Add nats-operator

FerretDB

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/ferretdb/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: ferretdb
+description: Managed FerretDB service
+icon: ferretdb.svg
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.22.0"

packages/apps/ferretdb/Makefile

@@ -0,0 +1,2 @@
+generate:
+	readme-generator -v values.yaml -s values.schema.json -r README.md

packages/apps/ferretdb/README.md

@@ -0,0 +1,34 @@
+# Managed FerretDB Service
+
+## Parameters
+
+### Common parameters
+
+| Name                     | Description                                                                                                             | Value   |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- |
+| `external`               | Enable external access from outside the cluster                                                                         | `false` |
+| `size`                   | Persistent Volume size                                                                                                  | `10Gi`  |
+| `replicas`               | Number of Postgres replicas                                                                                             | `2`     |
+| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.           | `0`     |
+| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0`     |
+
+### Configuration parameters
+
+| Name    | Description         | Value |
+| ------- | ------------------- | ----- |
+| `users` | Users configuration | `{}`  |
+
+### Backup parameters
+
+| Name                     | Description                                    | Value                                                  |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable pereiodic backups                       | `false`                                                |
+| `backup.s3Region`        | The AWS S3 region where backups are stored     | `us-east-1`                                            |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups         | `s3.example.org/postgres-backups`                      |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups       | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption      | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+
+

packages/apps/ferretdb/ferretdb.svg

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="200mm"
+   height="195.323mm"
+   viewBox="0 0 200 195.323"
+   version="1.1"
+   id="svg948"
+   inkscape:version="1.1.1 (c3084ef, 2021-09-22)"
+   sodipodi:docname="ferretdb.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview
+     id="namedview950"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:document-units="mm"
+     showgrid="false"
+     inkscape:zoom="0.64052329"
+     inkscape:cx="-69.474445"
+     inkscape:cy="579.99452"
+     inkscape:window-width="3440"
+     inkscape:window-height="1387"
+     inkscape:window-x="0"
+     inkscape:window-y="25"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="layer1" />
+  <defs
+     id="defs945" />
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1">
+    <path
+       d="M 95.871302,0.25836635 C 73.52529,3.312081 51.107429,17.502874 38.138123,36.831094 c -2.083712,3.125567 -5.676318,9.628178 -5.676318,10.274847 0,0.0719 1.724451,-0.970003 3.808162,-2.335187 25.651206,-16.921175 56.260205,-20.046742 81.156963,-8.298921 5.42484,2.550751 8.83781,5.029648 13.68783,9.879665 8.15521,8.191137 14.11894,19.148592 18.25044,33.554942 2.15556,7.400765 3.95187,17.495992 4.4189,24.35786 0.10778,1.86816 0.39518,3.52075 0.57482,3.62853 1.00593,0.61075 5.53261,-5.96372 8.73003,-12.645965 5.06558,-10.634111 7.43669,-21.0886 7.40077,-32.692714 -0.036,-16.418213 -5.71224,-30.213814 -17.13674,-41.710153 C 143.22184,10.640997 130.43216,3.6354156 117.03174,0.90503536 113.90617,0.29429263 111.6069,0.11466224 105.75097,0.00688441 101.69132,-0.02904391 97.272414,0.07873086 95.871302,0.25836635 Z"
+       id="path824"
+       style="fill:#216778;stroke-width:0.0359261" />
+    <path
+       d="m 48.377049,48.219658 c -2.335194,1.149625 -6.251134,4.742233 -9.700036,8.873735 -1.54482,1.832222 -3.880014,4.095564 -5.604464,5.388902 -4.02372,3.017795 -10.885597,9.735963 -14.370424,14.083015 -18.1785821,22.525641 -23.2441594,48.21277 -14.585984,74.00768 7.113359,21.12453 23.567499,35.13569 48.859444,41.4946 9.843739,2.51482 24.60935,3.91593 30.788632,2.94593 l 1.580747,-0.25148 -2.442972,-1.43704 C 69.42972,185.49312 60.017093,172.27233 57.39449,157.57857 c -0.790373,-4.45483 -0.826299,-12.35856 -0.03593,-16.70562 1.760377,-9.77189 6.682247,-18.7534 13.364494,-24.35786 3.125567,-2.6226 8.586328,-5.31706 12.933381,-6.35891 6.538543,-1.58075 10.526335,-3.37705 14.657827,-6.64633 2.658538,-2.0837 4.993728,-5.2452 6.933738,-9.340763 1.65259,-3.484834 5.17335,-14.550063 5.17335,-16.310439 0,-1.221482 -1.25742,-2.874082 -3.05372,-3.987789 -0.93408,-0.574812 -2.40705,-0.898147 -6.17927,-1.293338 C 84.949773,70.888992 76.866409,67.943063 67.094521,60.218953 65.693406,59.105246 64.00488,57.847837 63.322285,57.416727 62.639691,57.021536 61.2745,55.512639 60.340423,54.111526 c -2.838159,-4.131492 -6.358912,-6.790025 -9.053367,-6.825953 -0.574817,0 -1.904081,0.431119 -2.910011,0.934085 z m 17.639695,16.633763 c 1.221486,0.610741 2.55075,1.401113 2.981863,1.724447 l 0.790373,0.646669 -1.257411,5.029649 c -1.077783,4.38298 -1.257413,5.496687 -1.149634,8.622257 0.107777,3.089642 0.215555,3.77223 0.934077,4.778161 1.18556,1.616673 3.233345,2.586676 5.532613,2.586676 3.269271,0 5.820021,-1.86815 10.059296,-7.436693 1.221486,-1.580744 2.19149,-2.442973 3.628532,-3.125571 2.227415,-1.113706 3.808162,-1.221481 8.765958,-0.790372 l 3.305202,0.323335 v 1.940007 c 0,3.053724 1.616677,4.814099 4.921857,5.317065 l 1.58075,0.21555 -0.57481,1.329266 c -2.51483,6.071499 -8.981521,12.93338 -15.05302,15.987093 -0.970004,0.46703 -3.161494,1.32926 -4.850018,1.90408 -2.766306,0.89815 -3.520754,1.00593 -8.262994,1.00593 -4.706313,0 -5.496687,-0.10778 -8.083363,-0.97001 -7.795954,-2.58667 -13.58005,-8.334832 -16.202652,-16.058942 -0.934077,-2.73038 -0.970004,-10.670039 -0.03593,-13.975231 1.257413,-4.562611 3.484828,-8.33485 5.820023,-9.80782 1.508893,-0.970003 4.311126,-0.646669 7.149285,0.754454 z"
+       id="path826"
+       style="fill:#216778;stroke-width:0.0359261" />
+    <path
+       d="m 181.55494,78.397542 c 0,1.616673 -1.7963,9.089295 -3.30519,13.759681 -5.67632,17.495987 -15.95117,33.195677 -29.35159,44.656087 -9.41263,8.08336 -16.09488,11.64004 -26.69306,14.26265 -6.82596,1.68852 -11.28078,2.22741 -19.93897,2.44297 -10.813737,0.2874 -21.483776,-0.6826 -31.040108,-2.76631 -1.832229,-0.39519 -3.377049,-0.64667 -3.484828,-0.53889 -0.431112,0.39519 1.221487,5.89187 2.658529,8.80189 2.622602,5.38891 5.604466,9.41262 10.921522,14.72968 5.604465,5.60446 9.771888,8.6941 16.238576,12.03522 16.023019,8.263 34.417169,9.37671 53.278339,3.1615 19.90304,-6.50262 34.52495,-18.25043 42.39275,-34.05791 5.24521,-10.4904 7.40077,-21.69934 6.6104,-34.489 -0.97001,-15.77155 -6.79003,-31.219754 -15.23265,-40.344967 -1.32926,-1.437041 -2.55075,-2.586676 -2.73038,-2.586676 -0.17963,0 -0.32334,0.431109 -0.32334,0.934075 z"
+       id="path828"
+       style="fill:#216778;stroke-width:0.0359261" />
+  </g>
+</svg>

packages/apps/ferretdb/templates/backup-cronjob.yaml

@@ -0,0 +1,99 @@
+{{- if .Values.backup.enabled }}
+{{ $image := .Files.Get "images/backup.json" | fromJson }}
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Release.Name }}-backup
+spec:
+  schedule: "{{ .Values.backup.schedule }}"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      template:
+        spec:
+          restartPolicy: OnFailure
+      template:
+        metadata:
+          annotations:
+            checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }}
+            checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }}
+        spec:
+          restartPolicy: Never
+          containers:
+          - name: mysqldump
+            image: "{{ index $image "image.name" }}@{{ index $image "containerimage.digest" }}"
+            command:
+            - /bin/sh
+            - /scripts/backup.sh
+            env:
+            - name: REPO_PREFIX
+              value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }}
+            - name: CLEANUP_STRATEGY
+              value: {{ required "cleanupStrategy is not specified!" .Values.backup.cleanupStrategy | quote }}
+            - name: PGUSER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-postgres-superuser
+                  key: username
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-postgres-superuser
+                  key: password
+            - name: PGHOST
+              value: {{ .Release.Name }}-postgres-rw
+            - name: PGPORT
+              value: "5432"
+            - name: PGDATABASE
+              value: postgres
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: s3AccessKey
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: s3SecretKey
+            - name: AWS_DEFAULT_REGION
+              value: {{ .Values.backup.s3Region }}
+            - name: RESTIC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-backup
+                  key: resticPassword
+            volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /.cache
+              name: cache
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+          volumes:
+          - name: scripts
+            secret:
+              secretName: {{ .Release.Name }}-backup-script
+          - name: tmp
+            emptyDir: {}
+          - name: cache
+            emptyDir: {}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 9000
+            runAsGroup: 9000
+            seccompProfile:
+              type: RuntimeDefault
+{{- end }}

packages/apps/ferretdb/templates/backup-script.yaml

@@ -0,0 +1,50 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-backup-script
+stringData:
+  backup.sh: |
+    #!/bin/sh
+    set -e
+    set -o pipefail
+
+    JOB_ID="job-$(uuidgen|cut -f1 -d-)"
+    DB_LIST=$(psql -Atq -c 'SELECT datname FROM pg_catalog.pg_database;' | grep -v '^\(postgres\|app\|template.*\)$')
+    echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list
+    echo "Job ID: $JOB_ID"
+    echo "Target repo: $REPO_PREFIX"
+    echo "Cleanup strategy: $CLEANUP_STRATEGY"
+    echo "Start backup for:"
+    echo "$DB_LIST"
+    echo
+    echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`"
+    for db in $DB_LIST; do
+      (
+        set -x
+        restic -r "s3:${REPO_PREFIX}/$db" cat config >/dev/null 2>&1 || \
+          restic -r "s3:${REPO_PREFIX}/$db" init --repository-version 2
+        restic -r "s3:${REPO_PREFIX}/$db" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it
+        pg_dump -Z0 -Ft -d "$db" | \
+          restic -r "s3:${REPO_PREFIX}/$db" backup --tag "$JOB_ID" --stdin --stdin-filename dump.tar
+        restic -r "s3:${REPO_PREFIX}/$db" tag --tag "$JOB_ID" --set "completed"
+      )
+    done
+    echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`"
+
+    echo
+    echo "Run cleanup:"
+    echo
+
+    echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`"
+    for db in $DB_LIST; do
+      (
+        set -x
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" # keep completed snapshots only
+        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY
+        restic prune -r "s3:${REPO_PREFIX}/$db"
+      )
+    done
+    echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`"
+{{- end }}

