Update Cilium v1.14.10

* Fix datastore creation depends on created secrets

* Add basic topologySpreadConstraints

* Fix kubernetes chart post-rendering

* Update release images

manifests/cozystack-installer.yaml

@@ -63,7 +63,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.3.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -82,7 +82,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.3.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/http-cache/images/nginx-cache.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:e406d5ac59cc06bbab51e16ae9a520143ad4f54952ef8f8cca982dc89454d616",
-  "containerimage.digest": "sha256:08e5063e65d2adc17278abee0ab43ce31cf37bc9bc7eb7988ef16f1f1c459862"
+  "containerimage.config.digest": "sha256:9eb68d2d503d7e22afc6fde2635f566fd3456bbdb3caad5dc9f887be1dc2b8ab",
+  "containerimage.digest": "sha256:1f44274dbc2c3be2a98e6cef83d68a041ae9ef31abb8ab069a525a2a92702bdd"
 }

packages/apps/kubernetes/images/ubuntu-container-disk.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:62baab666445d76498fb14cc1d0865fc82e4bdd5cb1d7ba80475dc5024184622",
-  "containerimage.digest": "sha256:9363d717f966f4e7927da332eaaf17401b42203a2fcb493b428f94d096dae3a5"
+  "containerimage.config.digest": "sha256:a7e8e6e35ac07bcf6253c9cfcf21fd3c315bd0653ad0427dd5f0cae95ffd3722",
+  "containerimage.digest": "sha256:c03bffeeb70fe7dd680d2eca3021d2405fbcd9961dd38437f5673560c31c72cc"
 }

packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml

@@ -15,6 +15,12 @@ spec:
       labels:
         app: {{ .Release.Name }}-cluster-autoscaler
     spec:
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
       containers:
       - image: ghcr.io/kvaps/test:cluster-autoscaller
         name: cluster-autoscaler

packages/apps/kubernetes/templates/csi/deploy.yaml

@@ -16,12 +16,10 @@ spec:
     spec:
       serviceAccountName: {{ .Release.Name }}-kcsi
       priorityClassName: system-cluster-critical
-      nodeSelector:
-        node-role.kubernetes.io/control-plane: ""
       tolerations:
         - key: CriticalAddonsOnly
           operator: Exists
-        - key: node-role.kubernetes.io/master
+        - key: node-role.kubernetes.io/control-plane
           operator: Exists
           effect: "NoSchedule"
       containers:

packages/apps/kubernetes/templates/helmreleases/delete.yaml

@@ -12,6 +12,12 @@ spec:
     spec:
       serviceAccountName: {{ .Release.Name }}-flux-teardown
       restartPolicy: Never
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
       containers:
         - name: kubectl
           image: docker.io/clastix/kubectl:v1.29.1

packages/apps/kubernetes/templates/kccm/manager.yaml

@@ -14,6 +14,12 @@ spec:
       labels:
         k8s-app: {{ .Release.Name }}-kccm
     spec:
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
       containers:
       - name: kubevirt-cloud-controller-manager
         args:
@@ -44,6 +50,4 @@ spec:
       - secret:
           secretName: {{ .Release.Name }}-admin-kubeconfig
         name: kubeconfig
-      tolerations:
-      - operator: Exists
       serviceAccountName: {{ .Release.Name }}-kccm

packages/core/installer/images/cozystack.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:29b11ecbb92bae830f2e55cd4b6f7f3ada09b2f5514c0eeee395bd2dbd12fb81",
-  "containerimage.digest": "sha256:791df989ff37a76062c7c638dbfc93435df9ee0db48797f2045c80b6d6b937c0"
+  "containerimage.config.digest": "sha256:aefc3ca9f56f69270d7ce6f56a1ce5b531332d5641481eb54c8e74b66b0f3341",
+  "containerimage.digest": "sha256:a2bf43cb7eb812166edfeb1a4fae6a76a4ddba93be2c0ba9040a804ccb53c261"
 }

packages/core/installer/images/cozystack.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.3.1
+ghcr.io/aenix-io/cozystack/cozystack:v0.4.0

packages/core/installer/images/matchbox.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:d63ac434876b4e47c130e6b99f0c9657e718f9d97f522f5ccd878eab75844122",
-  "containerimage.digest": "sha256:9963580a02ac4ddccafb60f2411365910bcadd73f92d1c9187a278221306a4ed"
+  "containerimage.config.digest": "sha256:68ea72fcc581352fabfd87fa6fd482968cc85ee520cab7a614f1244d7ae36eb0",
+  "containerimage.digest": "sha256:cea915e08a19eb6892f3facf3b3648368cd4a05abefc49bc2616ba3340c27e82"
 }

packages/core/installer/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/matchbox:v1.6.4
+ghcr.io/aenix-io/cozystack/matchbox:v1.7.1

