Update installation manifests

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

hack/download-dashboards.sh

@@ -81,6 +81,7 @@ modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//main/capacity-p
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//flux/flux-control-plane.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//flux/flux-stats.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//kafka/strimzi-kafka.json
+modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//goldpinger/goldpinger.json
 EOT
 
 

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.25.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.26.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: assets
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.25.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.26.0"
         command:
         - /usr/bin/cozystack-assets-server
         - "-dir=/cozystack/assets"

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:71cdf8bdab3d6f27edeec0ab33ddd8c7b56675a4f2d7bbf4d3e09b70ecb43375
+ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:0167887b7e32ea6d4771346c8dc68ab6fa04ff9c1c03e446d0efd3c7473f4cfb

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:4c79017b6663f894812d8c3d4f9e03ef44e4d4032ad8bb91945c92c7cce6a0b0
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:4625589c24dc350ea3d3cd52b3daf6ad3c5b4608cc2c7cba7f2c92bd8311148c

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.15.0
+version: 0.15.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:50efa0d1e807c50d10e8fcece332e4eb7de464e98b23db6e3be02a1ef740821f
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.1@sha256:077023fc24d466ac18f8d43fec41b9a14c0b3d32c0013e836e7448e7a1e7d661

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:5f1ab06264c09f3dc7bfc43db0b6e68235ac44f83e8a5277dfb74fe6902d6dca
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.1@sha256:6f1822c583a7d21fd111838515b8d8aaad8ff02c68b0adccba86ce2127a5f6b7

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:7b206eb9c1b44cead6e0e4931c569612fa8034f026d845469ebd2d2ef46b85ab
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.1@sha256:48e16401c374ab96c17e8ce3c21400f513a20b5f9b202393ac33a89bba930a04

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:b882ff398d297824dbf73dee948cfa684cb18006b91bd152e1f03ed22d7190fa
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:1618317b09b071dfc9a80ff9d34d591f4f0f9ccf8d1ebe5b87b4c9e2c7388683

packages/apps/kubernetes/templates/cluster.yaml

@@ -118,7 +118,7 @@ spec:
     ingress:
       extraAnnotations:
         nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-      hostname: {{ .Values.host | default (printf "%s.%s" .Release.Name $host) }}:443
+      hostname: {{ .Values.host | default (printf "%s.%s" .Release.Name $host) }}
       className: "{{ $ingress }}"
   deployment:
     podAdditionalMetadata:

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:5994e3f7a57054e3cebc532fa29a90edc9a97befe8993cec011e3e726c83e9bd
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:f685d252761adf67140e1497b91b769523c85e91f47e71f5b50636a8a086289d

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:71cdf8bdab3d6f27edeec0ab33ddd8c7b56675a4f2d7bbf4d3e09b70ecb43375
+ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:0167887b7e32ea6d4771346c8dc68ab6fa04ff9c1c03e446d0efd3c7473f4cfb

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.6.8
+version: 1.8.0

packages/apps/tenant/README.md

@@ -50,11 +50,12 @@ tenant-u1
 
 ### Common parameters
 
-| Name         | Description                                                                                                                 | Value   |
-| ------------ | --------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `host`       | The hostname used to access tenant services (defaults to using the tenant name as a subdomain for it's parent tenant host). | `""`    |
-| `etcd`       | Deploy own Etcd cluster                                                                                                     | `false` |
-| `monitoring` | Deploy own Monitoring Stack                                                                                                 | `false` |
-| `ingress`    | Deploy own Ingress Controller                                                                                               | `false` |
-| `seaweedfs`  | Deploy own SeaweedFS                                                                                                        | `false` |
-| `isolated`   | Enforce tenant namespace with network policies                                                                              | `false` |
+| Name             | Description                                                                                                                 | Value   |
+| ---------------- | --------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `host`           | The hostname used to access tenant services (defaults to using the tenant name as a subdomain for it's parent tenant host). | `""`    |
+| `etcd`           | Deploy own Etcd cluster                                                                                                     | `false` |
+| `monitoring`     | Deploy own Monitoring Stack                                                                                                 | `false` |
+| `ingress`        | Deploy own Ingress Controller                                                                                               | `false` |
+| `seaweedfs`      | Deploy own SeaweedFS                                                                                                        | `false` |
+| `isolated`       | Enforce tenant namespace with network policies                                                                              | `false` |
+| `resourceQuotas` | Define resource quotas for the tenant                                                                                       | `{}`    |

packages/apps/tenant/templates/info.yaml

@@ -0,0 +1,27 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
+{{- if $oidcEnabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: info
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    cozystack.io/ui: "true"
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  chart:
+    spec:
+      chart: info
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-extra
+        namespace: cozy-public
+      version: "*"
+  interval: 1m0s
+  timeout: 5m0s
+{{- end }}

packages/apps/tenant/templates/quota.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.resourceQuotas }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: tenant-quota
+  namespace: {{ include "tenant.name" . }}
+spec:
+  hard:
+    {{- toYaml .Values.resourceQuotas | nindent 4 }}
+{{- end }}

packages/apps/tenant/templates/tenant.yaml

@@ -272,6 +272,7 @@ rules:
     - virtualmachines
     - vmdisks
     - vminstances
+    - infos
     verbs:
     - get
     - list

packages/apps/tenant/values.schema.json

@@ -31,6 +31,11 @@
             "type": "boolean",
             "description": "Enforce tenant namespace with network policies",
             "default": false
+        },
+        "resourceQuotas": {
+            "type": "object",
+            "description": "Define resource quotas for the tenant",
+            "default": {}
         }
     }
 }

packages/apps/tenant/values.yaml

@@ -6,9 +6,18 @@
 ## @param ingress Deploy own Ingress Controller
 ## @param seaweedfs Deploy own SeaweedFS
 ## @param isolated Enforce tenant namespace with network policies
+## @param resourceQuotas Define resource quotas for the tenant
 host: ""
 etcd: false
 monitoring: false
 ingress: false
 seaweedfs: false
 isolated: false
+resourceQuotas: {}
+# resourceQuotas:
+#   requests.cpu: "1"
+#   requests.memory: "1Gi"
+#   limits.cpu: "2"
+#   limits.memory: "2Gi"
+#   requests.nvidia.com/gpu: 4
+#   requests.storage: 100Gi

packages/apps/versions_map

@@ -44,7 +44,8 @@ kubernetes 0.12.1 28fca4e
 kubernetes 0.13.0 ced8e5b9
 kubernetes 0.14.0 bfbde07c
 kubernetes 0.14.1 fde4bcfa
-kubernetes 0.15.0 HEAD
+kubernetes 0.15.0 cb7b8158
+kubernetes 0.15.1 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 5ca8823
@@ -102,7 +103,9 @@ tenant 1.6.4 3c9e50a4
 tenant 1.6.5 f1e11451
 tenant 1.6.6 d4634797
 tenant 1.6.7 06afcf27
-tenant 1.6.8 HEAD
+tenant 1.6.8 4cc48e6f
+tenant 1.7.0 6c73e3f3
+tenant 1.8.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.25.2@sha256:5b70cd5a01d1c32f9072e37d3f5ae91f2a52516ff11dd25325c7da7ddba73c8b
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.26.0@sha256:8d35e540079f8f3b20a6ef69c600a082bc73c2e0d333f3c57aa593086880ef43

packages/core/platform/bundles/distro-full.yaml

@@ -174,7 +174,7 @@ releases:
   chart: cozy-linstor
   namespace: cozy-linstor
   privileged: true
-  dependsOn: [piraeus-operator,cilium,cert-manager]
+  dependsOn: [piraeus-operator,cilium,cert-manager,snapshot-controller]
 
 - name: telepresence
   releaseName: traffic-manager

packages/core/platform/bundles/paas-full.yaml

@@ -205,7 +205,7 @@ releases:
   chart: cozy-linstor
   namespace: cozy-linstor
   privileged: true
-  dependsOn: [piraeus-operator,cilium,kubeovn,cert-manager]
+  dependsOn: [piraeus-operator,cilium,kubeovn,cert-manager,snapshot-controller]
 
