Introduce tinkerbell essentials

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.22.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.23.1"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.22.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.23.1"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:973dc89e1fe1c9beb109d74a48297426ed5d340b43d0102b8e16f63dc2eb4016
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:538ee308f16c9e627ed16ee7c4aaa65919c2e6c4c2778f964a06e4797610d1cd

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:3a94fe11523b1411eab33bd72b26d6df42dda83086249ba72ad6f2aa1b209c1e
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:7716c88947d13dc90ccfcc3e60bfdd6e6fa9b201339a75e9c84bf825c76e2b1f

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:98d0493327d92e05f8893d864d312b79b1441b34e2a02f845470509e15c5dab9
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:be5e0eef92dada3ace5cddda5c68b30c9fe4682774c5e6e938ed31efba11ebbf

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.6.6
+version: 1.6.7

packages/apps/tenant/templates/kubeconfig.yaml

@@ -4,9 +4,13 @@
 
 {{- if $k8sClientSecret }}
 {{- $apiServerEndpoint := index $cozyConfig.data "api-server-endpoint" }}
+{{- $managementKubeconfigEndpoint := default "" (get $cozyConfig.data "management-kubeconfig-endpoint") }}
+{{- if and $managementKubeconfigEndpoint (ne $managementKubeconfigEndpoint "") }}
+{{- $apiServerEndpoint = $managementKubeconfigEndpoint }}
+{{- end }}
 {{- $k8sClient := index $k8sClientSecret.data "client-secret-key" | b64dec }}
 {{- $rootSaConfigMap := lookup "v1" "ConfigMap" "kube-system" "kube-root-ca.crt" }}
-{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc  }}
+{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc }}
 ---
 apiVersion: v1
 kind: Secret

packages/apps/versions_map

@@ -99,18 +99,21 @@ tenant 1.6.2 ccedc5fe
 tenant 1.6.3 2057bb96
 tenant 1.6.4 3c9e50a4
 tenant 1.6.5 f1e11451
-tenant 1.6.6 HEAD
+tenant 1.6.6 d4634797
+tenant 1.6.7 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
 virtual-machine 0.3.0 b908400
 virtual-machine 0.4.0 4746d51
 virtual-machine 0.5.0 cad9cde
-virtual-machine 0.6.0 HEAD
+virtual-machine 0.6.0 0e728870
+virtual-machine 0.7.0 HEAD
 vm-disk 0.1.0 HEAD
 vm-instance 0.1.0 ced8e5b9
 vm-instance 0.2.0 4f767ee3
-vm-instance 0.3.0 HEAD
+vm-instance 0.3.0 0e728870
+vm-instance 0.4.0 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 a2bcf100

packages/apps/virtual-machine/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.1"
+appVersion: "0.7.0"

packages/apps/virtual-machine/templates/vm-update-hook.yaml

@@ -0,0 +1,118 @@
+{{- $vmName := include "virtual-machine.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+{{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
+{{- $existingPVC := lookup "v1" "PersistentVolumeClaim" $namespace $vmName -}}
+
+{{- $instanceType := .Values.instanceType | default "" -}}
+{{- $instanceProfile := .Values.instanceProfile | default "" -}}
+{{- $desiredStorage := .Values.systemDisk.storage | default "" -}}
+
+{{- $needUpdateType := false -}}
+{{- $needUpdateProfile := false -}}
+{{- $needResizePVC := false -}}
+
+{{- if and $existingVM $instanceType -}}
+  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
+    {{- $needUpdateType = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingVM $instanceProfile -}}
+  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
+    {{- $needUpdateProfile = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingPVC $desiredStorage -}}
+  {{- $currentStorage := $existingPVC.spec.resources.requests.storage | toString -}}
+  {{- if not (eq $currentStorage $desiredStorage) -}}
+    {{- $needResizePVC = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile $needResizePVC }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ $.Release.Name }}-update-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: "{{ $.Release.Name }}-update-hook"
+    spec:
+      serviceAccountName: {{ $.Release.Name }}-update-hook
+      restartPolicy: Never
+      containers:
+        - name: update-resources
+          image: bitnami/kubectl:latest
+          command: ["sh", "-exc"]
+          args:
+            - |
+              {{- if $needUpdateType }}
+              echo "Patching VirtualMachine for instancetype update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name": "{{ $instanceType }}", "revisionName": null}}}'
+              {{- end }}
+              
+              {{- if $needUpdateProfile }}
+              echo "Patching VirtualMachine for preference update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
+              {{- end }}
+
+              {{- if $needResizePVC }}
+              echo "Patching PVC for storage resize..."
+              kubectl patch pvc {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"resources":{"requests":{"storage":"{{ $desiredStorage }}"}}}}'
+              {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["patch", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}-update-hook
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-update-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-instance/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.2.0"
+appVersion: "0.4.0"

packages/apps/vm-instance/templates/vm-update-hook.yaml

@@ -0,0 +1,98 @@
+{{- $vmName := include "virtual-machine.fullname" . -}}
+{{- $namespace := .Release.Namespace -}}
+
+{{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
+
+{{- $instanceType := .Values.instanceType | default "" -}}
+{{- $instanceProfile := .Values.instanceProfile | default "" -}}
+
+{{- $needUpdateType := false -}}
+{{- $needUpdateProfile := false -}}
+
+{{- if and $existingVM $instanceType -}}
+  {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
+    {{- $needUpdateType = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and $existingVM $instanceProfile -}}
+  {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
+    {{- $needUpdateProfile = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ $.Release.Name }}-update-hook"
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      labels:
+        app: "{{ $.Release.Name }}-update-hook"
+    spec:
+      serviceAccountName: {{ $.Release.Name }}-update-hook
+      restartPolicy: Never
+      containers:
+        - name: update-resources
+          image: bitnami/kubectl:latest
+          command: ["sh", "-exc"]
+          args:
+            - |
+              {{- if $needUpdateType }}
+              echo "Patching VirtualMachine for instancetype update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name": "{{ $instanceType }}", "revisionName": null}}}'
+              {{- end }}
+              
+              {{- if $needUpdateProfile }}
+              echo "Patching VirtualMachine for preference update..."
+              kubectl patch virtualmachine {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
+              {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+rules:
+  - apiGroups: ["kubevirt.io"]
+    resources: ["virtualmachines"]
+    verbs: ["patch", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-update-hook
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Release.Name }}-update-hook
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-update-hook
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/apps/vm-instance/templates/vm.yaml

@@ -17,15 +17,12 @@ spec:
   instancetype:
     kind: VirtualMachineClusterInstancetype
     name: {{ . }}
-    revisionName: null
-  {{- end }}
+    {{- end }}
   {{- with .Values.instanceProfile }}
   preference:
     kind: VirtualMachineClusterPreference
     name: {{ . }}
-    revisionName: null
-  {{- end }}
-
+    {{- end }}
   template:
     metadata:
       annotations:

packages/core/builder/values.yaml

@@ -1,3 +1,3 @@
 talos:
   imager:
-    image: ghcr.io/kvaps/talos/imager:v1.9.1-1-gac655f2d3-dirty
+    image: ghcr.io/siderolabs/imager:v1.9.2

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,14 +3,14 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.9.1
+version: v1.9.2
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/kvaps/talos/installer:v1.9.1-1-gac655f2d3-dirty
+    imageRef: ghcr.io/siderolabs/installer:v1.9.2
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
     - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
     - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.22.0@sha256:12e02a0d700373f119e45ee79777636207811b49448f485ce66173e1bd5a11ee
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.23.1@sha256:dfa803a3e02ec9ea221029d361aa9d7aef0b5eb0a36d66c949b265d4ac4fc114

packages/core/platform/bundles/distro-full.yaml

@@ -199,3 +199,10 @@ releases:
   namespace: cozy-keycloak
   optional: true
   dependsOn: [keycloak]
+
+- name: tinkerbell
+  releaseName: tinkerbell
+  chart: cozy-tinkerbell
+  namespace: cozy-tinkerbell
+  optional: true
+  dependsOn: [cilium,kubeovn]

packages/core/platform/bundles/paas-full.yaml

@@ -281,6 +281,13 @@ releases:
   optional: true
   dependsOn: [cilium,kubeovn]
 
+- name: tinkerbell
+  releaseName: tinkerbell
+  chart: cozy-tinkerbell
+  namespace: cozy-tinkerbell
+  optional: true
+  dependsOn: [cilium,kubeovn]
+
 {{- if $oidcEnabled }}
 - name: keycloak
   releaseName: keycloak
@@ -299,4 +306,7 @@ releases:
   chart: cozy-keycloak-configure
   namespace: cozy-keycloak
   dependsOn: [keycloak-operator]
+  values:
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}

packages/core/platform/bundles/paas-hosted.yaml

@@ -195,4 +195,7 @@ releases:
   chart: cozy-keycloak-configure
   namespace: cozy-keycloak
   dependsOn: [keycloak-operator]
+  values:
+    cozystack:
+      configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.22.0@sha256:38229517c86e179984a6d39f5510b859d13d965e35b216bc01ce456f9ab5f8b5
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.23.1@sha256:0f4ffa7f23d6cdc633c0c4a0b852fde9710edbce96486fd9bd29c7d0d7710380

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.6.1
+version: 1.7.0

packages/extra/monitoring/README.md

@@ -4,13 +4,14 @@
 
 ### Common parameters
 
-| Name                            | Description                                                                                               | Value  |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------- | ------ |
-| `host`                          | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`   |
-| `metricsStorages`               | Configuration of metrics storage instances                                                                | `[]`   |
-| `logsStorages`                  | Configuration of logs storage instances                                                                   | `[]`   |
-| `alerta.storage`                | Persistent Volume size for alerta database                                                                | `10Gi` |
-| `alerta.storageClassName`       | StorageClass used to store the data                                                                       | `""`   |
-| `alerta.alerts.telegram.token`  | telegram token for your bot                                                                               | `""`   |
-| `alerta.alerts.telegram.chatID` | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `""`   |
-| `grafana.db.size`               | Persistent Volume size for grafana database                                                               | `10Gi` |
+| Name                                      | Description                                                                                               | Value  |
+| ----------------------------------------- | --------------------------------------------------------------------------------------------------------- | ------ |
+| `host`                                    | The hostname used to access the grafana externally (defaults to 'grafana' subdomain for the tenant host). | `""`   |
+| `metricsStorages`                         | Configuration of metrics storage instances                                                                | `[]`   |
+| `logsStorages`                            | Configuration of logs storage instances                                                                   | `[]`   |
+| `alerta.storage`                          | Persistent Volume size for alerta database                                                                | `10Gi` |
+| `alerta.storageClassName`                 | StorageClass used to store the data                                                                       | `""`   |
+| `alerta.alerts.telegram.token`            | telegram token for your bot                                                                               | `""`   |
+| `alerta.alerts.telegram.chatID`           | specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot                       | `""`   |
+| `alerta.alerts.telegram.disabledSeverity` | list of severity without alerts, separated comma like: "informational,warning"                            | `""`   |
+| `grafana.db.size`                         | Persistent Volume size for grafana database                                                               | `10Gi` |

packages/extra/monitoring/templates/alerta/alerta.yaml

@@ -116,6 +116,8 @@ spec:
               value: "{{ .Values.alerta.alerts.telegram.token }}"
             - name: TELEGRAM_WEBHOOK_URL
               value: "https://{{ printf "alerta.%s" (.Values.host | default $host) }}/api/webhooks/telegram?api-key={{ $apiKey }}"
+            - name: TELEGRAM_DISABLE_NOTIFICATION_SEVERITY
+              value: "{{ .Values.alerta.alerts.telegram.disabledSeverity }}"
             {{- end }}
 
           ports:

packages/extra/monitoring/templates/vm/vmcluster.yaml

@@ -10,26 +10,26 @@ spec:
   vminsert:
     replicaCount: 2
     resources:
-      {{- if empty .vminsert.resources }}
+      {{- if and (hasKey . "vminsert") (hasKey .vminsert "resources") }}
+      {{- toYaml .vminsert.resources | nindent 6 }}
+      {{- else }}
       limits:
         memory: 1000Mi
       requests:
         cpu: 100m
         memory: 500Mi
-      {{- else }}
-      {{- toYaml .vminsert.resources | nindent 6 }}
       {{- end }}
   vmselect:
     replicaCount: 2
     resources:
-      {{- if empty .vmselect.resources }}
+      {{- if and (hasKey . "vmselect") (hasKey .vmselect "resources") }}
+      {{- toYaml .vmselect.resources | nindent 6 }}
+      {{- else }}
       limits:
         memory: 1000Mi
       requests:
         cpu: 100m
         memory: 500Mi
-      {{- else }}
-      {{- toYaml .vmselect.resources | nindent 6 }}
       {{- end }}
     extraArgs:
       search.maxUniqueTimeseries: "600000"
@@ -48,14 +48,14 @@ spec:
   vmstorage:
     replicaCount: 2
     resources:
-      {{- if empty .vmstorage.resources }}
+      {{- if and (hasKey . "vmstorage") (hasKey .vmstorage "resources") }}
+      {{- toYaml .vmstorage.resources | nindent 6 }}
+      {{- else }}
       limits:
         memory: 2048Mi
       requests:
         cpu: 100m
         memory: 500Mi
-      {{- else }}
-      {{- toYaml .vmstorage.resources | nindent 6 }}
       {{- end }}
     storage:
       volumeClaimTemplate:

packages/extra/monitoring/values.schema.json

@@ -51,6 +51,11 @@
                   "type": "string",
                   "description": "specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot",
                   "default": ""
+                },
+                "disabledSeverity": {
+                  "type": "string",
+                  "description": "list of severity without alerts, separated comma like: \"informational,warning\"",
+                  "default": ""
                 }
               }
             }

packages/extra/monitoring/values.yaml

@@ -78,14 +78,17 @@ alerta:
   alerts:
     ## @param alerta.alerts.telegram.token telegram token for your bot
     ## @param alerta.alerts.telegram.chatID specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot
+    ## @param alerta.alerts.telegram.disabledSeverity list of severity without alerts, separated comma like: "informational,warning"
     ## example:
     ##   telegram:
     ##     token: "7262461387:AAGtwq16iwuVtWtzoN6TUEMpF00fpC9Xz34"
     ##     chatID: "-4520856007"
+    ##     disabledSeverity: "informational,warning"
     ##
     telegram:
       token: ""
       chatID: ""
+      disabledSeverity: ""
 