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,25 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.6.4
+version: v1.7.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
+    imageRef: ghcr.io/siderolabs/installer:v1.7.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
   kind: initramfs
+  imageOptions: {}
   outFormat: raw

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,25 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.6.4
+version: v1.7.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
+    imageRef: ghcr.io/siderolabs/installer:v1.7.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
   kind: installer
+  imageOptions: {}
   outFormat: raw

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,25 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.6.4
+version: v1.7.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
+    imageRef: ghcr.io/siderolabs/installer:v1.7.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
   kind: iso
+  imageOptions: {}
   outFormat: raw

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,25 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.6.4
+version: v1.7.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
+    imageRef: ghcr.io/siderolabs/installer:v1.7.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
   kind: kernel
+  imageOptions: {}
   outFormat: raw

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,25 +3,25 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.6.4
+version: v1.7.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.6.4
+    imageRef: ghcr.io/siderolabs/installer:v1.7.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240115
-    - imageRef: ghcr.io/siderolabs/i915-ucode:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/intel-ucode:20231114
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240115
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.6-v1.6.4
-    - imageRef: ghcr.io/siderolabs/zfs:2.1.14-v1.6.4
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20240410
+    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20240410
+    - imageRef: ghcr.io/siderolabs/i915-ucode:20240410
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/intel-ucode:20240312
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20240410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
-  kind: image
+  kind: nocloud
   imageOptions: { diskSize: 1306525696, diskFormat: raw }
   outFormat: .xz

packages/core/platform/bundles/distro-full.yaml

@@ -52,6 +52,12 @@ releases:
   privileged: true
   dependsOn: [cilium]
 
+- name: etcd-operator
+  releaseName: etcd-operator
+  chart: cozy-etcd-operator
+  namespace: cozy-etcd-operator
+  dependsOn: [cilium,cert-manager]
+
 - name: grafana-operator
   releaseName: grafana-operator
   chart: cozy-grafana-operator

packages/core/platform/bundles/distro-hosted.yaml

@@ -26,6 +26,12 @@ releases:
   privileged: true
   dependsOn: [victoria-metrics-operator]
 
+- name: etcd-operator
+  releaseName: etcd-operator
+  chart: cozy-etcd-operator
+  namespace: cozy-etcd-operator
+  dependsOn: [cert-manager]
+
 - name: grafana-operator
   releaseName: grafana-operator
   chart: cozy-grafana-operator

packages/core/platform/bundles/paas-full.yaml

@@ -81,6 +81,12 @@ releases:
   privileged: true
   dependsOn: [cilium,kubeovn]
 
+- name: etcd-operator
+  releaseName: etcd-operator
+  chart: cozy-etcd-operator
+  namespace: cozy-etcd-operator
+  dependsOn: [cilium,kubeovn,cert-manager]
+
 - name: grafana-operator
   releaseName: grafana-operator
   chart: cozy-grafana-operator

packages/core/platform/bundles/paas-hosted.yaml

@@ -26,6 +26,12 @@ releases:
   privileged: true
   dependsOn: [victoria-metrics-operator]
 