packages/apps/ferretdb/templates/backup-secret.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-backup
+stringData:
+  s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
+  s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
+  resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
+{{- end }}

packages/apps/ferretdb/templates/external-svc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
+  {{- if .Values.external }}
+  externalTrafficPolicy: Local
+  allocateLoadBalancerNodePorts: false
+  {{- end }}
+  ports:
+  - name: ferretdb
+    port: 27017
+  selector:
+    app: {{ .Release.Name }}

packages/apps/ferretdb/templates/ferretdb.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}
+    spec:
+      containers:
+      - name: ferretdb
+        image: ghcr.io/ferretdb/ferretdb:1.22.0
+        ports:
+        - containerPort: 27017
+        env:
+          - name: FERRETDB_POSTGRESQL_URL
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Release.Name }}-postgres-app
+                key: uri

packages/apps/ferretdb/templates/init-job.yaml

@@ -0,0 +1,66 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-init-job
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  template:
+    metadata:
+      name: {{ .Release.Name }}-init-job
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/init-script.yaml") . | sha256sum }}
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: postgres
+        image: ghcr.io/cloudnative-pg/postgresql:15.3
+        command:
+        - bash
+        - /scripts/init.sh
+        env:
+        - name: PGUSER
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Release.Name }}-postgres-superuser
+              key: username
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Release.Name }}-postgres-superuser
+              key: password
+        - name: PGHOST
+          value: {{ .Release.Name }}-postgres-rw
+        - name: PGPORT
+          value: "5432"
+        - name: PGDATABASE
+          value: postgres
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+        volumeMounts:
+        - mountPath: /etc/secret
+          name: secret
+        - mountPath: /scripts
+          name: scripts
+      securityContext:
+        fsGroup: 26
+        runAsGroup: 26
+        runAsNonRoot: true
+        runAsUser: 26
+        seccompProfile:
+          type: RuntimeDefault
+      volumes:
+      - name: secret
+        secret:
+          secretName: {{ .Release.Name }}-postgres-superuser
+      - name: scripts
+        secret:
+          secretName: {{ .Release.Name }}-init-script

packages/apps/ferretdb/templates/init-script.yaml

@@ -0,0 +1,104 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-init-script
+stringData:
+  init.sh: |
+    #!/bin/bash
+    set -e
+    echo "== create users"
+    {{- if .Values.users }}
+    psql -v ON_ERROR_STOP=1 <<\EOT
+    {{- range $user, $u := .Values.users }}
+    SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
+    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
+    ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
+    {{- end }}
+    EOT
+    {{- end }}
+
+    echo "== delete users"
+    MANAGED_USERS=$(echo '\du+' | psql | awk -F'|' '$4 == " user managed by helm" {print $1}' | awk NF=NF RS= OFS=' ')
+    DEFINED_USERS="{{ join " " (keys .Values.users) }}"
+    DELETE_USERS=$(for user in $MANAGED_USERS; do case " $DEFINED_USERS " in *" $user "*) :;; *) echo $user;; esac; done)
+
+    echo "users to delete: $DELETE_USERS"
+    for user in $DELETE_USERS; do
+    # https://stackoverflow.com/a/51257346/2931267
+    psql -v ON_ERROR_STOP=1 --echo-all <<EOT
+    REASSIGN OWNED BY $user TO postgres;
+    DROP OWNED BY $user;
+    DROP USER $user;
+    EOT
+    done
+    
+    echo "== create roles"
+    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
+    SELECT 'CREATE ROLE app_admin NOINHERIT;'
+    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'app_admin')\gexec
+    COMMENT ON ROLE app_admin IS 'role managed by helm';
+    EOT
+
+    echo "== grant privileges on databases to roles"
+    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
+    ALTER DATABASE app OWNER TO app_admin;
+
+    DO $$
+    DECLARE
+        schema_record record;
+    BEGIN
+        -- Loop over all schemas
+        FOR schema_record IN SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT IN ('pg_catalog', 'information_schema') LOOP
+            -- Changing Schema Ownership
+            EXECUTE format('ALTER SCHEMA %I OWNER TO %I', schema_record.schema_name, 'app_admin');
+    
+            -- Add rights for the admin role
+            EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('GRANT ALL ON ALL SEQUENCES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('GRANT ALL ON ALL FUNCTIONS IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', schema_record.schema_name, 'app_admin');
+            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', schema_record.schema_name, 'app_admin');
+        END LOOP;
+    END$$;
+    EOT
+
+    echo "== setup event trigger for schema creation"
+    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
+    CREATE OR REPLACE FUNCTION auto_grant_schema_privileges()
+    RETURNS event_trigger LANGUAGE plpgsql AS $$
+    DECLARE
+      obj record;
+    BEGIN
+      FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE SCHEMA' LOOP
+        EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, 'app_admin');
+        EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, 'app_admin');
+
+        -- Set owner for schema
+        EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, 'app_admin');
+
+        -- Set privileges for admin role
+        EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, 'app_admin');
+        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', obj.object_identity, 'app_admin');
+        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', obj.object_identity, 'app_admin');
+        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', obj.object_identity, 'app_admin');
+      END LOOP;
+    END;
+    $$;
+
+    DROP EVENT TRIGGER IF EXISTS trigger_auto_grant;
+    CREATE EVENT TRIGGER trigger_auto_grant ON ddl_command_end
+    WHEN TAG IN ('CREATE SCHEMA')
+    EXECUTE PROCEDURE auto_grant_schema_privileges();
+    EOT
+
+    echo "== assign roles to users"
+    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
+    GRANT app_admin TO app;
+    {{- range $user, $u := $.Values.users }}
+    GRANT app_admin TO {{ $user }};
+    {{- end }}
+    EOT

packages/apps/ferretdb/templates/postgres.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ .Release.Name }}-postgres
+spec:
+  instances: {{ .Values.replicas }}
+  enableSuperuserAccess: true
+
+  minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
+  maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}
+
+  monitoring:
+    enablePodMonitor: true
+
+  storage:
+    size: {{ required ".Values.size is required" .Values.size }}
+
+  {{- if .Values.users }}
+  managed:
+    roles:
+    {{- range $user, $config := .Values.users }}
+    - name: {{ $user }}
+      ensure: present
+      passwordSecret:
+        name: {{ printf "%s-user-%s" $.Release.Name $user }}
+      login: true
+      inRoles:
+      - app
+    {{- end }}
+  {{- end }}
+
+{{- range $user, $config := .Values.users }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-user-%s" $.Release.Name $user }}
+  labels:
+    cnpg.io/reload: "true"
+type: kubernetes.io/basic-auth
+data:
+  username: {{ $user | b64enc }}
+  password: {{ $config.password | b64enc }}
+{{- end }}

packages/apps/ferretdb/values.schema.json

@@ -0,0 +1,81 @@
+{
+    "title": "Chart Values",
+    "type": "object",
+    "properties": {
+        "external": {
+            "type": "boolean",
+            "description": "Enable external access from outside the cluster",
+            "default": false
+        },
+        "size": {
+            "type": "string",
+            "description": "Persistent Volume size",
+            "default": "10Gi"
+        },
+        "replicas": {
+            "type": "number",
+            "description": "Number of Postgres replicas",
+            "default": 2
+        },
+        "quorum": {
+            "type": "object",
+            "properties": {
+                "minSyncReplicas": {
+                    "type": "number",
+                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
+                    "default": 0
+                },
+                "maxSyncReplicas": {
+                    "type": "number",
+                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
+                    "default": 0
+                }
+            }
+        },
+        "backup": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Enable pereiodic backups",
+                    "default": false
+                },
+                "s3Region": {
+                    "type": "string",
+                    "description": "The AWS S3 region where backups are stored",
+                    "default": "us-east-1"
+                },
+                "s3Bucket": {
+                    "type": "string",
+                    "description": "The S3 bucket used for storing backups",
+                    "default": "s3.example.org/postgres-backups"
+                },
+                "schedule": {
+                    "type": "string",
+                    "description": "Cron schedule for automated backups",
+                    "default": "0 2 * * *"
+                },
+                "cleanupStrategy": {
+                    "type": "string",
+                    "description": "The strategy for cleaning up old backups",
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                },
+                "s3AccessKey": {
+                    "type": "string",
+                    "description": "The access key for S3, used for authentication",
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                },
+                "s3SecretKey": {
+                    "type": "string",
+                    "description": "The secret key for S3, used for authentication",
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                },
+                "resticPassword": {
+                    "type": "string",
+                    "description": "The password for Restic backup encryption",
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                }
+            }
+        }
+    }
+}

packages/apps/ferretdb/values.yaml

@@ -0,0 +1,48 @@
+## @section Common parameters
+
+## @param external Enable external access from outside the cluster
+## @param size Persistent Volume size
+## @param replicas Number of Postgres replicas
+##
+external: false
+size: 10Gi
+replicas: 2
+
+## Configuration for the quorum-based synchronous replication
+## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
+## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
+quorum:
+  minSyncReplicas: 0
+  maxSyncReplicas: 0
+
+## @section Configuration parameters
+
+## @param users [object] Users configuration
+## Example:
+## users:
+##   user1:
+##     password: strongpassword
+##   user2:
+##     password: hackme
+##
+users: {}
+
+## @section Backup parameters
+
+## @param backup.enabled Enable pereiodic backups
+## @param backup.s3Region The AWS S3 region where backups are stored
+## @param backup.s3Bucket The S3 bucket used for storing backups
+## @param backup.schedule Cron schedule for automated backups
+## @param backup.cleanupStrategy The strategy for cleaning up old backups
+## @param backup.s3AccessKey The access key for S3, used for authentication
+## @param backup.s3SecretKey The secret key for S3, used for authentication
+## @param backup.resticPassword The password for Restic backup encryption
+backup:
+  enabled: false
+  s3Region: us-east-1
+  s3Bucket: s3.example.org/postgres-backups
+  schedule: "0 2 * * *"
+  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

packages/apps/http-cache/images/nginx-cache.json

@@ -32,17 +32,7 @@
       }
     }
   },
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/iixrpj9up3jfyyrovbx167irv",
-  "containerimage.config.digest": "sha256:a359a6c83a1861ac146c42030e513b925ec155207b77baf5f61f19c507ab3ee5",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:57b113a4392b958612c14ed348147c221fe17d3ad6623fb7bd778e54139f45b9",
-    "size": 1094,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:57b113a4392b958612c14ed348147c221fe17d3ad6623fb7bd778e54139f45b9",
-  "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.8.0"
+  "buildx.build.ref": "amd64/amd64/gaibgudlqaxqxufa236q5ffdk",
+  "containerimage.config.digest": "sha256:677b0b84d7a11a31971857863a6a83b5bb863583eca86a2c2b1b89c61659e549",
+  "containerimage.digest": "sha256:7f864e2c9c86b77e08953258521117503309f84783ea11c617db8c2534f8b545"
 }

packages/apps/kubernetes/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.19.4"
+appVersion: "1.30.1"

packages/apps/kubernetes/Makefile

@@ -1,4 +1,4 @@
-UBUNTU_CONTAINER_DISK_TAG = v1.29.1
+UBUNTU_CONTAINER_DISK_TAG = v1.30.1
 
 include ../../../scripts/common-envs.mk
 

packages/apps/kubernetes/images/ubuntu-container-disk.json

@@ -32,17 +32,7 @@
       }
     }
   },
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/yscjdwk0a8zfgvypn9gfzoeqj",
-  "containerimage.config.digest": "sha256:62f92e19bf0610f85515bef28db8465650a25346472f52360736ad3a49ce7529",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:f1176049da8651f438b2035c5a2cb6fd253ae868c4640e56785c91364069e0d8",
-    "size": 506,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:f1176049da8651f438b2035c5a2cb6fd253ae868c4640e56785c91364069e0d8",
-  "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1-v0.8.0"
+  "buildx.build.ref": "amd64/amd64/kk2drcq44gorgb3xwa8908pfc",
+  "containerimage.config.digest": "sha256:363589eb47379eb7548f047aae24045278f14db0b2026022b6bec33a04370f15",
+  "containerimage.digest": "sha256:f242fd77903f5f5a94ed157e98b0c4532e5ba91734d9653eaf26cfe4b23b017b"
 }