 - name: snapshot-controller
   releaseName: snapshot-controller
@@ -246,19 +246,14 @@ releases:
     {{- end }}
     {{- end }}
       dashboard:
-        image:
-          registry: ghcr.io/aenix-io/cozystack
-          repository: dashboard
-          tag: v0.25.0
-          digest: "sha256:81e7b625c667bce5fc339eb97c8e115eafb82f66df4501550b3677ac53f6e234"
-        {{- $wlConfigmap := lookup "v1" "ConfigMap" "cozy-dashboard" "white-label" }}
-        {{- $locale := dig "data" "locale" "" $wlConfigmap }}
-        {{- if $locale }}
+        {{- $cozystackBranding:= lookup "v1" "ConfigMap" "cozy-system" "cozystack-branding" }}
+        {{- $branding := dig "data" "branding" "" $cozystackBranding }}
+        {{- if $branding }}
         customLocale:
-          "Kubeapps": {{ $locale }}
+          "Kubeapps": {{ $branding }}
         {{- end }}
         customStyle: |
-          {{- $logoImage := dig "data" "logo" "" $wlConfigmap }}
+          {{- $logoImage := dig "data" "logo" "" $cozystackBranding }}
           {{- if $logoImage }}
           .kubeapps-logo {
             background-image: {{ $logoImage }}
@@ -364,3 +359,10 @@ releases:
     cozystack:
       configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}
+
+- name: goldpinger
+  releaseName: goldpinger
+  chart: cozy-goldpinger
+  namespace: cozy-goldpinger
+  privileged: true
+  dependsOn: [monitoring-agents]

packages/core/platform/bundles/paas-hosted.yaml

@@ -169,19 +169,14 @@ releases:
     {{- end }}
     {{- end }}
       dashboard:
-        image:
-          registry: ghcr.io/aenix-io/cozystack
-          repository: dashboard
-          tag: v0.25.0
-          digest: "sha256:81e7b625c667bce5fc339eb97c8e115eafb82f66df4501550b3677ac53f6e234"
-        {{- $wlConfigmap := lookup "v1" "ConfigMap" "cozy-dashboard" "white-label" }}
-        {{- $locale := dig "data" "locale" "" $wlConfigmap }}
-        {{- if $locale }}
+        {{- $cozystackBranding:= lookup "v1" "ConfigMap" "cozy-system" "cozystack-branding" }}
+        {{- $branding := dig "data" "branding" "" $cozystackBranding }}
+        {{- if $branding }}
         customLocale:
-          "Kubeapps": {{ $locale }}
+          "Kubeapps": {{ $branding }}
         {{- end }}
         customStyle: |
-          {{- $logoImage := dig "data" "logo" "" $wlConfigmap }}
+          {{- $logoImage := dig "data" "logo" "" $cozystackBranding }}
           {{- if $logoImage }}
           .kubeapps-logo {
             background-image: {{ $logoImage }}
@@ -245,3 +240,10 @@ releases:
     cozystack:
       configHash: {{ $cozyConfig | toJson | sha256sum }}
 {{- end }}
+
+- name: goldpinger
+  releaseName: goldpinger
+  chart: cozy-goldpinger
+  namespace: cozy-goldpinger
+  privileged: true
+  dependsOn: [monitoring-agents]

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.25.2@sha256:3c505ef20030ee4ff9412553c7ecc2077c01fb2785ff48991c404e09cd0db69f
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.26.0@sha256:8de1b87f442d4142dea6130540c6e34b1f8515cf6443a438a65a4145662648f7

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/matchbox:v0.25.2@sha256:32350617412bf29d4a8f29364e95f9814506522f98d31acab0ab19967613eef7
+ghcr.io/aenix-io/cozystack/matchbox:v0.26.0@sha256:5373d9c66361a7319314ed0553d402a99c8afea115e1dfee31034c3b9e3f3517

packages/extra/etcd/Chart.yaml

@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: /logos/etcd.svg
 type: application
-version: 2.5.0
+version: 2.6.0

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -73,11 +73,12 @@ spec:
   - "key encipherment"
   - "cert sign"
   commonName: etcd-peer-ca
+  duration: 87600h
   subject:
     organizations:
-      - ACME Inc.
+      - {{ .Release.Namespace }}
     organizationalUnits:
-      - Widgets
+      - {{ .Release.Name }}
   secretName: etcd-peer-ca-tls
   privateKey:
     algorithm: RSA
@@ -98,11 +99,12 @@ spec:
   - "key encipherment"
   - "cert sign"
   commonName: etcd-ca
+  duration: 87600h
   subject:
     organizations:
-      - ACME Inc.
+      - {{ .Release.Namespace }}
     organizationalUnits:
-      - Widgets
+      - {{ .Release.Name }}
   secretName: etcd-ca-tls
   privateKey:
     algorithm: RSA
@@ -133,9 +135,16 @@ kind: Certificate
 metadata:
   name: etcd-server
 spec:
+  commonName: etcd-server
   secretName: etcd-server-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
   isCA: false
   usages:
+    - "client auth"
     - "server auth"
     - "signing"
     - "key encipherment"
@@ -146,6 +155,7 @@ spec:
   - etcd-{{ $i }}.etcd-headless.{{ $.Release.Namespace }}.svc
   {{- end }}
   - localhost
+  ipAddresses:
   - "127.0.0.1"
   privateKey:
     rotationPolicy: Always
@@ -159,7 +169,13 @@ kind: Certificate
 metadata:
   name: etcd-peer
 spec:
+  commonName: etcd-peer
   secretName: etcd-peer-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
   isCA: false
   usages:
     - "server auth"
@@ -173,6 +189,7 @@ spec:
   - etcd-{{ $i }}.etcd-headless.{{ $.Release.Namespace }}.svc
   {{- end }}
   - localhost
+  ipAddresses:
   - "127.0.0.1"
   privateKey:
     rotationPolicy: Always
@@ -188,6 +205,11 @@ metadata:
 spec:
   commonName: root
   secretName: etcd-client-tls
+  subject:
+    organizations:
+      - {{ .Release.Namespace }}
+    organizationalUnits:
+      - {{ .Release.Name }}
   usages:
   - "signing"
   - "key encipherment"

packages/extra/etcd/values.schema.json

@@ -18,4 +18,4 @@
             "default": 3
         }
     }
-}
+}

packages/extra/info/.helmignore

@@ -0,0 +1,2 @@
+.helmignore
+/logos

packages/extra/info/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: info
+description: Info
+icon: /logos/info.svg
+type: application
+version: 1.0.0

packages/extra/info/Makefile

@@ -0,0 +1,3 @@
+NAME=etcd
+
+include ../../../scripts/package.mk

packages/extra/info/README.md

@@ -0,0 +1,18 @@
+# Info
+
+### Kubeconfig for tenant 
+
+### Kubelogin
+
+For using kubeconfig need install kubelogin.
+
+```bash
+# Homebrew (macOS and Linux)
+brew install int128/kubelogin/kubelogin
+
+# Krew (macOS, Linux, Windows and ARM)
+kubectl krew install oidc-login
+
+# Chocolatey (Windows)
+choco install kubelogin
+```

packages/extra/info/logos/info.svg

@@ -0,0 +1,15 @@
+<svg width="144" height="144" viewBox="0 0 144 144" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="144" height="144" rx="24" fill="url(#paint0_radial_144_3)"/>
+<g clip-path="url(#clip0_144_3)">
+<path d="M77.6407 97.0844L82.833 97.3604V104.637H61.1728V97.7197L64.1771 97.4495C65.8101 97.2684 66.8106 96.7193 66.8106 94.5343V69.2314C66.8106 67.2217 66.2701 66.5864 64.5365 66.5864L61.3568 66.4081V58.8584H77.6465L77.6407 97.0844ZM71.2726 39.363C75.2804 39.363 78.187 42.3731 78.187 46.1883C78.187 50.0149 75.2718 52.8381 71.1778 52.8381C66.9975 52.8381 64.2663 50.0149 64.2663 46.1883C64.2663 42.3731 66.9975 39.363 71.2726 39.363ZM72 118C46.6368 118 26 97.3632 26 72C26 46.6368 46.6368 26 72 26C97.3575 26 118 46.6368 118 72C118 97.3632 97.3575 118 72 118ZM72 34.625C51.392 34.625 34.625 51.392 34.625 72C34.625 92.608 51.392 109.375 72 109.375C92.608 109.375 109.375 92.608 109.375 72C109.375 51.392 92.608 34.625 72 34.625Z" fill="white"/>
+</g>
+<defs>
+<radialGradient id="paint0_radial_144_3" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(1.32298e-05 -7.50001) rotate(44.7178) scale(215.317 312.455)">
+<stop stop-color="#00B5E7"/>
+<stop offset="1" stop-color="#003984"/>
+</radialGradient>
+<clipPath id="clip0_144_3">
+<rect width="92" height="92" fill="white" transform="translate(26 26)"/>
+</clipPath>
+</defs>
+</svg>

