resources.limits.memory }}
+          requests:
+            cpu: {{ .Values.resources.requests.cpu }}
+            memory: {{ .Values.resources.requests.memory }}
+      serviceAccountName: {{ .Values.serviceAccountName }}
+      terminationGracePeriodSeconds: 10
+      {{- with $nodeSelector }}
+      nodeSelector:
+      {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.singleNodeClusterConfig.controlPlaneTolerationsEnabled }}
+      tolerations:
+      {{- include "singleNodeClusterConfig" . | indent 6 }}
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          {{- include "preferWorkerNodes" (dict "nodeAffinityWeight" .Values.singleNodeClusterConfig.nodeAffinityWeight) | indent 10 }}
+      {{- end }}
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/leader-election-role-binding.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.deploy }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.rufioLeaderElectionRoleBindingName }}
+  namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.rufioLeaderElectionRoleName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccountName }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/leader-election-role.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.deploy }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.rufioLeaderElectionRoleName }}
+  namespace: {{ .Release.Namespace | quote }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/role-binding.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.deploy }}
+{{- $roleType := .Values.rbac.type }}
+{{- if .Values.global }}
+{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ printf "%sBinding" $roleType }}
+metadata:
+  name: {{ .Values.rbac.bindingName }}
+  {{- if eq $roleType "Role"  }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ $roleType }}
+  name: {{ .Values.rbac.name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccountName }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/role.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.deploy }}
+{{- $roleType := .Values.rbac.type }}
+{{- if .Values.global }}
+{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ $roleType }}
+metadata:
+  name: {{ .Values.rbac.name }}
+  {{- if eq $roleType "Role"  }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["bmc.tinkerbell.org"]
+  resources: ["jobs", "jobs/status", "machines", "machines/status", "tasks", "tasks/status"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: ["bmc.tinkerbell.org"]
+  resources: ["jobs/finalizers", "machines/finalizers", "tasks/finalizers"]
+  verbs: ["update"]
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/service-account.yaml

@@ -0,0 +1,7 @@
+{{- if .Values.deploy }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccountName }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}

packages/system/tinkerbell/charts/rufio/values.schema.json

@@ -0,0 +1,21 @@
+{
+    "$schema": "http://json-schema.org/draft-04/schema#",
+    "type": "object",
+    "properties": {
+      "rbac": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "enum": ["Role", "ClusterRole"]
+          },
+          "name": {
+            "type": "string"
+          },
+          "bindingName": {
+            "type": "string"
+          }
+        }
+      }
+    }
+  }

packages/system/tinkerbell/charts/rufio/values.yaml

@@ -0,0 +1,26 @@
+deploy: true
+name: rufio
+image: quay.io/tinkerbell/rufio:v0.6.1
+imagePullPolicy: IfNotPresent
+resources:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+  limits:
+    cpu: 500m
+    memory: 128Mi
+additionalArgs: []
+serviceAccountName: rufio-controller-manager
+rufioLeaderElectionRoleName: rufio-leader-election-role
+rufioLeaderElectionRoleBindingName: rufio-leader-election-rolebinding
+nodeSelector: {}
+hostNetwork: false
+# singleNodeClusterConfig to add tolerations for deployments on control plane nodes. This is defaulted to false.
+singleNodeClusterConfig:
+  controlPlaneTolerationsEnabled: false
+  nodeAffinityWeight: 1
+
+rbac:
+  type: Role # or ClusterRole
+  name: rufio-role # or rufio-cluster-role
+  bindingName: rufio-rolebinding # or rufio-cluster-rolebinding

packages/system/tinkerbell/charts/smee/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: smee
+description: Smee is the network boot service for Tinkerbell
+icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.6.2
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.15.1"