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1

packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile

@@ -26,8 +26,8 @@ RUN qemu-img resize image.img 5G \
  && guestfish --remote sh "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" \
  && guestfish --remote sh 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list' \
 # kubernetes repo
- && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
- && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
+ && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
+ && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
 # install containerd
  && guestfish --remote command "apt-get update -y" \
  && guestfish --remote command "apt-get install -y containerd.io" \

packages/apps/kubernetes/templates/cluster.yaml

@@ -2,6 +2,58 @@
 {{- $etcd := index $myNS.metadata.annotations "namespace.cozystack.io/etcd" }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+{{- $kubevirtmachinetemplateNames := list }}
+{{- define "kubevirtmachinetemplate" -}}
+spec:
+  virtualMachineBootstrapCheck:
+    checkStrategy: ssh
+  virtualMachineTemplate:
+    metadata:
+      namespace: {{ $.Release.Namespace }}
+      labels:
+        {{- range .group.roles }}
+        node-role.kubernetes.io/{{ . }}: ""
+        {{- end }}
+    spec:
+      runStrategy: Always
+      template:
+        spec:
+          domain:
+            cpu:
+              threads: 1
+              cores: {{ .group.resources.cpu }}
+              sockets: 1
+            devices:
+              disks:
+              - name: system
+                disk:
+                  bus: virtio
+                  pciAddress: 0000:07:00.0
+              - name: containerd
+                disk:
+                  bus: virtio
+                  pciAddress: 0000:08:00.0
+              - name: kubelet
+                disk:
+                  bus: virtio
+                  pciAddress: 0000:09:00.0
+              networkInterfaceMultiqueue: true
+            memory:
+              guest: {{ .group.resources.memory }}
+          evictionStrategy: External
+          volumes:
+          - name: system
+            containerDisk:
+              image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
+          - name: containerd
+            emptyDisk:
+              capacity: 20Gi
+          - name: kubelet
+            emptyDisk:
+              capacity: 20Gi
+{{- end }}
+
+
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: Cluster
@@ -57,7 +109,7 @@ spec:
       className: "{{ $ingress }}"
   deployment:
   replicas: 2
-  version: 1.29.4
+  version: 1.30.1
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtCluster
@@ -101,60 +153,20 @@ spec:
         skipPhases:
         - addon/kube-proxy
 ---
+{{- $context := deepCopy $ }}
+{{- $_ := set $context "group" $group }}
+{{- $kubevirtmachinetemplate := include "kubevirtmachinetemplate" $context }}
+{{- $kubevirtmachinetemplateHash := $kubevirtmachinetemplate | sha256sum | trunc 6 }}
+{{- $kubevirtmachinetemplateName := printf "%s-%s-%s" $.Release.Name $groupName $kubevirtmachinetemplateHash }}
+{{- $kubevirtmachinetemplateNames = append $kubevirtmachinetemplateNames $kubevirtmachinetemplateName }}
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtMachineTemplate
 metadata:
-  name: {{ $.Release.Name }}-{{ $groupName }}
+  name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
   namespace: {{ $.Release.Namespace }}
 spec:
   template:
-    spec:
-      virtualMachineBootstrapCheck:
-        checkStrategy: ssh
-      virtualMachineTemplate:
-        metadata:
-          namespace: {{ $.Release.Namespace }}
-          labels:
-            {{- range $group.roles }}
-            node-role.kubernetes.io/{{ . }}: ""
-            {{- end }}
-        spec:
-          runStrategy: Always
-          template:
-            spec:
-              domain:
-                cpu:
-                  threads: 1
-                  cores: {{ $group.resources.cpu }}
-                  sockets: 1
-                devices:
-                  disks:
-                  - name: system
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:07:00.0
-                  - name: containerd
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:08:00.0
-                  - name: kubelet
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:09:00.0
-                  networkInterfaceMultiqueue: true
-                memory:
-                  guest: {{ $group.resources.memory }}
-              evictionStrategy: External
-              volumes:
-              - name: system
-                containerDisk:
-                  image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
-              - name: containerd
-                emptyDisk:
-                  capacity: 20Gi
-              - name: kubelet
-                emptyDisk:
-                  capacity: 20Gi
+    {{- $kubevirtmachinetemplate | nindent 4 }}
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
@@ -171,6 +183,8 @@ spec:
   template:
     metadata:
       labels:
+        cluster.x-k8s.io/cluster-name: {{ $.Release.Name }}
+        cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ $groupName }}
         {{- range $group.roles }}
         node-role.kubernetes.io/{{ . }}: ""
         {{- end }}
@@ -180,12 +194,42 @@ spec:
           apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
           kind: KubeadmConfigTemplate
           name: {{ $.Release.Name }}-{{ $groupName }}
-          namespace: default
+          namespace: {{ $.Release.Namespace }}
       clusterName: {{ $.Release.Name }}
       infrastructureRef:
         apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
         kind: KubevirtMachineTemplate
-        name: {{ $.Release.Name }}-{{ $groupName }}
+        name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
         namespace: default
-      version: v1.29.4
+      version: v1.30.1
+{{- end }}
+---
+{{- /*
+We must preserve all previous KubevirtMachineTemplates until a MachineSet references them.
+*/ -}}
+{{- $mss := (lookup "cluster.x-k8s.io/v1beta1" "MachineSet" $.Release.Namespace "").items }}
+{{- $oldKubevirtmachinetemplates := dict }}
+{{- range $kmt := (lookup "infrastructure.cluster.x-k8s.io/v1alpha1" "KubevirtMachineTemplate" .Release.Namespace "").items }}
+{{- range $or := $kmt.metadata.ownerReferences }}
+{{- if and (eq $or.kind "Cluster") (eq $or.name $.Release.Name) }}
+{{- range $ms := $mss }}
+{{- if and (eq $ms.spec.template.spec.infrastructureRef.kind "KubevirtMachineTemplate") (eq $ms.spec.template.spec.infrastructureRef.name $kmt.metadata.name) }}
+{{- if not (has $kmt.metadata.name $kubevirtmachinetemplateNames) }}
+{{- $oldKubevirtmachinetemplates = merge $oldKubevirtmachinetemplates (dict $kmt.metadata.name $kmt) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- range $oldKubevirtmachinetemplates }}
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
+kind: KubevirtMachineTemplate
+metadata:
+  name: {{ .metadata.name }}
+  namespace: {{ .metadata.Namespace }}
+spec:
+  {{- .spec | toYaml | nindent 2 }}
 {{- end }}

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -20,7 +20,7 @@ spec:
           effect: "NoSchedule"
       containers:
         - name: kubectl
-          image: docker.io/clastix/kubectl:v1.29.1
+          image: docker.io/clastix/kubectl:v1.30.1
           command:
             - /bin/sh
             - -c

packages/apps/versions_map

@@ -1,6 +1,7 @@
 clickhouse 0.1.0 ca79f72
 clickhouse 0.2.0 7cd7de73
 clickhouse 0.2.1 HEAD
+ferretdb 0.1.0 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
@@ -10,7 +11,8 @@ kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
 kubernetes 0.4.0 6cae6ce8
-kubernetes 0.5.0 HEAD
+kubernetes 0.5.0 6bd2d455
+kubernetes 0.6.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD

packages/core/installer/images/cozystack.json

@@ -1,10 +1,10 @@
 {
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/cyr9s3a1cszjq9tt9vrh2czxt",
+  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ta5cc9q3mqtwjyuvg8fviqhe6",
   "containerimage.descriptor": {
     "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
-    "digest": "sha256:48e9f676f4eca5f7036648a56767c31beb0aca8fdc6d6798bd65de74886ed1ef",
+    "digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f",
     "size": 685
   },
-  "containerimage.digest": "sha256:48e9f676f4eca5f7036648a56767c31beb0aca8fdc6d6798bd65de74886ed1ef",
-  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0"
+  "containerimage.digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f",
+  "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0"
 }

packages/core/installer/images/cozystack.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.8.0
+ghcr.io/aenix-io/cozystack/cozystack:v0.9.0

packages/core/installer/images/matchbox.json

@@ -1,4 +1,45 @@
 {
-  "containerimage.config.digest": "sha256:ed483d1187cdfeb92df319a30dde57141ceb1d4bafcc28ba006a1e60abc445ff",
-  "containerimage.digest": "sha256:000a46c2bffc3cf13909dc0ca570cdcea9692d85b1ef2a875afe08ea8136d2c2"
+  "buildx.build.provenance": {
+    "buildType": "https://mobyproject.org/buildkit@v1",
+    "materials": [
+      {
+        "uri": "pkg:docker/quay.io/poseidon/matchbox@v0.10.0?platform=linux%2Famd64",
+        "digest": {
+          "sha256": "e14cc4a8f6e8f1182fce74d04fe949b6bfc91b04132b3944297661e2c38c9790"
+        }
+      }
+    ],
+    "invocation": {
+      "configSource": {
+        "entryPoint": "Dockerfile"
+      },
+      "parameters": {
+        "frontend": "dockerfile.v0",
+        "locals": [
+          {
+            "name": "context"
+          },
+          {
+            "name": "dockerfile"
+          }
+        ]
+      },
+      "environment": {
+        "platform": "linux/amd64"
+      }
+    }
+  },
+  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/k5n5is33n6zu6an3nmlnylejx",
+  "containerimage.config.digest": "sha256:4676a205eae74f1b16a9065921c612ee85e123ab6566a238edb4bbaf79b2e148",
+  "containerimage.descriptor": {
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7",
+    "size": 1488,
+    "platform": {
+      "architecture": "amd64",
+      "os": "linux"
+    }
+  },
+  "containerimage.digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7",
+  "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.9.0,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.9.0"
 }

packages/extra/ingress/Chart.yaml

@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg
 type: application
-version: 1.1.0
+version: 1.2.0