+- name: etcd-operator
+  releaseName: etcd-operator
+  chart: cozy-etcd-operator
+  namespace: cozy-etcd-operator
+  dependsOn: [cert-manager]
+
 - name: grafana-operator
   releaseName: grafana-operator
   chart: cozy-grafana-operator

packages/core/platform/templates/helmreleases.yaml

@@ -23,9 +23,11 @@ spec:
   interval: 1m
   releaseName: {{ $x.releaseName | default $x.name }}
   install:
+    crds: CreateReplace
     remediation:
       retries: -1
   upgrade:
+    crds: CreateReplace
     remediation:
       retries: -1
   chart:

packages/extra/etcd/Chart.yaml

@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: https://www.svgrepo.com/show/353714/etcd.svg
 type: application
-version: 1.0.0
+version: 2.0.0

packages/extra/etcd/templates/datastore.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: kamaji.clastix.io/v1alpha1
+kind: DataStore
+metadata:
+  name: {{ .Release.Namespace }}
+spec:
+  driver: etcd
+  endpoints:
+  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc:2379
+  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc:2379
+  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc:2379
+  tlsConfig:
+    certificateAuthority:
+      certificate:
+        secretReference:
+          keyPath: tls.crt
+          name: etcd-ca-tls
+          namespace: {{ .Release.Namespace }}
+      privateKey:
+        secretReference:
+          keyPath: tls.key
+          name: etcd-ca-tls
+          namespace: {{ .Release.Namespace }}
+    clientCertificate:
+      certificate:
+        secretReference:
+          keyPath: tls.crt
+          name: etcd-client-tls
+          namespace: {{ .Release.Namespace }}
+      privateKey:
+        secretReference:
+          keyPath: tls.key
+          name: etcd-client-tls
+          namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-ca-tls
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/resource-policy: keep
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-client-tls
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/resource-policy: keep

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -0,0 +1,176 @@
+---
+apiVersion: etcd.aenix.io/v1alpha1
+kind: EtcdCluster
+metadata:
+  name: etcd
+spec:
+  storage: {}
+  security:
+    tls:
+      peerTrustedCASecret: etcd-peer-ca-tls
+      peerSecret: etcd-peer-tls
+      serverSecret: etcd-server-tls
+      clientTrustedCASecret: etcd-ca-tls
+      clientSecret: etcd-client-tls
+  podTemplate:
+    spec:
+      topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: "kubernetes.io/hostname"
+        whenUnsatisfiable: ScheduleAnyway
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/instance: etcd
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: etcd-selfsigning-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-peer-ca
+spec:
+  isCA: true
+  usages:
+  - "signing"
+  - "key encipherment"
+  - "cert sign"
+  commonName: etcd-peer-ca
+  subject:
+    organizations:
+      - ACME Inc.
+    organizationalUnits:
+      - Widgets
+  secretName: etcd-peer-ca-tls
+  privateKey:
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: etcd-selfsigning-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-ca
+spec:
+  isCA: true
+  usages:
+  - "signing"
+  - "key encipherment"
+  - "cert sign"
+  commonName: etcd-ca
+  subject:
+    organizations:
+      - ACME Inc.
+    organizationalUnits:
+      - Widgets
+  secretName: etcd-ca-tls
+  privateKey:
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: etcd-selfsigning-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: etcd-peer-issuer
+spec:
+  ca:
+    secretName: etcd-peer-ca-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: etcd-issuer
+spec:
+  ca:
+    secretName: etcd-ca-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-server
+spec:
+  secretName: etcd-server-tls
+  isCA: false
+  usages:
+    - "server auth"
+    - "signing"
+    - "key encipherment"
+  dnsNames:
+  - etcd-0
+  - etcd-0.etcd-headless
+  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc
+  - etcd-1
+  - etcd-1.etcd-headless
+  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc
+  - etcd-2
+  - etcd-2.etcd-headless
+  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc
+  - localhost
+  - "127.0.0.1"
+  privateKey:
+    rotationPolicy: Always
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: etcd-issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-peer
+spec:
+  secretName: etcd-peer-tls
+  isCA: false
+  usages:
+    - "server auth"
+    - "client auth"
+    - "signing"
+    - "key encipherment"
+  dnsNames:
+  - etcd-0
+  - etcd-0.etcd-headless
+  - etcd-0.etcd-headless.{{ .Release.Namespace }}.svc
+  - etcd-1
+  - etcd-1.etcd-headless
+  - etcd-1.etcd-headless.{{ .Release.Namespace }}.svc
+  - etcd-2
+  - etcd-2.etcd-headless
+  - etcd-2.etcd-headless.{{ .Release.Namespace }}.svc
+  - localhost
+  - "127.0.0.1"
+  privateKey:
+    rotationPolicy: Always
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: etcd-peer-issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-client
+spec:
+  commonName: root
+  secretName: etcd-client-tls
+  usages:
+  - "signing"
+  - "key encipherment"
+  - "client auth"
+  privateKey:
+    rotationPolicy: Always
+    algorithm: RSA
+    size: 4096
+  issuerRef:
+    name: etcd-issuer
+    kind: Issuer