 ## Configuration for Grafana
 ## @param grafana.db.size Persistent Volume size for grafana database

packages/extra/versions_map

@@ -22,7 +22,8 @@ monitoring 1.5.2 898374b5
 monitoring 1.5.3 c1ca19dc
 monitoring 1.5.4 d4634797
 monitoring 1.6.0 cb7b8158
-monitoring 1.6.1 HEAD
+monitoring 1.6.1 3bb97596
+monitoring 1.7.0 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 9e33dc0
 seaweedfs 0.2.1 249bf35

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:9c8d38b1466d2333a1a916ddba4b3b644457361a4277bf4be132cb12f86e9281
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:35e9a8ba7e1a3b0cee634f6d2bd92d2b08c47c7ed3316559c9ea25ff733eb5d5

packages/system/cert-manager-crds/charts/cert-manager/Chart.yaml

@@ -6,7 +6,7 @@ annotations:
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v2
-appVersion: v1.16.1
+appVersion: v1.16.3
 description: A Helm chart for cert-manager
 home: https://cert-manager.io
 icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
@@ -23,4 +23,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.16.1
+version: v1.16.3

packages/system/cert-manager-crds/charts/cert-manager/README.md

@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou
 This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
 
 ```bash
-$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
+$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
 ```
 
 To install the chart with the release name `cert-manager`:
@@ -29,7 +29,7 @@ To install the chart with the release name `cert-manager`:
 $ helm repo add jetstack https://charts.jetstack.io --force-update
 
 ## Install the cert-manager helm chart
-$ helm install cert-manager --namespace cert-manager --version v1.16.1 jetstack/cert-manager
+$ helm install cert-manager --namespace cert-manager --version v1.16.3 jetstack/cert-manager
 ```
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer
@@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als
 delete the previously installed CustomResourceDefinition resources:
 
 ```console
-$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
+$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
 ```
 
 ## Configuration
@@ -79,8 +79,8 @@ $ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/downlo
 > []
 > ```
 
-Reference to one or more secrets to be used when pulling images. For more information, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
-
+Reference to one or more secrets to be used when pulling images. For more information, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).  
+  
 For example:
 
 ```yaml
@@ -93,9 +93,9 @@ imagePullSecrets:
 > {}
 > ```
 
-Labels to apply to all resources.
-Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress. For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress).
-For example, secretTemplate in CertificateSpec
+Labels to apply to all resources.  
+Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress. For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress).  
+For example, secretTemplate in CertificateSpec  
 For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec).
 #### **global.revisionHistoryLimit** ~ `number`
 
@@ -128,8 +128,8 @@ Aggregate ClusterRoles to Kubernetes default user-facing roles. For more informa
 > false
 > ```
 
-Create PodSecurityPolicy for cert-manager.
-
+Create PodSecurityPolicy for cert-manager.  
+  
 Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25.
 #### **global.podSecurityPolicy.useAppArmor** ~ `bool`
 > Default value:
@@ -184,7 +184,7 @@ This option decides if the CRDs should be installed as part of the Helm installa
 > true
 > ```
 
-This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources
+This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources  
 (Certificates, Issuers, ...) will be removed too by the garbage collector.
 ### Controller
 
@@ -194,12 +194,12 @@ This option makes it so that the "helm.sh/resource-policy": keep annotation is a
 > 1
 > ```
 
-The number of replicas of the cert-manager controller to run.
-
-The default is 1, but in production set this to 2 or 3 to provide high availability.
-
-If `replicas > 1`, consider setting `podDisruptionBudget.enabled=true`.
-
+The number of replicas of the cert-manager controller to run.  
+  
+The default is 1, but in production set this to 2 or 3 to provide high availability.  
+  
+If `replicas > 1`, consider setting `podDisruptionBudget.enabled=true`.  
+  
 Note that cert-manager uses leader election to ensure that there can only be a single instance active at a time.
 #### **strategy** ~ `object`
 > Default value:
@@ -207,8 +207,8 @@ Note that cert-manager uses leader election to ensure that there can only be a s
 > {}
 > ```
 
-Deployment update strategy for the cert-manager controller deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
-
+Deployment update strategy for the cert-manager controller deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).  
+  
 For example:
 
 ```yaml
@@ -224,13 +224,13 @@ strategy:
 > false
 > ```
 
-Enable or disable the PodDisruptionBudget resource.
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Enable or disable the PodDisruptionBudget resource.  
+  
+This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager  
 Pod is currently running.
 #### **podDisruptionBudget.minAvailable** ~ `unknown`
 
-This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
 It cannot be used if `maxUnavailable` is set.
 
 
@@ -311,7 +311,7 @@ Override the "cert-manager.name" value, which is used to annotate some of the re
 Specifies whether a service account should be created.
 #### **serviceAccount.name** ~ `string`
 
-The name of the service account to use.
+The name of the service account to use.  
 If not set and create is true, a name is generated using the fullname template.
 
 #### **serviceAccount.annotations** ~ `object`
@@ -346,10 +346,10 @@ When this flag is enabled, secrets will be automatically removed when the certif
 > {}
 > ```
 
-This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.
-
-If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.
-
+This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.  
+  
+If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.  
+  
 For example:
 
 ```yaml
@@ -412,7 +412,7 @@ Option to disable cert-manager's build-in auto-approver. The auto-approver appro
 > - clusterissuers.cert-manager.io/*
 > ```
 
-List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable 'disableAutoApproval'.
+List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable 'disableAutoApproval'.  
 ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
 
 #### **extraArgs** ~ `array`
@@ -421,10 +421,10 @@ ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
 > []
 > ```
 
-Additional command line flags to pass to cert-manager controller binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.
-
-Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver.
-
+Additional command line flags to pass to cert-manager controller binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.  
+  
+Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver.  
+  
 For example:
 
 ```yaml
@@ -437,7 +437,7 @@ extraArgs:
 > []
 > ```
 
-Additional environment variables to pass to cert-manager controller binary.
+Additional environment variables to pass to cert-manager controller binary.  
 For example:
 
 ```yaml
@@ -451,8 +451,8 @@ extraEnv:
 > {}
 > ```
 
-Resources to provide to the cert-manager controller pod.
-
+Resources to provide to the cert-manager controller pod.  
+  
 For example:
 
 ```yaml
@@ -470,7 +470,7 @@ For more information, see [Resource Management for Pods and Containers](https://
 >   type: RuntimeDefault
 > ```
 
-Pod Security Context.
+Pod Security Context.  
 For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
 
 #### **containerSecurityContext** ~ `object`
@@ -532,7 +532,7 @@ Optionally set the IP families for the controller Service that should be support
 
 #### **podDnsPolicy** ~ `string`
 
-Pod DNS policy.
+Pod DNS policy.  
 For more information, see [Pod's DNS Policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).
 
 #### **podDnsConfig** ~ `object`
@@ -552,8 +552,8 @@ Optional hostAliases for cert-manager-controller pods. May be useful when perfor
 > kubernetes.io/os: linux
 > ```
 
-The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
-
+The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).  
+  
 This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 
 #### **ingressShim.defaultIssuerName** ~ `string`
@@ -586,8 +586,8 @@ Configures the NO_PROXY environment variable where a HTTP proxy is required, but
 > {}
 > ```
 
-A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
-
+A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).  
+  
 For example:
 
 ```yaml
@@ -607,8 +607,8 @@ affinity:
 > []
 > ```
 
-A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
-
+A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).  
+  
 For example:
 
 ```yaml
@@ -624,8 +624,8 @@ tolerations:
 > []
 > ```
 
-A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
-
+A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core  
+  
 For example:
 
 ```yaml
@@ -649,9 +649,9 @@ topologySpreadConstraints:
 > timeoutSeconds: 15
 > ```
 
-LivenessProbe settings for the controller container of the controller Pod.
-
-This is enabled by default, in order to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. For more information see the following on the
+LivenessProbe settings for the controller container of the controller Pod.  
+  
+This is enabled by default, in order to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. For more information see the following on the  
 [Kubernetes GitHub repository](https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245)
 
 #### **enableServiceLinks** ~ `bool`
@@ -669,8 +669,8 @@ enableServiceLinks indicates whether information about services should be inject
 > true
 > ```
 
-Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a
-ServiceMonitor resource.
+Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a  
+ServiceMonitor resource.  
 Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
 #### **prometheus.servicemonitor.enabled** ~ `bool`
 > Default value:
@@ -745,8 +745,8 @@ Keep labels from scraped data, overriding server-side labels.
 > {}
 > ```
 
-EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
-
+EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.  
+  
 For example:
 
 ```yaml
@@ -826,8 +826,8 @@ Keep labels from scraped data, overriding server-side labels.
 > {}
 > ```
 
-EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
-
+EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.  
+  
 For example:
 
 ```yaml
@@ -858,10 +858,10 @@ endpointAdditionalProperties:
 > 1
 > ```
 
-Number of replicas of the cert-manager webhook to run.
-
-The default is 1, but in production set this to 2 or 3 to provide high availability.
-
+Number of replicas of the cert-manager webhook to run.  
+  
+The default is 1, but in production set this to 2 or 3 to provide high availability.  
+  
 If `replicas > 1`, consider setting `webhook.podDisruptionBudget.enabled=true`.
 #### **webhook.timeoutSeconds** ~ `number`
 > Default value:
@@ -869,9 +869,9 @@ If `replicas > 1`, consider setting `webhook.podDisruptionBudget.enabled=true`.
 > 30
 > ```
 
-The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. The value must be between 1 and 30 seconds. For more information, see
-[Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/).
-
+The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. The value must be between 1 and 30 seconds. For more information, see  
+[Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/).  
+  
 The default is set to the maximum value of 30 seconds as users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. By setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user.
 #### **webhook.config** ~ `object`
 > Default value:
@@ -879,10 +879,10 @@ The default is set to the maximum value of 30 seconds as users sometimes report
 > {}
 > ```
 
-This is used to configure options for the webhook pod. This allows setting options that would usually be provided using flags.
-
-If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `webhook.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.
-
+This is used to configure options for the webhook pod. This allows setting options that would usually be provided using flags.  
+  
+If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `webhook.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.  
+  
 For example:
 
 ```yaml
@@ -911,8 +911,8 @@ metricsTLSConfig:
 > {}
 > ```
 
-The update strategy for the cert-manager webhook deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy)
-
+The update strategy for the cert-manager webhook deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy)  
+  
 For example:
 
 ```yaml
@@ -950,19 +950,19 @@ Container Security Context to be set on the webhook component container. For mor
 > false
 > ```
 
-Enable or disable the PodDisruptionBudget resource.
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Enable or disable the PodDisruptionBudget resource.  
+  
+This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager  
 Pod is currently running.
 #### **webhook.podDisruptionBudget.minAvailable** ~ `unknown`
 
-This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
 It cannot be used if `maxUnavailable` is set.
 
 
 #### **webhook.podDisruptionBudget.maxUnavailable** ~ `unknown`
 
-This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
 It cannot be used if `minAvailable` is set.
 
