[feat] Hetzner

Add Hetzner CCM
Add Hetzner RobotLB

Signed-off-by: Ahmad Murzahmatov <gwynbleidd2106@yandex.com>

.github/workflows/tags.yaml

@@ -118,6 +118,7 @@ jobs:
           git config user.name  "cozystack-bot"
           git config user.email "217169706+cozystack-bot@users.noreply.github.com"
           git remote set-url origin https://cozystack-bot:${GH_PAT}@github.com/${GITHUB_REPOSITORY}
+          git config --unset-all http.https://github.com/.extraheader || true
           git add .
           git commit -m "Prepare release ${GITHUB_REF#refs/tags/}" -s || echo "No changes to commit"
           git push origin HEAD || true

.pre-commit-config.yaml

@@ -12,10 +12,10 @@ repos:
       name: Run 'make generate' in all app directories
       entry: |
         /bin/bash -c '
-          for dir in ./packages/apps/*/; do
+          for dir in ./packages/apps/*/ ./packages/extra/*/ ./packages/system/cozystack-api/; do
             if [ -d "$dir" ]; then
               echo "Running make generate in $dir"
-              (cd "$dir" && make generate)
+              make generate -C "$dir"
             fi
           done
           git diff --color=always | cat

docs/changelogs/template.md

@@ -0,0 +1,11 @@
+## Major Features and Improvements
+
+## Security
+
+## Fixes
+
+## Dependencies
+
+## Documentation
+
+## Development, Testing, and CI/CD

docs/changelogs/v0.31.1.md

@@ -0,0 +1,8 @@
+## Fixes
+
+* [build] Update Talos Linux v1.10.3 and fix assets. (@kvaps in https://github.com/cozystack/cozystack/pull/1006)
+* [ci] Fix uploading released artifacts to GitHub. (@kvaps in https://github.com/cozystack/cozystack/pull/1009)
+* [ci] Separate build and testing jobs. (@kvaps in https://github.com/cozystack/cozystack/pull/1005)
+* [docs] Write a full release post for v0.31.1. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/999)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.31.0...v0.31.1

docs/changelogs/v0.31.2.md

@@ -0,0 +1,12 @@
+## Security
+
+* Resolve a security problem that allowed a tenant administrator to gain enhanced privileges outside the tenant. (@kvaps in https://github.com/cozystack/cozystack/pull/1062, backported in https://github.com/cozystack/cozystack/pull/1066)
+
+## Fixes
+
+* [platform] Fix dependencies in `distro-full` bundle. (@klinch0 in  https://github.com/cozystack/cozystack/pull/1056, backported in https://github.com/cozystack/cozystack/pull/1064)
+* [platform] Fix RBAC for annotating namespaces. (@kvaps in https://github.com/cozystack/cozystack/pull/1031, backported in https://github.com/cozystack/cozystack/pull/1037)
+* [platform] Reduce system resource consumption by using smaller resource presets for VerticalPodAutoscaler, SeaweedFS, and KubeOVN. (@klinch0 in https://github.com/cozystack/cozystack/pull/1054, backported in https://github.com/cozystack/cozystack/pull/1058)
+* [dashboard] Fix a number of issues in the Cozystack Dashboard (@kvaps in https://github.com/cozystack/cozystack/pull/1042, backported in https://github.com/cozystack/cozystack/pull/1066)
+* [apps] Specify minimal working resource presets. (@kvaps in https://github.com/cozystack/cozystack/pull/1040, backported in https://github.com/cozystack/cozystack/pull/1041)
+* [apps] Update built-in documentation and configuration reference for managed Clickhouse application. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1059, backported in https://github.com/cozystack/cozystack/pull/1065)

docs/changelogs/v0.32.1.md

@@ -0,0 +1,38 @@
+## Major Features and Improvements
+
+* [postgres] Introduce new functionality for backup and restore in PostgreSQL. (@klinch0 in https://github.com/cozystack/cozystack/pull/1086)
+* [apps] Refactor resources in managed applications. (@kvaps in https://github.com/cozystack/cozystack/pull/1106)
+* [system] Make VMAgent's `extraArgs` tunable. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1091)
+
+## Fixes
+
+* [postgres] Escape users and database names. (@kvaps in https://github.com/cozystack/cozystack/pull/1087)
+* [tenant] Fix monitoring agents HelmReleases for tenant clusters. (@klinch0 in https://github.com/cozystack/cozystack/pull/1079)
+* [kubernetes] Wrap cert-manager CRDs in a conditional. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1076)
+* [kubernetes] Remove `useCustomSecretForPatchContainerd` option and enable it by default. (@kvaps in https://github.com/cozystack/cozystack/pull/1104)
+* [apps] Increase default resource presets for Clickhouse and Kafka from `nano` to `small`. Update OpenAPI specs and readme's. (@kvaps in https://github.com/cozystack/cozystack/pull/1103 and https://github.com/cozystack/cozystack/pull/1105)
+* [linstor] Add configurable DRBD network options for connection and timeout settings, replacing scripted logic for detecting devices that lost connection. (@kvaps in https://github.com/cozystack/cozystack/pull/1094)
+
+## Dependencies
+
+* Update cozy-proxy to v0.2.0 (@kvaps in https://github.com/cozystack/cozystack/pull/1081)
+* Update Kafka Operator to 0.45.1-rc1 (@kvaps in https://github.com/cozystack/cozystack/pull/1082 and https://github.com/cozystack/cozystack/pull/1102)
+* Update Flux Operator to 0.23.0 (@kingdonb in https://github.com/cozystack/cozystack/pull/1078)
+
+## Documentation
+
+* [docs] Release notes for v0.32.0 and two beta-versions. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1043)
+
+## Development, Testing, and CI/CD
+
+* [tests] Add Kafka, Redis. (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/1077)
+* [tests] Increase disk space for VMs in tests. (@kvaps in https://github.com/cozystack/cozystack/pull/1097)
+* [tests] Upd Kubernetes v1.33. (@kvaps in https://github.com/cozystack/cozystack/pull/1083)
+* [tests] increase postgres timeouts. (@kvaps in https://github.com/cozystack/cozystack/pull/1108)
+* [tests] don't wait for postgres ro service. (@kvaps in https://github.com/cozystack/cozystack/pull/1109)
+* [ci] Setup systemd timer to tear down sandbox. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1092)
+* [ci] Split testing job into several. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1075)
+* [ci] Run E2E tests as separate parallel jobs. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1093)
+* [ci] Refactor GitHub workflows. (@kvaps in https://github.com/cozystack/cozystack/pull/1107)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.32.0...v0.32.1

packages/apps/clickhouse/README.md

@@ -75,6 +75,6 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |

packages/apps/ferretdb/README.md

@@ -62,6 +62,6 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |

packages/apps/http-cache/README.md

@@ -100,7 +100,7 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |
 

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.6.0@sha256:b7633717cd7449c0042ae92d8ca9b36e4d69566561f5c7d44e21058e7d05c6d5
+ghcr.io/cozystack/cozystack/nginx-cache:0.6.0@sha256:50ac1581e3100bd6c477a71161cb455a341ffaf9e5e2f6086802e4e25271e8af

packages/apps/kafka/README.md

@@ -46,7 +46,7 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |
 

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.25.1
+version: 0.25.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/README.md

@@ -146,7 +146,7 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |
 

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.25.1@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.25.2@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.25.1@sha256:412ed2b3c77249bd1b973e6dc9c87976d31863717fb66ba74ccda573af737eb1
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.25.2@sha256:e522960064290747a67502d4e8927c591bdb290bad1f0bae88a02758ebfd380f

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.25.1@sha256:445c2727b04ac68595b43c988ff17b3d69a7b22b0644fde3b10c65b47a7bc036
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.25.2@sha256:761e7235ff9cb7f6f223f00954943e6a5af32ed6624ee592a8610122f96febb0

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -40,6 +40,7 @@ spec:
                 {{ .Release.Name }}-fluxcd-operator
                 {{ .Release.Name }}-fluxcd
                 {{ .Release.Name }}-gpu-operator
+                {{ .Release.Name }}-velero
                 -p '{"spec": {"suspend": true}}'
                 --type=merge --field-manager=flux-client-side-apply || true
 ---
@@ -79,6 +80,8 @@ rules:
       - {{ .Release.Name }}-fluxcd-operator
       - {{ .Release.Name }}-fluxcd
       - {{ .Release.Name }}-gpu-operator
+      - {{ .Release.Name }}-velero
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

packages/apps/mysql/README.md

@@ -119,7 +119,7 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |
 

packages/apps/nats/README.md

@@ -42,7 +42,7 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |
 

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.17.0
+version: 0.17.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/README.md