packages/extra/ingress/templates/nginx-scrape.yaml

@@ -3,12 +3,11 @@ apiVersion: operator.victoriametrics.com/v1beta1
 kind: VMPodScrape
 metadata:
   name: nginx-ingress-controller
-  namespace: cozy-monitoring
 spec:
   jobLabel: jobLabel
   namespaceSelector:
     matchNames:
-    - cozy-ingress-nginx
+    - {{ .Release.Namespace }}
   podMetricsEndpoints:
   - port: metrics
     honorLabels: true
@@ -29,12 +28,11 @@ apiVersion: operator.victoriametrics.com/v1beta1
 kind: VMPodScrape
 metadata:
   name: nginx-ingress-controller-detailed
-  namespace: cozy-monitoring
 spec:
   jobLabel: jobLabel
   namespaceSelector:
     matchNames:
-    - cozy-ingress-nginx
+    - {{ .Release.Namespace }}
   podMetricsEndpoints:
   - port: metrics2
     honorLabels: true

packages/extra/versions_map

@@ -3,6 +3,7 @@ etcd 2.0.0 a6d0f7cf
 etcd 2.0.1 6fc1cc7d
 etcd 2.1.0 HEAD
 ingress 1.0.0 f642698
-ingress 1.1.0 HEAD
+ingress 1.1.0 838bee5d
+ingress 1.2.0 HEAD
 monitoring 1.0.0 f642698
 monitoring 1.1.0 HEAD

packages/system/capi-operator/charts/cluster-api-operator/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: cert-manager
-  repository: https://charts.jetstack.io
-  version: v1.13.2
-digest: sha256:b92a86c20cdd8a5e44995e71addefd379fdf302410a7dde388623f0e06187406
-generated: "2024-01-16T12:59:42.630842426Z"

packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml

@@ -1,11 +1,6 @@
 apiVersion: v2
-appVersion: 0.8.1
-dependencies:
-- condition: cert-manager.enabled
-  name: cert-manager
-  repository: https://charts.jetstack.io
-  version: v1.13.2
+appVersion: 0.11.0
 description: Cluster API Operator
 name: cluster-api-operator
 type: application
-version: 0.8.1
+version: 0.11.0

packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml

@@ -28,6 +28,7 @@ metadata:
   annotations:
     "helm.sh/hook": "post-install"
     "helm.sh/hook-weight": "1"
+    "argocd.argoproj.io/sync-wave": "1"
   name: {{ $addonNamespace }}
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -38,6 +39,7 @@ metadata:
   annotations:
     "helm.sh/hook": "post-install"
     "helm.sh/hook-weight": "2"
+    "argocd.argoproj.io/sync-wave": "2"
 {{- if or $addonVersion $.Values.secretName }}
 spec:
 {{- end}}

packages/system/capi-operator/charts/cluster-api-operator/templates/cert-manager.namespace.yaml

@@ -1,8 +0,0 @@
-{{- if index .Values "cert-manager" "enabled" }}
-apiVersion: v1
-kind: Namespace
-metadata:
-  annotations:
-    "helm.sh/hook": "pre-install"
-  name: {{ index .Values "cert-manager" "namespace" }}
-{{- end }}

packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml

@@ -37,12 +37,22 @@ metadata:
   annotations:
     "helm.sh/hook": "post-install"
     "helm.sh/hook-weight": "2"
+    "argocd.argoproj.io/sync-wave": "2"
 {{- if or $coreVersion $.Values.configSecret.name }}
 spec:
 {{- end}}
 {{- if $coreVersion }}
   version: {{ $coreVersion }}
 {{- end }}
+{{- if $.Values.manager }}
+  manager:
+{{- if and $.Values.manager.featureGates $.Values.manager.featureGates.core }}
+    featureGates:
+    {{- range $key, $value := $.Values.manager.featureGates.core }}
+      {{ $key }}: {{ $value }}
+    {{- end }}
+{{- end }}
+{{- end }}
 {{- if $.Values.configSecret.name }}
   configSecret:
     name: {{ $.Values.configSecret.name }}

packages/system/capi-operator/charts/cluster-api-operator/templates/deployment.yaml

@@ -95,10 +95,17 @@ spec:
         - containerPort: 9443
           name: webhook-server
           protocol: TCP
+        - containerPort: {{ ( split ":" $.Values.metricsBindAddr)._1 | int }}
+          name: metrics
+          protocol: TCP
         {{- with .Values.resources.manager }}
         resources:
         {{- toYaml . | nindent 12 }}
         {{- end }}
+        {{- with .Values.env.manager }}
+        env:
+        {{- toYaml . | nindent 12 }}
+        {{- end }}
         {{- with .Values.containerSecurityContext.manager }}
         securityContext:
         {{- toYaml . | nindent 12 }}

packages/system/capi-operator/charts/cluster-api-operator/templates/infra-conditions.yaml

@@ -9,6 +9,7 @@ metadata:
   annotations:
     "helm.sh/hook": "post-install"
     "helm.sh/hook-weight": "1"
+    "argocd.argoproj.io/sync-wave": "1"
   name: capi-kubeadm-bootstrap-system
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -19,6 +20,7 @@ metadata:
   annotations:
     "helm.sh/hook": "post-install"
     "helm.sh/hook-weight": "2"
+    "argocd.argoproj.io/sync-wave": "2"
 {{- with .Values.configSecret }}
 spec:
   configSecret:
@@ -37,6 +39,7 @@ metadata:
   annotations:
     "helm.sh/hook": "post-install"
     "helm.sh/hook-weight": "1"
+    "argocd.argoproj.io/sync-wave": "1"
   name: capi-kubeadm-control-plane-system
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -47,6 +50,7 @@ metadata:
   annotations:
     "helm.sh/hook": "post-install"
     "helm.sh/hook-weight": "2"
+    "argocd.argoproj.io/sync-wave": "2"
 {{- with .Values.configSecret }}
 spec:
   configSecret:

packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml

@@ -28,6 +28,7 @@ metadata:
   annotations:
     "helm.sh/hook": "post-install"
     "helm.sh/hook-weight": "1"
+    "argocd.argoproj.io/sync-wave": "1"
   name: {{ $infrastructureNamespace }}
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -38,12 +39,26 @@ metadata:
   annotations:
     "helm.sh/hook": "post-install"
     "helm.sh/hook-weight": "2"
-{{- if or $infrastructureVersion $.Values.configSecret.name }}
+    "argocd.argoproj.io/sync-wave": "2"
+{{- if or $infrastructureVersion $.Values.configSecret.name $.Values.manager }}
 spec:
 {{- end }}
 {{- if $infrastructureVersion }}
   version: {{ $infrastructureVersion }}
 {{- end }}
+{{- if $.Values.manager }}
+  manager:
+{{- if and (kindIs "map" $.Values.manager.featureGates) (hasKey $.Values.manager.featureGates $infrastructureName) }}
+{{- range $key, $value := $.Values.manager.featureGates }}
+  {{- if eq $key $infrastructureName }}
+    featureGates:
+    {{- range $k, $v := $value }}
+      {{ $k }}: {{ $v }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
 {{- if $.Values.configSecret.name }}
   configSecret:
     name: {{ $.Values.configSecret.name }}

packages/system/capi-operator/charts/cluster-api-operator/values.yaml

@@ -1,10 +1,4 @@
 ---
-# Cert Manager options
-# Full list of supported values is available at https://artifacthub.io/packages/helm/cert-manager/cert-manager
-cert-manager:
-  enabled: false
-  fullnameOverride: "cert-manager"
-  namespace: "cert-manager"
 # ---
 # Cluster API provider options
 core: ""
@@ -12,6 +6,7 @@ bootstrap: ""
 controlPlane: ""
 infrastructure: ""
 addon: ""
+manager.featureGates: {}
 # ---
 # Common configuration secret options
 configSecret: {}
@@ -24,8 +19,10 @@ leaderElection:
 image:
   manager:
     repository: registry.k8s.io/capi-operator/cluster-api-operator
-    tag: v0.8.1
+    tag: v0.11.0
     pullPolicy: IfNotPresent
+env:
+  manager: []
 healthAddr: ":8081"
 metricsBindAddr: "127.0.0.1:8080"
 diagnosticsAddress: "8443"

packages/system/capi-providers/templates/providers.yaml

@@ -3,24 +3,30 @@ apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: CoreProvider
 metadata:
   name: cluster-api
+spec:
+  # https://github.com/kubernetes-sigs/cluster-api
+  version: v1.7.3
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: ControlPlaneProvider
 metadata:
   name: kamaji
 spec:
-  # fix: https://github.com/clastix/cluster-api-control-plane-provider-kamaji/pull/78
-  deployment:
-    containers:
-    - name: manager
-      imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.7.1-fix
+  # https://github.com/clastix/cluster-api-control-plane-provider-kamaji
+  version: v0.10.0
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: BootstrapProvider
 metadata:
   name: kubeadm
+spec:
+  # https://github.com/kubernetes-sigs/cluster-api
+  version: v1.7.3
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: InfrastructureProvider
 metadata:
   name: kubevirt
+spec:
+  # https://github.com/kubevirt/cloud-provider-kubevirt
+  version: v0.5.1

packages/system/cilium/images/cilium.json

@@ -11,7 +11,7 @@
       {
         "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64",
         "digest": {
-          "sha256": "7dcf6f2084586b44844aea8615db684c9361cf6bebf235a1750595633ed021bd"
+          "sha256": "6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad"
         }
       },
       {
@@ -45,17 +45,7 @@
       }
     }
   },
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/fsidbune5vw82lhgf2ofhwo0g",
-  "containerimage.config.digest": "sha256:79635c7d6c1f3a457406d39590ee94168caa925eae7a82bac4fed42e751f135d",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:3cee2f43abcc7ae34dddf589345b871d4eb6a4f0281c7758844b05c7c5ec4965",
-    "size": 2083,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:3cee2f43abcc7ae34dddf589345b871d4eb6a4f0281c7758844b05c7c5ec4965",
-  "image.name": "ghcr.io/aenix-io/cozystack/cilium:1.15.5,ghcr.io/aenix-io/cozystack/cilium:1.15.5-v0.8.0"
+  "buildx.build.ref": "amd64/amd64/ydz7c2pwlqaadvlo84t1spegq",
+  "containerimage.config.digest": "sha256:1f918c5f4bd8a1c90596b7d4256c8a208482141ae3363ab0b4627203b3fa3b32",
+  "containerimage.digest": "sha256:90e2235e75febcac777c0338fa93d5e7522d82d029facb0c318305ed178a42ac"
 }

packages/system/dashboard/images/dashboard.json

@@ -35,17 +35,7 @@
       }
     }
   },
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/o70jr31zju6q5ffssjqf8c5us",
-  "containerimage.config.digest": "sha256:2c68c6ce6620a8c8afd84fed1c2265738d661a47ded0be21b2517b0309ed7307",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17",
-    "size": 703,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17",
-  "image.name": "ghcr.io/aenix-io/cozystack/dashboard:v0.8.0"
+  "buildx.build.ref": "amd64/amd64/vvxs4dbzlno0vtdl1zudk54fj",
+  "containerimage.config.digest": "sha256:52a7ac58f30de8bec104f3fa9b3dcc674f37edfee184c5d4229e24f69f4ddcb2",
+  "containerimage.digest": "sha256:8906436ebd6452549f0634c6db693c7c3248c123f0c882bb8b1bde34ec05aeb6"
 }

packages/system/dashboard/images/dashboard.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/dashboard:v0.8.0
+ghcr.io/aenix-io/cozystack/dashboard:v0.9.0