 
@@ -1019,7 +1019,7 @@ Additional command line flags to pass to cert-manager webhook binary. To see all
 > []
 > ```
 
-Additional environment variables to pass to cert-manager webhook binary.
+Additional environment variables to pass to cert-manager webhook binary.  
 For example:
 
 ```yaml
@@ -1040,8 +1040,8 @@ Comma separated list of feature gates that should be enabled on the webhook pod.
 > {}
 > ```
 
-Resources to provide to the cert-manager webhook pod.
-
+Resources to provide to the cert-manager webhook pod.  
+  
 For example:
 
 ```yaml
@@ -1061,7 +1061,7 @@ For more information, see [Resource Management for Pods and Containers](https://
 > timeoutSeconds: 1
 > ```
 
-Liveness probe values.
+Liveness probe values.  
 For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
 
 #### **webhook.readinessProbe** ~ `object`
@@ -1074,7 +1074,7 @@ For more information, see [Container probes](https://kubernetes.io/docs/concepts
 > timeoutSeconds: 1
 > ```
 
-Readiness probe values.
+Readiness probe values.  
 For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
 
 #### **webhook.nodeSelector** ~ `object`
@@ -1083,8 +1083,8 @@ For more information, see [Container probes](https://kubernetes.io/docs/concepts
 > kubernetes.io/os: linux
 > ```
 
-The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
-
+The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).  
+  
 This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 
 #### **webhook.affinity** ~ `object`
@@ -1093,8 +1093,8 @@ This default ensures that Pods are only scheduled to Linux nodes. It prevents Po
 > {}
 > ```
 
-A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
-
+A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1114,8 +1114,8 @@ affinity:
 > []
 > ```
 
-A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
-
+A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1131,8 +1131,8 @@ tolerations:
 > []
 > ```
 
-A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
-
+A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1209,7 +1209,7 @@ Kubernetes imagePullPolicy on Deployment.
 Specifies whether a service account should be created.
 #### **webhook.serviceAccount.name** ~ `string`
 
-The name of the service account to use.
+The name of the service account to use.  
 If not set and create is true, a name is generated using the fullname template.
 
 #### **webhook.serviceAccount.annotations** ~ `object`
@@ -1244,10 +1244,10 @@ The port that the webhook listens on for requests. In GKE private clusters, by d
 > false
 > ```
 
-Specifies if the webhook should be started in hostNetwork mode.
-
-Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working
-
+Specifies if the webhook should be started in hostNetwork mode.  
+  
+Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working  
+  
 Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode.
 #### **webhook.serviceType** ~ `string`
 > Default value:
@@ -1341,12 +1341,12 @@ Create the CA Injector deployment
 > 1
 > ```
 
-The number of replicas of the cert-manager cainjector to run.
-
-The default is 1, but in production set this to 2 or 3 to provide high availability.
-
-If `replicas > 1`, consider setting `cainjector.podDisruptionBudget.enabled=true`.
-
+The number of replicas of the cert-manager cainjector to run.  
+  
+The default is 1, but in production set this to 2 or 3 to provide high availability.  
+  
+If `replicas > 1`, consider setting `cainjector.podDisruptionBudget.enabled=true`.  
+  
 Note that cert-manager uses leader election to ensure that there can only be a single instance active at a time.
 #### **cainjector.config** ~ `object`
 > Default value:
@@ -1354,10 +1354,10 @@ Note that cert-manager uses leader election to ensure that there can only be a s
 > {}
 > ```
 
-This is used to configure options for the cainjector pod. It allows setting options that are usually provided via flags.
-
-If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `cainjector.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.
-
+This is used to configure options for the cainjector pod. It allows setting options that are usually provided via flags.  
+  
+If `apiVersion` and `kind` are unspecified they default to the current latest version (currently `cainjector.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.  
+  
 For example:
 
 ```yaml
@@ -1383,8 +1383,8 @@ metricsTLSConfig:
 > {}
 > ```
 
-Deployment update strategy for the cert-manager cainjector deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
-
+Deployment update strategy for the cert-manager cainjector deployment. For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).  
+  
 For example:
 
 ```yaml
@@ -1422,21 +1422,21 @@ Container Security Context to be set on the cainjector component container. For
 > false
 > ```
 
-Enable or disable the PodDisruptionBudget resource.
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Enable or disable the PodDisruptionBudget resource.  
+  
+This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager  
 Pod is currently running.
 #### **cainjector.podDisruptionBudget.minAvailable** ~ `unknown`
 
-`minAvailable` configures the minimum available pods for disruptions. It can either be set to
-an integer (e.g. 1) or a percentage value (e.g. 25%).
+`minAvailable` configures the minimum available pods for disruptions. It can either be set to  
+an integer (e.g. 1) or a percentage value (e.g. 25%).  
 Cannot be used if `maxUnavailable` is set.
 
 
 #### **cainjector.podDisruptionBudget.maxUnavailable** ~ `unknown`
 
-`maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to
-an integer (e.g. 1) or a percentage value (e.g. 25%).
+`maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to  
+an integer (e.g. 1) or a percentage value (e.g. 25%).  
 Cannot be used if `minAvailable` is set.
 
 
@@ -1465,7 +1465,7 @@ Additional command line flags to pass to cert-manager cainjector binary. To see
 > []
 > ```
 
-Additional environment variables to pass to cert-manager cainjector binary.
+Additional environment variables to pass to cert-manager cainjector binary.  
 For example:
 
 ```yaml
@@ -1486,8 +1486,8 @@ Comma separated list of feature gates that should be enabled on the cainjector p
 > {}
 > ```
 
-Resources to provide to the cert-manager cainjector pod.
-
+Resources to provide to the cert-manager cainjector pod.  
+  
 For example:
 
 ```yaml
@@ -1503,8 +1503,8 @@ For more information, see [Resource Management for Pods and Containers](https://
 > kubernetes.io/os: linux
 > ```
 
-The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
-
+The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).  
+  
 This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 
 #### **cainjector.affinity** ~ `object`
@@ -1513,8 +1513,8 @@ This default ensures that Pods are only scheduled to Linux nodes. It prevents Po
 > {}
 > ```
 
-A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
-
+A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1534,8 +1534,8 @@ affinity:
 > []
 > ```
 
-A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
-
+A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1551,8 +1551,8 @@ tolerations:
 > []
 > ```
 
-A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
-
+A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1615,7 +1615,7 @@ Kubernetes imagePullPolicy on Deployment.
 Specifies whether a service account should be created.
 #### **cainjector.serviceAccount.name** ~ `string`
 
-The name of the service account to use.
+The name of the service account to use.  
 If not set and create is true, a name is generated using the fullname template
 
 #### **cainjector.serviceAccount.annotations** ~ `object`
@@ -1754,8 +1754,8 @@ Optional additional annotations to add to the startupapicheck Pods.
 > - -v
 > ```
 
-Additional command line flags to pass to startupapicheck binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-startupapicheck:<version> --help`.
-
+Additional command line flags to pass to startupapicheck binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-startupapicheck:<version> --help`.  
+  
 Verbose logging is enabled by default so that if startupapicheck fails, you can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example.
 
 #### **startupapicheck.extraEnv** ~ `array`
@@ -1764,7 +1764,7 @@ Verbose logging is enabled by default so that if startupapicheck fails, you can
 > []
 > ```
 
-Additional environment variables to pass to cert-manager startupapicheck binary.
+Additional environment variables to pass to cert-manager startupapicheck binary.  
 For example:
 
 ```yaml
@@ -1778,8 +1778,8 @@ extraEnv:
 > {}
 > ```
 
-Resources to provide to the cert-manager controller pod.
-
+Resources to provide to the cert-manager controller pod.  
+  
 For example:
 
 ```yaml
@@ -1795,8 +1795,8 @@ For more information, see [Resource Management for Pods and Containers](https://
 > kubernetes.io/os: linux
 > ```
 
-The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
-
+The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).  
+  
 This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 
 #### **startupapicheck.affinity** ~ `object`
@@ -1805,7 +1805,7 @@ This default ensures that Pods are only scheduled to Linux nodes. It prevents Po
 > {}
 > ```
 
-A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
+A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).  
 For example:
 
 ```yaml
@@ -1825,8 +1825,8 @@ affinity:
 > []
 > ```
 
-A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
-
+A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).  
+  
 For example:
 
 ```yaml
@@ -1893,7 +1893,7 @@ Automounting API credentials for a particular pod.
 Specifies whether a service account should be created.
 #### **startupapicheck.serviceAccount.name** ~ `string`
 
-The name of the service account to use.
+The name of the service account to use.  
 If not set and create is true, a name is generated using the fullname template.
 
 #### **startupapicheck.serviceAccount.annotations** ~ `object`
@@ -1945,8 +1945,8 @@ enableServiceLinks indicates whether information about services should be inject
 > []
 > ```
 