packages/extra/etcd/templates/kamaji-etcd.yaml

@@ -1,19 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: kamaji-etcd
-spec:
-  chart:
-    spec:
-      chart: cozy-kamaji-etcd
-      reconcileStrategy: Revision
-      sourceRef:
-        kind: HelmRepository
-        name: cozystack-system
-        namespace: cozy-system
-      version: '*'
-  interval: 1m0s
-  timeout: 5m0s
-  values:
-    kamaji-etcd:
-      fullnameOverride: etcd

packages/extra/versions_map

@@ -1,3 +1,4 @@
-etcd 1.0.0 HEAD
+etcd 1.0.0 f7eaab0
+etcd 2.0.0 HEAD
 ingress 1.0.0 HEAD
 monitoring 1.0.0 HEAD

packages/system/cilium/charts/cilium/Chart.yaml

@@ -122,7 +122,7 @@ annotations:
       description: |
         CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).
 apiVersion: v2
-appVersion: 1.14.9
+appVersion: 1.14.10
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg
@@ -138,4 +138,4 @@ kubeVersion: '>= 1.16.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.14.9
+version: 1.14.10

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.14.9](https://img.shields.io/badge/Version-1.14.9-informational?style=flat-square) ![AppVersion: 1.14.9](https://img.shields.io/badge/AppVersion-1.14.9-informational?style=flat-square)
+![Version: 1.14.10](https://img.shields.io/badge/Version-1.14.10-informational?style=flat-square) ![AppVersion: 1.14.10](https://img.shields.io/badge/AppVersion-1.14.10-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -131,7 +131,7 @@ contributors across the globe, there is almost always someone available to help.
 | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
 | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
 | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
-| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
+| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:5586de5019abc104637a9818a626956cd9b1e827327b958186ec412ae3d5dea6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.11","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
 | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
 | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
 | certgen.extraVolumes | list | `[]` | Additional certgen volumes. |
@@ -155,12 +155,12 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.9","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.10","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
 | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
-| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.9","useDigest":true}` | KVStoreMesh image. |
+| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:871ec4e3b07401d90b4433c7e2b7210b9b0c5f1a536caab3d0281a5faeea5070","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.10","useDigest":true}` | KVStoreMesh image. |
 | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
 | clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. |
@@ -312,7 +312,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -419,7 +419,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.9","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.10","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -511,7 +511,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.10","useDigest":true}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -596,7 +596,7 @@ contributors across the globe, there is almost always someone available to help.
 | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. |
 | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. |
 | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. |
-| nodeinit.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. |
+| nodeinit.image | object | `{"digest":"sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f","useDigest":true}` | node-init image. |
 | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. |
 | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. |
@@ -619,7 +619,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5","awsDigest":"sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec","azureDigest":"sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17","genericDigest":"sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.9","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14","awsDigest":"sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6","azureDigest":"sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4","genericDigest":"sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.10","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -666,7 +666,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.10","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml

@@ -61,7 +61,7 @@ spec:
         image: {{ include "cilium.image" .Values.envoy.image | quote }}
         imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
         command:
-        - /usr/bin/cilium-envoy
+        - /usr/bin/cilium-envoy-starter
         args:
         - '-c /var/run/cilium/envoy/bootstrap-config.json'
         - '--base-id 0'

packages/system/cilium/charts/cilium/values.yaml

@@ -143,10 +143,10 @@ rollOutCiliumPods: false
 image:
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.14.9"
+  tag: "v1.14.10"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301"
+  digest: "sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031"
   useDigest: true
 