packages/extra/info/templates/dashboard-resourcemap.yaml

@@ -1,13 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ include "tenant.name" . }}-dashboard-resources
-  namespace: {{ .Release.namespace }}
+  name: info-dashboard-resources
 rules:
 - apiGroups:
   - ""
   resources:
   - secrets
   resourceNames:
-  - kubeconfig-{{ include "tenant.name" . }}
+  - kubeconfig-{{ .Release.Namespace }}
   verbs: ["get", "list", "watch"]

packages/extra/info/templates/kubeconfig.yaml

@@ -15,8 +15,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: kubeconfig-{{ include "tenant.name" . }}
-  namespace: tenant-root
+  name: kubeconfig-{{ .Release.Namespace }}
 stringData:
   kubeconfig: |
     apiVersion: v1
@@ -28,10 +27,10 @@ stringData:
     contexts:
     - context:
         cluster: cluster
-        namespace: {{ include "tenant.name" . }}
+        namespace: {{ .Release.Namespace }}
         user: keycloak
-      name: {{ include "tenant.name" . }}
-    current-context: {{ include "tenant.name" . }}
+      name: {{ .Release.Namespace }}
+    current-context: {{ .Release.Namespace }}
     users:
     - name: keycloak
       user:

packages/extra/info/values.schema.json

@@ -0,0 +1 @@
+{}

packages/extra/monitoring/dashboards.list

@@ -35,3 +35,4 @@ kubevirt/kubevirt-control-plane
 flux/flux-control-plane
 flux/flux-stats
 kafka/strimzi-kafka
+goldpinger/goldpinger

packages/extra/versions_map

@@ -6,7 +6,9 @@ etcd 2.1.0 2b00fcf8
 etcd 2.2.0 5ca8823
 etcd 2.3.0 b908400d
 etcd 2.4.0 cb7b8158
-etcd 2.5.0 HEAD
+etcd 2.5.0 861e6c46
+etcd 2.6.0 HEAD
+info 1.0.0 HEAD
 ingress 1.0.0 f642698
 ingress 1.1.0 838bee5d
 ingress 1.2.0 ced8e5b

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:e50aecd2158490cb383cef28b8b066aef847782cd826b161fccd91c928fcb500
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:90489380ee0108188801978afc4d2a4fd837e0e46efef6b45e6640d1dfea6a63

packages/system/cilium/charts/cilium/Chart.yaml

@@ -79,7 +79,7 @@ annotations:
     Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
     be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.16.6
+appVersion: 1.16.7
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.16.6
+version: 1.16.7

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.16.6](https://img.shields.io/badge/Version-1.16.6-informational?style=flat-square) ![AppVersion: 1.16.6](https://img.shields.io/badge/AppVersion-1.16.6-informational?style=flat-square)
+![Version: 1.16.7](https://img.shields.io/badge/Version-1.16.7-informational?style=flat-square) ![AppVersion: 1.16.7](https://img.shields.io/badge/AppVersion-1.16.7-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
 | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.6","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:8e7eda5b194d45c3b1607f5bf31cbb3fecd0f1cf85ce32b41f93b2bd832bf02f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.7","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -353,10 +353,11 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae","useDigest":true}` | Envoy container image. |
 | envoy.initialFetchTimeoutSeconds | int | `30` | Time in seconds after which the initial fetch on an xDS stream is considered timed out |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
+| envoy.log.accessLogBufferSize | int | `4096` | Size of the Envoy access log buffer created within the agent in bytes. Tune this value up if you encounter "Envoy: Discarded truncated access log message" errors. Large request/response header sizes (e.g. 16KiB) will require a larger buffer size. |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
 | envoy.log.path | string | `""` | Path to a separate Envoy log file, if any. Defaults to /dev/stdout. |
 | envoy.maxConnectionDurationSeconds | int | `0` | Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable) |
@@ -485,7 +486,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.6","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:8f408ed921cd534394aa1c57b313741cec6aec03a14ea243b2173cbf2c88c91e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.7","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -591,7 +592,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.6","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:294d2432507fed393b26e9fbfacb25c2e37095578cb34dabac7312b66ed0782e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.7","useDigest":true}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -718,7 +719,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9","awsDigest":"sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d","azureDigest":"sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd","genericDigest":"sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.6","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:dbdc856303e1ab6734538e29791fdfc4fe2c1295fd7bbce8fa006cd3165f85c8","awsDigest":"sha256:110d922337bdbfc3cd4d7d71b85b2c8f72c1d9925e9b61b4cd73ff990799d7ba","azureDigest":"sha256:4e7e64cc505676d402c68043934e2c8efc75b294245514d7611a58d06b5e0f69","genericDigest":"sha256:25a41ac50bcebfb780ed2970e55a5ba1a5f26996850ed5a694dc69b312e0b5a0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.7","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -768,7 +769,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.6","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:294d2432507fed393b26e9fbfacb25c2e37095578cb34dabac7312b66ed0782e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.7","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

packages/system/cilium/charts/cilium/files/nodeinit/startup.bash

@@ -116,6 +116,8 @@ else
   exec /home/kubernetes/bin/the-kubelet "${@}" --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }}
 fi
 EOF
+    echo "Restarting the kubelet..."
+    systemctl restart kubelet
   else
     echo "Kubelet wrapper already exists, skipping..."
   fi
@@ -135,10 +137,10 @@ else
     echo "Changing kubelet configuration to --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }}"
     mkdir -p {{ .Values.cni.binPath }}
     sed -i "s:--network-plugin=kubenet:--network-plugin=cni\ --cni-bin-dir={{ .Values.cni.binPath }}:g" "${KUBELET_DEFAULTS_FILE}"
+    echo "Restarting the kubelet..."
+    systemctl restart kubelet
   fi
 fi
-echo "Restarting the kubelet..."
-systemctl restart kubelet
 {{- end }}
 
 {{- if (and .Values.gke.enabled (or .Values.enableIPv4Masquerade .Values.gke.disableDefaultSnat))}}

packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml

@@ -1284,7 +1284,9 @@ data:
 {{- if .Values.envoy.log.path }}
   envoy-log: {{ .Values.envoy.log.path | quote }}
 {{- end }}
-
+{{- if .Values.envoy.log.accessLogBufferSize }}
+  envoy-access-log-buffer-size: {{ .Values.envoy.log.accessLogBufferSize | quote }}
+{{- end }}
   envoy-keep-cap-netbindservice: {{ .Values.envoy.securityContext.capabilities.keepCapNetBindService | quote }}
 
 {{- if hasKey .Values.clustermesh "maxConnectedClusters" }}

packages/system/cilium/charts/cilium/templates/validate.yaml

@@ -151,6 +151,7 @@
   {{ fail "The cluster name is invalid: cannot use default value with cluster.id != 0" }}
 {{- end }}
 {{ if and
+    (ne (index .Values.extraConfig "allow-unsafe-policy-skb-usage") "true")
     (or (and (ge (int .Values.cluster.id) 128) (le (int .Values.cluster.id) 255)) (and (ge (int .Values.cluster.id) 384) (le (int .Values.cluster.id) 511)))
     (or .Values.eni.enabled .Values.alibabacloud.enabled (eq .Values.cni.chainingMode "aws-cni")) -}}
   {{ fail "Cilium is currently affected by a bug that causes traffic matched by network policies to be incorrectly dropped when running in either ENI mode (both AWS and AlibabaCloud) or AWS VPC CNI chaining mode, if the cluster ID is 128-255 (and 384-511 when maxConnectedClusters=511). Please refer to https://github.com/cilium/cilium/issues/21330 for additional details." }}

packages/system/cilium/charts/cilium/values.schema.json

@@ -1969,6 +1969,12 @@
         },
         "log": {
           "properties": {
+            "accessLogBufferSize": {
+              "type": [
+                "null",
+                "integer"
+              ]
+            },
             "format": {
               "type": "string"
             },