-Create dynamic manifests via values.
-
+Create dynamic manifests via values.  
+  
 For example:
 
 ```yaml

packages/system/cert-manager/charts/cert-manager/Chart.yaml

@@ -1,13 +1,15 @@
 annotations:
+  artifacthub.io/category: security
+  artifacthub.io/license: Apache-2.0
   artifacthub.io/prerelease: "false"
   artifacthub.io/signKey: |
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
-apiVersion: v1
-appVersion: v1.12.3
+apiVersion: v2
+appVersion: v1.16.3
 description: A Helm chart for cert-manager
-home: https://github.com/cert-manager/cert-manager
-icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png
+home: https://cert-manager.io
+icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
 keywords:
 - cert-manager
 - kube-lego
@@ -21,4 +23,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.12.3
+version: v1.16.3

packages/system/cert-manager/charts/cert-manager/templates/NOTES.txt

@@ -1,3 +1,6 @@
+{{- if .Values.installCRDs }}
+⚠️  WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
+{{- end }}
 cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer

packages/system/cert-manager/charts/cert-manager/templates/_helpers.tpl

@@ -152,7 +152,7 @@ Labels that should be added on each resource
 */}}
 {{- define "labels" -}}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- if eq (default "helm" .Values.creator) "helm" }}
+{{- if eq .Values.creator "helm" }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "chartName" . }}
 {{- end -}}
@@ -172,3 +172,31 @@ https://github.com/helm/helm/issues/5358
 {{- define "cert-manager.namespace" -}}
     {{ .Values.namespace | default .Release.Namespace }}
 {{- end -}}
+
+{{/*
+Util function for generating the image URL based on the provided options.
+IMPORTANT: This function is standardized across all charts in the cert-manager GH organization.
+Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
+See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
+*/}}
+{{- define "image" -}}
+{{- $defaultTag := index . 1 -}}
+{{- with index . 0 -}}
+{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
+{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Check that the user has not set both .installCRDs and .crds.enabled or
+set .installCRDs and disabled .crds.keep.
+.installCRDs is deprecated and users should use .crds.enabled and .crds.keep instead.
+*/}}
+{{- define "cert-manager.crd-check" -}}
+  {{- if and (.Values.installCRDs) (.Values.crds.enabled) }}
+    {{- fail "ERROR: the deprecated .installCRDs option cannot be enabled at the same time as its replacement .crds.enabled" }}
+  {{- end }}
+  {{- if and (.Values.installCRDs) (not .Values.crds.keep) }}
+    {{- fail "ERROR: .crds.keep is not compatible with .installCRDs, please use .crds.enabled and .crds.keep instead" }}
+  {{- end }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-config.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.cainjector.config -}}
+{{- $config := .Values.cainjector.config -}}
+{{- $_ := set $config "apiVersion" (default "cainjector.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
+{{- $_ := set $config "kind" (default "CAInjectorConfiguration" $config.kind) -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cainjector.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- $config | toYaml | nindent 4 }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml

@@ -16,6 +16,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.cainjector.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "cainjector.name" . }}
@@ -40,11 +44,20 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
+      {{- if not .Values.cainjector.podAnnotations }}
+      annotations:
+      {{- end }}
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+      {{- end }}
     spec:
       serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
       {{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -54,14 +67,16 @@ spec:
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-cainjector
-          {{- with .Values.cainjector.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
+          image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
+          {{- if .Values.cainjector.config }}
+          - --config=/var/cert-manager/config/config.yaml
+          {{- end }}
           {{- with .Values.global.leaderElection }}
           - --leader-election-namespace={{ .namespace }}
           {{- if .leaseDuration }}
@@ -74,14 +89,29 @@ spec:
           - --leader-election-retry-period={{ .retryPeriod }}
           {{- end }}
           {{- end }}
+          {{- with .Values.cainjector.featureGates}}
+          - --feature-gates={{ . }}
+          {{- end}}
           {{- with .Values.cainjector.extraArgs }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
+          {{- if not .Values.prometheus.enabled }}
+          - --metrics-listen-address=0
+          {{- end }}
+          {{- if .Values.prometheus.enabled }}
+          ports:
+          - containerPort: 9402
+            name: http-metrics
+            protocol: TCP
+          {{- end }}
           env:
           - name: POD_NAMESPACE
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          {{- with .Values.cainjector.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           {{- with .Values.cainjector.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
@@ -90,9 +120,15 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cainjector.volumeMounts }}
+          {{- if or .Values.cainjector.config .Values.cainjector.volumeMounts }}
           volumeMounts:
+            {{- if .Values.cainjector.config }}
+            - name: config
+              mountPath: /var/cert-manager/config
+            {{- end }}
+            {{- with .Values.cainjector.volumeMounts }}
             {{- toYaml . | nindent 12 }}
+            {{- end }}
           {{- end }}
       {{- with .Values.cainjector.nodeSelector }}
       nodeSelector:
@@ -110,8 +146,15 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.cainjector.volumes }}
+      {{- if or .Values.cainjector.volumes .Values.cainjector.config }}
       volumes:
+        {{- if .Values.cainjector.config }}
+        - name: config
+          configMap:
+            name: {{ include "cainjector.fullname" . }}
+        {{- end }}
+        {{ with .Values.cainjector.volumes }}
         {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "cainjector"
 
-  {{- with .Values.cainjector.podDisruptionBudget.minAvailable }}
-  minAvailable: {{ . }}
+  {{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.cainjector.podDisruptionBudget.maxUnavailable }}
-  maxUnavailable: {{ . }}
+  {{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
+  minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-rbac.yaml

@@ -101,3 +101,56 @@ subjects:
     namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}
 {{- end }}
+{{- $certmanagerNamespace := include "cert-manager.namespace" . }}
+{{- if (.Values.cainjector.config.metricsTLSConfig).dynamic }}
+{{- if $certmanagerNamespace | eq .Values.cainjector.config.metricsTLSConfig.dynamic.secretNamespace }}
+
+---
+
+# Metrics server dynamic TLS serving certificate rules
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "cainjector.fullname" . }}:dynamic-serving
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames:
+    # Allow cainjector to read and update the metrics CA Secret when dynamic TLS is
+    # enabled for the metrics server and if the Secret is configured to be in the
+    # same namespace as cert-manager.
+    - {{ .Values.cainjector.config.metricsTLSConfig.dynamic.secretName | quote }}
+    verbs: ["get", "list", "watch", "update"]
+  # It's not possible to grant CREATE permission on a single resourceName.
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cainjector.fullname" . }}:dynamic-serving
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "cainjector.fullname" . }}:dynamic-serving
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "cainjector.serviceAccountName" . }}
+    namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+{{- end }}

packages/system/cert-manager/charts/cert-manager/templates/cainjector-service.yaml

@@ -0,0 +1,30 @@
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "cainjector.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+{{- with .Values.cainjector.serviceAnnotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ include "cainjector.name" . }}
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+    {{- include "labels" . | nindent 4 }}
+    {{- with .Values.cainjector.serviceLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: ClusterIP
+  ports:
+  - protocol: TCP
+    port: 9402
+    name: http-metrics
+  selector:
+    app.kubernetes.io/name: {{ include "cainjector.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "cainjector"
+{{- end }}

packages/system/cert-manager/charts/cert-manager/templates/controller-config.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.config -}}
+{{- $config := .Values.config -}}
+{{- $_ := set $config "apiVersion" (default "controller.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
+{{- $_ := set $config "kind" (default "ControllerConfiguration" $config.kind) -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cert-manager.fullname" . }}
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- $config | toYaml | nindent 4 }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml

@@ -15,6 +15,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ template "cert-manager.name" . }}
@@ -39,7 +43,7 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
       {{- if not .Values.podAnnotations }}
       annotations:
       {{- end }}
@@ -52,6 +56,7 @@ spec:
       {{- if hasKey .Values "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -59,20 +64,30 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.volumes }}
+      {{- if or .Values.volumes .Values.config}}
       volumes:
+        {{- if .Values.config }}
+        - name: config 
+          configMap: 
+            name: {{ include "cert-manager.fullname" . }}
+        {{- end }}
+        {{ with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-controller
-          {{- with .Values.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
+          image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
+          {{- if .Values.config }}
+          - --config=/var/cert-manager/config/config.yaml
+          {{- end }}
+          {{- $config := default .Values.config "" }}
           {{- if .Values.clusterResourceNamespace }}
           - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }}
           {{- else }}
@@ -122,6 +137,9 @@ spec:
           {{- with .Values.dns01RecursiveNameservers }}
           - --dns01-recursive-nameservers={{ . }}
           {{- end }}
+          {{- if .Values.disableAutoApproval }}
+          - --controllers=-certificaterequests-approver
+          {{- end }}
           ports:
           - containerPort: 9402
             name: http-metrics
@@ -133,9 +151,15 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.volumeMounts }}
+          {{- if or .Values.config .Values.volumeMounts }}
           volumeMounts:
+            {{- if .Values.config }}
+            - name: config 
+              mountPath: /var/cert-manager/config
+            {{- end }}
+            {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
+            {{- end }}
           {{- end }}
           env:
           - name: POD_NAMESPACE
@@ -202,3 +226,6 @@ spec:
       dnsConfig:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.hostAliases }}
+      hostAliases: {{ toYaml . | nindent 8 }}
+      {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/extras-objects.yaml

@@ -0,0 +1,4 @@
+{{ range .Values.extraObjects }}
+---
+{{ tpl . $ }}
+{{ end }}

packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-egress.yaml

@@ -11,13 +11,9 @@ spec:
     {{- end }}
   podSelector:
     matchLabels:
-      app: {{ include "webhook.name" . }}
       app.kubernetes.io/name: {{ include "webhook.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "webhook"
-      {{- with .Values.webhook.podLabels }}
-      {{- toYaml . | nindent 6 }}
-      {{- end }}
   policyTypes:
   - Egress
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-webhooks.yaml

@@ -12,13 +12,9 @@ spec:
     {{- end }}
   podSelector:
     matchLabels:
-        app: {{ include "webhook.name" . }}
-        app.kubernetes.io/name: {{ include "webhook.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-        app.kubernetes.io/component: "webhook"
-        {{- with .Values.webhook.podLabels }}
-        {{- toYaml . | nindent 6 }}
-        {{- end }}
+      app.kubernetes.io/name: {{ include "webhook.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: "webhook"
   policyTypes:
   - Ingress
 

packages/system/cert-manager/charts/cert-manager/templates/poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "controller"
 
-  {{- with .Values.podDisruptionBudget.minAvailable }}
-  minAvailable: {{ . }}
+  {{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.podDisruptionBudget.maxUnavailable }}
-  maxUnavailable: {{ . }}
+  {{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/podmonitor.yaml

@@ -0,0 +1,63 @@
+{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
+{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
+{{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ template "cert-manager.fullname" . }}
+{{- if .Values.prometheus.podmonitor.namespace }}
+  namespace: {{ .Values.prometheus.podmonitor.namespace }}
+{{- else }}
+  namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+    prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }}
+    {{- with .Values.prometheus.podmonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- if .Values.prometheus.podmonitor.annotations }}
+  annotations:
+    {{- with .Values.prometheus.podmonitor.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}
+spec:
+  jobLabel: {{ template "cert-manager.fullname" . }}
+  selector:
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+        - {{ include "cainjector.name" . }}
+        - {{ template "cert-manager.name" . }}
+        - {{ include "webhook.name" . }}
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+        - {{ .Release.Name }}
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+        - cainjector
+        - controller
+        - webhook
+{{- if .Values.prometheus.podmonitor.namespace }}
+  namespaceSelector:
+    matchNames:
+      - {{ include "cert-manager.namespace" . }}
+{{- end }}
+  podMetricsEndpoints:
+    - port: http-metrics
+      path: {{ .Values.prometheus.podmonitor.path }}
+      interval: {{ .Values.prometheus.podmonitor.interval }}
+      scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
+      honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
+      {{- with .Values.prometheus.podmonitor.endpointAdditionalProperties }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

packages/system/cert-manager/charts/cert-manager/templates/rbac.yaml

@@ -39,13 +39,56 @@ roleRef:
   kind: Role
   name: {{ template "cert-manager.fullname" . }}:leaderelection
 subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
+  - kind: ServiceAccount
     name: {{ template "cert-manager.serviceAccountName" . }}
     namespace: {{ include "cert-manager.namespace" . }}
 
 ---
 
+{{- if .Values.serviceAccount.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["serviceaccounts/token"]
+    resourceNames: ["{{ template "cert-manager.serviceAccountName" . }}"]
+    verbs: ["create"]
+
+---
+
+# grant cert-manager permission to create tokens for the serviceaccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cert-manager.fullname" . }}-{{ template "cert-manager.serviceAccountName" .  }}-tokenrequest
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "cert-manager.serviceAccountName" . }}
+    namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+
+---
+
 # Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -398,6 +441,26 @@ subjects:
     namespace: {{ include "cert-manager.namespace" . }}
     kind: ServiceAccount
 
+{{- if .Values.global.rbac.aggregateClusterRoles }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-cluster-view
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["clusterissuers"]
+    verbs: ["get", "list", "watch"]
+
+{{- end }}
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
@@ -414,6 +477,7 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-view: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
     {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
@@ -453,6 +517,8 @@ rules:
 
 ---
 
+{{- if not .Values.disableAutoApproval -}}
+
 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -468,7 +534,12 @@ rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["signers"]
     verbs: ["approve"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+    {{- with .Values.approveSignerNames }}
+    resourceNames:
+    {{- range . }}
+    - {{ . | quote }}
+    {{- end  }}
+    {{- end }}
 
 ---
 
@@ -493,8 +564,10 @@ subjects:
 
 ---
 
+{{- end -}}
+
 # Permission to:
-# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
+# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

packages/system/cert-manager/charts/cert-manager/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.prometheus.enabled }}
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -19,6 +19,12 @@ metadata:
     {{- end }}
 spec:
   type: ClusterIP
+  {{- if .Values.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.serviceIPFamilies }}
+  ipFamilies: {{ .Values.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
   ports:
   - protocol: TCP
     port: 9402

packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml

@@ -20,6 +20,6 @@ metadata:
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
     {{- with .Values.serviceAccount.labels }}
-      {{ toYaml . | nindent 4 }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/servicemonitor.yaml

@@ -1,4 +1,6 @@
-{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
+{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }}
+{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }}
+{{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -27,10 +29,23 @@ metadata:
 spec:
   jobLabel: {{ template "cert-manager.fullname" . }}
   selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ template "cert-manager.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-      app.kubernetes.io/component: "controller"
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+        - {{ include "cainjector.name" . }}
+        - {{ template "cert-manager.name" . }}
+        - {{ include "webhook.name" . }}
+      - key: app.kubernetes.io/instance
+        operator: In
+        values:
+        - {{ .Release.Name }}
+      - key: app.kubernetes.io/component
+        operator: In
+        values:
+        - cainjector
+        - controller
+        - webhook
 {{- if .Values.prometheus.servicemonitor.namespace }}
   namespaceSelector:
     matchNames:
@@ -42,4 +57,7 @@ spec:
     interval: {{ .Values.prometheus.servicemonitor.interval }}
     scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
     honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
+    {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml

@@ -37,6 +37,7 @@ spec:
       {{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -46,9 +47,7 @@ spec:
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-startupapicheck
-          {{- with .Values.startupapicheck.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