packages/system/tinkerbell/charts/smee/crds/hardware-crd.yaml

@@ -0,0 +1,388 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.3
+  name: hardware.tinkerbell.org
+spec:
+  group: tinkerbell.org
+  names:
+    categories:
+      - tinkerbell
+    kind: Hardware
+    listKind: HardwareList
+    plural: hardware
+    shortNames:
+      - hw
+    singular: hardware
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .status.state
+          name: State
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: Hardware is the Schema for the Hardware API.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: HardwareSpec defines the desired state of Hardware.
+              properties:
+                bmcRef:
+                  description: |-
+                    BMCRef contains a relation to a BMC state management type in the same
+                    namespace as the Hardware. This may be used for BMC management by
+                    orchestrators.
+                  properties:
+                    apiGroup:
+                      description: |-
+                        APIGroup is the group for the resource being referenced.
+                        If APIGroup is not specified, the specified Kind must be in the core API group.
+                        For any other third-party types, APIGroup is required.
+                      type: string
+                    kind:
+                      description: Kind is the type of resource being referenced
+                      type: string
+                    name:
+                      description: Name is the name of resource being referenced
+                      type: string
+                  required:
+                    - kind
+                    - name
+                  type: object
+                  x-kubernetes-map-type: atomic
+                disks:
+                  items:
+                    description: Disk represents a disk device for Tinkerbell Hardware.
+                    properties:
+                      device:
+                        type: string
+                    type: object
+                  type: array
+                interfaces:
+                  items:
+                    description: Interface represents a network interface configuration for Hardware.
+                    properties:
+                      dhcp:
+                        description: DHCP configuration.
+                        properties:
+                          arch:
+                            type: string
+                          hostname:
+                            type: string
+                          iface_name:
+                            type: string
+                          ip:
+                            description: IP configuration.
+                            properties:
+                              address:
+                                type: string
+                              family:
+                                format: int64
+                                type: integer
+                              gateway:
+                                type: string
+                              netmask:
+                                type: string
+                            type: object
+                          lease_time:
+                            format: int64
+                            type: integer
+                          mac:
+                            pattern: ([0-9a-f]{2}[:]){5}([0-9a-f]{2})
+                            type: string
+                          name_servers:
+                            items:
+                              type: string
+                            type: array
+                          time_servers:
+                            items:
+                              type: string
+                            type: array
+                          uefi:
+                            type: boolean
+                          vlan_id:
+                            description: validation pattern for VLANDID is a string number between 0-4096
+                            pattern: ^(([0-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))(,[1-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))*)$
+                            type: string
+                        type: object
+                      disableDhcp:
+                        default: false
+                        description: DisableDHCP disables DHCP for this interface.
+                        type: boolean
+                      netboot:
+                        description: Netboot configuration.
+                        properties:
+                          allowPXE:
+                            type: boolean
+                          allowWorkflow:
+                            type: boolean
+                          ipxe:
+                            description: IPXE configuration.
+                            properties:
+                              contents:
+                                type: string
+                              url:
+                                type: string
+                            type: object
+                          osie:
+                            description: OSIE configuration.
+                            properties:
+                              baseURL:
+                                type: string
+                              initrd:
+                                type: string
+                              kernel:
+                                type: string
+                            type: object
+                        type: object
+                    type: object
+                  type: array
+                metadata:
+                  properties:
+                    bonding_mode:
+                      format: int64
+                      type: integer
+                    custom:
+                      properties:
+                        preinstalled_operating_system_version:
+                          properties:
+                            distro:
+                              type: string
+                            image_tag:
+                              type: string
+                            os_slug:
+                              type: string
+                            slug:
+                              type: string
+                            version:
+                              type: string
+                          type: object
+                        private_subnets:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    facility:
+                      properties:
+                        facility_code:
+                          type: string
+                        plan_slug:
+                          type: string
+                        plan_version_slug:
+                          type: string
+                      type: object
+                    instance:
+                      properties:
+                        allow_pxe:
+                          type: boolean
+                        always_pxe:
+                          type: boolean
+                        crypted_root_password:
+                          type: string
+                        hostname:
+                          type: string
+                        id:
+                          type: string
+                        ips:
+                          items:
+                            properties:
+                              address:
+                                type: string
+                              family:
+                                format: int64
+                                type: integer
+                              gateway:
+                                type: string
+                              management:
+                                type: boolean
+                              netmask:
+                                type: string
+                              public:
+                                type: boolean
+                            type: object
+                          type: array
+                        ipxe_script_url:
+                          type: string
+                        network_ready:
+                          type: boolean
+                        operating_system:
+                          properties:
+                            distro:
+                              type: string
+                            image_tag:
+                              type: string
+                            os_slug:
+                              type: string
+                            slug:
+                              type: string
+                            version:
+                              type: string
+                          type: object
+                        rescue:
+                          type: boolean
+                        ssh_keys:
+                          items:
+                            type: string
+                          type: array
+                        state:
+                          type: string
+                        storage:
+                          properties:
+                            disks:
+                              items:
+                                properties:
+                                  device:
+                                    type: string
+                                  partitions:
+                                    items:
+                                      properties:
+                                        label:
+                                          type: string
+                                        number:
+                                          format: int64
+                                          type: integer
+                                        size:
+                                          format: int64
+                                          type: integer
+                                        start:
+                                          format: int64
+                                          type: integer
+                                        type_guid:
+                                          type: string
+                                      type: object
+                                    type: array
+                                  wipe_table:
+                                    type: boolean
+                                type: object
+                              type: array
+                            filesystems:
+                              items:
+                                properties:
+                                  mount:
+                                    properties:
+                                      create:
+                                        properties:
+                                          force:
+                                            type: boolean
+                                          options:
+                                            items:
+                                              type: string
+                                            type: array
+                                        type: object
+                                      device:
+                                        type: string
+                                      files:
+                                        items:
+                                          properties:
+                                            contents:
+                                              type: string
+                                            gid:
+                                              format: int64
+                                              type: integer
+                                            mode:
+                                              format: int64
+                                              type: integer
+                                            path:
+                                              type: string
+                                            uid:
+                                              format: int64
+                                              type: integer
+                                          type: object
+                                        type: array
+                                      format:
+                                        type: string
+                                      point:
+                                        type: string
+                                    type: object
+                                type: object
+                              type: array
+                            raid:
+                              items:
+                                properties:
+                                  devices:
+                                    items:
+                                      type: string
+                                    type: array
+                                  level:
+                                    type: string
+                                  name:
+                                    type: string
+                                  spare:
+                                    format: int64
+                                    type: integer
+                                type: object
+                              type: array
+                          type: object
+                        tags:
+                          items:
+                            type: string
+                          type: array
+                        userdata:
+                          type: string
+                      type: object
+                    manufacturer:
+                      properties:
+                        id:
+                          type: string
+                        slug:
+                          type: string
+                      type: object
+                    state:
+                      type: string
+                  type: object
+                resources:
+                  additionalProperties:
+                    anyOf:
+                      - type: integer
+                      - type: string
+                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                    x-kubernetes-int-or-string: true
+                  description: |-
+                    Resources represents known resources that are available on a machine.
+                    Resources may be used for scheduling by orchestrators.
+                  type: object
+                tinkVersion:
+                  format: int64
+                  type: integer
+                userData:
+                  description: |-
+                    UserData is the user data to configure in the hardware's
+                    metadata
+                  type: string
+                vendorData:
+                  description: |-
+                    VendorData is the vendor data to configure in the hardware's
+                    metadata
+                  type: string
+              type: object
+            status:
+              description: HardwareStatus defines the observed state of Hardware.
+              properties:
+                state:
+                  description: HardwareState represents the hardware state.
+                  type: string
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