@@ -11,7 +11,50 @@ This managed service is controlled by the CloudNativePG operator, ensuring effic
 - Docs: <https://cloudnative-pg.io/docs/>
 - Github: <https://github.com/cloudnative-pg/cloudnative-pg>
 
-## HowTos
+## Operations
+
+### How to enable backups
+
+To back up a PostgreSQL application, an external S3-compatible storage is required.
+
+To start regular backups, update the application, setting `backup.enabled` to `true`, and fill in the path and credentials to an  `backup.*`:
+
+```yaml
+## @param backup.enabled Enable regular backups
+## @param backup.schedule Cron schedule for automated backups
+## @param backup.retentionPolicy Retention policy
+## @param backup.destinationPath Path to store the backup (i.e. s3://bucket/path/to/folder)
+## @param backup.endpointURL S3 Endpoint used to upload data to the cloud
+## @param backup.s3AccessKey Access key for S3, used for authentication
+## @param backup.s3SecretKey Secret key for S3, used for authentication
+backup:
+  enabled: false
+  retentionPolicy: 30d
+  destinationPath: s3://bucket/path/to/folder/
+  endpointURL: http://minio-gateway-service:9000
+  schedule: "0 2 * * * *"
+  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+```
+
+### How to recover a backup
+
+CloudNativePG supports point-in-time-recovery.
+Recovering a backup is done by creating a new database instance and restoring the data in it.
+
+Create a new PostgreSQL application with a different name, but identical configuration.
+Set `bootstrap.enabled` to `true` and fill in the name of the database instance to recover from and the recovery time:
+
+```yaml
+## @param bootstrap.enabled Restore database cluster from a backup
+## @param bootstrap.recoveryTime Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest
+## @param bootstrap.oldName Name of database cluster before deleting
+##
+bootstrap:
+  enabled: false
+  recoveryTime: ""  # leave empty for latest or exact timestamp; example: 2020-11-26 15:22:00.00000+00
+  oldName: "<previous-postgres-instance>"
+```
 
 ### How to switch primary/secondary replica
 
@@ -19,24 +62,6 @@ See:
 
 - <https://cloudnative-pg.io/documentation/1.15/rolling_update/#manual-updates-supervised>
 
-### How to restore backup
-
-find snapshot:
-
-```bash
-restic -r s3:s3.example.org/postgres-backups/database_name snapshots
-```
-
-restore:
-
-```bash
-restic -r s3:s3.example.org/postgres-backups/database_name restore latest --target /tmp/
-```
-
-more details:
-
-- <https://blog.aenix.io/restic-effective-backup-from-stdin-4bc1e8f083c1>
-
 ## Parameters
 
 ### Common parameters
@@ -60,23 +85,23 @@ more details:
 
 ### Backup parameters
 
-| Name                     | Description                                                          | Value                               |
-| ------------------------ | -------------------------------------------------------------------- | ----------------------------------- |
-| `backup.enabled`         | Enable pereiodic backups                                             | `false`                             |
-| `backup.schedule`        | Cron schedule for automated backups                                  | `0 2 * * * *`                       |
-| `backup.retentionPolicy` | The retention policy                                                 | `30d`                               |
-| `backup.destinationPath` | The path where to store the backup (i.e. s3://bucket/path/to/folder) | `s3://BUCKET_NAME/`                 |
-| `backup.endpointURL`     | Endpoint to be used to upload data to the cloud                      | `http://minio-gateway-service:9000` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                       | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                       | `ju3eum4dekeich9ahM1te8waeGai0oog`  |
+| Name                     | Description                                                | Value                               |
+| ------------------------ | ---------------------------------------------------------- | ----------------------------------- |
+| `backup.enabled`         | Enable regular backups                                     | `false`                             |
+| `backup.schedule`        | Cron schedule for automated backups                        | `0 2 * * * *`                       |
+| `backup.retentionPolicy` | Retention policy                                           | `30d`                               |
+| `backup.destinationPath` | Path to store the backup (i.e. s3://bucket/path/to/folder) | `s3://bucket/path/to/folder/`       |
+| `backup.endpointURL`     | S3 Endpoint used to upload data to the cloud               | `http://minio-gateway-service:9000` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                 | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                 | `ju3eum4dekeich9ahM1te8waeGai0oog`  |
 
 ### Bootstrap parameters
 
 | Name                     | Description                                                                                                                             | Value   |
 | ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `bootstrap.enabled`      | Restore cluster from backup                                                                                                             | `false` |
-| `bootstrap.recoveryTime` | Time stamp up to which recovery will proceed, expressed in RFC 3339 format, if empty, will restore latest                               | `""`    |
-| `bootstrap.oldName`      | Name of cluster before deleting                                                                                                         | `""`    |
+| `bootstrap.enabled`      | Restore database cluster from a backup                                                                                                  | `false` |
+| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest                    | `""`    |
+| `bootstrap.oldName`      | Name of database cluster before deleting                                                                                                | `""`    |
 | `resources`              | Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
 | `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.       | `micro` |
 
@@ -103,7 +128,7 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |
 

packages/apps/postgres/values.schema.json

@@ -62,7 +62,7 @@
             "properties": {
                 "enabled": {
                     "type": "boolean",
-                    "description": "Enable pereiodic backups",
+                    "description": "Enable regular backups",
                     "default": false
                 },
                 "schedule": {
@@ -72,27 +72,27 @@
                 },
                 "retentionPolicy": {
                     "type": "string",
-                    "description": "The retention policy",
+                    "description": "Retention policy",
                     "default": "30d"
                 },
                 "destinationPath": {
                     "type": "string",
-                    "description": "The path where to store the backup (i.e. s3://bucket/path/to/folder)",
-                    "default": "s3://BUCKET_NAME/"
+                    "description": "Path to store the backup (i.e. s3://bucket/path/to/folder)",
+                    "default": "s3://bucket/path/to/folder/"
                 },
                 "endpointURL": {
                     "type": "string",
-                    "description": "Endpoint to be used to upload data to the cloud",
+                    "description": "S3 Endpoint used to upload data to the cloud",
                     "default": "http://minio-gateway-service:9000"
                 },
                 "s3AccessKey": {
                     "type": "string",
-                    "description": "The access key for S3, used for authentication",
+                    "description": "Access key for S3, used for authentication",
                     "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
                 },
                 "s3SecretKey": {
                     "type": "string",
-                    "description": "The secret key for S3, used for authentication",
+                    "description": "Secret key for S3, used for authentication",
                     "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
                 }
             }
@@ -102,17 +102,17 @@
             "properties": {
                 "enabled": {
                     "type": "boolean",
-                    "description": "Restore cluster from backup",
+                    "description": "Restore database cluster from a backup",
                     "default": false
                 },
                 "recoveryTime": {
                     "type": "string",
-                    "description": "Time stamp up to which recovery will proceed, expressed in RFC 3339 format, if empty, will restore latest",
+                    "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest",
                     "default": ""
                 },
                 "oldName": {
                     "type": "string",
-                    "description": "Name of cluster before deleting",
+                    "description": "Name of database cluster before deleting",
                     "default": ""
                 }
             }

packages/apps/postgres/values.yaml

@@ -59,17 +59,17 @@ databases: {}
 
 ## @section Backup parameters
 
-## @param backup.enabled Enable pereiodic backups
+## @param backup.enabled Enable regular backups
 ## @param backup.schedule Cron schedule for automated backups
-## @param backup.retentionPolicy The retention policy
-## @param backup.destinationPath The path where to store the backup (i.e. s3://bucket/path/to/folder)
-## @param backup.endpointURL Endpoint to be used to upload data to the cloud
-## @param backup.s3AccessKey The access key for S3, used for authentication
-## @param backup.s3SecretKey The secret key for S3, used for authentication
+## @param backup.retentionPolicy Retention policy
+## @param backup.destinationPath Path to store the backup (i.e. s3://bucket/path/to/folder)
+## @param backup.endpointURL S3 Endpoint used to upload data to the cloud
+## @param backup.s3AccessKey Access key for S3, used for authentication
+## @param backup.s3SecretKey Secret key for S3, used for authentication
 backup:
   enabled: false
   retentionPolicy: 30d
-  destinationPath: s3://BUCKET_NAME/
+  destinationPath: s3://bucket/path/to/folder/
   endpointURL: http://minio-gateway-service:9000
   schedule: "0 2 * * * *"
   s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
@@ -77,9 +77,9 @@ backup:
 