 # -- Affinity for cilium-agent.
@@ -933,8 +933,8 @@ certgen:
   image:
     override: ~
     repository: "quay.io/cilium/certgen"
-    tag: "v0.1.9"
-    digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f"
+    tag: "v0.1.11"
+    digest: "sha256:5586de5019abc104637a9818a626956cd9b1e827327b958186ec412ae3d5dea6"
     useDigest: true
     pullPolicy: "IfNotPresent"
   # -- Seconds after which the completed job pod will be deleted
@@ -1109,9 +1109,9 @@ hubble:
     image:
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.14.9"
+      tag: "v1.14.10"
        # hubble-relay-digest
-      digest: "sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa"
+      digest: "sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0"
       useDigest: true
       pullPolicy: "IfNotPresent"
 
@@ -1853,9 +1853,9 @@ envoy:
   image:
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5"
+    tag: "v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f"
     pullPolicy: "IfNotPresent"
-    digest: "sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86"
+    digest: "sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc"
     useDigest: true
 
   # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -2269,15 +2269,15 @@ operator:
   image:
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.14.9"
+    tag: "v1.14.10"
     # operator-generic-digest
-    genericDigest: "sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712"
+    genericDigest: "sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909"
     # operator-azure-digest
-    azureDigest: "sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17"
+    azureDigest: "sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4"
     # operator-aws-digest
-    awsDigest: "sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec"
+    awsDigest: "sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6"
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5"
+    alibabacloudDigest: "sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14"
     useDigest: true
     pullPolicy: "IfNotPresent"
     suffix: ""
@@ -2468,6 +2468,8 @@ nodeinit:
     override: ~
     repository: "quay.io/cilium/startup-script"
     tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f"
+    digest: "sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2"
+    useDigest: true
     pullPolicy: "IfNotPresent"
 
   # -- The priority class to use for the nodeinit pod.
@@ -2554,9 +2556,9 @@ preflight:
   image:
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.14.9"
+    tag: "v1.14.10"
     # cilium-digest
-    digest: "sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301"
+    digest: "sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031"
     useDigest: true
     pullPolicy: "IfNotPresent"
 
@@ -2704,9 +2706,9 @@ clustermesh:
     image:
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.14.9"
+      tag: "v1.14.10"
       # clustermesh-apiserver-digest
-      digest: "sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3"
+      digest: "sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798"
       useDigest: true
       pullPolicy: "IfNotPresent"
 
@@ -2751,9 +2753,9 @@ clustermesh:
       image:
         override: ~
         repository: "quay.io/cilium/kvstoremesh"
-        tag: "v1.14.9"
+        tag: "v1.14.10"
         # kvstoremesh-digest
-        digest: "sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22"
+        digest: "sha256:871ec4e3b07401d90b4433c7e2b7210b9b0c5f1a536caab3d0281a5faeea5070"
         useDigest: true
         pullPolicy: "IfNotPresent"
 

packages/system/cilium/charts/cilium/values.yaml.tmpl

@@ -1854,9 +1854,9 @@ envoy:
   image:
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5"
+    tag: "v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f"
     pullPolicy: "${PULL_POLICY}"
-    digest: "sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86"
+    digest: "sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc"
     useDigest: true
 
   # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -2469,6 +2469,8 @@ nodeinit:
     override: ~
     repository: "${CILIUM_NODEINIT_REPO}"
     tag: "${CILIUM_NODEINIT_VERSION}"
+    digest: "${CILIUM_NODEINIT_DIGEST}"
+    useDigest: true
     pullPolicy: "${PULL_POLICY}"
 
   # -- The priority class to use for the nodeinit pod.

packages/system/dashboard/images/dashboard.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:ac9429d9bf66dd913a37fa9c22a6a2ccdc5d6bef50986bfef7868b5643ecaab2",
-  "containerimage.digest": "sha256:b551704d07e93f9837d36bb610ae5d10508325c31e9bd98a019452eed12ed96f"
+  "containerimage.config.digest": "sha256:78b413d1c9a4ecf3bec9383444b3e85c01d8b33bf903c6443bfa5bdfd8b5bc04",
+  "containerimage.digest": "sha256:ddfaadb33e33123f553a36a3ee5857a1bf53f312043f91d76ad24316591fd26e"
 }

packages/system/dashboard/images/dashboard.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/dashboard:latest
+ghcr.io/aenix-io/cozystack/dashboard:v0.4.0