packages/system/dashboard/images/kubeapps-apis.json

@@ -41,17 +41,7 @@
       }
     }
   },
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ggf28zo7pywc734xde1oado8l",
-  "containerimage.config.digest": "sha256:62c4a42cb62f918a2e4bb295f6faaceb96a2dae7fb8cf4bd6850bc072064b4ce",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:a5eab0f2a900ac1963b24bbdbe35bffbee7ba146c86742d6e8bea8c070610d9c",
-    "size": 1890,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:a5eab0f2a900ac1963b24bbdbe35bffbee7ba146c86742d6e8bea8c070610d9c",
-  "image.name": "ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.8.0"
+  "buildx.build.ref": "amd64/amd64/p2w3cwt8rnd7ivkbmg86ugjj0",
+  "containerimage.config.digest": "sha256:28621d87b70bc82caf060b33313051703456a2915e95371bcbe5c0e1e5b9daa3",
+  "containerimage.digest": "sha256:1b6826f030c6d288f9d91476b636300e544bbf55687e59f6de1765d1320faf7b"
 }

packages/system/dashboard/images/kubeapps-apis.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.8.0
+ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.9.0

packages/system/ingress-nginx/values.yaml

@@ -1,7 +1,7 @@
 ingress-nginx:
   controller:
     extraArgs:
-      enable-ssl-passthrough: true
+      enable-ssl-passthrough: ""
     image:
       registry: ghcr.io
       image: kvaps/ingress-nginx-with-protobuf-exporter/controller
@@ -32,8 +32,8 @@ ingress-nginx:
       #real-ip-header: "proxy_protocol"
       #enable-real-ip: "true"
       # keep-alive
-      proxy-connect-timeout: "10s"
-      proxy-read-timeout: "10s"
+      proxy-connect-timeout: "10"
+      proxy-read-timeout: "10"
       keep-alive-requests: "1000000"
       upstream-keepalive-requests: "100000"
       upstream-keepalive-time: '1m'

packages/system/kamaji/charts/kamaji/Chart.yaml

@@ -3,7 +3,7 @@ annotations:
   catalog.cattle.io/display-name: Kamaji
   catalog.cattle.io/release-name: kamaji
 apiVersion: v2
-appVersion: v0.5.0
+appVersion: v1.0.0
 description: Kamaji is the Hosted Control Plane Manager for Kubernetes.
 home: https://github.com/clastix/kamaji
 icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png
@@ -21,4 +21,4 @@ name: kamaji
 sources:
 - https://github.com/clastix/kamaji
 type: application
-version: 0.15.2
+version: 1.0.0

packages/system/kamaji/charts/kamaji/README.md

@@ -1,6 +1,6 @@
 # kamaji
 
-![Version: 0.15.2](https://img.shields.io/badge/Version-0.15.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.5.0](https://img.shields.io/badge/AppVersion-v0.5.0-informational?style=flat-square)
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0](https://img.shields.io/badge/AppVersion-v1.0.0-informational?style=flat-square)
 
 Kamaji is the Hosted Control Plane Manager for Kubernetes.
 
@@ -77,7 +77,7 @@ Here the values you can override:
 | datastore.driver | string | `"etcd"` | (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). |
 | datastore.enabled | bool | `true` | (bool) Enable the Kamaji Datastore creation (default=true) |
 | datastore.endpoints | list | `[]` | (array) List of endpoints of the selected Datastore. When letting the Chart install the etcd datastore, this field is populated automatically. |
-| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to.  |
+| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. |
 | datastore.tlsConfig.certificateAuthority.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. |
 | datastore.tlsConfig.certificateAuthority.certificate.name | string | `nil` | Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. |
 | datastore.tlsConfig.certificateAuthority.certificate.namespace | string | `nil` | Namespace of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. |
@@ -90,6 +90,7 @@ Here the values you can override:
 | datastore.tlsConfig.clientCertificate.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. |
 | datastore.tlsConfig.clientCertificate.privateKey.name | string | `nil` | Name of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. |
 | datastore.tlsConfig.clientCertificate.privateKey.namespace | string | `nil` | Namespace of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. |
+| datastore.tlsConfig.enabled | bool | `true` |  |
 | etcd.compactionInterval | int | `0` | ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) |
 | etcd.deploy | bool | `true` | Install an etcd with enabled multi-tenancy along with Kamaji |
 | etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.6"}` | Install specific etcd image |
@@ -133,6 +134,7 @@ Here the values you can override:
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `"kamaji-controller-manager"` |  |
 | serviceMonitor.enabled | bool | `false` | Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured |
+| telemetry | object | `{"disabled":false}` | Disable the analytics traces collection |
 | temporaryDirectoryPath | string | `"/tmp/kamaji"` | Directory which will be used to work with temporary files. (default "/tmp/kamaji") |
 | tolerations | list | `[]` | Kubernetes node taints that the Kamaji controller pods would tolerate |
 

packages/system/kamaji/charts/kamaji/crds/datastore.yaml

@@ -71,10 +71,12 @@ spec:
                               minLength: 1
                               type: string
                             name:
-                              description: name is unique within a namespace to reference a secret resource.
+                              description: name is unique within a namespace to reference
+                                a secret resource.
                               type: string
                             namespace:
-                              description: namespace defines the space within which the secret name must be unique.
+                              description: namespace defines the space within which
+                                the secret name must be unique.
                               type: string
                           required:
                             - keyPath
@@ -98,10 +100,12 @@ spec:
                               minLength: 1
                               type: string
                             name:
-                              description: name is unique within a namespace to reference a secret resource.
+                              description: name is unique within a namespace to reference
+                                a secret resource.
                               type: string
                             namespace:
-                              description: namespace defines the space within which the secret name must be unique.
+                              description: namespace defines the space within which
+                                the secret name must be unique.
                               type: string
                           required:
                             - keyPath
@@ -118,6 +122,7 @@ spec:
                     - etcd
                     - MySQL
                     - PostgreSQL
+                    - NATS
                   type: string
                 endpoints:
                   description: |-
@@ -128,7 +133,9 @@ spec:
                   minItems: 1
                   type: array
                 tlsConfig:
-                  description: Defines the TLS/SSL configuration required to connect to the data store in a secure way.
+                  description: |-
+                    Defines the TLS/SSL configuration required to connect to the data store in a secure way.
+                    This value is optional.
                   properties:
                     certificateAuthority:
                       description: |-
@@ -152,10 +159,12 @@ spec:
                                   minLength: 1
                                   type: string
                                 name:
-                                  description: name is unique within a namespace to reference a secret resource.
+                                  description: name is unique within a namespace to
+                                    reference a secret resource.
                                   type: string
                                 namespace:
-                                  description: namespace defines the space within which the secret name must be unique.
+                                  description: namespace defines the space within which
+                                    the secret name must be unique.
                                   type: string
                               required:
                                 - keyPath
@@ -179,10 +188,12 @@ spec:
                                   minLength: 1
                                   type: string
                                 name:
-                                  description: name is unique within a namespace to reference a secret resource.
+                                  description: name is unique within a namespace to
+                                    reference a secret resource.
                                   type: string
                                 namespace:
-                                  description: namespace defines the space within which the secret name must be unique.
+                                  description: namespace defines the space within which
+                                    the secret name must be unique.
                                   type: string
                               required:
                                 - keyPath
@@ -193,7 +204,8 @@ spec:
                         - certificate
                       type: object
                     clientCertificate:
-                      description: Specifies the SSL/TLS key and private key pair used to connect to the data store.
+                      description: Specifies the SSL/TLS key and private key pair used
+                        to connect to the data store.
                       properties:
                         certificate:
                           properties:
@@ -212,10 +224,12 @@ spec:
                                   minLength: 1
                                   type: string
                                 name:
-                                  description: name is unique within a namespace to reference a secret resource.
+                                  description: name is unique within a namespace to
+                                    reference a secret resource.
                                   type: string
                                 namespace:
-                                  description: namespace defines the space within which the secret name must be unique.
+                                  description: namespace defines the space within which
+                                    the secret name must be unique.
                                   type: string
                               required:
                                 - keyPath
@@ -239,10 +253,12 @@ spec:
                                   minLength: 1
                                   type: string
                                 name:
-                                  description: name is unique within a namespace to reference a secret resource.
+                                  description: name is unique within a namespace to
+                                    reference a secret resource.
                                   type: string
                                 namespace:
-                                  description: namespace defines the space within which the secret name must be unique.
+                                  description: namespace defines the space within which
+                                    the secret name must be unique.
                                   type: string
                               required:
                                 - keyPath
@@ -255,18 +271,17 @@ spec:
                       type: object
                   required:
                     - certificateAuthority
-                    - clientCertificate
                   type: object
               required:
                 - driver
                 - endpoints
-                - tlsConfig
               type: object
             status:
               description: DataStoreStatus defines the observed state of DataStore.
               properties:
                 usedBy:
-                  description: List of the Tenant Control Planes, namespaced named, using this data store.
+                  description: List of the Tenant Control Planes, namespaced named,
+                    using this data store.
                   items:
                     type: string
                   type: array

packages/system/kamaji/charts/kamaji/templates/controller.yaml

@@ -34,6 +34,9 @@ spec:
         - --metrics-bind-address={{ .Values.metricsBindAddress }}
         - --tmp-directory={{ .Values.temporaryDirectoryPath }}
         - --datastore={{ include "datastore.fullname" . }}
+        {{- if .Values.telemetry.disabled }}
+        - --disable-telemetry
+        {{- end }}
         {{- if .Values.loggingDevel.enable }}
         - --zap-devel
         {{- end }}

packages/system/kamaji/charts/kamaji/templates/datastore.yaml

@@ -20,9 +20,14 @@ spec:
       secretReference:
         {{- .Values.datastore.basicAuth.passwordSecret | toYaml | nindent 8 }}
 {{- end }}
+{{- if .Values.datastore.tlsConfig.enabled }}
   tlsConfig:
     certificateAuthority:
       {{- include "datastore.certificateAuthority" . | indent 6 }}
+
+    {{- if .Values.datastore.tlsConfig.clientCertificate }}
     clientCertificate:
       {{- include "datastore.clientCertificate" . | indent 6 }}
+    {{- end }}
+{{- end}}
 {{- end}}

packages/system/kamaji/charts/kamaji/templates/validatingwebhookconfiguration.yaml

@@ -8,6 +8,27 @@ metadata:
     {{- include "kamaji.labels" $data | nindent 4 }}
   name: kamaji-validating-webhook-configuration
 webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: {{ include "kamaji.webhookServiceName" . }}
+        namespace: {{ .Release.Namespace }}
+        path: /telemetry
+    failurePolicy: Ignore
+    name: telemetry.kamaji.clastix.io
+    rules:
+      - apiGroups:
+          - kamaji.clastix.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        resources:
+          - tenantcontrolplanes
+    sideEffects: None
   - admissionReviewVersions:
       - v1
     clientConfig:

packages/system/kamaji/charts/kamaji/values.yaml

@@ -60,7 +60,7 @@ etcd:
     # -- The custom annotations to add to the PVC
     customAnnotations: {}
     #  volumeType: local
-  
+
   # -- (array) Kubernetes affinity rules to apply to Kamaji etcd pods
   tolerations: []
 