 ## @section Bootstrap parameters
 
-## @param bootstrap.enabled Restore cluster from backup
-## @param bootstrap.recoveryTime Time stamp up to which recovery will proceed, expressed in RFC 3339 format, if empty, will restore latest
-## @param bootstrap.oldName Name of cluster before deleting
+## @param bootstrap.enabled Restore database cluster from a backup
+## @param bootstrap.recoveryTime Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest
+## @param bootstrap.oldName Name of database cluster before deleting
 ##
 bootstrap:
   enabled: false

packages/apps/redis/README.md

@@ -45,6 +45,6 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |

packages/apps/tcp-balancer/README.md

@@ -52,6 +52,6 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |

packages/apps/versions_map

@@ -55,7 +55,8 @@ kafka 0.7.1 4369b031
 kafka 0.8.0 HEAD
 kubernetes 0.24.0 62cb694d
 kubernetes 0.25.0 70f82667
-kubernetes 0.25.1 HEAD
+kubernetes 0.25.1 acd4663a
+kubernetes 0.25.2 HEAD
 mysql 0.1.0 263e47be
 mysql 0.2.0 c24a103f
 mysql 0.3.0 53f2365e
@@ -103,7 +104,8 @@ postgres 0.12.1 632224a3
 postgres 0.14.0 62cb694d
 postgres 0.15.1 4369b031
 postgres 0.16.0 70f82667
-postgres 0.17.0 HEAD
+postgres 0.17.0 acd4663a
+postgres 0.17.1 HEAD
 rabbitmq 0.1.0 263e47be
 rabbitmq 0.2.0 53f2365e
 rabbitmq 0.3.0 6c5cf5bf
@@ -155,7 +157,8 @@ virtual-machine 0.9.1 93bdf411
 virtual-machine 0.10.0 6130f43d
 virtual-machine 0.10.2 632224a3
 virtual-machine 0.11.0 4369b031
-virtual-machine 0.12.0 HEAD
+virtual-machine 0.12.0 70f82667
+virtual-machine 0.12.1 HEAD
 vm-disk 0.1.0 d971f2ff
 vm-disk 0.1.1 6130f43d
 vm-disk 0.1.2 632224a3
@@ -172,7 +175,8 @@ vm-instance 0.6.0 721c12a7
 vm-instance 0.7.0 6130f43d
 vm-instance 0.7.2 632224a3
 vm-instance 0.8.0 4369b031
-vm-instance 0.9.0 HEAD
+vm-instance 0.9.0 70f82667
+vm-instance 0.10.0 HEAD
 vpn 0.1.0 263e47be
 vpn 0.2.0 53f2365e
 vpn 0.3.0 6c5cf5bf

packages/apps/virtual-machine/Chart.yaml

@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.12.0
+version: 0.12.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml

@@ -3,6 +3,13 @@ kind: Role
 metadata:
   name: {{ .Release.Name }}-dashboard-resources
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ include "virtual-machine.fullname" . }}
+  verbs: ["get", "list", "watch"]
 - apiGroups:
   - cozystack.io
   resources:

packages/apps/virtual-machine/templates/secret.yaml

@@ -9,7 +9,7 @@ stringData:
   key{{ $k }}: {{ quote $v }} 
   {{- end }}
 {{- end }}
-{{- if .Values.cloudInit }}
+{{- if or .Values.cloudInit .Values.sshKeys }}
 ---
 apiVersion: v1
 kind: Secret
@@ -17,5 +17,17 @@ metadata:
   name: {{ include "virtual-machine.fullname" . }}-cloud-init
 stringData:
   userdata: |
-    {{- .Values.cloudInit | nindent 4 }}
+    {{- if .Values.cloudInit }}
+    {{-   .Values.cloudInit | nindent 4 }}
+    {{- else if and (.Values.sshKeys) (not .Values.cloudInit) }}
+    {{- /*
+      We usually provide ssh keys in cloud-init metadata, because userdata it not typed and can be used for any purpose.
+      However, if user provides ssh keys but not cloud-init, we still need to provide a minimal cloud-init config to avoid errors.
+    */}}
+    #cloud-config
+    ssh_authorized_keys:
+      {{- range .Values.sshKeys }}
+      - {{ quote . }} 
+      {{- end }}
+    {{- end }}
 {{- end }}

packages/apps/virtual-machine/templates/vm.yaml

@@ -92,7 +92,7 @@ spec:
           - disk:
               bus: scsi
             name: systemdisk
-          {{- if .Values.sshKeys }}
+          {{- if or .Values.cloudInit .Values.sshKeys }}
           - disk:
               bus: virtio
             name: cloudinitdisk
@@ -122,28 +122,11 @@ spec:
         - name: systemdisk
           dataVolume:
             name: {{ include "virtual-machine.fullname" . }}
-
-        {{- if and .Values.sshKeys .Values.cloudInit }}
+        {{- if or .Values.cloudInit .Values.sshKeys }}
         - name: cloudinitdisk
           cloudInitNoCloud:
             secretRef:
               name: {{ include "virtual-machine.fullname" . }}-cloud-init
-        {{- else if .Values.sshKeys }}
-        - name: cloudinitdisk
-          cloudInitNoCloud:
-            userData: |
-              {{ printf "%s" "#cloud-config" }}
-              ssh_authorized_keys:
-                {{- range .Values.sshKeys }}
-                - {{ . }}
-                {{- end }}
-              chpasswd:
-                expire: false
-        {{- else }}
-        - name: cloudinitdisk
-          cloudInitNoCloud:
-            userData: |
-              {{ printf "%s" "#cloud-config" }}
         {{- end }}
 
       networks:

packages/apps/vm-instance/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.10.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.8.0
+appVersion: 0.10.0

packages/apps/vm-instance/templates/dashboard-resourcemap.yaml

@@ -3,6 +3,13 @@ kind: Role
 metadata:
   name: {{ .Release.Name }}-dashboard-resources
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ include "virtual-machine.fullname" . }}
+  verbs: ["get", "list", "watch"]
 - apiGroups:
   - cozystack.io
   resources:

packages/apps/vm-instance/templates/secret.yaml

@@ -9,7 +9,7 @@ stringData:
   key{{ $k }}: {{ quote $v }} 
   {{- end }}
 {{- end }}
-{{- if .Values.cloudInit }}
+{{- if or .Values.cloudInit .Values.sshKeys }}
 ---
 apiVersion: v1
 kind: Secret
@@ -17,5 +17,17 @@ metadata:
   name: {{ include "virtual-machine.fullname" . }}-cloud-init
 stringData:
   userdata: |
-    {{- .Values.cloudInit | nindent 4 }}
+    {{- if .Values.cloudInit }}
+    {{-   .Values.cloudInit | nindent 4 }}
+    {{- else if and (.Values.sshKeys) (not .Values.cloudInit) }}
+    {{- /*
+      We usually provide ssh keys in cloud-init metadata, because userdata it not typed and can be used for any purpose.
+      However, if user provides ssh keys but not cloud-init, we still need to provide a minimal cloud-init config to avoid errors.
+    */}}
+    #cloud-config
+    ssh_authorized_keys:
+      {{- range .Values.sshKeys }}
+      - {{ quote . }} 
+      {{- end }}
+    {{- end }}
 {{- end }}

packages/apps/vm-instance/templates/vm.yaml

@@ -54,24 +54,24 @@ spec:
           disks:
           {{- range $i, $disk := .Values.disks }}
           - name: disk-{{ $disk.name }}
-            {{- $disk := lookup "cdi.kubevirt.io/v1beta1" "DataVolume" $.Release.Namespace (printf "vm-disk-%s" $disk.name) }}
-            {{- if $disk }}
-            {{- if and (hasKey $disk.metadata.annotations "vm-disk.cozystack.io/optical") (eq (index $disk.metadata.annotations "vm-disk.cozystack.io/optical") "true") }}
-            cdrom: {}
+            {{- $dv := lookup "cdi.kubevirt.io/v1beta1" "DataVolume" $.Release.Namespace (printf "vm-disk-%s" $disk.name) }}
+            {{- if $dv }}
+            {{- if and (hasKey $dv.metadata.annotations "vm-disk.cozystack.io/optical") (eq (index $dv.metadata.annotations "vm-disk.cozystack.io/optical") "true") }}
+            cdrom:
             {{- else }}
-            disk: {}
-            {{- end }}
-            {{- if eq $i 0 }}
-            bootOrder: 1
+            disk:
             {{- end }}
+              {{- with $disk.bus }}
+              bus: {{ . }}
+              {{- end }}
+            bootOrder: {{ add $i 1 }}
             {{- else }}
             {{-   fail (printf "Specified disk not exists in cluster: %s" .name) }}
             {{- end }}
           {{- end }}
-          {{- if or .Values.sshKeys .Values.cloudInit }}
+          {{- if or .Values.cloudInit .Values.sshKeys }}
           - name: cloudinitdisk
-            disk:
-              bus: virtio
+            disk: {}
           {{- end }}
           interfaces:
           - name: default
@@ -95,27 +95,11 @@ spec:
         dataVolume:
           name: vm-disk-{{ .name }}
       {{- end }}
-      {{- if and .Values.sshKeys .Values.cloudInit }}
+      {{- if or .Values.cloudInit .Values.sshKeys }}
       - name: cloudinitdisk
         cloudInitNoCloud:
           secretRef:
             name: {{ include "virtual-machine.fullname" . }}-cloud-init
-      {{- else if .Values.sshKeys }}
-      - name: cloudinitdisk
-        cloudInitNoCloud:
-          userData: |
-            {{ printf "%s" "#cloud-config" }}
-            ssh_authorized_keys:
-              {{- range .Values.sshKeys }}
-              - {{ . }}
-              {{- end }}
-            chpasswd:
-              expire: false
-      {{- else }}
-      - name: cloudinitdisk
-        cloudInitNoCloud:
-          userData: |
-            {{ printf "%s" "#cloud-config" }}
       {{- end }}
       networks:
       - name: default

