This PR fixes an issue with accessing external IPs of cluster from
cluster itself
```
Policy verdict log: flow 0x6c9bf32e local EP ID 1155, remote ID remote-node, proto 6, ingress, action deny, auth: disabled, match none, 172.27.88.13:46124 -> 10.244.4.174:30274 tcp SYN
xx drop (Policy denied) flow 0x6c9bf32e to endpoint 1155, ifindex 247, file bpf_lxc.c:2181, , identity remote-node->56986: 172.27.88.13:46124 -> 10.244.4.174:30274 tcp SYN
```
related doc:
https://docs.cilium.io/en/stable/security/policy/language/#entities-based
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Expanded network access for the tenant application to allow
connections from both external sources and within the cluster.
- **Chores**
- Updated the tenant application to version 1.9.2.
- Adjusted version mappings to reflect the latest release.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Every tenant now creates a configmap in its __tenant__ namespace with a
sha256 of its values. Tenants (and eventually all other apps), watch the
configmap in their __release__ namespace, by referencing it in the
valuesFrom part of the HelmRelease. `tenant-root` is an exception, since
it is the only tenant where the release namespace is the same as the
tenant namespace. It references a different configmap in its valesFrom,
created and reconciled by the cozystack installer script. Part of #802.
Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced a new configurable parameter for tenant resource quotas,
enabling flexible CPU and memory management.
- Added a new YAML template for Kubernetes ResourceQuota configuration.
- Updated application version to 1.8.0.
- **Documentation**
- Added documentation for the new `resourceQuotas` parameter in tenant
configuration.
- **Chores**
- Updated versioning entries for the tenant application.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **Chores**
- Updated tenant application version from 1.6.6 to 1.6.7
- Updated version tracking in package management system
- Minor configuration adjustments in kubeconfig template
- Enhanced logic for determining API server endpoint based on kubeconfig
presence
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
- **Version Updates**
- Tenant application version bumped from 1.6.5 to 1.6.6
- Monitoring application version updated from 1.5.3 to 1.5.4
- **Monitoring Configuration**
- Adjusted metrics storage deduplication interval: shortterm from 5
minutes to 15 seconds, longterm from 15 seconds to 5 minutes
- Updated resource configurations for VM components, including new
resource specifications for vminsert, vmselect, and vmstorage
- Increased memory limits and requests for VMAgent from 500Mi to 1024Mi
and from 200Mi to 768Mi, respectively
- **Performance Improvements**
- Enhanced resource allocation for monitoring services
- More flexible configuration options for metrics storage
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<img width="1675" alt="Screenshot 2024-12-23 at 13 40 30"
src="https://github.com/user-attachments/assets/cc123697-4efd-4a4f-909c-793cec8d91bd"
/>
<img width="1673" alt="Screenshot 2024-12-23 at 13 40 45"
src="https://github.com/user-attachments/assets/3be63e8d-9ee6-487d-90d0-3583dc968dfc"
/>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced a new `pluginConfig` section in the Kubeapps dashboard
configuration for managing a broader range of applications.
- **Bug Fixes**
- Enhanced URL generation logic to ensure proper encoding of package
identifiers.
- **Chores**
- Updated image digests in the configuration for both the dashboard and
kubeappsapis sections.
- Removed unnecessary patch application steps from the build process.
- Upgraded the Go version used for building the application.
- Updated the application version for the tenant package from `1.6.3` to
`1.6.4`.
- Added a new version `1.6.4 HEAD` for the tenant package.
- Adjusted RBAC configuration to streamline permissions and enhance
group-based access management.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Co-authored-by: klinch0 <68821526+klinch0@users.noreply.github.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced new roles and role bindings for enhanced role-based access
control, including specific permissions for viewing, using, and
administering resources.
- Added a new dashboard role for access to helm repositories and charts.
- **Bug Fixes**
- Updated application version from 1.6.2 to 1.6.3.
- **Chores**
- Updated version declarations for the tenant package in the versions
map.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced a new `super-admin` role with comprehensive permissions
across resources, enhancing access control.
- **Version Updates**
- Application version updated from `1.6.1` to `1.6.2`.
- Various packages, including `tenant`, updated to reflect new version
identifiers.
These updates improve user access management and ensure the application
is running on the latest version.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Enhanced Kubernetes configuration template for tenant-specific
context, improving configurability and security.