+          image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }}
           args:
           - check
@@ -61,6 +60,14 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          {{- with .Values.startupapicheck.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           {{- with .Values.startupapicheck.resources }}
           resources:
             {{- toYaml . | nindent 12 }}

packages/system/cert-manager/charts/cert-manager/templates/startupapicheck-rbac.yaml

@@ -18,7 +18,7 @@ metadata:
   {{- end }}
 rules:
   - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
+    resources: ["certificaterequests"]
     verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1

packages/system/cert-manager/charts/cert-manager/templates/webhook-config.yaml

@@ -1,12 +1,7 @@
 {{- if .Values.webhook.config -}}
-  {{- if not .Values.webhook.config.apiVersion -}}
-    {{- fail "webhook.config.apiVersion must be set" -}}
-  {{- end -}}
-
-  {{- if not .Values.webhook.config.kind -}}
-    {{- fail "webhook.config.kind must be set" -}}
-  {{- end -}}
-{{- end -}}
+{{- $config := .Values.webhook.config -}}
+{{- $_ := set $config "apiVersion" (default "webhook.config.cert-manager.io/v1alpha1" $config.apiVersion) -}}
+{{- $_ := set $config "kind" (default "WebhookConfiguration" $config.kind) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -19,7 +14,6 @@ metadata:
     app.kubernetes.io/component: "webhook"
     {{- include "labels" . | nindent 4 }}
 data:
-  {{- if .Values.webhook.config }}
   config.yaml: |
-    {{ .Values.webhook.config | toYaml | nindent 4 }}
-  {{- end }}
+    {{- $config | toYaml | nindent 4 }}
+{{- end -}}

packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml

@@ -15,6 +15,10 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.webhook.replicaCount }}
+  {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+  {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "webhook.name" . }}
@@ -39,11 +43,20 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if and .Values.prometheus.enabled (not (or .Values.prometheus.servicemonitor.enabled .Values.prometheus.podmonitor.enabled)) }}
+      {{- if not .Values.webhook.podAnnotations }}
+      annotations:
+      {{- end }}
+        prometheus.io/path: "/metrics"
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '9402'
+      {{- end }}
     spec:
       serviceAccountName: {{ template "webhook.serviceAccountName" . }}
       {{- if hasKey .Values.webhook "automountServiceAccountToken" }}
       automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
       {{- end }}
+      enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
       {{- with .Values.global.priorityClassName }}
       priorityClassName: {{ . | quote }}
       {{- end }}
@@ -54,14 +67,16 @@ spec:
       {{- if .Values.webhook.hostNetwork }}
       hostNetwork: true
       {{- end }}
+      {{- if .Values.webhook.hostNetwork }}
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}-webhook
-          {{- with .Values.webhook.image }}
-          image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
-          {{- end }}
+          image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
           args:
-          {{- if .Values.global.logLevel }}
+          {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+          {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
           - --v={{ .Values.global.logLevel }}
           {{- end }}
           {{- if .Values.webhook.config }}
@@ -71,8 +86,8 @@ spec:
           {{ if not $config.securePort -}}
           - --secure-port={{ .Values.webhook.securePort }}
           {{- end }}
-          {{- if .Values.featureGates }}
-          - --feature-gates={{ .Values.featureGates }}
+          {{- if .Values.webhook.featureGates }}
+          - --feature-gates={{ .Values.webhook.featureGates }}
           {{- end }}
           {{- $tlsConfig := default $config.tlsConfig "" }}
           {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
@@ -88,6 +103,9 @@ spec:
           {{- with .Values.webhook.extraArgs }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
+          {{- if not .Values.prometheus.enabled }}
+          - --metrics-listen-address=0
+          {{- end }}
           ports:
           - name: https
             protocol: TCP
@@ -105,6 +123,11 @@ spec:
             {{- else }}
             containerPort: 6080
             {{- end }}
+          {{- if .Values.prometheus.enabled }}
+          - containerPort: 9402
+            name: http-metrics
+            protocol: TCP
+          {{- end }}
           livenessProbe:
             httpGet:
               path: /livez
@@ -142,6 +165,9 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          {{- with .Values.webhook.extraEnv }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           {{- with .Values.webhook.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
@@ -152,8 +178,8 @@ spec:
             - name: config
               mountPath: /var/cert-manager/config
             {{- end }}
-            {{- if .Values.webhook.volumeMounts }}
-            {{- toYaml .Values.webhook.volumeMounts | nindent 12 }}
+            {{- with .Values.webhook.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
             {{- end }}
           {{- end }}
       {{- with .Values.webhook.nodeSelector }}
@@ -179,7 +205,7 @@ spec:
           configMap:
             name: {{ include "webhook.fullname" . }}
         {{- end }}
-        {{- if .Values.webhook.volumes }}
-        {{- toYaml .Values.webhook.volumes | nindent 8 }}
+        {{- with .Values.webhook.volumes }}
+        {{- toYaml . | nindent 8 }}
         {{- end }}
       {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-mutating-webhook.yaml

@@ -15,17 +15,19 @@ metadata:
     {{- end }}
 webhooks:
   - name: webhook.cert-manager.io
+    {{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }}
+    namespaceSelector:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
     rules:
       - apiGroups:
           - "cert-manager.io"
-          - "acme.cert-manager.io"
         apiVersions:
           - "v1"
         operations:
           - CREATE
-          - UPDATE
         resources:
-          - "*/*"
+          - "certificaterequests"
     admissionReviewVersions: ["v1"]
     # This webhook only accepts v1 cert-manager resources.
     # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
@@ -43,4 +45,4 @@ webhooks:
         name: {{ template "webhook.fullname" . }}
         namespace: {{ include "cert-manager.namespace" . }}
         path: /mutate
-      {{- end }}
+      {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml

@@ -17,10 +17,13 @@ spec:
       app.kubernetes.io/instance: {{ .Release.Name }}
       app.kubernetes.io/component: "webhook"
 
-  {{- with .Values.webhook.podDisruptionBudget.minAvailable }}
-  minAvailable: {{ . }}
+  {{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
   {{- end }}
-  {{- with .Values.webhook.podDisruptionBudget.maxUnavailable }}
-  maxUnavailable: {{ . }}
+  {{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
+  minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
   {{- end }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-rbac.yaml

@@ -15,6 +15,15 @@ rules:
   resources: ["secrets"]
   resourceNames:
   - '{{ template "webhook.fullname" . }}-ca'
+  {{- $certmanagerNamespace := include "cert-manager.namespace" . }}
+  {{- with (.Values.webhook.config.metricsTLSConfig).dynamic }}
+  {{- if $certmanagerNamespace | eq .secretNamespace }}
+  # Allow webhook to read and update the metrics CA Secret when dynamic TLS is
+  # enabled for the metrics server and if the Secret is configured to be in the
+  # same namespace as cert-manager.
+  - {{ .secretName | quote }}
+  {{- end }}
+  {{- end }}
   verbs: ["get", "list", "watch", "update"]
 # It's not possible to grant CREATE permission on a single resourceName.
 - apiGroups: [""]
@@ -38,8 +47,7 @@ roleRef:
   kind: Role
   name: {{ template "webhook.fullname" . }}:dynamic-serving
 subjects:
-- apiGroup: ""
-  kind: ServiceAccount
+- kind: ServiceAccount
   name: {{ template "webhook.serviceAccountName" . }}
   namespace: {{ include "cert-manager.namespace" . }}
 
@@ -76,8 +84,7 @@ roleRef:
   kind: ClusterRole
   name: {{ template "webhook.fullname" . }}:subjectaccessreviews
 subjects:
-- apiGroup: ""
-  kind: ServiceAccount
+- kind: ServiceAccount
   name: {{ template "webhook.serviceAccountName" . }}
   namespace: {{ include "cert-manager.namespace" . }}
 {{- end }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-service.yaml

@@ -18,6 +18,12 @@ metadata:
     {{- end }}
 spec:
   type: {{ .Values.webhook.serviceType }}
+  {{- if .Values.webhook.serviceIPFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.webhook.serviceIPFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.webhook.serviceIPFamilies }}
+  ipFamilies: {{ .Values.webhook.serviceIPFamilies | toYaml | nindent 2 }}
+  {{- end }}
   {{- with .Values.webhook.loadBalancerIP }}
   loadBalancerIP: {{ . }}
   {{- end }}
@@ -26,6 +32,12 @@ spec:
     port: 443
     protocol: TCP
     targetPort: "https"
+{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
+  - name: metrics
+    port: 9402
+    protocol: TCP
+    targetPort: "http-metrics"
+{{- end }}
   selector:
     app.kubernetes.io/name: {{ include "webhook.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}

packages/system/cert-manager/charts/cert-manager/templates/webhook-validating-webhook.yaml

@@ -15,16 +15,10 @@ metadata:
     {{- end }}
 webhooks:
   - name: webhook.cert-manager.io
+    {{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }}
     namespaceSelector:
-      matchExpressions:
-      - key: "cert-manager.io/disable-validation"
-        operator: "NotIn"
-        values:
-        - "true"
-      - key: "name"
-        operator: "NotIn"
-        values:
-        - {{ include "cert-manager.namespace" . }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
     rules:
       - apiGroups:
           - "cert-manager.io"

packages/system/cozystack-api/values.yaml

@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.22.0@sha256:14c53970dec8a90e320675f8b35a098279cabd08fbd1fbddbe7a67e24a0811d5
+  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.23.1@sha256:b25faba99a8b98c1d3576b47986266c4f391c1998d89b599e9139f43727c5b4c

packages/system/cozystack-controller/values.yaml

@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.22.0@sha256:c5075188357f574a605fd89262e2e89633b42e6245575d5436e16ef57f3b914f
+  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.23.1@sha256:ca7801e33fbd38e01b3abe9645956bb235ba7b0f2381bd622d18d4dc5e280020
   debug: false
   disableTelemetry: false
-  cozystackVersion: "v0.22.0"
+  cozystackVersion: "v0.23.1"

packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml

@@ -76,7 +76,7 @@ data:
       "kubeappsNamespace": {{ .Release.Namespace | quote }},
       "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
       "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.22.0",
+      "appVersion": "v0.23.1",
       "authProxyEnabled": {{ .Values.authProxy.enabled }},
       "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
       "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},

packages/system/dashboard/images/dashboard/Dockerfile

@@ -1,7 +1,7 @@
 FROM bitnami/node:20.15.1 AS build
 WORKDIR /app
 
-ARG COMMIT_REF=215c323b0754c8f7328819df9a253e0e507eccb4
+ARG COMMIT_REF=dd02680d796c962b8dcc4e5ea70960a846c1acdc
 RUN wget -O- https://github.com/aenix-io/kubeapps/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=2 kubeapps-${COMMIT_REF}/dashboard
 
 RUN yarn install --frozen-lockfile

packages/system/dashboard/images/kubeapps-apis/Dockerfile

@@ -4,7 +4,7 @@
 # syntax = docker/dockerfile:1
 
 FROM alpine as source
-ARG COMMIT_REF=215c323b0754c8f7328819df9a253e0e507eccb4
+ARG COMMIT_REF=dd02680d796c962b8dcc4e5ea70960a846c1acdc
 RUN apk add --no-cache patch
 WORKDIR /source
 RUN wget -O- https://github.com/aenix-io/kubeapps/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1

packages/system/dashboard/values.yaml

@@ -40,14 +40,14 @@ kubeapps:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.22.0
-      digest: "sha256:b4c5b9a59e95b562c350a03bb1b639e906b3eb9a51fe48de9553c86318b0e270"
+      tag: v0.23.1
+      digest: "sha256:81e7b625c667bce5fc339eb97c8e115eafb82f66df4501550b3677ac53f6e234"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.22.0
-      digest: "sha256:91128543e22c612a0ddc07fa193bf1dc315cb4ebc15302dfa6eb9daff779f3ea"
+      tag: v0.23.1
+      digest: "sha256:d3767354cf6c785447f30e87bb2017ec45843edfc02635f526d2ecacc82f5d26"
     pluginConfig:
       flux:
         packages:

packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml

@@ -8,7 +8,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.12.0
+appVersion: v0.13.0
 description: 'A Helm chart for deploying the Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.12.0
+version: 0.13.0

packages/system/fluxcd-operator/charts/flux-operator/README.md

@@ -1,6 +1,6 @@
 # flux-operator
 
-![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.0](https://img.shields.io/badge/AppVersion-v0.12.0-informational?style=flat-square)
+![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.0](https://img.shields.io/badge/AppVersion-v0.13.0-informational?style=flat-square)
 
 The [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator) provides a
 declarative API for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the

packages/system/fluxcd/charts/flux-instance/Chart.yaml

@@ -8,7 +8,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.12.0
+appVersion: v0.13.0
 description: 'A Helm chart for deploying a Flux instance managed by Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.12.0
+version: 0.13.0

packages/system/fluxcd/charts/flux-instance/README.md

@@ -1,6 +1,6 @@
 # flux-instance
 
-![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.0](https://img.shields.io/badge/AppVersion-v0.12.0-informational?style=flat-square)
+![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.0](https://img.shields.io/badge/AppVersion-v0.13.0-informational?style=flat-square)
 
 This chart is a thin wrapper around the `FluxInstance` custom resource, which is
 used by the [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator)
@@ -38,12 +38,13 @@ helm -n flux-system uninstall flux
 | commonLabels | object | `{}` | Common labels to add to all deployed objects including pods. |
 | fullnameOverride | string | `"flux"` |  |
 | instance.cluster | object | `{"domain":"cluster.local","multitenant":false,"networkPolicy":true,"tenantDefaultServiceAccount":"default","type":"kubernetes"}` | Cluster https://fluxcd.control-plane.io/operator/fluxinstance/#cluster-configuration |
+| instance.commonMetadata | object | `{"annotations":{},"labels":{}}` | Common metadata https://fluxcd.control-plane.io/operator/fluxinstance/#common-metadata |
 | instance.components | list | `["source-controller","kustomize-controller","helm-controller","notification-controller"]` | Components https://fluxcd.control-plane.io/operator/fluxinstance/#components-configuration |
 | instance.distribution | object | `{"artifact":"oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest","imagePullSecret":"","registry":"ghcr.io/fluxcd","version":"2.x"}` | Distribution https://fluxcd.control-plane.io/operator/fluxinstance/#distribution-configuration |
 | instance.kustomize.patches | list | `[]` | Kustomize patches https://fluxcd.control-plane.io/operator/fluxinstance/#kustomize-patches |
 | instance.sharding | object | `{"key":"sharding.fluxcd.io/key","shards":[]}` | Sharding https://fluxcd.control-plane.io/operator/fluxinstance/#sharding-configuration |
 | instance.storage | object | `{"class":"","size":""}` | Storage https://fluxcd.control-plane.io/operator/fluxinstance/#storage-configuration |
-| instance.sync | object | `{"kind":"GitRepository","path":"","pullSecret":"","ref":"","url":""}` | Sync https://fluxcd.control-plane.io/operator/fluxinstance/#sync-configuration |
+| instance.sync | object | `{"kind":"GitRepository","name":"","path":"","pullSecret":"","ref":"","url":""}` | Sync https://fluxcd.control-plane.io/operator/fluxinstance/#sync-configuration |
 | nameOverride | string | `""` |  |
 
 ## Source Code

packages/system/fluxcd/charts/flux-instance/templates/instance.yaml

@@ -22,6 +22,17 @@ spec:
     {{- end }}
   components: {{ .Values.instance.components | toYaml | nindent 4 }}
   cluster: {{ .Values.instance.cluster | toYaml | nindent 4 }}
+  {{- if or .Values.instance.commonMetadata.annotations  .Values.instance.commonMetadata.labels }}
+  commonMetadata:
+    {{- with .Values.instance.commonMetadata.annotations }}
+    annotations:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.instance.commonMetadata.labels }}
+    labels:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- end }}
   kustomize: {{ .Values.instance.kustomize | toYaml | nindent 4 }}
   {{- if .Values.instance.sync.url }}
   sync:
@@ -29,6 +40,9 @@ spec:
     url: {{ .Values.instance.sync.url }}
     ref: {{ .Values.instance.sync.ref }}
     path: {{ .Values.instance.sync.path }}
+    {{- if .Values.instance.sync.name }}
+    name: {{ .Values.instance.sync.name }}
+    {{- end }}
     {{- if .Values.instance.sync.pullSecret }}
     pullSecret: {{ .Values.instance.sync.pullSecret }}
     {{- end }}

packages/system/fluxcd/charts/flux-instance/values.schema.json

@@ -41,6 +41,19 @@
                     },
                     "type": "object"
                 },
+                "commonMetadata": {
+                    "properties": {
+                        "annotations": {
+                            "properties": {},
+                            "type": "object"
+                        },
+                        "labels": {
+                            "properties": {},
+                            "type": "object"
+                        }
+                    },
+                    "type": "object"
+                },
                 "components": {
                     "items": {
                         "enum": [
@@ -123,6 +136,9 @@
                             ],
                             "type": "string"
                         },
+                        "name": {
+                            "type": "string"
+                        },
                         "path": {
                             "type": "string"
                         },

packages/system/fluxcd/charts/flux-instance/values.yaml

@@ -23,6 +23,10 @@ instance:
     networkPolicy: true
     multitenant: false
     tenantDefaultServiceAccount: "default"
+  # -- Common metadata https://fluxcd.control-plane.io/operator/fluxinstance/#common-metadata
+  commonMetadata: # @schema required: false
+    labels: { }
+    annotations: { }
   # -- Storage https://fluxcd.control-plane.io/operator/fluxinstance/#storage-configuration
   storage: # @schema required: false
     class: ""
@@ -38,6 +42,7 @@ instance:
     ref: ""
     path: ""
     pullSecret: ""
+    name: ""
   kustomize: # @schema required: false
     # -- Kustomize patches https://fluxcd.control-plane.io/operator/fluxinstance/#kustomize-patches
     patches: [] # @schema item: object

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.22.0@sha256:63b45c237ac26851236fb4d1d724067b8b8f614bb5fd0f523a3811cf50c570ef
+    tag: v0.23.1@sha256:87166056685e4dab9de030ad9389ce58f0d96e7f6c191674fe93483fbe99490f