packages/apps/vm-instance/values.yaml

@@ -22,6 +22,7 @@ instanceProfile: ubuntu
 ## disks:
 ## - name: example-system
 ## - name: example-data
+##   bus: sata
 disks: []
 
 ## @param gpus [array] List of GPUs to attach

packages/apps/vpn/README.md

@@ -56,7 +56,7 @@ This setting is ignored if the corresponding `resources` value is set.
 | `micro`     | `500m` | `256Mi` |
 | `small`     | `1`    | `512Mi` |
 | `medium`    | `1`    | `1Gi`   |
-| `large`     | `3`    | `2Gi`   |
+| `large`     | `2`    | `2Gi`   |
 | `xlarge`    | `4`    | `4Gi`   |
 | `2xlarge`   | `8`    | `8Gi`   |
 

packages/core/installer/hack/gen-profiles.sh

@@ -76,7 +76,7 @@ input:
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
+    imageRef: "ghcr.io/siderolabs/installer:${TALOS_VERSION}"
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/amd-ucode:${AMD_UCODE_VERSION}
     - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:${BNX2_BNX2X_VERSION}

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,22 +3,22 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.10.3
+version: v1.10.5
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.5"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250708
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20250512
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.10.5
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.10.5
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,22 +3,22 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.10.3
+version: v1.10.5
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.5"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250708
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20250512
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.10.5
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.10.5
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,22 +3,22 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.10.3
+version: v1.10.5
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.5"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250708
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20250512
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.10.5
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.10.5
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,22 +3,22 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.10.3
+version: v1.10.5
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.5"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250708
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20250512
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.10.5
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.10.5
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,22 +3,22 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.10.3
+version: v1.10.5
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.5"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250708
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20250512
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.10.5
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.10.5
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,22 +3,22 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.10.3
+version: v1.10.5
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: "ghcr.io/siderolabs/installer:v1.10.3"
+    imageRef: "ghcr.io/siderolabs/installer:v1.10.5"
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250509
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250509
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.3
-    - imageRef: ghcr.io/siderolabs/zfs:2.3.2-v1.10.3
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250708
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20250512
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250708
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.14-v1.10.5
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.3-v1.10.5
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.33.1@sha256:03a0002be9cf5926643c295bbf05c3e250401b0f0595b9fcd147d53534f368f5
+  image: ghcr.io/cozystack/cozystack/installer:v0.34.0-beta.1@sha256:6f29c93e52d686ae6144d64bbcd92c138cbd1b432b06a74273c5dc35b11fe048

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.33.1@sha256:eed183a4104b1c142f6c4a358338749efe73baefddd53d7fe4c7149ecb892ce1
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.34.0-beta.1@sha256:f0a7a45218122b57022e51d41c0e6b18d31621c8ec504651d2347f47e5e5f256

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.33.1@sha256:ca3638c620215ace26ace3f7e8b27391847ab2158b5a67f070f43dcbea071532
+ghcr.io/cozystack/cozystack/matchbox:v0.34.0-beta.1@sha256:a0bd0076e0bc866858d3f08adca5944fb75004ad0ead2ace369d1c155d780383

packages/extra/ingress/README.md

@@ -7,7 +7,6 @@
 | Name             | Description                                                       | Value   |
 | ---------------- | ----------------------------------------------------------------- | ------- |
 | `replicas`       | Number of ingress-nginx replicas                                  | `2`     |
-| `externalIPs`    | List of externalIPs for service.                                  | `[]`    |
 | `whitelist`      | List of client networks                                           | `[]`    |
 | `clouflareProxy` | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` |
 

packages/extra/ingress/values.schema.json

@@ -7,14 +7,6 @@
             "description": "Number of ingress-nginx replicas",
             "default": 2
         },
-        "externalIPs": {
-            "type": "array",
-            "description": "List of externalIPs for service.",
-            "default": "[]",
-            "items": {
-                "type": "string"
-            }
-        },
         "whitelist": {
             "type": "array",
             "description": "List of client networks",

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:b748d9add5fc4080b143d8690ca1ad851d911948ac8eb296dd9005d53d153c05
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:45e02729edbee171519068b23cd3516009315769b36f59465c420a618320e363

packages/system/cilium/charts/cilium/Chart.yaml

@@ -79,7 +79,7 @@ annotations:
     Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
     be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.17.4
+appVersion: 1.17.5
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.17.4
+version: 1.17.5

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.17.4](https://img.shields.io/badge/Version-1.17.4-informational?style=flat-square) ![AppVersion: 1.17.4](https://img.shields.io/badge/AppVersion-1.17.4-informational?style=flat-square)
+![Version: 1.17.5](https://img.shields.io/badge/Version-1.17.5-informational?style=flat-square) ![AppVersion: 1.17.5](https://img.shields.io/badge/AppVersion-1.17.5-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -85,7 +85,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
 | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. |
-| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:37f7b378a29ceb4c551b1b5582e27747b855bbfaa73fa11914fe0df028dc581f","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.37.0","useDigest":true}` | init container image of SPIRE agent and server |
+| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:f85340bf132ae937d2c2a763b8335c9bab35d6e8293f70f606b9c6178d84f42b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.37.0","useDigest":true}` | init container image of SPIRE agent and server |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
 | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
@@ -197,7 +197,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
 | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:0b72f3046cf36ff9b113d53cc61185e893edb5fe728a2c9e561c1083f806453d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.17.4","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:78dc40b9cb8d7b1ad21a76ff3e11541809acda2ac4ef94150cc832100edc247d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.17.5","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -243,6 +243,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.service.enableSessionAffinity | string | `"HAOnly"` | Defines when to enable session affinity. Each replica in a clustermesh-apiserver deployment runs its own discrete etcd cluster. Remote clients connect to one of the replicas through a shared Kubernetes Service. A client reconnecting to a different backend will require a full resync to ensure data integrity. Session affinity can reduce the likelihood of this happening, but may not be supported by all cloud providers. Possible values:  - "HAOnly" (default) Only enable session affinity for deployments with more than 1 replica.  - "Always" Always enable session affinity.  - "Never" Never enable session affinity. Useful in environments where            session affinity is not supported, but may lead to slightly            degraded performance due to more frequent reconnections. |
 | clustermesh.apiserver.service.externalTrafficPolicy | string | `"Cluster"` | The externalTrafficPolicy of service used for apiserver access. |
 | clustermesh.apiserver.service.internalTrafficPolicy | string | `"Cluster"` | The internalTrafficPolicy of service used for apiserver access. |
+| clustermesh.apiserver.service.labels | object | `{}` | Labels for the clustermesh-apiserver service. |
 | clustermesh.apiserver.service.loadBalancerClass | string | `nil` | Configure a loadBalancerClass. Allows to configure the loadBalancerClass on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer (requires Kubernetes 1.24+). |
 | clustermesh.apiserver.service.loadBalancerIP | string | `nil` | Configure a specific loadBalancerIP. Allows to configure a specific loadBalancerIP on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer. |
 | clustermesh.apiserver.service.loadBalancerSourceRanges | list | `[]` | Configure loadBalancerSourceRanges. Allows to configure the source IP ranges allowed to access the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer. |
@@ -377,7 +378,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.httpRetryCount | int | `3` | Maximum number of retries for each HTTP request |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:a04218c6879007d60d96339a441c448565b6f86650358652da27582e0efbf182","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:9f69e290a7ea3d4edf9192acd81694089af048ae0d8a67fb63bd62dc1d72203e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.32.6-1749271279-0864395884b263913eac200ee2048fd985f8e626","useDigest":true}` | Envoy container image. |
 | envoy.initialFetchTimeoutSeconds | int | `30` | Time in seconds after which the initial fetch on an xDS stream is considered timed out |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
@@ -518,7 +519,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:c16de12a64b8b56de62b15c1652d036253b40cd7fa643d7e1a404dc71dc66441","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.17.4","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:fbb8a6afa8718200fca9381ad274ed695792dbadd2417b0e99c36210ae4964ff","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.17.5","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -625,7 +626,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd`, `kvstore` or `doublewrite-readkvstore` / `doublewrite-readcrd` for migrating between identity backends). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.4","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.5","useDigest":true}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -763,7 +764,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:eaa7b18b7cda65af1d454d54224d175fdb69a35199fa949ae7dfda2789c18dd6","awsDigest":"sha256:3c31583e57648470fbf6646ac67122ac5896ce5f979ab824d9a38cfc7eafc753","azureDigest":"sha256:d8d95049bfeab47cb1a3f995164e1ca2cdec8e6c7036c29799647999cdae07b1","genericDigest":"sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.17.4","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:654db67929f716b6178a34a15cb8f95e391465085bcf48cdba49819a56fcd259","awsDigest":"sha256:3e189ec1e286f1bf23d47c45bdeac6025ef7ec3d2dc16190ee768eb94708cbc3","azureDigest":"sha256:add78783fdaced7453a324612eeb9ebecf56002b56c14c73596b3b4923321026","genericDigest":"sha256:f954c97eeb1b47ed67d08cc8fb4108fb829f869373cbb3e698a7f8ef1085b09e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.17.5","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -813,7 +814,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.4","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.5","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml

@@ -1008,7 +1008,7 @@ spec:
           defaultMode: 0400
           sources:
           - secret:
-              name: {{ .Values.hubble.tls.server.existingSecret | default "hubble-metrics-server-certs" }}
+              name: {{ .Values.hubble.metrics.tls.server.existingSecret | default "hubble-metrics-server-certs" }}
               optional: true
               items:
               - key: tls.crt

packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml

@@ -378,7 +378,7 @@ data:
   bpf-events-default-burst-limit: {{ .Values.bpf.events.default.burstLimit | quote }}
 {{- end}}
 
-{{- if .Values.bpf.mapDynamicSizeRatio }}
+{{- if ne 0.0 ( .Values.bpf.mapDynamicSizeRatio | float64) }}
   # Specifies the ratio (0.0-1.0] of total system memory to use for dynamic
   # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
   bpf-map-dynamic-size-ratio: {{ .Values.bpf.mapDynamicSizeRatio | quote }}

packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml

@@ -11,7 +11,9 @@ metadata:
     {{- with .Values.commonLabels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-
+    {{- with .Values.clustermesh.apiserver.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- if or .Values.clustermesh.apiserver.service.annotations .Values.clustermesh.annotations }}
   annotations:
     {{- with .Values.clustermesh.annotations }}

packages/system/cilium/charts/cilium/values.schema.json

@@ -597,7 +597,8 @@
         "mapDynamicSizeRatio": {
           "type": [
             "null",
-            "number"
+            "number",
+            "string"
           ]
         },
         "masquerade": {
@@ -1246,6 +1247,9 @@
                     "Cluster"
                   ]
                 },
+                "labels": {
+                  "type": "object"
+                },
                 "loadBalancerClass": {
                   "type": [
                     "null",

packages/system/cilium/charts/cilium/values.yaml

@@ -191,10 +191,10 @@ image:
   # @schema
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.17.4"
+  tag: "v1.17.5"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a"
+  digest: "sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6"
   useDigest: true
 # -- Scheduling configurations for cilium pods
 scheduling:
@@ -561,7 +561,7 @@ bpf:
   # @schema
   policyMapMax: 16384
   # @schema
-  # type: [null, number]
+  # type: [null, number, string]
   # @schema
   # -- (float64) Configure auto-sizing for all BPF maps based on available memory.
   # ref: https://docs.cilium.io/en/stable/network/ebpf/maps/
@@ -1440,9 +1440,9 @@ hubble:
       # @schema
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.17.4"
+      tag: "v1.17.5"
       # hubble-relay-digest
-      digest: "sha256:c16de12a64b8b56de62b15c1652d036253b40cd7fa643d7e1a404dc71dc66441"
+      digest: "sha256:fbb8a6afa8718200fca9381ad274ed695792dbadd2417b0e99c36210ae4964ff"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- Specifies the resources for the hubble-relay pods
@@ -2353,9 +2353,9 @@ envoy:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c"
+    tag: "v1.32.6-1749271279-0864395884b263913eac200ee2048fd985f8e626"
     pullPolicy: "IfNotPresent"
-    digest: "sha256:a04218c6879007d60d96339a441c448565b6f86650358652da27582e0efbf182"
+    digest: "sha256:9f69e290a7ea3d4edf9192acd81694089af048ae0d8a67fb63bd62dc1d72203e"
     useDigest: true
   # -- Additional containers added to the cilium Envoy DaemonSet.
   extraContainers: []
@@ -2710,15 +2710,15 @@ operator:
     # @schema
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.17.4"
+    tag: "v1.17.5"
     # operator-generic-digest
-    genericDigest: "sha256:a3906412f477b09904f46aac1bed28eb522bef7899ed7dd81c15f78b7aa1b9b5"
+    genericDigest: "sha256:f954c97eeb1b47ed67d08cc8fb4108fb829f869373cbb3e698a7f8ef1085b09e"
     # operator-azure-digest
-    azureDigest: "sha256:d8d95049bfeab47cb1a3f995164e1ca2cdec8e6c7036c29799647999cdae07b1"
+    azureDigest: "sha256:add78783fdaced7453a324612eeb9ebecf56002b56c14c73596b3b4923321026"
     # operator-aws-digest
-    awsDigest: "sha256:3c31583e57648470fbf6646ac67122ac5896ce5f979ab824d9a38cfc7eafc753"
+    awsDigest: "sha256:3e189ec1e286f1bf23d47c45bdeac6025ef7ec3d2dc16190ee768eb94708cbc3"
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:eaa7b18b7cda65af1d454d54224d175fdb69a35199fa949ae7dfda2789c18dd6"
+    alibabacloudDigest: "sha256:654db67929f716b6178a34a15cb8f95e391465085bcf48cdba49819a56fcd259"
     useDigest: true
     pullPolicy: "IfNotPresent"
     suffix: ""
@@ -2993,9 +2993,9 @@ preflight:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.17.4"
+    tag: "v1.17.5"
     # cilium-digest
-    digest: "sha256:24a73fe795351cf3279ac8e84918633000b52a9654ff73a6b0d7223bcff4a67a"
+    digest: "sha256:baf8541723ee0b72d6c489c741c81a6fdc5228940d66cb76ef5ea2ce3c639ea6"
     useDigest: true
     pullPolicy: "IfNotPresent"
   # -- The priority class to use for the preflight pod.
@@ -3142,9 +3142,9 @@ clustermesh:
       # @schema
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.17.4"
+      tag: "v1.17.5"
       # clustermesh-apiserver-digest
-      digest: "sha256:0b72f3046cf36ff9b113d53cc61185e893edb5fe728a2c9e561c1083f806453d"
+      digest: "sha256:78dc40b9cb8d7b1ad21a76ff3e11541809acda2ac4ef94150cc832100edc247d"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- TCP port for the clustermesh-apiserver health API.
@@ -3246,6 +3246,8 @@ clustermesh:
       # * EKS: service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
       # * GKE: networking.gke.io/load-balancer-type: "Internal"
       annotations: {}
+      # -- Labels for the clustermesh-apiserver service.
+      labels: {}
       # @schema
       # enum: [Local, Cluster]
       # @schema
@@ -3651,7 +3653,7 @@ authentication:
           override: ~
           repository: "docker.io/library/busybox"
           tag: "1.37.0"
-          digest: "sha256:37f7b378a29ceb4c551b1b5582e27747b855bbfaa73fa11914fe0df028dc581f"
+          digest: "sha256:f85340bf132ae937d2c2a763b8335c9bab35d6e8293f70f606b9c6178d84f42b"
           useDigest: true
           pullPolicy: "IfNotPresent"
         # SPIRE agent configuration