packages/system/cilium/charts/cilium/values.yaml

@@ -153,10 +153,10 @@ image:
   # @schema
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.16.6"
+  tag: "v1.16.7"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
+  digest: "sha256:294d2432507fed393b26e9fbfacb25c2e37095578cb34dabac7312b66ed0782e"
   useDigest: true
 # -- Affinity for cilium-agent.
 affinity:
@@ -1314,9 +1314,9 @@ hubble:
       # @schema
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.16.6"
+      tag: "v1.16.7"
       # hubble-relay-digest
-      digest: "sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b"
+      digest: "sha256:8f408ed921cd534394aa1c57b313741cec6aec03a14ea243b2173cbf2c88c91e"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- Specifies the resources for the hubble-relay pods
@@ -2143,6 +2143,13 @@ envoy:
     format: "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"
     # -- Path to a separate Envoy log file, if any. Defaults to /dev/stdout.
     path: ""
+    # @schema
+    # type: [null, integer]
+    # @schema
+    # -- Size of the Envoy access log buffer created within the agent in bytes.
+    # Tune this value up if you encounter "Envoy: Discarded truncated access log message" errors.
+    # Large request/response header sizes (e.g. 16KiB) will require a larger buffer size.
+    accessLogBufferSize: 4096
   # -- Time in seconds after which a TCP connection attempt times out
   connectTimeoutSeconds: 2
   # -- Time in seconds after which the initial fetch on an xDS stream is considered timed out
@@ -2165,9 +2172,9 @@ envoy:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5"
+    tag: "v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae"
     pullPolicy: "IfNotPresent"
-    digest: "sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88"
+    digest: "sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521"
     useDigest: true
   # -- Additional containers added to the cilium Envoy DaemonSet.
   extraContainers: []
@@ -2480,15 +2487,15 @@ operator:
     # @schema
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.16.6"
+    tag: "v1.16.7"
     # operator-generic-digest
-    genericDigest: "sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc"
+    genericDigest: "sha256:25a41ac50bcebfb780ed2970e55a5ba1a5f26996850ed5a694dc69b312e0b5a0"
     # operator-azure-digest
-    azureDigest: "sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd"
+    azureDigest: "sha256:4e7e64cc505676d402c68043934e2c8efc75b294245514d7611a58d06b5e0f69"
     # operator-aws-digest
-    awsDigest: "sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d"
+    awsDigest: "sha256:110d922337bdbfc3cd4d7d71b85b2c8f72c1d9925e9b61b4cd73ff990799d7ba"
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9"
+    alibabacloudDigest: "sha256:dbdc856303e1ab6734538e29791fdfc4fe2c1295fd7bbce8fa006cd3165f85c8"
     useDigest: true
     pullPolicy: "IfNotPresent"
     suffix: ""
@@ -2762,9 +2769,9 @@ preflight:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.16.6"
+    tag: "v1.16.7"
     # cilium-digest
-    digest: "sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
+    digest: "sha256:294d2432507fed393b26e9fbfacb25c2e37095578cb34dabac7312b66ed0782e"
     useDigest: true
     pullPolicy: "IfNotPresent"
   # -- The priority class to use for the preflight pod.
@@ -2911,9 +2918,9 @@ clustermesh:
       # @schema
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.16.6"
+      tag: "v1.16.7"
       # clustermesh-apiserver-digest
-      digest: "sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a"
+      digest: "sha256:8e7eda5b194d45c3b1607f5bf31cbb3fecd0f1cf85ce32b41f93b2bd832bf02f"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- TCP port for the clustermesh-apiserver health API.

packages/system/cilium/charts/cilium/values.yaml.tmpl

@@ -2157,6 +2157,13 @@ envoy:
     format: "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"
     # -- Path to a separate Envoy log file, if any. Defaults to /dev/stdout.
     path: ""
+    # @schema
+    # type: [null, integer]
+    # @schema
+    # -- Size of the Envoy access log buffer created within the agent in bytes.
+    # Tune this value up if you encounter "Envoy: Discarded truncated access log message" errors.
+    # Large request/response header sizes (e.g. 16KiB) will require a larger buffer size.
+    accessLogBufferSize: 4096
   # -- Time in seconds after which a TCP connection attempt times out
   connectTimeoutSeconds: 2
   # -- Time in seconds after which the initial fetch on an xDS stream is considered timed out

packages/system/cilium/images/cilium/Dockerfile

@@ -1,2 +1,2 @@
-ARG VERSION=v1.16.6
+ARG VERSION=v1.16.7
 FROM quay.io/cilium/cilium:${VERSION}

packages/system/cilium/values.yaml

@@ -12,7 +12,7 @@ cilium:
     mode: "kubernetes"
   image:
     repository: ghcr.io/aenix-io/cozystack/cilium
-    tag: 1.16.6
-    digest: "sha256:cf64df62897b071d5a9a005564ecbfb9124aa82a96957e329ce28a187864f113"
+    tag: 1.16.7
+    digest: "sha256:d2d6f5675aa30c18c4d9c08c27448173416cfb4a84080d5b9765fa1bdc9b4c70"
   envoy:
     enabled: false

packages/system/cozystack-api/templates/configmap.yaml

@@ -314,3 +314,17 @@ data:
             kind: HelmRepository
             name: cozystack-extra
             namespace: cozy-public
+    - application:
+        kind: Info
+        plural: infos
+        singular: info
+      release:
+        prefix: ""
+        labels:
+          cozystack.io/ui: "true"
+        chart:
+          name: info
+          sourceRef:
+            kind: HelmRepository
+            name: cozystack-extra
+            namespace: cozy-public

packages/system/cozystack-api/values.yaml

@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.25.2@sha256:ade847d803ffe9538fc063a8427d7ca87187ac9eb18a584104dfce741be0d0cf
+  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.26.0@sha256:11e455081a7898da92dc6611204c25eba7614567cc0665a26c5425db4b94192e

packages/system/cozystack-controller/values.yaml

@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.25.2@sha256:310df1af9d6feb1604b56eab57ee43c82b080f9103d229b3f1cebf9525a04501
+  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.26.0@sha256:d0601c3776387bc38af6706ef5b68cfc986c119a1209c28a37e5797089308f26
   debug: false
   disableTelemetry: false
-  cozystackVersion: "v0.25.2"
+  cozystackVersion: "v0.26.0"

packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml

@@ -76,7 +76,7 @@ data:
       "kubeappsNamespace": {{ .Release.Namespace | quote }},
       "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
       "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.25.2",
+      "appVersion": "v0.26.0",
       "authProxyEnabled": {{ .Values.authProxy.enabled }},
       "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
       "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},

packages/system/dashboard/values.yaml

@@ -15,39 +15,17 @@ kubeapps:
     flux:
       enabled: true
   dashboard:
-    customStyle: |
-      #serviceaccount-selector {
-        display: none;
-      }
-      .login-moreinfo {
-        display: none;
-      }
-      a[href="#/docs"] {
-        display: none;
-      }
-      .login-group .clr-form-control .clr-control-label {
-        display: none;
-      }
-      .appview-separator div.appview-first-row div.center {
-        display: none;
-      }
-      .appview-separator div.appview-first-row section[aria-labelledby="app-secrets"] {
-        display: none;
-      }
-      .appview-first-row section[aria-labelledby="access-urls-title"] {
-        width: 100%;
-      }
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.25.2
-      digest: "sha256:4a5dab471c358f826920693591d153dacb81ff7d499daa19edd1f74109f12224"
+      tag: v0.26.0
+      digest: "sha256:b8c2d271040ae129345c7d8c2427cb9bbc7fb998be2d4ff47887bc3b643f6f72"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.25.2
-      digest: "sha256:69e16490aff84e9084748011b7ae212679b8916cb882032436df450202aea37b"
+      tag: v0.26.0
+      digest: "sha256:8364d1fc8ecdbd93fe2fe21a8619f0fde7a89ee68e5bcd6b8fb777bf73a39f5e"
     pluginConfig:
       flux:
         packages:
@@ -361,3 +339,17 @@ kubeapps:
                       kind: HelmRepository
                       name: cozystack-extra
                       namespace: cozy-public
+              - application:
+                  kind: Info
+                  plural: infos
+                  singular: info
+                release:
+                  prefix: ""
+                  labels:
+                    cozystack.io/ui: "true"
+                  chart:
+                    name: info
+                    sourceRef:
+                      kind: HelmRepository
+                      name: cozystack-extra
+                      namespace: cozy-public

packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml

@@ -8,7 +8,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.13.0
+appVersion: v0.15.0
 description: 'A Helm chart for deploying the Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.13.0
+version: 0.15.0

packages/system/fluxcd-operator/charts/flux-operator/README.md

@@ -1,6 +1,6 @@
 # flux-operator
 
-![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.0](https://img.shields.io/badge/AppVersion-v0.13.0-informational?style=flat-square)
+![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.15.0](https://img.shields.io/badge/AppVersion-v0.15.0-informational?style=flat-square)
 