- **Version Updates**
- Updated application version from 1.6.1 to 1.6.2.
- Incremented version references for multiple packages, ensuring
alignment with the latest commits.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Enhanced Keycloak client configuration with new secrets for
`k8s-client`, `kubeapps-client`, and `kubeapps-auth-config`.
- Introduced new `ClusterKeycloak` and `ClusterKeycloakRealm` resources
for improved management.
- Updated Keycloak client scopes with additional attributes and protocol
mappers.
- Added multiple CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy
configurations for better traffic control.
- **Improvements**
- Logic added to check for existing Kubernetes secrets and generate new
ones as needed, ensuring seamless configuration management.
- Enhanced network policies to provide comprehensive control over
ingress and egress traffic for various services within the tenant's
namespace.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
- **New Features**
- Integrated OpenID Connect (OIDC) for enhanced authentication.
- Added dynamic Role resource for tenant-specific access to Kubernetes
secrets.
- Introduced new Keycloak realm groups for improved role management.
- **Improvements**
- Enhanced error handling for service readiness checks.
- Streamlined configuration files for better clarity and management of
OIDC settings.
- Updated handling of API server address and improved configuration
adaptability based on OIDC settings.
- **Bug Fixes**
- Removed deprecated configurations related to Keycloak, simplifying
deployment.
These updates aim to improve security, usability, and overall system
performance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
- **New Features**
- Introduced a new variable `$host` for improved configuration
management.
- Added a `valuesFrom` section to the `dashboard` release, allowing
external value sourcing.
- Enhanced Keycloak integration with new client scopes, roles, and
configurations for Kubeapps.
- Added support for custom pod specifications and environment variables
in Redis configurations.
- Introduced a new Kubernetes configuration file for managing access to
resources via Role and Secret.
- Updated image versions across various components to ensure
compatibility and leverage new features.
- **Bug Fixes**
- Implemented error handling to ensure required configurations are
present.
- Improved handling of request headers for the `/logos` endpoint in
Nginx configuration.
- Adjusted security context configurations to enhance deployment
security.
- **Documentation**
- Updated configuration files to reflect new dependencies and structures
for better clarity.
- Enhanced README documentation with upgrade instructions and security
defaults.
- Expanded notes on handling persistent volumes and data migration
during upgrades.
These enhancements improve the overall functionality and reliability of
the platform.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Updated application version from 1.5.0 to 1.6.0.
- Introduced new role-based access control (RBAC) roles: view, use,
admin, and super-admin, enhancing security and permissions management.
- Added new Keycloak realm groups for view, use, admin, and super-admin
roles, streamlining user management within the application.
- Integrated `keycloak-configure` release into the deployment structure,
establishing dependencies for improved configuration management.
- **Bug Fixes**
- Resolved versioning discrepancies in the tenant package.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Upstream fix:
https://github.com/kubevirt/containerized-data-importer/pull/3461
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced a new version (`v1beta1`) for the CDI operator alongside
the existing version, enhancing configuration options.
- Expanded `spec` section with detailed descriptions for various
configurations including data volume management and TLS security
profiles.
- Added a new Ingress resource for the `cdi-uploadproxy` service,
improving traffic routing capabilities.
- Introduced new configuration parameters for dynamic upload proxy URL
management.
- **Improvements**
- Updated permissions for the CDI operator to manage additional
resources, improving its data handling capabilities.
- Refined deployment configuration with updated container image
references and environment variables for better operational control.
- Enhanced network policy definitions by adding specific rules for new
services while maintaining existing policies.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Currently ingress have rule to allow access from outside cluster, but
have no rule to access from within cluster.
This PR introduces fix for allow ingress access from any namespace by
default.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced a new network policy for managing ingress traffic,
enhancing security and traffic management capabilities.
- The policy is dynamically configured based on the tenant's settings,
allowing for tailored network access.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
This change is aimed at improving the development experience.
- The option `make delete` has been added.
- Added check for `NAME` and `NAMESPACE` variables
- Now, any package (not just system ones) can include options such as
make show, make diff, make apply.
- Applications from packages/extra require explicit specification of the
`NAMESPACE`.
- Applications from packages/apps require explicit specification of both
`NAME` and `NAMESPACE`.
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