packages/system/cilium/charts/cilium/values.yaml.tmpl

@@ -566,7 +566,7 @@ bpf:
   # @schema
   policyMapMax: 16384
   # @schema
-  # type: [null, number]
+  # type: [null, number, string]
   # @schema
   # -- (float64) Configure auto-sizing for all BPF maps based on available memory.
   # ref: https://docs.cilium.io/en/stable/network/ebpf/maps/
@@ -3276,6 +3276,8 @@ clustermesh:
       # * EKS: service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
       # * GKE: networking.gke.io/load-balancer-type: "Internal"
       annotations: {}
+      # -- Labels for the clustermesh-apiserver service.
+      labels: {}
       # @schema
       # enum: [Local, Cluster]
       # @schema

packages/system/cilium/images/cilium/Dockerfile

@@ -1,2 +1,2 @@
-ARG VERSION=v1.17.4
+ARG VERSION=v1.17.5
 FROM quay.io/cilium/cilium:${VERSION}

packages/system/cilium/values.yaml

@@ -14,7 +14,7 @@ cilium:
     mode: "kubernetes"
   image:
     repository: ghcr.io/cozystack/cozystack/cilium
-    tag: 1.17.4
-    digest: "sha256:91f628cbdc4652b4459af79c5a0501282cc0bc0a9fc11e3d8cb65e884f94e751"
+    tag: 1.17.5
+    digest: "sha256:2def2dccfc17870be6e1d63584c25b32e812f21c9cdcfa06deadd2787606654d"
   envoy:
     enabled: false

packages/system/cozystack-api/Makefile

@@ -21,3 +21,8 @@ image-cozystack-api:
 	IMAGE="$(REGISTRY)/cozystack-api:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/cozystack-api.json -o json -r)" \
 		yq -i '.cozystackAPI.image = strenv(IMAGE)' values.yaml
 	rm -f images/cozystack-api.json
+
+generate:
+	rm -rf openapi-schemas
+	mkdir -p openapi-schemas
+	find ../../apps ../../extra -maxdepth 2 -name values.schema.json -exec sh -c 'ln -s ../{} openapi-schemas/$$(basename $$(dirname {})).json' \;