 The [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator) provides a
 declarative API for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the
@@ -44,9 +44,12 @@ see the Flux Operator [documentation](https://fluxcd.control-plane.io/operator/)
 | livenessProbe | object | `{"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}` | Container liveness probe settings. |
 | logLevel | string | `"info"` | Container logging level flag. |
 | marketplace | object | `{"account":"","license":"","type":""}` | Marketplace settings. |
+| multitenancy | object | `{"defaultServiceAccount":"flux-operator","enabled":false}` | Enable [multitenancy lockdown](https://fluxcd.control-plane.io/operator/resourceset/#role-based-access-control) for the ResourceSet APIs. |
 | nameOverride | string | `""` |  |
 | podSecurityContext | object | `{}` | Pod security context settings. |
 | priorityClassName | string | `""` | Pod priority class name. Recommended value is system-cluster-critical. |
+| rbac.create | bool | `true` | Grant the cluster-admin role to the flux-operator service account (required for the Flux Instance deployment). |
+| rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to ResourceSet APIs. |
 | readinessProbe | object | `{"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10}` | Container readiness probe settings. |
 | resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | Container resources requests and limits settings. |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context settings. The default is compliant with the pod security restricted profile. |

packages/system/fluxcd-operator/charts/flux-operator/templates/admin-clusterrole.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -19,3 +20,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "flux-operator.fullname" . }}
     namespace: {{ .Release.Namespace }}
+{{- end }}

packages/system/fluxcd-operator/charts/flux-operator/templates/aggregate-clusterrole.yaml

@@ -0,0 +1,56 @@
+{{- if .Values.rbac.createAggregation }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "flux-operator.fullname" . }}-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "flux-operator.labels" . | nindent 4 }}
+    {{- with .Values.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - fluxcd.controlplane.io
+    resources:
+      - resourcesets
+      - resourcesetinputproviders
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "flux-operator.fullname" . }}-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    {{- include "flux-operator.labels" . | nindent 4 }}
+    {{- with .Values.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - fluxcd.controlplane.io
+    resources:
+      - resourcesets
+      - resourcesetinputproviders
+    verbs:
+      - get
+      - list
+      - watch
+{{- end }}

packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml

@@ -142,6 +142,11 @@ spec:
                       e.g. 'oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest'.
                     pattern: ^oci://.*$
                     type: string
+                  artifactPullSecret:
+                    description: |-
+                      ArtifactPullSecret is the name of the Kubernetes secret
+                      to use for pulling the Kubernetes manifests for the distribution specified in the Artifact field.
+                    type: string
                   imagePullSecret:
                     description: |-
                       ImagePullSecret is the name of the Kubernetes secret
@@ -734,4 +739,513 @@ spec:
     storage: true
     subresources:
       status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: '{{ .Release.Name }}'
+    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+    app.kubernetes.io/name: '{{ .Chart.Name }}'
+    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+  name: resourcesetinputproviders.fluxcd.controlplane.io
+spec:
+  group: fluxcd.controlplane.io
+  names:
+    kind: ResourceSetInputProvider
+    listKind: ResourceSetInputProviderList
+    plural: resourcesetinputproviders
+    shortNames:
+    - rsip
+    singular: resourcesetinputprovider
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: ResourceSetInputProvider is the Schema for the ResourceSetInputProviders
+          API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ResourceSetInputProviderSpec defines the desired state of
+              ResourceSetInputProvider
+            properties:
+              certSecretRef:
+                description: |-
+                  CertSecretRef specifies the Kubernetes Secret containing either or both of
+
+                  - a PEM-encoded CA certificate (`ca.crt`)
+                  - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`)
+
+                  When connecting to a Git provider that uses self-signed certificates, the CA certificate
+                  must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              defaultValues:
+                additionalProperties:
+                  x-kubernetes-preserve-unknown-fields: true
+                description: |-
+                  DefaultValues contains the default values for the inputs.
+                  These values are used to populate the inputs when the provider
+                  response does not contain them.
+                type: object
+              filter:
+                description: Filter defines the filter to apply to the input provider
+                  response.
+                properties:
+                  excludeBranch:
+                    description: |-
+                      ExcludeBranch specifies the regular expression to filter the branches
+                      that the input provider should exclude.
+                    type: string
+                  includeBranch:
+                    description: |-
+                      IncludeBranch specifies the regular expression to filter the branches
+                      that the input provider should include.
+                    type: string
+                  labels:
+                    description: Labels specifies the list of labels to filter the
+                      input provider response.
+                    items:
+                      type: string
+                    type: array
+                  limit:
+                    description: |-
+                      Limit specifies the maximum number of input sets to return.
+                      When not set, the default limit is 100.
+                    type: integer
+                type: object
+              secretRef:
+                description: |-
+                  SecretRef specifies the Kubernetes Secret containing the basic-auth credentials
+                  to access the input provider. The secret must contain the keys
+                  'username' and 'password'.
+                  When connecting to a Git provider, the password should be a personal access token
+                  that grants read-only access to the repository.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              type:
+                description: Type specifies the type of the input provider.
+                enum:
+                - GitHubBranch
+                - GitHubPullRequest
+                - GitLabBranch
+                - GitLabMergeRequest
+                type: string
+              url:
+                description: |-
+                  URL specifies the HTTP/S address of the input provider API.
+                  When connecting to a Git provider, the URL should point to the repository address.
+                pattern: ^(http|https)://.*$
+                type: string
+            required:
+            - type
+            - url
+            type: object
+          status:
+            description: ResourceSetInputProviderStatus defines the observed state
+              of ResourceSetInputProvider.
+            properties:
+              conditions:
+                description: Conditions contains the readiness conditions of the object.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              exportedInputs:
+                description: ExportedInputs contains the list of inputs exported by
+                  the provider.
+                items:
+                  additionalProperties:
+                    x-kubernetes-preserve-unknown-fields: true
+                  description: ResourceSetInput defines the key-value pairs of the
+                    ResourceSet input.
+                  type: object
+                type: array
+              lastExportedRevision:
+                description: |-
+                  LastExportedRevision is the digest of the
+                  inputs that were last reconcile.
+                type: string
+              lastHandledReconcileAt:
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: '{{ .Release.Name }}'
+    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
+    app.kubernetes.io/name: '{{ .Chart.Name }}'
+    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
+    helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
+  name: resourcesets.fluxcd.controlplane.io
+spec:
+  group: fluxcd.controlplane.io
+  names:
+    kind: ResourceSet
+    listKind: ResourceSetList
+    plural: resourcesets
+    shortNames:
+    - rset
+    singular: resourceset
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: ResourceSet is the Schema for the ResourceSets API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ResourceSetSpec defines the desired state of ResourceSet
+            properties:
+              commonMetadata:
+                description: |-
+                  CommonMetadata specifies the common labels and annotations that are
+                  applied to all resources. Any existing label or annotation will be
+                  overridden if its key matches a common one.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    description: Annotations to be added to the object's metadata.
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels to be added to the object's metadata.
+                    type: object
+                type: object
+              dependsOn:
+                description: |-
+                  DependsOn specifies the list of Kubernetes resources that must
+                  exist on the cluster before the reconciliation process starts.
+                items:
+                  description: Dependency defines a ResourceSet dependency on a Kubernetes
+                    resource.
+                  properties:
+                    apiVersion:
+                      description: APIVersion of the resource to depend on.
+                      type: string
+                    kind:
+                      description: Kind of the resource to depend on.
+                      type: string
+                    name:
+                      description: Name of the resource to depend on.
+                      type: string
+                    namespace:
+                      description: Namespace of the resource to depend on.
+                      type: string
+                    ready:
+                      description: Ready checks if the resource Ready status condition
+                        is true.
+                      type: boolean
+                    readyExpr:
+                      description: |-
+                        ReadyExpr checks if the resource satisfies the given CEL expression.
+                        The expression replaces the default readiness check and
+                        is only evaluated if Ready is set to 'true'.
+                      type: string
+                  required:
+                  - apiVersion
+                  - kind
+                  - name
+                  type: object
+                type: array
+              inputs:
+                description: Inputs contains the list of ResourceSet inputs.
+                items:
+                  additionalProperties:
+                    x-kubernetes-preserve-unknown-fields: true
+                  description: ResourceSetInput defines the key-value pairs of the
+                    ResourceSet input.
+                  type: object
+                type: array
+              inputsFrom:
+                description: |-
+                  InputsFrom contains the list of references to input providers.
+                  When set, the inputs are fetched from the providers and concatenated
+                  with the in-line inputs defined in the ResourceSet.
+                items:
+                  properties:
+                    apiVersion:
+                      description: |-
+                        APIVersion of the input provider resource.
+                        When not set, the APIVersion of the ResourceSet is used.
+                      type: string
+                    kind:
+                      description: Kind of the input provider resource.
+                      enum:
+                      - ResourceSetInputProvider
+                      type: string
+                    name:
+                      description: Name of the input provider resource.
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
+              resources:
+                description: Resources contains the list of Kubernetes resources to
+                  reconcile.
+                items:
+                  x-kubernetes-preserve-unknown-fields: true
+                type: array
+              resourcesTemplate:
+                description: |-
+                  ResourcesTemplate is a Go template that generates the list of
+                  Kubernetes resources to reconcile. The template is rendered
+                  as multi-document YAML, the resources should be separated by '---'.
+                  When both Resources and ResourcesTemplate are set, the resulting
+                  objects are merged and deduplicated, with the ones from Resources taking precedence.
+                type: string
+              serviceAccountName:
+                description: |-
+                  The name of the Kubernetes service account to impersonate
+                  when reconciling the generated resources.
+                type: string
+              wait:
+                description: |-
+                  Wait instructs the controller to check the health
+                  of all the reconciled resources.
+                type: boolean
+            type: object
+          status:
+            description: ResourceSetStatus defines the observed state of ResourceSet.
+            properties:
+              conditions:
+                description: Conditions contains the readiness conditions of the object.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              inventory:
+                description: |-
+                  Inventory contains a list of Kubernetes resource object references
+                  last applied on the cluster.
+                properties:
+                  entries:
+                    description: Entries of Kubernetes resource object references.
+                    items:
+                      description: ResourceRef contains the information necessary
+                        to locate a resource within a cluster.
+                      properties:
+                        id:
+                          description: |-
+                            ID is the string representation of the Kubernetes resource object's metadata,
+                            in the format '<namespace>_<name>_<group>_<kind>'.
+                          type: string
+                        v:
+                          description: Version is the API version of the Kubernetes
+                            resource object's kind.
+                          type: string
+                      required:
+                      - id
+                      - v
+                      type: object
+                    type: array
+                required:
+                - entries
+                type: object
+              lastAppliedRevision:
+                description: |-
+                  LastAppliedRevision is the digest of the
+                  generated resources that were last reconcile.
+                type: string
+              lastHandledReconcileAt:
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
 {{- end }}

packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml

@@ -50,6 +50,9 @@ spec:
         - name: manager
           args:
             - --log-level={{ .Values.logLevel }}
+            {{- if .Values.multitenancy.enabled }}
+            - --default-service-account={{ .Values.multitenancy.defaultServiceAccount }}
+            {{- end }}
             {{- range .Values.extraArgs }}
             - {{ . }}
             {{- end }}

packages/system/fluxcd-operator/charts/flux-operator/values.schema.json

@@ -169,6 +169,20 @@
             },
             "type": "object"
         },
+        "multitenancy": {
+            "properties": {
+                "defaultServiceAccount": {
+                    "type": "string"
+                },
+                "enabled": {
+                    "type": "boolean"
+                }
+            },
+            "required": [
+                "defaultServiceAccount"
+            ],
+            "type": "object"
+        },
         "nameOverride": {
             "type": "string"
         },
@@ -183,6 +197,17 @@
             "default": "system-cluster-critical",
             "type": "string"
         },
+        "rbac": {
+            "properties": {
+                "create": {
+                    "type": "boolean"
+                },
+                "createAggregation": {
+                    "type": "boolean"
+                }
+            },
+            "type": "object"
+        },
         "readinessProbe": {
             "default": {
                 "httpGet": {

packages/system/fluxcd-operator/charts/flux-operator/values.yaml

@@ -3,6 +3,11 @@
 nameOverride: ""
 fullnameOverride: ""
 
+# -- Enable [multitenancy lockdown](https://fluxcd.control-plane.io/operator/resourceset/#role-based-access-control) for the ResourceSet APIs.
+multitenancy:
+  enabled: false
+  defaultServiceAccount: "flux-operator" # @schema required: true
+
 # -- Install and upgrade the custom resource definitions.
 installCRDs: true # @schema default: true
 
@@ -55,6 +60,12 @@ serviceAccount: # @schema default: {"create":true,"automount":true,"name":""}
   automount: true
   name: ""
 
+rbac:
+   # -- Grant the cluster-admin role to the flux-operator service account (required for the Flux Instance deployment).
+  create: true
+  # -- Grant the Kubernetes view, edit and admin roles access to ResourceSet APIs.
+  createAggregation: true
+
 # -- Pod security context settings.
 podSecurityContext: { } # @schema default: {"fsGroup":1337}
 

packages/system/fluxcd/charts/flux-instance/Chart.yaml

@@ -8,7 +8,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.13.0
+appVersion: v0.15.0
 description: 'A Helm chart for deploying a Flux instance managed by Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.13.0
+version: 0.15.0

packages/system/fluxcd/charts/flux-instance/README.md

@@ -1,6 +1,6 @@
 # flux-instance
 
-![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.0](https://img.shields.io/badge/AppVersion-v0.13.0-informational?style=flat-square)
+![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.15.0](https://img.shields.io/badge/AppVersion-v0.15.0-informational?style=flat-square)
 
 This chart is a thin wrapper around the `FluxInstance` custom resource, which is
 used by the [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator)
@@ -40,11 +40,11 @@ helm -n flux-system uninstall flux
 | instance.cluster | object | `{"domain":"cluster.local","multitenant":false,"networkPolicy":true,"tenantDefaultServiceAccount":"default","type":"kubernetes"}` | Cluster https://fluxcd.control-plane.io/operator/fluxinstance/#cluster-configuration |
 | instance.commonMetadata | object | `{"annotations":{},"labels":{}}` | Common metadata https://fluxcd.control-plane.io/operator/fluxinstance/#common-metadata |
 | instance.components | list | `["source-controller","kustomize-controller","helm-controller","notification-controller"]` | Components https://fluxcd.control-plane.io/operator/fluxinstance/#components-configuration |
-| instance.distribution | object | `{"artifact":"oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest","imagePullSecret":"","registry":"ghcr.io/fluxcd","version":"2.x"}` | Distribution https://fluxcd.control-plane.io/operator/fluxinstance/#distribution-configuration |
+| instance.distribution | object | `{"artifact":"oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest","artifactPullSecret":"","imagePullSecret":"","registry":"ghcr.io/fluxcd","version":"2.x"}` | Distribution https://fluxcd.control-plane.io/operator/fluxinstance/#distribution-configuration |
 | instance.kustomize.patches | list | `[]` | Kustomize patches https://fluxcd.control-plane.io/operator/fluxinstance/#kustomize-patches |
 | instance.sharding | object | `{"key":"sharding.fluxcd.io/key","shards":[]}` | Sharding https://fluxcd.control-plane.io/operator/fluxinstance/#sharding-configuration |
 | instance.storage | object | `{"class":"","size":""}` | Storage https://fluxcd.control-plane.io/operator/fluxinstance/#storage-configuration |
-| instance.sync | object | `{"kind":"GitRepository","name":"","path":"","pullSecret":"","ref":"","url":""}` | Sync https://fluxcd.control-plane.io/operator/fluxinstance/#sync-configuration |
+| instance.sync | object | `{"interval":"1m","kind":"GitRepository","name":"","path":"","pullSecret":"","ref":"","url":""}` | Sync https://fluxcd.control-plane.io/operator/fluxinstance/#sync-configuration |
 | nameOverride | string | `""` |  |
 
 ## Source Code

packages/system/fluxcd/charts/flux-instance/templates/instance.yaml

@@ -17,6 +17,9 @@ spec:
     version: {{ .Values.instance.distribution.version }}
     registry: {{ .Values.instance.distribution.registry }}
     artifact: {{ .Values.instance.distribution.artifact }}
+    {{- if .Values.instance.distribution.artifactPullSecret }}
+    artifactPullSecret: {{ .Values.instance.distribution.artifactPullSecret }}
+    {{- end }}
     {{- if .Values.instance.distribution.imagePullSecret }}
     imagePullSecret: {{ .Values.instance.distribution.imagePullSecret }}
     {{- end }}
@@ -37,6 +40,7 @@ spec:
   {{- if .Values.instance.sync.url }}
   sync:
     kind: {{ .Values.instance.sync.kind }}
+    interval: {{ .Values.instance.sync.interval }}
     url: {{ .Values.instance.sync.url }}
     ref: {{ .Values.instance.sync.ref }}
     path: {{ .Values.instance.sync.path }}

packages/system/fluxcd/charts/flux-instance/values.schema.json

@@ -74,6 +74,9 @@
                         "artifact": {
                             "type": "string"
                         },
+                        "artifactPullSecret": {
+                            "type": "string"
+                        },
                         "imagePullSecret": {
                             "type": "string"
                         },
@@ -128,6 +131,9 @@
                 },
                 "sync": {
                     "properties": {
+                        "interval": {
+                            "type": "string"
+                        },
                         "kind": {
                             "enum": [
                                 "GitRepository",

packages/system/fluxcd/charts/flux-instance/values.yaml

@@ -9,6 +9,7 @@ instance:
     version: "2.x" # @schema required: true
     registry: "ghcr.io/fluxcd" # @schema required: true
     artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest"
+    artifactPullSecret: ""
     imagePullSecret: ""
   # -- Components https://fluxcd.control-plane.io/operator/fluxinstance/#components-configuration
   components: # @schema item: string; uniqueItems: true; itemEnum: [source-controller,kustomize-controller,helm-controller,notification-controller,image-reflector-controller,image-automation-controller]
@@ -37,6 +38,7 @@ instance:
     shards: [] # @schema item: string
   # -- Sync https://fluxcd.control-plane.io/operator/fluxinstance/#sync-configuration
   sync: # @schema required: false
+    interval: 1m
     kind: "GitRepository" # @schema enum:[GitRepository,OCIRepository,Bucket]
     url: ""
     ref: ""

packages/system/fluxcd/values.yaml

@@ -4,7 +4,7 @@ flux-instance:
       networkPolicy: true
       domain: cozy.local # -- default value is overriden in patches
     distribution:
-      version: 2.4.x
+      version: 2.5.x
       registry: ghcr.io/fluxcd
     components:
       - source-controller

packages/system/goldpinger/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-goldpinger
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/goldpinger/Makefile