@@ -162,7 +162,7 @@ loggingDevel:
 datastore:
   # -- (bool) Enable the Kamaji Datastore creation (default=true)
   enabled: true
-  # -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. 
+  # -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to.
   nameOverride:
   # -- (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd).
   driver: etcd
@@ -184,6 +184,7 @@ datastore:
       # -- The Secret key where the data is stored.
       keyPath:
   tlsConfig:
+    enabled: true
     certificateAuthority:
       certificate:
         # -- Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore.
@@ -218,4 +219,9 @@ datastore:
 cfssl:
   image:
     repository: cfssl/cfssl
-    tag: latest
+    tag: latest
+
+# -- Disable the analytics traces collection
+telemetry:
+  disabled: false 
+  

packages/system/kamaji/values.yaml

@@ -1,8 +1,3 @@
 kamaji:
   etcd:
     deploy: false
-
-  # Fix https://github.com/clastix/kamaji/pull/467
-  image:
-    repository: ghcr.io/kvaps/test
-    tag: kamaji-v0.6.0-fix

packages/system/kubeovn/images/kubeovn.json

@@ -5,13 +5,13 @@
       {
         "uri": "pkg:docker/kubeovn/kube-ovn-base@v1.13.0?platform=linux%2Famd64",
         "digest": {
-          "sha256": "c9348ac30ee286aa2c801600f5587e54d07b96b9e137919fa28a84f4ed6806d2"
+          "sha256": "b383903ab2427169bfd27ac49ec1f835e01be552dd391aae92a63d6a5d04f05d"
         }
       },
       {
         "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64",
         "digest": {
-          "sha256": "7dcf6f2084586b44844aea8615db684c9361cf6bebf235a1750595633ed021bd"
+          "sha256": "6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad"
         }
       }
     ],
@@ -35,17 +35,7 @@
       }
     }
   },
-  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/uy5qpumete0kfxr1v5cf2dyjo",
-  "containerimage.config.digest": "sha256:b83d8f607c54ba91b71517099aef98c5f373ef64d268e53fe7f95e15e18ec0af",
-  "containerimage.descriptor": {
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "digest": "sha256:9bedea10c9d2fc0b1213338b4b73b056d5e8ea53302395696d623e6be48bc0be",
-    "size": 5015,
-    "platform": {
-      "architecture": "amd64",
-      "os": "linux"
-    }
-  },
-  "containerimage.digest": "sha256:9bedea10c9d2fc0b1213338b4b73b056d5e8ea53302395696d623e6be48bc0be",
-  "image.name": "ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0,ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0-v0.8.0"
+  "buildx.build.ref": "amd64/amd64/59sogfe3191kwbdbmplhsarwj",
+  "containerimage.config.digest": "sha256:c60b915c03796938fee46e305997e540bd71f688f9f6b7c4b5846168501768fb",
+  "containerimage.digest": "sha256:731d2f079c6ef243731f2f7fd70f36b4da4c50626622b496241ecfe9f98913c0"
 }

packages/system/kubevirt-operator/templates/kubevirt-operator.yaml

@@ -354,6 +354,7 @@ spec:
                         type: boolean
                     type: object
                   emulatedMachines:
+                    description: Deprecated. Use architectureConfiguration instead.
                     items:
                       type: string
                     type: array
@@ -624,6 +625,22 @@ spec:
                       binding:
                         additionalProperties:
                           properties:
+                            domainAttachmentType:
+                              description: 'DomainAttachmentType is a standard domain
+                                network attachment method kubevirt supports. Supported
+                                values: "tap". The standard domain attachment can
+                                be used instead or in addition to the sidecarImage.
+                                version: 1alphav1'
+                              type: string
+                            migration:
+                              description: 'Migration means the VM using the plugin
+                                can be safely migrated version: 1alphav1'
+                              properties:
+                                method:
+                                  description: 'Method defines a pre-defined migration
+                                    methodology version: 1alphav1'
+                                  type: string
+                              type: object
                             networkAttachmentDefinition:
                               description: 'NetworkAttachmentDefinition references
                                 to a NetworkAttachmentDefinition CR object. Format:
@@ -650,6 +667,7 @@ spec:
                       type: boolean
                     type: object
                   ovmfPath:
+                    description: Deprecated. Use architectureConfiguration instead.
                     type: string
                   permittedHostDevices:
                     description: PermittedHostDevices holds information about devices
@@ -883,6 +901,14 @@ spec:
                           AutoattachSerialConsole is disabled.
                         type: object
                     type: object
+                  vmRolloutStrategy:
+                    description: VMRolloutStrategy defines how changes to a VM object
+                      propagate to its VMI
+                    enum:
+                    - Stage
+                    - LiveUpdate
+                    nullable: true
+                    type: string
                   vmStateStorageClass:
                     description: VMStateStorageClass is the name of the storage class
                       to use for the PVCs created to preserve VM state, like TPM.
@@ -3422,6 +3448,7 @@ spec:
                         type: boolean
                     type: object
                   emulatedMachines:
+                    description: Deprecated. Use architectureConfiguration instead.
                     items:
                       type: string
                     type: array
@@ -3692,6 +3719,22 @@ spec:
                       binding:
                         additionalProperties:
                           properties:
+                            domainAttachmentType:
+                              description: 'DomainAttachmentType is a standard domain
+                                network attachment method kubevirt supports. Supported
+                                values: "tap". The standard domain attachment can
+                                be used instead or in addition to the sidecarImage.
+                                version: 1alphav1'
+                              type: string
+                            migration:
+                              description: 'Migration means the VM using the plugin
+                                can be safely migrated version: 1alphav1'
+                              properties:
+                                method:
+                                  description: 'Method defines a pre-defined migration
+                                    methodology version: 1alphav1'
+                                  type: string
+                              type: object
                             networkAttachmentDefinition:
                               description: 'NetworkAttachmentDefinition references
                                 to a NetworkAttachmentDefinition CR object. Format:
@@ -3718,6 +3761,7 @@ spec:
                       type: boolean
                     type: object
                   ovmfPath:
+                    description: Deprecated. Use architectureConfiguration instead.
                     type: string
                   permittedHostDevices:
                     description: PermittedHostDevices holds information about devices
@@ -3951,6 +3995,14 @@ spec:
                           AutoattachSerialConsole is disabled.
                         type: object
                     type: object
+                  vmRolloutStrategy:
+                    description: VMRolloutStrategy defines how changes to a VM object
+                      propagate to its VMI
+                    enum:
+                    - Stage
+                    - LiveUpdate
+                    nullable: true
+                    type: string
                   vmStateStorageClass:
                     description: VMStateStorageClass is the name of the storage class
                       to use for the PVCs created to preserve VM state, like TPM.
@@ -6970,6 +7022,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - kubevirt.io
+  resources:
+  - kubevirts
+  verbs:
+  - get
+  - list
 - apiGroups:
   - subresources.kubevirt.io
   resources:
@@ -7275,6 +7334,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - kubevirt.io
+  resources:
+  - kubevirts
+  verbs:
+  - get
+  - list
 - apiGroups:
   - subresources.kubevirt.io
   resources:
@@ -7439,14 +7505,14 @@ spec:
         - virt-operator
         env:
         - name: VIRT_OPERATOR_IMAGE
-          value: quay.io/kubevirt/virt-operator:v1.1.0
+          value: quay.io/kubevirt/virt-operator:v1.2.2
         - name: WATCH_NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.annotations['olm.targetNamespaces']
         - name: KUBEVIRT_VERSION
-          value: v1.1.0
-        image: quay.io/kubevirt/virt-operator:v1.1.0
+          value: v1.2.2
+        image: quay.io/kubevirt/virt-operator:v1.2.2
         imagePullPolicy: IfNotPresent
         name: virt-operator
         ports:

packages/system/nats-operator/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-nats-operator
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/nats-operator/Makefile

@@ -0,0 +1,10 @@
+export NAME=nats-operator
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package-system.mk
+
+update:
+	rm -rf charts
+	helm repo add nats https://nats-io.github.io/k8s/helm/charts/
+	helm repo update nats
+	helm pull nats/nats-operator --untar --untardir charts

packages/system/nats-operator/charts/nats-operator/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+# Chart specific files
+README.md

packages/system/nats-operator/charts/nats-operator/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v2
+appVersion: 0.8.3
+description: NATS operator creates/configures/manages nats clusters atop Kubernetes
+home: https://github.com/nats-io/nats-operator
+icon: https://nats.io/img/nats-icon-color.png
+keywords:
+- addressing
+- discovery
+- messaging
+- nats
+- operator
+- pubsub
+maintainers:
+- email: richerlariviere@gmail.com
+  name: richerlariviere
+- email: wally@nats.io
+  name: Waldemar Quevedo
+  url: https://github.com/wallyqs
+name: nats-operator
+sources:
+- https://github.com/nats-io/nats-operator
+version: 0.8.3

packages/system/nats-operator/charts/nats-operator/config/client-auth.json

@@ -0,0 +1,25 @@
+{
+  "users": [
+    {{- if and (.Values.cluster.auth.username) (not .Values.cluster.auth.users) }}
+    {
+      "username": "{{ .Values.cluster.auth.username }}",
+      "password": "{{ .Values.cluster.auth.password }}"
+    }
+    {{- end }}
+
+    {{- if .Values.cluster.auth.users }}
+    {{ $length := len .Values.cluster.auth.users }}
+    {{- range $index, $user := .Values.cluster.auth.users }}
+    {
+      "username": "{{ $user.username }}",
+      "password": "{{ $user.password }}"
+      {{- if $user.permissions }},
+      "permissions": {{ toJson $user.permissions | replace "\\u003e" ">"}}
+      {{- end}}
+    }{{- if lt (add1 $index) $length }},{{ end }}
+    {{- end}}
+    {{- end }}
+  ]{{- if .Values.cluster.auth.defaultPermissions }},
+  "default_permissions": {{ toJson .Values.cluster.auth.defaultPermissions | replace "\\u003e" ">" }}
+  {{- end}}
+}

packages/system/nats-operator/charts/nats-operator/crds/customresourcedefinition.yaml