packages/system/cozystack-api/openapi-schemas/bootbox.json

@@ -0,0 +1 @@
+../../../extra/bootbox/values.schema.json

packages/system/cozystack-api/openapi-schemas/bucket.json

@@ -0,0 +1 @@
+../../../apps/bucket/values.schema.json

packages/system/cozystack-api/openapi-schemas/clickhouse.json

@@ -0,0 +1 @@
+../../../apps/clickhouse/values.schema.json

packages/system/cozystack-api/openapi-schemas/etcd.json

@@ -0,0 +1 @@
+../../../extra/etcd/values.schema.json

packages/system/cozystack-api/openapi-schemas/ferretdb.json

@@ -0,0 +1 @@
+../../../apps/ferretdb/values.schema.json

packages/system/cozystack-api/openapi-schemas/http-cache.json

@@ -0,0 +1 @@
+../../../apps/http-cache/values.schema.json

packages/system/cozystack-api/openapi-schemas/info.json

@@ -0,0 +1 @@
+../../../extra/info/values.schema.json

packages/system/cozystack-api/openapi-schemas/ingress.json

@@ -0,0 +1 @@
+../../../extra/ingress/values.schema.json

packages/system/cozystack-api/openapi-schemas/kafka.json

@@ -0,0 +1 @@
+../../../apps/kafka/values.schema.json

packages/system/cozystack-api/openapi-schemas/kubernetes.json

@@ -0,0 +1 @@
+../../../apps/kubernetes/values.schema.json

packages/system/cozystack-api/openapi-schemas/monitoring.json

@@ -0,0 +1 @@
+../../../extra/monitoring/values.schema.json

packages/system/cozystack-api/openapi-schemas/mysql.json

@@ -0,0 +1 @@
+../../../apps/mysql/values.schema.json

packages/system/cozystack-api/openapi-schemas/nats.json

@@ -0,0 +1 @@
+../../../apps/nats/values.schema.json

packages/system/cozystack-api/openapi-schemas/postgres.json

@@ -0,0 +1 @@
+../../../apps/postgres/values.schema.json

packages/system/cozystack-api/openapi-schemas/rabbitmq.json

@@ -0,0 +1 @@
+../../../apps/rabbitmq/values.schema.json

packages/system/cozystack-api/openapi-schemas/redis.json

@@ -0,0 +1 @@
+../../../apps/redis/values.schema.json

packages/system/cozystack-api/openapi-schemas/seaweedfs.json

@@ -0,0 +1 @@
+../../../extra/seaweedfs/values.schema.json

packages/system/cozystack-api/openapi-schemas/tcp-balancer.json

@@ -0,0 +1 @@
+../../../apps/tcp-balancer/values.schema.json

packages/system/cozystack-api/openapi-schemas/tenant.json

@@ -0,0 +1 @@
+../../../apps/tenant/values.schema.json

packages/system/cozystack-api/openapi-schemas/virtual-machine.json

@@ -0,0 +1 @@
+../../../apps/virtual-machine/values.schema.json

packages/system/cozystack-api/openapi-schemas/vm-disk.json

@@ -0,0 +1 @@
+../../../apps/vm-disk/values.schema.json

packages/system/cozystack-api/openapi-schemas/vm-instance.json

@@ -0,0 +1 @@
+../../../apps/vm-instance/values.schema.json

packages/system/cozystack-api/openapi-schemas/vpn.json

@@ -0,0 +1 @@
+../../../apps/vpn/values.schema.json

packages/system/cozystack-api/templates/configmap.yaml

@@ -10,6 +10,7 @@ data:
         kind: Bucket
         singular: bucket
         plural: buckets
+        openAPISchema: {{ .Files.Get "openapi-schemas/bucket.json" | fromJson | toJson | quote }}
       release:
         prefix: bucket-
         labels:
@@ -24,6 +25,7 @@ data:
         kind: ClickHouse
         singular: clickhouse
         plural: clickhouses
+        openAPISchema: {{ .Files.Get "openapi-schemas/clickhouse.json" | fromJson | toJson | quote }}
       release:
         prefix: clickhouse-
         labels:
@@ -38,6 +40,7 @@ data:
         kind: HTTPCache
         singular: httpcache
         plural: httpcaches
+        openAPISchema: {{ .Files.Get "openapi-schemas/http-cache.json" | fromJson | toJson | quote }}
       release:
         prefix: http-cache-
         labels:
@@ -52,6 +55,7 @@ data:
         kind: NATS
         singular: nats
         plural: natses
+        openAPISchema: {{ .Files.Get "openapi-schemas/nats.json" | fromJson | toJson | quote }}
       release:
         prefix: nats-
         labels:
@@ -66,6 +70,7 @@ data:
         kind: TCPBalancer
         singular: tcpbalancer
         plural: tcpbalancers
+        openAPISchema: {{ .Files.Get "openapi-schemas/tcp-balancer.json" | fromJson | toJson | quote }}
       release:
         prefix: tcp-balancer-
         labels:
@@ -80,6 +85,7 @@ data:
         kind: VirtualMachine
         singular: virtualmachine
         plural: virtualmachines
+        openAPISchema: {{ .Files.Get "openapi-schemas/virtual-machine.json" | fromJson | toJson | quote }}
       release:
         prefix: virtual-machine-
         labels:
@@ -94,6 +100,7 @@ data:
         kind: VPN
         singular: vpn
         plural: vpns
+        openAPISchema: {{ .Files.Get "openapi-schemas/vpn.json" | fromJson | toJson | quote }}
       release:
         prefix: vpn-
         labels:
@@ -108,6 +115,7 @@ data:
         kind: MySQL
         singular: mysql
         plural: mysqls
+        openAPISchema: {{ .Files.Get "openapi-schemas/mysql.json" | fromJson | toJson | quote }}
       release:
         prefix: mysql-
         labels:
@@ -122,6 +130,7 @@ data:
         kind: Tenant
         singular: tenant
         plural: tenants
+        openAPISchema: {{ .Files.Get "openapi-schemas/tenant.json" | fromJson | toJson | quote }}
       release:
         prefix: tenant-
         labels:
@@ -136,6 +145,7 @@ data:
         kind: Kubernetes
         singular: kubernetes
         plural: kuberneteses
+        openAPISchema: {{ .Files.Get "openapi-schemas/kubernetes.json" | fromJson | toJson | quote }}
       release:
         prefix: kubernetes-
         labels:
@@ -150,6 +160,7 @@ data:
         kind: Redis
         singular: redis
         plural: redises
+        openAPISchema: {{ .Files.Get "openapi-schemas/redis.json" | fromJson | toJson | quote }}
       release:
         prefix: redis-
         labels:
@@ -164,6 +175,7 @@ data:
         kind: RabbitMQ
         singular: rabbitmq
         plural: rabbitmqs
+        openAPISchema: {{ .Files.Get "openapi-schemas/rabbitmq.json" | fromJson | toJson | quote }}
       release:
         prefix: rabbitmq-
         labels:
@@ -178,6 +190,7 @@ data:
         kind: Postgres
         singular: postgres
         plural: postgreses
+        openAPISchema: {{ .Files.Get "openapi-schemas/postgres.json" | fromJson | toJson | quote }}
       release:
         prefix: postgres-
         labels:
@@ -192,6 +205,7 @@ data:
         kind: FerretDB
         singular: ferretdb
         plural: ferretdb
+        openAPISchema: {{ .Files.Get "openapi-schemas/ferretdb.json" | fromJson | toJson | quote }}
       release:
         prefix: ferretdb-
         labels:
@@ -206,6 +220,7 @@ data:
         kind: Kafka
         singular: kafka
         plural: kafkas
+        openAPISchema: {{ .Files.Get "openapi-schemas/kafka.json" | fromJson | toJson | quote }}
       release:
         prefix: kafka-
         labels:
@@ -220,6 +235,7 @@ data:
         kind: VMDisk
         plural: vmdisks
         singular: vmdisk
+        openAPISchema: {{ .Files.Get "openapi-schemas/vm-disk.json" | fromJson | toJson | quote }}
       release:
         prefix: vm-disk-
         labels:
@@ -234,6 +250,7 @@ data:
         kind: VMInstance
         plural: vminstances
         singular: vminstance
+        openAPISchema: {{ .Files.Get "openapi-schemas/vm-instance.json" | fromJson | toJson | quote }}
       release:
         prefix: vm-instance-
         labels:
@@ -248,6 +265,7 @@ data:
         kind: Monitoring
         plural: monitorings
         singular: monitoring
+        openAPISchema: {{ .Files.Get "openapi-schemas/monitoring.json" | fromJson | toJson | quote }}
       release:
         prefix: ""
         labels:
@@ -262,6 +280,7 @@ data:
         kind: Etcd
         plural: etcds
         singular: etcd
+        openAPISchema: {{ .Files.Get "openapi-schemas/etcd.json" | fromJson | toJson | quote }}
       release:
         prefix: ""
         labels:
@@ -276,6 +295,7 @@ data:
         kind: Ingress
         plural: ingresses
         singular: ingress
+        openAPISchema: {{ .Files.Get "openapi-schemas/ingress.json" | fromJson | toJson | quote }}
       release:
         prefix: ""
         labels:
@@ -290,6 +310,7 @@ data:
         kind: SeaweedFS
         plural: seaweedfses
         singular: seaweedfs
+        openAPISchema: {{ .Files.Get "openapi-schemas/seaweedfs.json" | fromJson | toJson | quote }}
       release:
         prefix: ""
         labels:
@@ -304,6 +325,7 @@ data:
         kind: BootBox
         plural: bootboxes
         singular: bootbox
+        openAPISchema: {{ .Files.Get "openapi-schemas/bootbox.json" | fromJson | toJson | quote }}
       release:
         prefix: ""
         labels:
@@ -318,6 +340,7 @@ data:
         kind: Info
         plural: infos
         singular: info
+        openAPISchema: {{ .Files.Get "openapi-schemas/info.json" | fromJson | toJson | quote }}
       release:
         prefix: ""
         labels:

packages/system/cozystack-api/values.yaml

@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.33.1@sha256:ee6b71d3ab1c1484490ff1dc57a7df82813c4f18d6393f149d32acf656aa779d
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.34.0-beta.1@sha256:724a166d2daa9cae3caeb18bffdc7146d80de310a6f97360c2beaef340076e6d

packages/system/cozystack-controller/values.yaml

@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.33.1@sha256:4777488e14f0313b153b153388c78ab89e3a39582c30266f2321704df1976922
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.34.0-beta.1@sha256:cf0b80f2540ac8f6ddd226b3bab87e001602eb0ebc8a527a1c14a0a6f23eb427
   debug: false
   disableTelemetry: false
-  cozystackVersion: "v0.33.1"
+  cozystackVersion: "v0.34.0-beta.1"

packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml

@@ -76,7 +76,7 @@ data:
       "kubeappsNamespace": {{ .Release.Namespace | quote }},
       "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
       "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.33.1",
+      "appVersion": "v0.34.0-beta.1",
       "authProxyEnabled": {{ .Values.authProxy.enabled }},
       "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
       "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},

packages/system/dashboard/images/dashboard/Dockerfile

@@ -1,7 +1,7 @@
 FROM bitnami/node:20.15.1 AS build
 WORKDIR /app
 
-ARG COMMIT_REF=6856b66f9244ef1b2703a2f30899366e0ba040de
+ARG COMMIT_REF=e1382f51c6db1bca0a8ecd454407c8e282fe0243
 RUN wget -O- https://github.com/cozystack/kubeapps/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=2 kubeapps-${COMMIT_REF}/dashboard
 
 RUN yarn install --frozen-lockfile

packages/system/dashboard/images/kubeapps-apis/Dockerfile

@@ -4,7 +4,7 @@
 # syntax = docker/dockerfile:1
 
 FROM alpine AS source
-ARG COMMIT_REF=6856b66f9244ef1b2703a2f30899366e0ba040de
+ARG COMMIT_REF=e1382f51c6db1bca0a8ecd454407c8e282fe0243
 RUN apk add --no-cache patch
 WORKDIR /source
 RUN wget -O- https://github.com/cozystack/kubeapps/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1

packages/system/dashboard/values.yaml

@@ -19,8 +19,8 @@ kubeapps:
     image:
       registry: ghcr.io/cozystack/cozystack
       repository: dashboard
-      tag: v0.33.1
-      digest: "sha256:5e514516bd3dc0c693bb346ddeb9740e0439a59deb2a56b87317286e3ce79ac9"
+      tag: v0.34.0-beta.1
+      digest: "sha256:ac2b5348d85fe37ad70a4cc159881c4eaded9175a4b586cfa09a52b0fbe5e1e5"
   redis:
     master:
       resourcesPreset: "none"
@@ -37,8 +37,8 @@ kubeapps:
     image:
       registry: ghcr.io/cozystack/cozystack
       repository: kubeapps-apis
-      tag: v0.33.1
-      digest: "sha256:ea5b21a27c97b14880042d2a642670e3461e7d946c65b5b557d2eb8df9f03a87"
+      tag: v0.34.0-beta.1
+      digest: "sha256:0270aea2e4b21a906db7f03214e7f6b0786be64a1b66e998e4ed8ef7da12da58"
     pluginConfig:
       flux:
         packages:

packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml

@@ -8,7 +8,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.23.0
+appVersion: v0.24.0
 description: 'A Helm chart for deploying the Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.23.0
+version: 0.24.0

packages/system/fluxcd-operator/charts/flux-operator/README.md

@@ -1,6 +1,6 @@
 # flux-operator
 
-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.23.0](https://img.shields.io/badge/AppVersion-v0.23.0-informational?style=flat-square)
+![Version: 0.24.0](https://img.shields.io/badge/Version-0.24.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.24.0](https://img.shields.io/badge/AppVersion-v0.24.0-informational?style=flat-square)
 
 The [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator) provides a
 declarative API for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the
@@ -38,6 +38,8 @@ see the Flux Operator [documentation](https://fluxcd.control-plane.io/operator/)
 | commonLabels | object | `{}` | Common labels to add to all deployed objects including pods. |
 | extraArgs | list | `[]` | Container extra arguments. |
 | extraEnvs | list | `[]` | Container extra environment variables. |
+| extraVolumeMounts | list | `[]` | Container extra volume mounts. |
+| extraVolumes | list | `[]` | Pod extra volumes. |
 | fullnameOverride | string | `""` |  |
 | hostNetwork | bool | `false` | If `true`, the container ports (`8080` and `8081`) are exposed on the host network. |
 | image | object | `{"imagePullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/controlplaneio-fluxcd/flux-operator","tag":""}` | Container image settings. The image tag defaults to the chart appVersion. |

packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml

@@ -586,6 +586,9 @@ spec:
                     description: ServerVersion is the version of the Kubernetes API
                       server.
                     type: string
+                required:
+                - platform
+                - serverVersion
                 type: object
               components:
                 description: ComponentsStatus is the status of the Flux controller
@@ -637,6 +640,23 @@ spec:
                 - entitlement
                 - status
                 type: object
+              operator:
+                description: Operator is the version information of the Flux Operator.
+                properties:
+                  apiVersion:
+                    description: APIVersion is the API version of the Flux Operator.
+                    type: string
+                  platform:
+                    description: Platform is the os/arch of Flux Operator.
+                    type: string
+                  version:
+                    description: Version is the version number of Flux Operator.
+                    type: string
+                required:
+                - apiVersion
+                - platform
+                - version
+                type: object
               reconcilers:
                 description: |-
                   ReconcilersStatus is the list of Flux reconcilers and
@@ -858,8 +878,10 @@ spec:
                   - a PEM-encoded CA certificate (`ca.crt`)
                   - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`)
 