     repository: ghcr.io/aenix-io/cozystack/kamaji
   resources:
     limits:

packages/system/kubeovn/values.yaml

@@ -22,4 +22,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.13.2@sha256:9ed2b3ec3f93832a1871a327f97eeedebf57dc01a98d52471312c4c47c265241
+      tag: v1.13.2@sha256:ee658a003cd77a1f7b9df1d108255a8b5a69e67dd59fa6a6161c869b00207d4f

packages/system/tinkerbell/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-tinkerbell
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/tinkerbell/Makefile

@@ -0,0 +1,16 @@
+export NAME=tinkerbell
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	mkdir -p charts
+	cd charts && \
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/tinkerbell/charts  | awk -F'[/^]' 'END{print $$3}') && \
+	curl -sSL https://github.com/tinkerbell/charts/archive/refs/tags/$${tag}.tar.gz | \
+	tar xzvf - --strip 2 charts-$${tag#*v}/tinkerbell
+	find charts -maxdepth 1 -mindepth 1 ! -name tink -and ! -name smee -and ! -name rufio -exec rm -rf {} \;
+	mkdir -p charts/smee/crds
+	mv charts/tink/crds/hardware-crd.yaml charts/smee/crds
+	rm -rf charts/tink

packages/system/tinkerbell/charts/rufio/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: rufio
+description: Rufio handles BMC interactions for Tinkerbell
+icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.4.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.6.1"

packages/system/tinkerbell/charts/rufio/crds/bmc.tinkerbell.org_jobs.yaml

@@ -0,0 +1,166 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: jobs.bmc.tinkerbell.org
+spec:
+  group: bmc.tinkerbell.org
+  names:
+    categories:
+    - tinkerbell
+    kind: Job
+    listKind: JobList
+    plural: jobs
+    shortNames:
+    - j
+    singular: job
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Job is the Schema for the bmcjobs API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: JobSpec defines the desired state of Job.
+            properties:
+              machineRef:
+                description: |-
+                  MachineRef represents the Machine resource to execute the job.
+                  All the tasks in the job are executed for the same Machine.
+                properties:
+                  name:
+                    description: Name of the Machine.
+                    type: string
+                  namespace:
+                    description: Namespace the Machine resides in.
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
+              tasks:
+                description: |-
+                  Tasks represents a list of baseboard management actions to be executed.
+                  The tasks are executed sequentially. Controller waits for one task to complete before executing the next.
+                  If a single task fails, job execution stops and sets condition Failed.
+                  Condition Completed is set only if all the tasks were successful.
+                items:
+                  description: |-
+                    Action represents the action to be performed.
+                    A single task can only perform one type of action.
+                    For example either PowerAction or OneTimeBootDeviceAction.
+                  maxProperties: 1
+                  properties:
+                    oneTimeBootDeviceAction:
+                      description: OneTimeBootDeviceAction represents a baseboard
+                        management one time set boot device operation.
+                      properties:
+                        device:
+                          description: |-
+                            Devices represents the boot devices, in order for setting one time boot.
+                            Currently only the first device in the slice is used to set one time boot.
+                          items:
+                            description: BootDevice represents boot device of the
+                              Machine.
+                            type: string
+                          type: array
+                        efiBoot:
+                          description: EFIBoot instructs the machine to use EFI boot.
+                          type: boolean
+                      required:
+                      - device
+                      type: object
+                    powerAction:
+                      description: PowerAction represents a baseboard management power
+                        operation.
+                      enum:
+                      - "on"
+                      - "off"
+                      - soft
+                      - status
+                      - cycle
+                      - reset
+                      type: string
+                    virtualMediaAction:
+                      description: VirtualMediaAction represents a baseboard management
+                        virtual media insert/eject.
+                      properties:
+                        kind:
+                          type: string
+                        mediaURL:
+                          description: |-
+                            mediaURL represents the URL of the image to be inserted into the virtual media, or empty to
+                            eject media.
+                          type: string
+                      required:
+                      - kind
+                      type: object
+                  type: object
+                minItems: 1
+                type: array
+            required:
+            - machineRef
+            - tasks
+            type: object
+          status:
+            description: JobStatus defines the observed state of Job.
+            properties:
+              completionTime:
+                description: |-
+                  CompletionTime represents time when the job was completed.
+                  The completion time is only set when the job finishes successfully.
+                format: date-time
+                type: string
+              conditions:
+                description: Conditions represents the latest available observations
+                  of an object's current state.
+                items:
+                  properties:
+                    message:
+                      description: Message represents human readable message indicating
+                        details about last transition.
+                      type: string
+                    status:
+                      description: |-
+                        Status is the status of the Job condition.
+                        Can be True or False.
+                      type: string
+                    type:
+                      description: Type of the Job condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              startTime:
+                description: StartTime represents time when the Job controller started
+                  processing a job.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

packages/system/tinkerbell/charts/rufio/crds/bmc.tinkerbell.org_machines.yaml

@@ -0,0 +1,294 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: machines.bmc.tinkerbell.org
+spec:
+  group: bmc.tinkerbell.org
+  names:
+    categories:
+    - tinkerbell
+    kind: Machine
+    listKind: MachineList
+    plural: machines
+    singular: machine
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Machine is the Schema for the machines API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MachineSpec defines desired machine state.
+            properties:
+              connection:
+                description: Connection contains connection data for a Baseboard Management
+                  Controller.
+                properties:
+                  authSecretRef:
+                    description: |-
+                      AuthSecretRef is the SecretReference that contains authentication information of the Machine.
+                      The Secret must contain username and password keys. This is optional as it is not required when using
+                      the RPC provider.
+                    properties:
+                      name:
+                        description: name is unique within a namespace to reference
+                          a secret resource.
+                        type: string
+                      namespace:
+                        description: namespace defines the space within which the
+                          secret name must be unique.
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  host:
+                    description: Host is the host IP address or hostname of the Machine.
+                    minLength: 1
+                    type: string
+                  insecureTLS:
+                    description: InsecureTLS specifies trusted TLS connections.
+                    type: boolean
+                  port:
+                    default: 623
+                    description: Port is the port number for connecting with the Machine.
+                    type: integer
+                  providerOptions:
+                    description: ProviderOptions contains provider specific options.
+                    properties:
+                      intelAMT:
+                        description: IntelAMT contains the options to customize the
+                          IntelAMT provider.
+                        properties:
+                          hostScheme:
+                            default: http
+                            description: HostScheme determines whether to use http
+                              or https for intelAMT calls.
+                            enum:
+                            - http
+                            - https
+                            type: string
+                          port:
+                            description: Port that intelAMT will use for calls.
+                            type: integer
+                        type: object
+                      ipmitool:
+                        description: IPMITOOL contains the options to customize the
+                          Ipmitool provider.
+                        properties:
+                          cipherSuite:
+                            description: CipherSuite that ipmitool will use for calls.
+                            type: string
+                          port:
+                            description: Port that ipmitool will use for calls.
+                            type: integer
+                        type: object
+                      preferredOrder:
+                        description: |-
+                          PreferredOrder allows customizing the order that BMC providers are called.
+                          Providers added to this list will be moved to the front of the default order.
+                          Provider names are case insensitive.
+                          The default order is: ipmitool, asrockrack, gofish, intelamt, dell, supermicro, openbmc.
+                        items:
+                          description: ProviderName is the bmclib specific provider
+                            name. Names are case insensitive.
+                          pattern: (?i)^(ipmitool|asrockrack|gofish|IntelAMT|dell|supermicro|openbmc)$
+                          type: string
+                        type: array
+                      redfish:
+                        description: Redfish contains the options to customize the
+                          Redfish provider.
+                        properties:
+                          port:
+                            description: Port that redfish will use for calls.
+                            type: integer
+                          systemName:
+                            description: |-
+                              SystemName is the name of the system to use for redfish calls.
+                              With redfish implementations that manage multiple systems via a single endpoint, this allows for specifying the system to manage.
+                            type: string
+                          useBasicAuth:
+                            description: UseBasicAuth for redfish calls. The default
+                              is false which means token based auth is used.
+                            type: boolean
+                        type: object
+                      rpc:
+                        description: RPC contains the options to customize the RPC
+                          provider.
+                        properties:
+                          consumerURL:
+                            description: |-
+                              ConsumerURL is the URL where an rpc consumer/listener is running
+                              and to which we will send and receive all notifications.
+                            type: string
+                          experimental:
+                            description: Experimental options.
+                            properties:
+                              customRequestPayload:
+                                description: CustomRequestPayload must be in json.
+                                type: string
+                              dotPath:
+                                description: 'DotPath is the path to the json object
+                                  where the bmclib RequestPayload{} struct will be
+                                  embedded. For example: object.data.body'
+                                type: string
+                            type: object
+                          hmac:
+                            description: HMAC is the options used to create a HMAC
+                              signature.
+                            properties:
+                              prefixSigDisabled:
+                                description: 'PrefixSigDisabled determines whether
+                                  the algorithm will be prefixed to the signature.
+                                  Example: sha256=abc123'
+                                type: boolean
+                              secrets:
+                                additionalProperties:
+                                  items:
+                                    description: |-
+                                      SecretReference represents a Secret Reference. It has enough information to retrieve secret
+                                      in any namespace
+                                    properties:
+                                      name:
+                                        description: name is unique within a namespace
+                                          to reference a secret resource.
+                                        type: string
+                                      namespace:
+                                        description: namespace defines the space within
+                                          which the secret name must be unique.
+                                        type: string
+                                    type: object
+                                    x-kubernetes-map-type: atomic
+                                  type: array
+                                description: Secrets are a map of algorithms to secrets
+                                  used for signing.
+                                type: object
+                            type: object
+                          logNotificationsDisabled:
+                            description: LogNotificationsDisabled determines whether
+                              responses from rpc consumer/listeners will be logged
+                              or not.
+                            type: boolean
+                          request:
+                            description: Request is the options used to create the
+                              rpc HTTP request.
+                            properties:
+                              httpContentType:
+                                description: HTTPContentType is the content type to
+                                  use for the rpc request notification.
+                                type: string
+                              httpMethod:
+                                description: HTTPMethod is the HTTP method to use
+                                  for the rpc request notification.
+                                type: string
+                              staticHeaders:
+                                additionalProperties:
+                                  items:
+                                    type: string
+                                  type: array
+                                description: StaticHeaders are predefined headers
+                                  that will be added to every request.
+                                type: object
+                              timestampFormat:
+                                description: TimestampFormat is the time format for
+                                  the timestamp header.
+                                type: string
+                              timestampHeader:
+                                description: 'TimestampHeader is the header name that
+                                  should contain the timestamp. Example: X-BMCLIB-Timestamp'
+                                type: string
+                            type: object
+                          signature:
+                            description: Signature is the options used for adding
+                              an HMAC signature to an HTTP request.
+                            properties:
+                              appendAlgoToHeaderDisabled:
+                                description: |-
+                                  AppendAlgoToHeaderDisabled decides whether to append the algorithm to the signature header or not.
+                                  Example: X-BMCLIB-Signature becomes X-BMCLIB-Signature-256
+                                  When set to true, a header will be added for each algorithm. Example: X-BMCLIB-Signature-256 and X-BMCLIB-Signature-512
+                                type: boolean
+                              headerName:
+                                description: 'HeaderName is the header name that should
+                                  contain the signature(s). Example: X-BMCLIB-Signature'
+                                type: string
+                              includedPayloadHeaders:
+                                description: |-
+                                  IncludedPayloadHeaders are headers whose values will be included in the signature payload. Example: X-BMCLIB-My-Custom-Header
+                                  All headers will be deduplicated.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        required:
+                        - consumerURL
+                        type: object
+                    type: object
+                required:
+                - host
+                - insecureTLS
+                type: object
+            required:
+            - connection
+            type: object
+          status:
+            description: MachineStatus defines the observed state of Machine.
+            properties:
+              conditions:
+                description: Conditions represents the latest available observations
+                  of an object's current state.
+                items:
+                  description: MachineCondition defines an observed condition of a
+                    Machine.
+                  properties:
+                    lastUpdateTime:
+                      description: LastUpdateTime of the condition.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human readable message indicating
+                        with details of the last transition.
+                      type: string
+                    status:
+                      description: Status of the condition.
+                      type: string
+                    type:
+                      description: Type of the Machine condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              powerState:
+                description: Power is the current power state of the Machine.
+                enum:
+                - "on"
+                - "off"
+                - unknown
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

packages/system/tinkerbell/charts/rufio/crds/bmc.tinkerbell.org_tasks.yaml

@@ -0,0 +1,342 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: tasks.bmc.tinkerbell.org
+spec:
+  group: bmc.tinkerbell.org
+  names:
+    categories:
+    - tinkerbell
+    kind: Task
+    listKind: TaskList
+    plural: tasks
+    shortNames:
+    - t
+    singular: task
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Task is the Schema for the Task API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TaskSpec defines the desired state of Task.
+            properties:
+              connection:
+                description: Connection represents the Machine connectivity information.
+                properties:
+                  authSecretRef:
+                    description: |-
+                      AuthSecretRef is the SecretReference that contains authentication information of the Machine.
+                      The Secret must contain username and password keys. This is optional as it is not required when using
+                      the RPC provider.
+                    properties:
+                      name:
+                        description: name is unique within a namespace to reference
+                          a secret resource.
+                        type: string
+                      namespace:
+                        description: namespace defines the space within which the
+                          secret name must be unique.
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  host:
+                    description: Host is the host IP address or hostname of the Machine.
+                    minLength: 1
+                    type: string
+                  insecureTLS:
+                    description: InsecureTLS specifies trusted TLS connections.
+                    type: boolean
+                  port:
+                    default: 623
+                    description: Port is the port number for connecting with the Machine.
+                    type: integer
+                  providerOptions:
+                    description: ProviderOptions contains provider specific options.
+                    properties:
+                      intelAMT:
+                        description: IntelAMT contains the options to customize the
+                          IntelAMT provider.
+                        properties:
+                          hostScheme:
+                            default: http
+                            description: HostScheme determines whether to use http
+                              or https for intelAMT calls.
+                            enum:
+                            - http
+                            - https
+                            type: string
+                          port:
+                            description: Port that intelAMT will use for calls.
+                            type: integer
+                        type: object
+                      ipmitool:
+                        description: IPMITOOL contains the options to customize the
+                          Ipmitool provider.
+                        properties:
+                          cipherSuite:
+                            description: CipherSuite that ipmitool will use for calls.
+                            type: string
+                          port:
+                            description: Port that ipmitool will use for calls.
+                            type: integer
+                        type: object
+                      preferredOrder:
+                        description: |-
+                          PreferredOrder allows customizing the order that BMC providers are called.
+                          Providers added to this list will be moved to the front of the default order.
+                          Provider names are case insensitive.
+                          The default order is: ipmitool, asrockrack, gofish, intelamt, dell, supermicro, openbmc.
+                        items:
+                          description: ProviderName is the bmclib specific provider
+                            name. Names are case insensitive.
+                          pattern: (?i)^(ipmitool|asrockrack|gofish|IntelAMT|dell|supermicro|openbmc)$
+                          type: string
+                        type: array
+                      redfish:
+                        description: Redfish contains the options to customize the
+                          Redfish provider.
+                        properties:
+                          port:
+                            description: Port that redfish will use for calls.
+                            type: integer
+                          systemName:
+                            description: |-
+                              SystemName is the name of the system to use for redfish calls.
+                              With redfish implementations that manage multiple systems via a single endpoint, this allows for specifying the system to manage.
+                            type: string
+                          useBasicAuth:
+                            description: UseBasicAuth for redfish calls. The default
+                              is false which means token based auth is used.
+                            type: boolean
+                        type: object
+                      rpc:
+                        description: RPC contains the options to customize the RPC
+                          provider.
+                        properties:
+                          consumerURL:
+                            description: |-
+                              ConsumerURL is the URL where an rpc consumer/listener is running
+                              and to which we will send and receive all notifications.
+                            type: string
+                          experimental:
+                            description: Experimental options.
+                            properties:
+                              customRequestPayload:
+                                description: CustomRequestPayload must be in json.
+                                type: string
+                              dotPath:
+                                description: 'DotPath is the path to the json object
+                                  where the bmclib RequestPayload{} struct will be
+                                  embedded. For example: object.data.body'
+                                type: string
+                            type: object
+                          hmac:
+                            description: HMAC is the options used to create a HMAC
+                              signature.
+                            properties:
+                              prefixSigDisabled:
+                                description: 'PrefixSigDisabled determines whether
+                                  the algorithm will be prefixed to the signature.
+                                  Example: sha256=abc123'
+                                type: boolean
+                              secrets:
+                                additionalProperties:
+                                  items:
+                                    description: |-
+                                      SecretReference represents a Secret Reference. It has enough information to retrieve secret
+                                      in any namespace
+                                    properties:
+                                      name:
+                                        description: name is unique within a namespace
+                                          to reference a secret resource.
+                                        type: string
+                                      namespace:
+                                        description: namespace defines the space within
+                                          which the secret name must be unique.
+                                        type: string
+                                    type: object
+                                    x-kubernetes-map-type: atomic
+                                  type: array
+                                description: Secrets are a map of algorithms to secrets
+                                  used for signing.
+                                type: object
+                            type: object
+                          logNotificationsDisabled:
+                            description: LogNotificationsDisabled determines whether
+                              responses from rpc consumer/listeners will be logged
+                              or not.
+                            type: boolean
+                          request:
+                            description: Request is the options used to create the
+                              rpc HTTP request.
+                            properties:
+                              httpContentType:
+                                description: HTTPContentType is the content type to
+                                  use for the rpc request notification.
+                                type: string
+                              httpMethod:
+                                description: HTTPMethod is the HTTP method to use
+                                  for the rpc request notification.
+                                type: string
+                              staticHeaders:
+                                additionalProperties:
+                                  items:
+                                    type: string
+                                  type: array
+                                description: StaticHeaders are predefined headers
+                                  that will be added to every request.
+                                type: object
+                              timestampFormat:
+                                description: TimestampFormat is the time format for
+                                  the timestamp header.
+                                type: string
+                              timestampHeader:
+                                description: 'TimestampHeader is the header name that
+                                  should contain the timestamp. Example: X-BMCLIB-Timestamp'
+                                type: string
+                            type: object
+                          signature:
+                            description: Signature is the options used for adding
+                              an HMAC signature to an HTTP request.
+                            properties:
+                              appendAlgoToHeaderDisabled:
+                                description: |-
+                                  AppendAlgoToHeaderDisabled decides whether to append the algorithm to the signature header or not.
+                                  Example: X-BMCLIB-Signature becomes X-BMCLIB-Signature-256
+                                  When set to true, a header will be added for each algorithm. Example: X-BMCLIB-Signature-256 and X-BMCLIB-Signature-512
+                                type: boolean
+                              headerName:
+                                description: 'HeaderName is the header name that should
+                                  contain the signature(s). Example: X-BMCLIB-Signature'
+                                type: string
+                              includedPayloadHeaders:
+                                description: |-
+                                  IncludedPayloadHeaders are headers whose values will be included in the signature payload. Example: X-BMCLIB-My-Custom-Header
+                                  All headers will be deduplicated.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        required:
+                        - consumerURL
+                        type: object
+                    type: object
+                required:
+                - host
+                - insecureTLS
+                type: object
+              task:
+                description: Task defines the specific action to be performed.
+                maxProperties: 1
+                properties:
+                  oneTimeBootDeviceAction:
+                    description: OneTimeBootDeviceAction represents a baseboard management
+                      one time set boot device operation.
+                    properties:
+                      device:
+                        description: |-
+                          Devices represents the boot devices, in order for setting one time boot.
+                          Currently only the first device in the slice is used to set one time boot.
+                        items:
+                          description: BootDevice represents boot device of the Machine.
+                          type: string
+                        type: array
+                      efiBoot:
+                        description: EFIBoot instructs the machine to use EFI boot.
+                        type: boolean
+                    required:
+                    - device
+                    type: object
+                  powerAction:
+                    description: PowerAction represents a baseboard management power
+                      operation.
+                    enum:
+                    - "on"
+                    - "off"
+                    - soft
+                    - status
+                    - cycle
+                    - reset
+                    type: string
+                  virtualMediaAction:
+                    description: VirtualMediaAction represents a baseboard management
+                      virtual media insert/eject.
+                    properties:
+                      kind:
+                        type: string
+                      mediaURL:
+                        description: |-
+                          mediaURL represents the URL of the image to be inserted into the virtual media, or empty to
+                          eject media.
+                        type: string
+                    required:
+                    - kind
+                    type: object
+                type: object
+            required:
+            - task
+            type: object
+          status:
+            description: TaskStatus defines the observed state of Task.
+            properties:
+              completionTime:
+                description: |-
+                  CompletionTime represents time when the task was completed.
+                  The completion time is only set when the task finishes successfully.
+                format: date-time
+                type: string
+              conditions:
+                description: Conditions represents the latest available observations
+                  of an object's current state.
+                items:
+                  properties:
+                    message:
+                      description: Message represents human readable message indicating
+                        details about last transition.
+                      type: string
+                    status:
+                      description: |-
+                        Status is the status of the Task condition.
+                        Can be True or False.
+                      type: string
+                    type:
+                      description: Type of the Task condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              startTime:
+                description: StartTime represents time when the Task started processing.
+                format: date-time
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

packages/system/tinkerbell/charts/rufio/templates/_scheduling.tpl

@@ -0,0 +1,12 @@
+{{- define "singleNodeClusterConfig" }}
+- effect: NoSchedule
+  key: node-role.kubernetes.io/control-plane
+{{- end }}
+
+{{- define "preferWorkerNodes" }}
+- weight: {{ .nodeAffinityWeight }}
+  preference:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/deployment.yaml

@@ -0,0 +1,87 @@
+{{- if .Values.deploy }}
+{{- $roleType := .Values.rbac.type }}
+{{- $nodeSelector := .Values.nodeSelector }}
+{{- if .Values.global }}
+{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
+{{- $nodeSelector = coalesce .Values.nodeSelector .Values.global.nodeSelector }}
+{{- end }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ .Values.name }}
+    control-plane: controller-manager
+  name: {{ .Values.name }}
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Values.name }}
+      control-plane: controller-manager
+      stack: tinkerbell
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+      labels:
+        app: {{ .Values.name }}
+        control-plane: controller-manager
+        stack: tinkerbell
+    spec:
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
+      securityContext:
+        runAsNonRoot: true
+      containers:
+      - name: manager
+        image: {{ .Values.image }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+        command:
+        - /manager
+        args:
+        - --leader-elect
+        {{- if eq $roleType "Role" }}
+        - -kube-namespace={{ .Release.Namespace }}
+        {{- end }}
+        {{- range .Values.additionalArgs }}
+        - {{ . }}
+        {{- end }}
+        securityContext:
+          allowPrivilegeEscalation: false
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: {{ .Values.resources.limits.cpu }}
+            memory: {{ .Values.resources.limits.memory }}
+          requests:
+            cpu: {{ .Values.resources.requests.cpu }}
+            memory: {{ .Values.resources.requests.memory }}
+      serviceAccountName: {{ .Values.serviceAccountName }}
+      terminationGracePeriodSeconds: 10
+      {{- with $nodeSelector }}
+      nodeSelector:
+      {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.singleNodeClusterConfig.controlPlaneTolerationsEnabled }}
+      tolerations:
+      {{- include "singleNodeClusterConfig" . | indent 6 }}
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          {{- include "preferWorkerNodes" (dict "nodeAffinityWeight" .Values.singleNodeClusterConfig.nodeAffinityWeight) | indent 10 }}
+      {{- end }}
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/leader-election-role-binding.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.deploy }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.rufioLeaderElectionRoleBindingName }}
+  namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.rufioLeaderElectionRoleName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccountName }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/leader-election-role.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.deploy }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.rufioLeaderElectionRoleName }}