packages/system/tinkerbell/charts/smee/templates/_ports.tpl

@@ -0,0 +1,24 @@
+{{ define "smee.ports" }}
+- {{ .PortKey }}: {{ .http.port }}
+  name: {{ .http.name }}
+  protocol: TCP
+- {{ .PortKey }}: {{ .syslog.port }}
+  name: {{ .syslog.name }}
+  protocol: UDP
+- {{ .PortKey }}: {{ .dhcp.port }}
+  name: {{ .dhcp.name }}
+  protocol: UDP
+- {{ .PortKey }}: {{ .tftp.port }}
+  name: {{ .tftp.name }}
+  protocol: UDP
+{{- end }}
+
+{{- define "urlJoiner" }}
+{{- if .urlDict.port }}
+{{- $host := printf "%v:%v" .urlDict.host .urlDict.port }}
+{{- $newDict := set .urlDict "host" $host }}
+{{- print (urlJoin $newDict) }}
+{{- else }}
+{{- print (urlJoin .urlDict) }}
+{{- end }}
+{{- end }}

packages/system/tinkerbell/charts/smee/templates/_scheduling.tpl

@@ -0,0 +1,12 @@
+{{- define "singleNodeClusterConfig" }}
+- effect: NoSchedule
+  key: node-role.kubernetes.io/control-plane
+{{- end }}
+
+{{- define "preferWorkerNodes" }}
+- weight: {{ .nodeAffinityWeight }}
+  preference:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+{{- end }}