-                  When connecting to a Git provider that uses self-signed certificates, the CA certificate
+                  When connecting to a Git or OCI provider that uses self-signed certificates, the CA certificate
                   must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
+                  When connecting to an OCI provider that supports client certificates (mTLS), the client certificate
+                  and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively.
                 properties:
                   name:
                     description: Name of the referent.
@@ -884,11 +906,21 @@ spec:
                       ExcludeBranch specifies the regular expression to filter the branches
                       that the input provider should exclude.
                     type: string
+                  excludeTag:
+                    description: |-
+                      ExcludeTag specifies the regular expression to filter the tags
+                      that the input provider should exclude.
+                    type: string
                   includeBranch:
                     description: |-
                       IncludeBranch specifies the regular expression to filter the branches
                       that the input provider should include.
                     type: string
+                  includeTag:
+                    description: |-
+                      IncludeTag specifies the regular expression to filter the tags
+                      that the input provider should include.
+                    type: string
                   labels:
                     description: Labels specifies the list of labels to filter the
                       input provider response.
@@ -896,13 +928,17 @@ spec:
                       type: string
                     type: array
                   limit:
+                    default: 100
                     description: |-
                       Limit specifies the maximum number of input sets to return.
                       When not set, the default limit is 100.
                     type: integer
                   semver:
-                    description: Semver specifies the semantic version range to filter
-                      and order the tags.
+                    description: |-
+                      Semver specifies a semantic version range to filter and sort the tags.
+                      If this field is not specified, the tags will be sorted in reverse
+                      alphabetical order.
+                      Supported only for tags at the moment.
                     type: string
                 type: object
               schedule:
@@ -933,10 +969,12 @@ spec:
               secretRef:
                 description: |-
                   SecretRef specifies the Kubernetes Secret containing the basic-auth credentials
-                  to access the input provider. The secret must contain the keys
-                  'username' and 'password'.
-                  When connecting to a Git provider, the password should be a personal access token
+                  to access the input provider.
+                  When connecting to a Git provider, the secret must contain the keys
+                  'username' and 'password', and the password should be a personal access token
                   that grants read-only access to the repository.
+                  When connecting to an OCI provider, the secret must contain a Kubernetes
+                  Image Pull Secret, as if created by `kubectl create secret docker-registry`.
                 properties:
                   name:
                     description: Name of the referent.
@@ -944,6 +982,14 @@ spec:
                 required:
                 - name
                 type: object
+              serviceAccountName:
+                description: |-
+                  ServiceAccountName specifies the name of the Kubernetes ServiceAccount
+                  used for authentication with AWS, Azure or GCP services through
+                  workload identity federation features. If not specified, the
+                  authentication for these cloud providers will use the ServiceAccount
+                  of the operator (or any other environment authentication configuration).
+                type: string
               skip:
                 description: Skip defines whether we need to skip input provider response
                   updates.
@@ -966,12 +1012,20 @@ spec:
                 - GitLabBranch
                 - GitLabTag
                 - GitLabMergeRequest
+                - AzureDevOpsBranch
+                - AzureDevOpsTag
+                - AzureDevOpsPullRequest
+                - OCIArtifactTag
+                - ACRArtifactTag
+                - ECRArtifactTag
+                - GARArtifactTag
                 type: string
               url:
                 description: |-
-                  URL specifies the HTTP/S address of the input provider API.
+                  URL specifies the HTTP/S or OCI address of the input provider API.
                   When connecting to a Git provider, the URL should point to the repository address.
-                pattern: ^((http|https)://.*){0,1}$
+                  When connecting to an OCI provider, the URL should point to the OCI repository address.
+                pattern: ^((http|https|oci)://.*){0,1}$
                 type: string
             required:
             - type
@@ -981,6 +1035,27 @@ spec:
               rule: self.type != 'Static' || !has(self.url)
             - message: spec.url must not be empty when spec.type is not 'Static'
               rule: self.type == 'Static' || has(self.url)
+            - message: spec.url must start with 'http://' or 'https://' when spec.type
+                is a Git provider
+              rule: '!self.type.startsWith(''Git'') || self.url.startsWith(''http'')'
+            - message: spec.url must start with 'http://' or 'https://' when spec.type
+                is a Git provider
+              rule: '!self.type.startsWith(''AzureDevOps'') || self.url.startsWith(''http'')'
+            - message: spec.url must start with 'oci://' when spec.type is an OCI
+                provider
+              rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')'
+            - message: cannot specify spec.serviceAccountName when spec.type is not
+                one of AzureDevOps* or *ArtifactTag
+              rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'')
+                || self.type.endsWith(''ArtifactTag'')'
+            - message: cannot specify spec.certSecretRef when spec.type is one of
+                Static, AzureDevOps*, ACRArtifactTag, ECRArtifactTag or GARArtifactTag
+              rule: '!has(self.certSecretRef) || !(self.url == ''Static'' || self.type.startsWith(''AzureDevOps'')
+                || (self.type.endsWith(''ArtifactTag'') && self.type != ''OCIArtifactTag''))'
+            - message: cannot specify spec.secretRef when spec.type is one of Static,
+                ACRArtifactTag, ECRArtifactTag or GARArtifactTag
+              rule: '!has(self.secretRef) || !(self.url == ''Static'' || (self.type.endsWith(''ArtifactTag'')
+                && self.type != ''OCIArtifactTag''))'
           status:
             description: ResourceSetInputProviderStatus defines the observed state
               of ResourceSetInputProvider.

packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml

@@ -99,9 +99,15 @@ spec:
           volumeMounts:
             - name: temp
               mountPath: /tmp
+            {{- if .Values.extraVolumeMounts }}
+              {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       volumes:
         - name: temp
           emptyDir: {}
+        {{- if .Values.extraVolumes }}
+          {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
       {{- with .Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}

packages/system/fluxcd-operator/charts/flux-operator/values.yaml

@@ -116,12 +116,18 @@ nodeSelector: { } # @schema type: object
 # -- If `true`, the container ports (`8080` and `8081`) are exposed on the host network.
 hostNetwork: false # @schema default: false
 
+# -- Pod extra volumes.
+extraVolumes: [ ] # @schema item: object ; uniqueItems: true
+
 # -- Container extra environment variables.
 extraEnvs: [ ] # @schema item: object ; uniqueItems: true
 
 # -- Container extra arguments.
 extraArgs: [ ] # @schema item: string ; uniqueItems: true
 
+# -- Container extra volume mounts.
+extraVolumeMounts: [ ] # @schema item: object ; uniqueItems: true
+
 # -- Container logging level flag.
 logLevel: "info" # @schema enum:[debug,info,error]
 

packages/system/fluxcd/charts/flux-instance/Chart.yaml

@@ -8,7 +8,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.23.0
+appVersion: v0.24.0
 description: 'A Helm chart for deploying a Flux instance managed by Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.23.0
+version: 0.24.0

packages/system/fluxcd/charts/flux-instance/README.md

@@ -1,6 +1,6 @@
 # flux-instance
 
-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.23.0](https://img.shields.io/badge/AppVersion-v0.23.0-informational?style=flat-square)
+![Version: 0.24.0](https://img.shields.io/badge/Version-0.24.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.24.0](https://img.shields.io/badge/AppVersion-v0.24.0-informational?style=flat-square)
 
 This chart is a thin wrapper around the `FluxInstance` custom resource, which is
 used by the [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator)

packages/system/hetzner-ccm/Chart.yaml

@@ -0,0 +1,2 @@
+name: hetzner-ccm
+version: 1.26.0  # Placeholder, the actual version will be automatically set during the build process

packages/system/hetzner-ccm/Makefile

@@ -0,0 +1,10 @@
+export NAME=hetzner-ccm
+export NAMESPACE=kube-system
+
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	helm repo add hcloud https://charts.hetzner.cloud
+	helm repo update hcloud
+	helm pull hcloud/hcloud-cloud-controller-manager --untar --untardir charts