+  namespace: {{ .Release.Namespace | quote }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/role-binding.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.deploy }}
+{{- $roleType := .Values.rbac.type }}
+{{- if .Values.global }}
+{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ printf "%sBinding" $roleType }}
+metadata:
+  name: {{ .Values.rbac.bindingName }}
+  {{- if eq $roleType "Role"  }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ $roleType }}
+  name: {{ .Values.rbac.name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccountName }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/role.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.deploy }}
+{{- $roleType := .Values.rbac.type }}
+{{- if .Values.global }}
+{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ $roleType }}
+metadata:
+  name: {{ .Values.rbac.name }}
+  {{- if eq $roleType "Role"  }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["bmc.tinkerbell.org"]
+  resources: ["jobs", "jobs/status", "machines", "machines/status", "tasks", "tasks/status"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+- apiGroups: ["bmc.tinkerbell.org"]
+  resources: ["jobs/finalizers", "machines/finalizers", "tasks/finalizers"]
+  verbs: ["update"]
+{{- end }}

packages/system/tinkerbell/charts/rufio/templates/service-account.yaml

@@ -0,0 +1,7 @@
+{{- if .Values.deploy }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccountName }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}

packages/system/tinkerbell/charts/rufio/values.schema.json

@@ -0,0 +1,21 @@
+{
+    "$schema": "http://json-schema.org/draft-04/schema#",
+    "type": "object",
+    "properties": {
+      "rbac": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "enum": ["Role", "ClusterRole"]
+          },
+          "name": {
+            "type": "string"
+          },
+          "bindingName": {
+            "type": "string"
+          }
+        }
+      }
+    }
+  }

packages/system/tinkerbell/charts/rufio/values.yaml

@@ -0,0 +1,26 @@
+deploy: true
+name: rufio
+image: quay.io/tinkerbell/rufio:v0.6.1
+imagePullPolicy: IfNotPresent
+resources:
+  requests:
+    cpu: 10m
+    memory: 64Mi
+  limits:
+    cpu: 500m
+    memory: 128Mi
+additionalArgs: []
+serviceAccountName: rufio-controller-manager
+rufioLeaderElectionRoleName: rufio-leader-election-role
+rufioLeaderElectionRoleBindingName: rufio-leader-election-rolebinding
+nodeSelector: {}
+hostNetwork: false
+# singleNodeClusterConfig to add tolerations for deployments on control plane nodes. This is defaulted to false.
+singleNodeClusterConfig:
+  controlPlaneTolerationsEnabled: false
+  nodeAffinityWeight: 1
+
+rbac:
+  type: Role # or ClusterRole
+  name: rufio-role # or rufio-cluster-role
+  bindingName: rufio-rolebinding # or rufio-cluster-rolebinding

packages/system/tinkerbell/charts/smee/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: smee
+description: Smee is the network boot service for Tinkerbell
+icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.6.2
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.15.1"

packages/system/tinkerbell/charts/smee/crds/hardware-crd.yaml

@@ -0,0 +1,388 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.3
+  name: hardware.tinkerbell.org
+spec:
+  group: tinkerbell.org
+  names:
+    categories:
+      - tinkerbell
+    kind: Hardware
+    listKind: HardwareList
+    plural: hardware
+    shortNames:
+      - hw
+    singular: hardware
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .status.state
+          name: State
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: Hardware is the Schema for the Hardware API.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: HardwareSpec defines the desired state of Hardware.
+              properties:
+                bmcRef:
+                  description: |-
+                    BMCRef contains a relation to a BMC state management type in the same
+                    namespace as the Hardware. This may be used for BMC management by
+                    orchestrators.
+                  properties:
+                    apiGroup:
+                      description: |-
+                        APIGroup is the group for the resource being referenced.
+                        If APIGroup is not specified, the specified Kind must be in the core API group.
+                        For any other third-party types, APIGroup is required.
+                      type: string
+                    kind:
+                      description: Kind is the type of resource being referenced
+                      type: string
+                    name:
+                      description: Name is the name of resource being referenced
+                      type: string
+                  required:
+                    - kind
+                    - name
+                  type: object
+                  x-kubernetes-map-type: atomic
+                disks:
+                  items:
+                    description: Disk represents a disk device for Tinkerbell Hardware.
+                    properties:
+                      device:
+                        type: string
+                    type: object
+                  type: array
+                interfaces:
+                  items:
+                    description: Interface represents a network interface configuration for Hardware.
+                    properties:
+                      dhcp:
+                        description: DHCP configuration.
+                        properties:
+                          arch:
+                            type: string
+                          hostname:
+                            type: string
+                          iface_name:
+                            type: string
+                          ip:
+                            description: IP configuration.
+                            properties:
+                              address:
+                                type: string
+                              family:
+                                format: int64
+                                type: integer
+                              gateway:
+                                type: string
+                              netmask:
+                                type: string
+                            type: object
+                          lease_time:
+                            format: int64
+                            type: integer
+                          mac:
+                            pattern: ([0-9a-f]{2}[:]){5}([0-9a-f]{2})
+                            type: string
+                          name_servers:
+                            items:
+                              type: string
+                            type: array
+                          time_servers:
+                            items:
+                              type: string
+                            type: array
+                          uefi:
+                            type: boolean
+                          vlan_id:
+                            description: validation pattern for VLANDID is a string number between 0-4096
+                            pattern: ^(([0-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))(,[1-9][0-9]{0,2}|[1-3][0-9][0-9][0-9]|40([0-8][0-9]|9[0-6]))*)$
+                            type: string
+                        type: object
+                      disableDhcp:
+                        default: false
+                        description: DisableDHCP disables DHCP for this interface.
+                        type: boolean
+                      netboot:
+                        description: Netboot configuration.
+                        properties:
+                          allowPXE:
+                            type: boolean
+                          allowWorkflow:
+                            type: boolean
+                          ipxe:
+                            description: IPXE configuration.
+                            properties:
+                              contents:
+                                type: string
+                              url:
+                                type: string
+                            type: object
+                          osie:
+                            description: OSIE configuration.
+                            properties:
+                              baseURL:
+                                type: string
+                              initrd:
+                                type: string
+                              kernel:
+                                type: string
+                            type: object
+                        type: object
+                    type: object
+                  type: array
+                metadata:
+                  properties:
+                    bonding_mode:
+                      format: int64
+                      type: integer
+                    custom:
+                      properties:
+                        preinstalled_operating_system_version:
+                          properties:
+                            distro:
+                              type: string
+                            image_tag:
+                              type: string
+                            os_slug:
+                              type: string
+                            slug:
+                              type: string
+                            version:
+                              type: string
+                          type: object
+                        private_subnets:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    facility:
+                      properties:
+                        facility_code:
+                          type: string
+                        plan_slug:
+                          type: string
+                        plan_version_slug:
+                          type: string
+                      type: object
+                    instance:
+                      properties:
+                        allow_pxe:
+                          type: boolean
+                        always_pxe:
+                          type: boolean
+                        crypted_root_password:
+                          type: string
+                        hostname:
+                          type: string
+                        id:
+                          type: string
+                        ips:
+                          items:
+                            properties:
+                              address:
+                                type: string
+                              family:
+                                format: int64
+                                type: integer
+                              gateway:
+                                type: string
+                              management:
+                                type: boolean
+                              netmask:
+                                type: string
+                              public:
+                                type: boolean
+                            type: object
+                          type: array
+                        ipxe_script_url:
+                          type: string
+                        network_ready:
+                          type: boolean
+                        operating_system:
+                          properties:
+                            distro:
+                              type: string
+                            image_tag:
+                              type: string
+                            os_slug:
+                              type: string
+                            slug:
+                              type: string
+                            version:
+                              type: string
+                          type: object
+                        rescue:
+                          type: boolean
+                        ssh_keys:
+                          items:
+                            type: string
+                          type: array
+                        state:
+                          type: string
+                        storage:
+                          properties:
+                            disks:
+                              items:
+                                properties:
+                                  device:
+                                    type: string
+                                  partitions:
+                                    items:
+                                      properties:
+                                        label:
+                                          type: string
+                                        number:
+                                          format: int64
+                                          type: integer
+                                        size:
+                                          format: int64
+                                          type: integer
+                                        start:
+                                          format: int64
+                                          type: integer
+                                        type_guid:
+                                          type: string
+                                      type: object
+                                    type: array
+                                  wipe_table:
+                                    type: boolean
+                                type: object
+                              type: array
+                            filesystems:
+                              items:
+                                properties:
+                                  mount:
+                                    properties:
+                                      create:
+                                        properties:
+                                          force:
+                                            type: boolean
+                                          options:
+                                            items:
+                                              type: string
+                                            type: array
+                                        type: object
+                                      device:
+                                        type: string
+                                      files:
+                                        items:
+                                          properties:
+                                            contents:
+                                              type: string
+                                            gid:
+                                              format: int64
+                                              type: integer
+                                            mode:
+                                              format: int64
+                                              type: integer
+                                            path:
+                                              type: string
+                                            uid:
+                                              format: int64
+                                              type: integer
+                                          type: object
+                                        type: array
+                                      format:
+                                        type: string
+                                      point:
+                                        type: string
+                                    type: object
+                                type: object
+                              type: array
+                            raid:
+                              items:
+                                properties:
+                                  devices:
+                                    items:
+                                      type: string
+                                    type: array
+                                  level:
+                                    type: string
+                                  name:
+                                    type: string
+                                  spare:
+                                    format: int64
+                                    type: integer
+                                type: object
+                              type: array
+                          type: object
+                        tags:
+                          items:
+                            type: string
+                          type: array
+                        userdata:
+                          type: string
+                      type: object
+                    manufacturer:
+                      properties:
+                        id:
+                          type: string
+                        slug:
+                          type: string
+                      type: object
+                    state:
+                      type: string
+                  type: object
+                resources:
+                  additionalProperties:
+                    anyOf:
+                      - type: integer
+                      - type: string
+                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                    x-kubernetes-int-or-string: true
+                  description: |-
+                    Resources represents known resources that are available on a machine.
+                    Resources may be used for scheduling by orchestrators.
+                  type: object
+                tinkVersion:
+                  format: int64
+                  type: integer
+                userData:
+                  description: |-
+                    UserData is the user data to configure in the hardware's
+                    metadata
+                  type: string
+                vendorData:
+                  description: |-
+                    VendorData is the vendor data to configure in the hardware's
+                    metadata
+                  type: string
+              type: object
+            status:
+              description: HardwareStatus defines the observed state of Hardware.
+              properties:
+                state:
+                  description: HardwareState represents the hardware state.
+                  type: string
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

packages/system/tinkerbell/charts/smee/templates/_ports.tpl

@@ -0,0 +1,24 @@
+{{ define "smee.ports" }}
+- {{ .PortKey }}: {{ .http.port }}
+  name: {{ .http.name }}
+  protocol: TCP
+- {{ .PortKey }}: {{ .syslog.port }}
+  name: {{ .syslog.name }}
+  protocol: UDP
+- {{ .PortKey }}: {{ .dhcp.port }}
+  name: {{ .dhcp.name }}
+  protocol: UDP
+- {{ .PortKey }}: {{ .tftp.port }}
+  name: {{ .tftp.name }}
+  protocol: UDP
+{{- end }}
+
+{{- define "urlJoiner" }}
+{{- if .urlDict.port }}
+{{- $host := printf "%v:%v" .urlDict.host .urlDict.port }}
+{{- $newDict := set .urlDict "host" $host }}
+{{- print (urlJoin $newDict) }}
+{{- else }}
+{{- print (urlJoin .urlDict) }}
+{{- end }}
+{{- end }}

packages/system/tinkerbell/charts/smee/templates/_scheduling.tpl

@@ -0,0 +1,12 @@
+{{- define "singleNodeClusterConfig" }}
+- effect: NoSchedule
+  key: node-role.kubernetes.io/control-plane
+{{- end }}
+
+{{- define "preferWorkerNodes" }}
+- weight: {{ .nodeAffinityWeight }}
+  preference:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+{{- end }}