@@ -0,0 +1,7 @@
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	helm repo add goldpinger https://bloomberg.github.io/goldpinger
+	helm repo update goldpinger
+	helm pull goldpinger/goldpinger --untar --untardir charts

packages/system/goldpinger/charts/goldpinger/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+OWNERS

packages/system/goldpinger/charts/goldpinger/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+appVersion: 3.10.2
+description: Goldpinger is a tool to help debug, troubleshoot and visualize network
+  connectivity and slowness issues.
+home: https://github.com/bloomberg/goldpinger
+name: goldpinger
+sources:
+- https://github.com/bloomberg/goldpinger
+version: 1.0.1

packages/system/goldpinger/charts/goldpinger/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "goldpinger.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "goldpinger.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "goldpinger.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "goldpinger.labels" -}}
+helm.sh/chart: {{ include "goldpinger.chart" . }}
+{{ include "goldpinger.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "goldpinger.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "goldpinger.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "goldpinger.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "goldpinger.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

packages/system/goldpinger/charts/goldpinger/templates/clusterrole.yaml

@@ -0,0 +1,12 @@
+{{- if and .Values.rbac.create .Values.rbac.clusterscoped }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "goldpinger.fullname" . }}-clusterrole
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["list"]
+{{- end }}

packages/system/goldpinger/charts/goldpinger/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.rbac.create .Values.rbac.clusterscoped }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "goldpinger.fullname" . }}-clusterrolebinding
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "goldpinger.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "goldpinger.fullname" . }}-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/system/goldpinger/charts/goldpinger/templates/configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "goldpinger.fullname" . }}-zap
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+data:
+  zap.json: {{ .Values.goldpinger.zapConfig | toJson }}

packages/system/goldpinger/charts/goldpinger/templates/daemonset.yaml

@@ -0,0 +1,103 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "goldpinger.fullname" . }}
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+spec:
+  {{- with .Values.updateStrategy }}
+  updateStrategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "goldpinger.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "goldpinger.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podLabels }}
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      priorityClassName: {{ .Values.priorityClassName }}
+      serviceAccountName: {{ include "goldpinger.serviceAccountName" . }}
+      {{- if .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.image.pullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+      containers:
+        - name: goldpinger-daemon
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          volumeMounts:
+            - name: zap
+              mountPath: /config
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: HOST
+              value: "0.0.0.0"
+            - name: PORT
+              value: "{{ .Values.goldpinger.port }}"
+            - name: LABEL_SELECTOR
+              value: "app.kubernetes.io/name={{ include "goldpinger.name" . }}"
+            {{- if .Values.extraEnv -}}
+            {{ toYaml .Values.extraEnv | nindent 12 }}
+            {{- end }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.goldpinger.port }}
+              protocol: TCP
+              {{- range $k := .Values.extraEnv }}
+              {{- if and (eq $k.name "USE_HOST_IP") (eq $k.value "true") }}
+              hostPort: {{ $.Values.goldpinger.port }}
+              {{- end }}
+              {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: zap
+          configMap:
+            name: {{ include "goldpinger.fullname" . }}-zap
+      {{- range $k := .Values.extraEnv }}
+      {{- if and (eq $k.name "USE_HOST_IP") (eq $k.value "true") }}
+      hostNetwork: true
+      {{- end }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

packages/system/goldpinger/charts/goldpinger/templates/ingress.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "goldpinger.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}

packages/system/goldpinger/charts/goldpinger/templates/prometheusrule.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ template "goldpinger.fullname" . }}
+  {{- if .Values.prometheusRule.namespace }}
+  namespace: {{ .Values.prometheusRule.namespace }}
+  {{- else }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+spec:
+  {{- with .Values.prometheusRule.rules }}
+  groups:
+    - name: {{ template "goldpinger.name" $ }}
+      rules: {{- tpl (toYaml .) $ | nindent 8 }}
+  {{- end }}
+{{- end }}

packages/system/goldpinger/charts/goldpinger/templates/role.yaml

@@ -0,0 +1,20 @@
+{{- if or .Values.podSecurityPolicy.enabled (not .Values.rbac.clusterscoped) }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "goldpinger.fullname" . }}-pod-security-policy
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+rules:
+{{- if not .Values.rbac.clusterscoped }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["list"]
+{{- end }}
+{{- if .Values.podSecurityPolicy.enabled }}
+  - apiGroups: ["extensions"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: [{{ .Values.podSecurityPolicy.policyName | quote }}]
+    verbs: ["use"]
+{{- end }}
+{{- end }}

packages/system/goldpinger/charts/goldpinger/templates/rolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if or .Values.podSecurityPolicy.enabled (not .Values.rbac.clusterscoped) }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "goldpinger.fullname" . }}-pod-security-policy
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+roleRef:
+  kind: Role
+  name: {{ include "goldpinger.fullname" . }}-pod-security-policy
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "goldpinger.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/system/goldpinger/charts/goldpinger/templates/service.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "goldpinger.fullname" . }}
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+{{- with .Values.service.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: {{ .Values.goldpinger.port }}
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "goldpinger.selectorLabels" . | nindent 4 }}
+  {{- if .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+    {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
+  {{- end }}

packages/system/goldpinger/charts/goldpinger/templates/serviceaccount.yaml

@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "goldpinger.serviceAccountName" . }}
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+{{- end }}

packages/system/goldpinger/charts/goldpinger/templates/servicemonitor.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "goldpinger.fullname" . }}
+  {{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ .Values.serviceMonitor.namespace }}
+  {{- end }}
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+    {{- range $key, $value := .Values.serviceMonitor.selector }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+spec:
+  endpoints:
+    - port: http
+      interval: {{ .Values.serviceMonitor.interval }}
+      {{- if .Values.serviceMonitor.honorLabels }}
+      honorLabels: true
+      {{- end }}
+      {{- with .Values.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  jobLabel: name
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "goldpinger.selectorLabels" . | nindent 6 }}
+{{- end -}}