@@ -0,0 +1,305 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: natsclusters.nats.io
+  annotations:
+    "helm.sh/hook": "crd-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+spec:
+  group: nats.io
+  scope: Namespaced
+  names:
+    kind: NatsCluster
+    listKind: NatsClusterList
+    plural: natsclusters
+    singular: natscluster
+    shortNames:
+    - nats
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              size:
+                type: integer
+              version:
+                type: string
+              serverImage:
+                type: string
+              natsConfig:
+                type: object
+                properties:
+                  debug:
+                    type: boolean
+                  trace:
+                    type: boolean
+                  write_deadline:
+                    type: string
+                  maxConnections:
+                    type: integer
+                  maxPayload:
+                    type: integer
+                  maxPending:
+                    type: integer
+                  maxSubscriptions:
+                    type: integer
+                  maxControlLine:
+                    type: integer
+                  disableLogtime:
+                    type: boolean
+              useServerName:
+                type: boolean
+              paused:
+                type: boolean
+              pod:
+                type: object
+                properties:
+                  labels:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  annotations:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  nodeSelector:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  antiAffinity:
+                    type: boolean
+                  resources:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  tolerations:
+                    type: array
+                    items:
+                      x-kubernetes-preserve-unknown-fields: true
+                      type: object
+                  natsEnv:
+                    type: array
+                    items:
+                      x-kubernetes-preserve-unknown-fields: true
+                      type: object
+                  enableConfigReload:
+                    type: boolean
+                  reloaderImage:
+                    type: string
+                  reloaderImageTag:
+                    type: string
+                  reloaderImagePullPolicy:
+                    type: string
+                  reloaderResources:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  enableMetrics:
+                    type: boolean
+                  metricsImage:
+                    type: string
+                  metricsImageTag:
+                    type: string
+                  metricsImagePullPolicy:
+                    type: string
+                  enableClientsHostPort:
+                    type: boolean
+                  advertiseExternalIP:
+                    type: boolean
+                  bootconfigImage:
+                    type: string
+                  bootconfigImageTag:
+                    type: string
+                  volumeMounts:
+                    type: array
+                    items:
+                      x-kubernetes-preserve-unknown-fields: true
+                      type: object
+              tls:
+                type: object
+                properties:
+                  serverSecret:
+                    type: string
+                  serverSecretCAFileName:
+                    type: string
+                  serverSecretKeyFileName:
+                    type: string
+                  serverSecretCertFileName:
+                    type: string
+                  routesSecret:
+                    type: string
+                  routesSecretCAFileName:
+                    type: string
+                  routesSecretKeyFileName:
+                    type: string
+                  routesSecretCertFileName:
+                    type: string
+                  gatewaySecret:
+                    type: string
+                  gatewaySecretCAFileName:
+                    type: string
+                  gatewaySecretKeyFileName:
+                    type: string
+                  gatewaySecretCertFileName:
+                    type: string
+                  leafnodeSecret:
+                    type: string
+                  leafnodeSecretCAFileName:
+                    type: string
+                  leafnodeSecretKeyFileName:
+                    type: string
+                  leafnodeSecretCertFileName:
+                    type: string
+                  websocketSecret:
+                    type: string
+                  websocketSecretCAFileName:
+                    type: string
+                  websocketSecretKeyFileName:
+                    type: string
+                  websocketSecretCertFileName:
+                    type: string
+                  websocketTLSTimeout:
+                    type: number
+                  enableHttps:
+                    type: boolean
+                  clientsTLSTimeout:
+                    type: number
+                  routesTLSTimeout:
+                    type: number
+                  gatewaysTLSTimeout:
+                    type: number
+                  leafnodesTLSTimeout:
+                    type: number
+                  verify:
+                    type: boolean
+                  cipherSuites:
+                    type: array
+                    items:
+                      type: string
+                  curvePreferences:
+                    type: array
+                    items:
+                      type: string
+              auth:
+                type: object
+                properties:
+                  enableServiceAccounts:
+                    type: boolean
+                  clientsAuthSecret:
+                    type: string
+                  clientsAuthFile:
+                    type: string
+                  clientsAuthTimeout:
+                    type: integer
+                  tlsVerifyAndMap:
+                    type: boolean
+              lameDuckDurationSeconds:
+                type: integer
+              noAdvertise:
+                type: boolean
+              template:
+                x-kubernetes-preserve-unknown-fields: true
+                type: object
+              extraRoutes:
+                type: array
+                items:
+                  type: object
+                  properties:
+                    cluster:
+                      type: string
+                    route:
+                      type: string
+              gatewayConfig:
+                type: object
+                properties:
+                  name:
+                    type: string
+                  hostPort:
+                    type: integer
+                  rejectUnknown:
+                    type: boolean
+                  gateways:
+                    type: array
+                    items:
+                      type: object
+                      properties:
+                        name:
+                          type: string
+                        url:
+                          type: string
+              leafnodeConfig:
+                type: object
+                properties:
+                  port:
+                    type: integer
+                  remotes:
+                    type: array
+                    items:
+                      type: object
+                      properties:
+                        url:
+                          type: string
+                        urls:
+                          type: array
+                          items:
+                            type: string
+                        credentials:
+                          type: string
+              operatorConfig:
+                type: object
+                properties:
+                  secret:
+                    type: string
+                  systemAccount:
+                    type: string
+                  resolver:
+                    type: string
+              websocketConfig:
+                type: object
+                properties:
+                  port:
+                    type: integer
+                  handshakeTimeout:
+                    type: integer
+                  compression:
+                    type: boolean
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: natsserviceroles.nats.io
+  annotations:
+    "helm.sh/hook": "crd-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+spec:
+  group: nats.io
+  scope: Namespaced
+  names:
+    kind: NatsServiceRole
+    listKind: NatsServiceRoleList
+    plural: natsserviceroles
+    singular: natsservicerole
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              permissions:
+                type: object
+                properties:
+                  publish:
+                    type: array
+                    items:
+                      type: string
+                  subscribe:
+                    type: array
+                    items:
+                      type: string

packages/system/nats-operator/charts/nats-operator/templates/NOTES.txt

@@ -0,0 +1,26 @@
+** Please be patient while the chart is being deployed **
+{{- if .Values.clusterScoped }}
+
+** WARNING ! **: You've installed a cluster-scoped NATS Operator. Make sure that there are no other deployments of NATS Operator in the Kubernetes cluster.
+{{- if not (eq .Release.Namespace "nats-io") }}
+
+** WARNING ! **: The namespace must be "nats-io" however you used "{{ .Release.Namespace }}" !
+{{- end }}
+{{- end}}
+
+NATS can be accessed via port 4222 on the following DNS name from within your cluster:
+
+   nats-cluster.{{ .Release.Namespace }}.svc.cluster.local
+
+NATS monitoring service can be accessed via port 8222 on the following DNS name from within your cluster:
+
+    nats-cluster-mgmt.{{ .Release.Namespace }}.svc.cluster.local
+
+To access the Monitoring svc from outside the cluster, follow the steps below:
+
+1. Get the name of a pod from the cluster that was deployed, then use port-forward to connect top it. For example:
+
+    kubectl get pods -l nats_cluster=nats-cluster
+    kubectl port-forward nats-cluster-1 8222
+
+2. Open a browser and access the NATS monitoring browsing to the Monitoring URL

packages/system/nats-operator/charts/nats-operator/templates/_helpers.tpl

@@ -0,0 +1,44 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "nats.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "nats.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "nats.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "nats.labels" -}}
+app.kubernetes.io/name: {{ template "nats.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: "operator"
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+helm.sh/chart: {{ include "nats.chart" . }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "nats.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "nats.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: "operator"
+{{- end -}}

packages/system/nats-operator/charts/nats-operator/templates/deployment.yaml

@@ -0,0 +1,130 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "nats.fullname" . }}
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+  namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+
+  labels:
+    {{- include "nats.labels" . | nindent 4 }}
+    app: {{ template "nats.name" . }}
+    chart: {{ template "nats.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  strategy:
+    type: {{ .Values.updateStrategy }}
+    {{- if eq .Values.updateStrategy "RollingUpdate" }}
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingUpdateMaxSurge }}
+      maxUnavailable: {{ .Values.rollingUpdateMaxUnavailable }}
+        {{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "nats.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        {{- include "nats.selectorLabels" . | nindent 8 }}
+        app: {{ template "nats.name" . }}
+        release: {{ .Release.Name }}
+      {{- if .Values.podLabels }}
+        {{- toYaml .Values.podLabels | nindent 8 }}
+      {{- end }}
+      {{- if .Values.podAnnotations }}
+      annotations:
+        {{- toYaml .Values.podAnnotations | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- if .Values.rbacEnabled }}
+      serviceAccountName: nats-operator
+      {{- end }}
+      containers:
+      - name: nats-operator
+        image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy  }}
+        {{- if .Values.clusterScoped }}
+        args:
+        - nats-operator
+        - --feature-gates=ClusterScoped=true
+        {{- end }}
+        env:
+        - name: MY_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MY_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        ports:
+        - name: readyz
+          containerPort: 8080
+        {{- if .Values.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: /readyz
+            port: readyz
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.livenessProbe.successThreshold }}
+          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+        {{- end }}
+        {{- if .Values.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: readyz
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+        {{- end }}
+        resources:
+{{ toYaml .Values.resources | indent 10}}
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+      {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+      {{- end }}
+      {{- if .Values.schedulerName }}
+      schedulerName: "{{ .Values.schedulerName}}"
+      {{- end }}
+      {{- if eq .Values.antiAffinity "hard" }}
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - topologyKey: "kubernetes.io/hostname"
+              labelSelector:
+                matchLabels:
+                  app: "{{ template "nats.name" . }}"
+                  release: {{ .Release.Name | quote }}
+      {{- else if eq .Values.antiAffinity "soft" }}
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            podAffinityTerm:
+              topologyKey: kubernetes.io/hostname
+              labelSelector:
+                matchLabels:
+                  app: "{{ template "nats.name" . }}"
+                  release: "{{ .Release.Name }}"
+      {{- end }}
+      {{- if .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{ .Values.image.pullSecrets}}
+      {{- end }}

packages/system/nats-operator/charts/nats-operator/templates/natscluster.yaml

@@ -0,0 +1,70 @@
+---
+{{- if .Values.cluster.create }}
+apiVersion: "nats.io/v1alpha2"
+kind: "NatsCluster"
+metadata:
+  name: {{ .Values.cluster.name }}
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+  namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+spec:
+  size: {{ .Values.cluster.size }}
+  version: {{ .Values.cluster.version }}
+
+  pod:
+    {{- if .Values.cluster.annotations }}
+    annotations: {{ toYaml .Values.cluster.annotations | nindent 6 }}
+    {{- end }}
+    {{- if .Values.cluster.resources }}
+    resources: {{ toYaml .Values.cluster.resources | nindent 6 }}
+    {{- end }}
+    enableConfigReload: {{ .Values.cluster.configReload.enabled }}
+    reloaderImage: {{ .Values.cluster.configReload.repository }}
+    reloaderImageTag: {{ .Values.cluster.configReload.tag }}
+    reloaderImagePullPolicy: {{ .Values.cluster.configReload.pullPolicy }}
+    {{- if .Values.cluster.configReload.resources }}
+    reloaderResources: {{ toYaml .Values.cluster.configReload.resources | nindent 6 }}
+    {{- end }}
+    enableMetrics: {{ .Values.cluster.metrics.enabled }}
+    metricsImage: {{ .Values.cluster.metrics.repository }}
+    metricsImageTag: {{ .Values.cluster.metrics.tag }}
+    metricsImagePullPolicy: {{ .Values.cluster.metrics.pullPolicy }}
+  {{- if .Values.cluster.auth.enabled }}
+  auth:
+    enableServiceAccounts: {{ .Values.cluster.auth.enableServiceAccounts }}
+    clientsAuthSecret: {{ .Values.cluster.name }}-clients-auth
+    clientsAuthTimeout: 5
+  {{- end }}
+
+  {{- if .Values.cluster.tls.enabled }}
+  tls:
+    # Certificates to secure the NATS client connections:
+    serverSecret: {{ .Values.cluster.tls.serverSecret }}
+
+    # Certificates to secure the routes.
+    routesSecret: {{ .Values.cluster.tls.routesSecret }}
+  {{- end }}
+---
+{{- if and .Values.cluster.metrics.enabled .Values.cluster.metrics.servicemonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ .Values.cluster.name }}
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+  namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+  labels:
+    app: nats
+    nats_cluster: {{ .Values.cluster.name }}
+    prometheus: {{ .Values.cluster.metrics.servicemonitor.prometheusInstance }}
+spec:
+  jobLabel: nats-{{ .Values.cluster.name }}
+  selector:
+    matchLabels:
+      app: nats
+      nats_cluster: {{ .Values.cluster.name }}
+  endpoints:
+  - port: metrics
+    interval: 60s
+{{- end }}
+{{- end }}