packages/system/goldpinger/charts/goldpinger/values.yaml

@@ -0,0 +1,166 @@
+# Default values for goldpinger.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+image:
+  repository: bloomberg/goldpinger
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+  pullPolicy: IfNotPresent
+  ## Optionally specify an array of imagePullSecrets.
+  ## Secrets must be manually created in the namespace.
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  ##
+  # pullSecrets:
+  #   - myRegistryKeySecretName
+
+rbac:
+  create: true
+  clusterscoped: true
+
+serviceAccount:
+  create: true
+  name:
+
+goldpinger:
+  port: 8080
+  zapConfig: |
+    {
+      "level": "info",
+      "encoding": "json",
+      "outputPaths": [
+          "stdout"
+      ],
+      "errorOutputPaths": [
+          "stderr"
+      ],
+      "initialFields": {
+      },
+      "encoderConfig": {
+          "messageKey": "message",
+          "levelKey": "level",
+          "levelEncoder": "lowercase",
+          "timeKey": "ts",
+          "timeEncoder": "ISO8601",
+          "callerKey": "caller",
+          "callerEncoder": "Short"
+      }
+    }
+
+extraEnv: []
+
+service:
+  type: ClusterIP
+  port: 8081
+  annotations: {}
+  labels: {}
+  loadBalancerSourceRanges: {}
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+## Set a priorityClassName for the pod. If left blank a default priority will be set.
+priorityClassName:
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #  cpu: 100m
+  #  memory: 128Mi
+  # requests:
+  #  cpu: 100m
+  #  memory: 128Mi
+
+podAnnotations: {}
+
+podLabels: {}
+
+updateStrategy: {}
+  # type: RollingUpdate
+  # rollingUpdate:
+  #   maxUnavailable: 1
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## Tolerations for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+
+## Affinity for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+##
+affinity: {}
+
+## Enable this if pod security policy enabled in your cluster
+## It will bind ServiceAccount with unrestricted podSecurityPolicy
+## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+podSecurityPolicy:
+  enabled: false
+  policyName: unrestricted-psp
+
+## Set security context of the goldpinger container
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+containerSecurityContext:
+  capabilities:
+    drop:
+      - ALL
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+## Set security context of the pod
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  fsGroup: 2000
+  seccompProfile:
+    type: RuntimeDefault
+
+serviceMonitor:
+  enabled: false
+  selector:
+    prometheus: "kube-prometheus"
+  # namespace: monitoring
+  interval: 30s
+  # honorLabels: true
+  metricRelabelings: []
+  # - action: drop
+  #   source_labels: [__name__]
+  #   regex: goldpinger_peers_response_time_s_bucket
+
+## Custom PrometheusRule to be defined
+## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+prometheusRule:
+  enabled: false
+  rules:
+    - alert: goldpinger_nodes_unhealthy
+      expr: |
+        sum(goldpinger_nodes_health_total{job="{{ template "goldpinger.fullname" . }}", status="unhealthy"})
+        BY (instance, goldpinger_instance) > 0
+      for: 5m
+      annotations:
+        description: |
+          Goldpinger instance {{ "{{ $labels.goldpinger_instance }}" }} has been reporting unhealthy nodes for at least 5 minutes.
+        summary: Instance {{ "{{ $labels.instance }}" }} down
+      labels:
+        severity: warning

packages/system/goldpinger/values.yaml

@@ -0,0 +1,5 @@
+goldpinger:
+  serviceMonitor:
+    enabled: true
+  prometheusRule:
+    enabled: true

packages/system/kafka-operator/templates/alerts.yaml

@@ -0,0 +1,7 @@
+{{- $files := .Files.Glob "alerts/*.yaml" -}}
+{{- range $path, $file := $files }}
+---
+# from: {{ $path }}
+{{ toString $file }}
+
+{{- end -}}

packages/system/kamaji/charts/kamaji/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: kamaji-etcd
   repository: https://clastix.github.io/charts
-  version: 0.8.0
-digest: sha256:525b0eb2b5bae709d62de9328312d42c54b5219c6df67061de0da79eeca04fb3
-generated: "2024-08-25T08:44:24.92211307+02:00"
+  version: 0.9.1
+digest: sha256:522ec6321e2e394bd89f88a59446b39d6871838c63583346fdca10db36f1bbdb
+generated: "2025-02-17T09:27:31.011938073+03:00"

packages/system/kamaji/images/kamaji/Dockerfile

@@ -1,7 +1,7 @@
 # Build the manager binary
 FROM golang:1.23 as builder
 
-ARG VERSION=edge-24.9.2
+ARG VERSION=edge-24.12.1
 ARG TARGETOS TARGETARCH
 
 WORKDIR /workspace
@@ -9,7 +9,7 @@ WORKDIR /workspace
 RUN curl -sSL https://github.com/clastix/kamaji/archive/refs/tags/${VERSION}.tar.gz | tar -xzvf- --strip=1
 
 COPY patches /patches
-RUN git apply /patches/disable-datastore-check.diff
+RUN git apply /patches/*.diff
 
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build \
     -ldflags "-X github.com/clastix/kamaji/internal.GitRepo=$GIT_REPO -X github.com/clastix/kamaji/internal.GitTag=$GIT_LAST_TAG -X github.com/clastix/kamaji/internal.GitCommit=$GIT_HEAD_COMMIT -X github.com/clastix/kamaji/internal.GitDirty=$GIT_MODIFIED -X github.com/clastix/kamaji/internal.BuildTime=$BUILD_DATE" \

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.25.2@sha256:229646a728b58dd0c55dae7abd721ab23e3feecd61f55fa3ad24bb3a614d558f
+    tag: v0.26.0@sha256:0ae4b7f5a86a2b1657edb3e383460953eef1f98cf386302aeb1c1206d843a1fc
     repository: ghcr.io/aenix-io/cozystack/kamaji
   resources:
     limits:

packages/system/keycloak-configure/templates/configure-kk.yaml

@@ -7,6 +7,7 @@
 {{- $existingK8sSecret := lookup "v1" "Secret" .Release.Namespace "k8s-client" }}
 {{- $existingKubeappsSecret := lookup "v1" "Secret" .Release.Namespace "kubeapps-client" }}
 {{- $existingAuthConfig := lookup "v1" "Secret" "cozy-dashboard" "kubeapps-auth-config" }}
+{{- $cozystackBranding:= lookup "v1" "ConfigMap" "cozy-system" "cozystack-branding" }}
 
 {{ $k8sClient := "" }}
 {{- if $existingK8sSecret }}
@@ -29,8 +30,10 @@
   {{- $cookieSecret = randAlphaNum 16 }}
 {{- end }}
 
-{{- $wlConfigmap := lookup "v1" "ConfigMap" "cozy-dashboard" "white-label" }}
-{{- $locale := index $wlConfigmap.data "locale" }}
+{{ $branding := "" }}
+{{- if $cozystackBranding }}
+  {{- $branding = index $cozystackBranding.data "branding" }}
+{{- end }}
 
 ---
 
@@ -86,8 +89,9 @@ metadata:
 spec:
   realmName: cozy
   clusterKeycloakRef: keycloak-cozy
-  {{- if $locale }}
-  displayNameHtml: {{ $locale }}
+  {{- if $branding }}
+  displayHtmlName: {{ $branding }}
+  displayName: {{ $branding }}
   {{- end }}
 
 ---

packages/system/kubeovn/values.yaml

@@ -22,4 +22,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.13.2@sha256:6c55f8cdd696ca6799f373fc6824f2faa11f7a3185a9f29d7bbd08ff09b6b3e3
+      tag: v1.13.2@sha256:d81c6667fbba732468d7b55183cff35f9dee2f7d661710e34a865f2a3ab901a5

packages/system/kubevirt/templates/kubevirt-cr.yaml

@@ -11,6 +11,8 @@ spec:
       featureGates:
       - HotplugVolumes
       - ExpandDisks
+      - LiveMigration
+    evictionStrategy: LiveMigrate
   customizeComponents: {}
   imagePullPolicy: IfNotPresent
   monitorNamespace: tenant-root

packages/system/linstor/templates/plunger/configmap.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: linstor-plunger
+  namespace: cozy-linstor
+data:
+  plunger.sh: |
+    #!/bin/bash
+    set -e
+    while true; do 
+      # workaround for https://github.com/LINBIT/linstor-server/issues/437
+      linstor -m s l | jq -r '.[][] | select(.flags | contains(["DELETE"])) | "linstor snapshot delete \(.resource_name) \(.name)"' | sh -x
+      sleep 1m
+    done

packages/system/linstor/templates/plunger/plunger.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: linstor-plunger
+  namespace: cozy-linstor
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: linstor-plunger
+  template:
+    metadata:
+      labels:
+        app: linstor-plunger
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/plunger/configmap.yaml") . | sha256sum }}
+    spec:
+      containers:
+      - name: plunger
+        image: quay.io/piraeusdatastore/piraeus-server:v1.29.2
+        command: ["/bin/bash", "/scripts/plunger.sh"]
+        volumeMounts:
+        - mountPath: /etc/linstor/client
+          name: client-tls
+          readOnly: true
+        - mountPath: /etc/linstor
+          name: etc-linstor
+          readOnly: true
+        - mountPath: /scripts
+          name: script-volume
+          readOnly: true
+      enableServiceLinks: false
+      serviceAccountName: linstor-controller
+      tolerations:
+      - effect: NoSchedule
+        key: drbd.linbit.com/lost-quorum
+      - effect: NoSchedule
+        key: drbd.linbit.com/force-io-error
+      volumes:
+      - name: client-tls
+        projected:
+          sources:
+          - secret:
+              name: linstor-client-tls
+      - name: etc-linstor
+        configMap:
+          name: linstor-controller-config
+      - name: script-volume
+        configMap:
+          name: linstor-plunger
+          defaultMode: 0755

packages/system/linstor/templates/volumesnapshotclass.yaml

@@ -0,0 +1,8 @@
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshotClass
+metadata:
+ annotations:
+   snapshot.storage.kubernetes.io/is-default-class: "true"
+ name: linstor-snapshots
+driver: linstor.csi.linbit.com
+deletionPolicy: Delete