packages/system/nats-operator/charts/nats-operator/templates/rbac.yaml

@@ -0,0 +1,108 @@
+{{- if .Values.rbacEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: nats-io-nats-operator-crd
+rules:
+# Allow creating CRDs
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs: ["get", "list", "create", "update", "watch"]
+# Allow all actions on NatsClusters
+- apiGroups:
+  - nats.io
+  resources:
+  - natsclusters
+  - natsserviceroles
+  verbs: ["*"]
+# Allowed actions on Pods
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: nats-io-nats-operator-crd-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nats-io-nats-operator-crd
+subjects:
+- kind: ServiceAccount
+  name: nats-operator
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.clusterScoped }}
+kind: ClusterRole
+{{- else }}
+kind: Role
+{{- end }}
+metadata:
+  name: nats-io-nats-operator
+rules:
+# Allowed actions on Pods
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+
+# Allowed actions on Services
+- apiGroups: [""]
+  resources:
+  - services
+  verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+
+# Allowed actions on Secrets
+- apiGroups: [""]
+  resources:
+  - secrets
+  verbs: ["create", "watch", "get", "update", "delete", "list"]
+
+# Allow all actions on some special subresources
+- apiGroups: [""]
+  resources:
+  - pods/exec
+  - pods/log
+  - serviceaccounts/token
+  - events
+  verbs: ["*"]
+
+# Allow listing Namespaces and ServiceAccounts
+- apiGroups: [""]
+  resources:
+  - namespaces
+  - serviceaccounts
+  verbs: ["list", "get", "watch"]
+
+# Allow actions on Endpoints
+- apiGroups: [""]
+  resources:
+  - endpoints
+  verbs: ["create", "watch", "get", "update", "delete", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.clusterScoped }}
+kind: ClusterRoleBinding
+{{- else }}
+kind: RoleBinding
+{{- end }}
+metadata:
+  name: nats-io-nats-operator-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  {{- if .Values.clusterScoped }}
+  kind: ClusterRole
+  {{- else }}
+  kind: Role
+  {{- end }}
+  name: nats-io-nats-operator
+subjects:
+- kind: ServiceAccount
+  name: nats-operator
+  namespace: {{ .Release.Namespace }}
+{{- end }}

packages/system/nats-operator/charts/nats-operator/templates/secret.yaml

@@ -0,0 +1,12 @@
+{{- if and .Values.cluster.create .Values.cluster.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.cluster.name }}-clients-auth
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+  namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+type: Opaque
+data:
+  clients-auth.json: {{ (tpl (.Files.Get "config/client-auth.json") . ) | b64enc }}
+{{- end }}

packages/system/nats-operator/charts/nats-operator/templates/serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.rbacEnabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nats-operator
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+  namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+{{- end }}

packages/system/nats-operator/charts/nats-operator/values.yaml

@@ -0,0 +1,191 @@
+## Specify if RBAC authorization is enabled.
+## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+##
+rbacEnabled: true
+
+## Operator scope
+## NOTE: If true
+## * Make sure that no othe NATS operator is running in the cluster
+## * The Release namespace must be "nats-io"
+clusterScoped: false
+
+## Set default Replica Coint for the Operator
+replicaCount: 1
+
+image:
+  # natsio/nats-operator:0.8.3
+  registry: docker.io
+  repository: natsio/nats-operator
+  tag: 0.8.3
+  ## Specify a imagePullPolicy
+  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+  ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+  ##
+  pullPolicy: Always
+  ## Optionally specify an array of imagePullSecrets.
+  ## Secrets must be manually created in the namespace.
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  ##
+  # pullSecrets:
+  #   - myRegistrKeySecretName
+
+## NATS Pod Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
+securityContext:
+  enabled: true
+  fsGroup: 1001
+  runAsUser: 1001
+
+## NATS Node selector and tolerations for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations
+##
+# nodeSelector: {}
+# tolerations: []
+
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
+## Pods anti-affinity
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+##
+## Possible values: soft, hard
+antiAffinity: soft
+
+## Pod annotations
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+
+## Additional pod labels
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+
+## Update strategy, can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+
+updateStrategy: RollingUpdate
+# rollingUpdateMaxSurge: 25%
+# rollingUpdateMaxUnavailable: "25%
+
+## Configure resource requests and limits
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+##
+resources: {}
+# limits:
+#   cpu: 100m
+#   memory: 64Mi
+# requests:
+#   cpu: 10m
+#   memory: 64Mi
+
+## Configure extra options for liveness and readiness probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 30
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+cluster:
+  ## Create a NATS Cluster when installing the operator
+  create: true
+
+  name: nats-cluster
+
+  ## Choose namespace for cluster deployment if clusterScoped is set to true
+  namespace: "nats-io"
+
+  ## Nats version
+  ## Image tags are listed here: https://hub.docker.com/_/nats?tab=tags
+  version: 1.4.1
+
+  ## Cluster Size
+  size: 3
+
+  ## Optional custom annotations to add to Pods in the cluster
+  annotations: {}
+
+  resources: {}
+  # limits:
+  #   cpu: 500m
+  #   memory: 512Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 256Mi
+
+  ## Client Authentication
+  ## ref: https://github.com/nats-io/gnatsd#authentication
+  ## note: token not supported only user/password will work with this chart version
+  ##
+  auth:
+    enabled: true
+
+    # NOTE: Only supported in Kubernetes v1.12+ clusters having the "TokenRequest" API enabled.
+    enableServiceAccounts: false
+
+    ## This is where you enter a username/password for 1 user
+    username: "my-user"
+    password: "T0pS3cr3t"
+
+    ## This is a where you can specify 2 or more users
+    users: []
+    # - username: "another-user-1"
+    #   password: "another-password-1"
+    # - username: "another-user-2"
+    #   password: "another-password-2"
+    #   permissions:
+    #     publish: ["hello.*"]
+    #     subscribe: ["hello.world"]
+
+    defaultPermissions: {}
+    # publish: ["SANDBOX.*"]
+    # subscribe: ["PUBLIC.>"]
+
+  tls:
+    enabled: false
+    # serverSecret:
+    # routesSecret:
+
+  ## Configuration Reload
+  ## NOTE: Only supported in Kubernetes v1.12+.
+  configReload:
+    enabled: false
+    registry: "docker.io"
+    repository: "connecteverything/nats-server-config-reloader"
+    tag: "0.2.2-v1alpha2"
+    pullPolicy: "IfNotPresent"
+    resources: {}
+    # limits:
+    #   cpu: 50m
+    #   memory: 32Mi
+    # requests:
+    #   cpu: 10m
+    #   memory: 32Mi
+
+  ## Prometheus Metrics Exporter
+  ##
+  metrics:
+    enabled: false
+    registry: "docker.io"
+    repository: "synadia/prometheus-nats-exporter"
+    tag: "0.6.2"
+    pullPolicy: "IfNotPresent"
+
+    # Prometheus Operator ServiceMonitor config
+    ##
+    servicemonitor:
+      enabled: false
+      prometheusInstance: default

packages/system/nats-operator/values.yaml

@@ -0,0 +1,6 @@
+nats-operator:
+  clusterScoped: true
+  cluster:
+    create: true
+    metrics:
+      enabled: true

packages/system/piraeus-operator/charts/piraeus/Chart.yaml

@@ -3,8 +3,8 @@ name: piraeus
 description: |
   The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
 type: application
-version: 2.5.0
-appVersion: "v2.5.0"
+version: 2.5.1
+appVersion: "v2.5.1"
 maintainers:
   - name: Piraeus Datastore
     url: https://piraeus.io

packages/system/piraeus-operator/charts/piraeus/templates/config.yaml

@@ -20,10 +20,11 @@ data:
         tag: v1.27.1
         image: piraeus-server
       linstor-satellite:
-        tag: v1.27.1
+        # Pin with digest to ensure we pull the version with downgraded thin-send-recv
+        tag: v1.27.1@sha256:26037f77d30d5487024e02a808d4ef913b93b745f2bb850cabc7f43a5359adff
         image: piraeus-server
       linstor-csi:
-        tag: v1.5.0
+        tag: v1.6.0
         image: piraeus-csi
       drbd-reactor:
         tag: v1.4.0
@@ -38,11 +39,11 @@ data:
         tag: v0.10
         image: ktls-utils
       drbd-module-loader:
-        tag: v9.2.8
+        tag: v9.2.9
         # The special "match" attribute is used to select an image based on the node's reported OS.
         # The operator will first check the k8s node's ".status.nodeInfo.osImage" field, and compare it against the list
         # here. If one matches, that specific image name will be used instead of the fallback image.
-        image: drbd9-jammy # Fallback image: chose a fairly recent kernel, which can hopefully compile whatever config is actually in use
+        image: drbd9-noble # Fallback image: chose a recent kernel, which can hopefully compile whatever config is actually in use
         match:
           - osImage: CentOS Linux 7
             image: drbd9-centos7
@@ -64,6 +65,8 @@ data:
             image: drbd9-focal
           - osImage: Ubuntu 22\.04
             image: drbd9-jammy
+          - osImage: Ubuntu 24\.04
+            image: drbd9-noble
           - osImage: Debian GNU/Linux 12
             image: drbd9-bookworm
           - osImage: Debian GNU/Linux 11

packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml

@@ -262,11 +262,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             required:
                             - key
                             - operator
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         matchFields:
                           description: A list of node selector requirements by node's
                             fields.
@@ -294,14 +296,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             required:
                             - key
                             - operator
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                       type: object
                       x-kubernetes-map-type: atomic
                     type: array
+                    x-kubernetes-list-type: atomic
                 required:
                 - nodeSelectorTerms
                 type: object
@@ -814,11 +819,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             required:
                             - key
                             - operator
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                         matchFields:
                           description: A list of node selector requirements by node's
                             fields.
@@ -846,14 +853,17 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                                x-kubernetes-list-type: atomic
                             required:
                             - key
                             - operator
                             type: object
                           type: array
+                          x-kubernetes-list-type: atomic
                       type: object
                       x-kubernetes-map-type: atomic
                     type: array
+                    x-kubernetes-list-type: atomic
                 required:
                 - nodeSelectorTerms
                 type: object

packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml

@@ -92,6 +92,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: {{ include "piraeus-operator.serviceAccountName" . }}
       terminationGracePeriodSeconds: 10
+      priorityClassName: {{ .Values.priorityClassName | default "system-cluster-critical" }}
       tolerations:
         {{- toYaml .Values.tolerations | nindent 8 }}
       volumes:

packages/system/piraeus-operator/charts/piraeus/values.yaml

@@ -93,6 +93,8 @@ tolerations:
     effect: NoSchedule
 affinity: { }
 
+priorityClassName: ""
+
 podDisruptionBudget:
   enabled: true
   minAvailable: 1