packages/system/dashboard/images/kubeapps-apis.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:ab059b6397905b2a2084def06582e61b49c4a8a3374747e87b08c82621357420",
-  "containerimage.digest": "sha256:9c1093da42482f116b27407edcdf8b24122885e295cbb632e565213c66fc07c0"
+  "containerimage.config.digest": "sha256:273a8e7055816068b2975d8ac10f0f7d114cafef74057680ffc60414d4d8cf4c",
+  "containerimage.digest": "sha256:5e111f09ee9c34281e2ef02cb0d41700943f8c036014110765bb002831148547"
 }

packages/system/dashboard/images/kubeapps-apis.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubeapps-apis:latest
+ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.4.0

packages/system/etcd-operator/.helmignore

@@ -0,0 +1,3 @@
+images
+hack
+.gitkeep

packages/system/etcd-operator/Chart.yaml

@@ -0,0 +1,2 @@
+name: cozy-etcd-operator
+version: 0.4.0

packages/system/etcd-operator/Makefile

@@ -0,0 +1,8 @@
+NAME=etcd-operator
+NAMESPACE=cozy-${NAME}
+
+include ../../../scripts/package-system.mk
+
+update:
+	rm -rf charts
+	helm pull oci://ghcr.io/aenix-io/charts/etcd-operator --untar --untardir charts

packages/system/etcd-operator/charts/etcd-operator/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+appVersion: v0.2.0
+name: etcd-operator
+type: application
+version: 0.2.0

packages/system/etcd-operator/charts/etcd-operator/README.md

@@ -0,0 +1,63 @@
+# etcd-operator
+
+![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| etcdOperator.args[0] | string | `"--health-probe-bind-address=:8081"` |  |
+| etcdOperator.args[1] | string | `"--metrics-bind-address=127.0.0.1:8080"` |  |
+| etcdOperator.args[2] | string | `"--leader-elect"` |  |
+| etcdOperator.envVars | object | `{}` |  |
+| etcdOperator.image.pullPolicy | string | `"IfNotPresent"` |  |
+| etcdOperator.image.repository | string | `"ghcr.io/aenix-io/etcd-operator"` |  |
+| etcdOperator.image.tag | string | `""` |  |
+| etcdOperator.livenessProbe.httpGet.path | string | `"/healthz"` |  |
+| etcdOperator.livenessProbe.httpGet.port | int | `8081` |  |
+| etcdOperator.livenessProbe.initialDelaySeconds | int | `15` |  |
+| etcdOperator.livenessProbe.periodSeconds | int | `20` |  |
+| etcdOperator.readinessProbe.httpGet.path | string | `"/readyz"` |  |
+| etcdOperator.readinessProbe.httpGet.port | int | `8081` |  |
+| etcdOperator.readinessProbe.initialDelaySeconds | int | `5` |  |
+| etcdOperator.readinessProbe.periodSeconds | int | `10` |  |
+| etcdOperator.resources.limits.cpu | string | `"500m"` |  |
+| etcdOperator.resources.limits.memory | string | `"128Mi"` |  |
+| etcdOperator.resources.requests.cpu | string | `"100m"` |  |
+| etcdOperator.resources.requests.memory | string | `"64Mi"` |  |
+| etcdOperator.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| etcdOperator.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| etcdOperator.service.port | int | `9443` |  |
+| etcdOperator.service.type | string | `"ClusterIP"` |  |
+| fullnameOverride | string | `""` |  |
+| imagePullSecrets | list | `[]` |  |
+| kubeRbacProxy.args[0] | string | `"--secure-listen-address=0.0.0.0:8443"` |  |
+| kubeRbacProxy.args[1] | string | `"--upstream=http://127.0.0.1:8080/"` |  |
+| kubeRbacProxy.args[2] | string | `"--logtostderr=true"` |  |
+| kubeRbacProxy.args[3] | string | `"--v=0"` |  |
+| kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` |  |
+| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` |  |
+| kubeRbacProxy.image.tag | string | `"v0.16.0"` |  |
+| kubeRbacProxy.livenessProbe | object | `{}` |  |
+| kubeRbacProxy.readinessProbe | object | `{}` |  |
+| kubeRbacProxy.resources.limits.cpu | string | `"500m"` |  |
+| kubeRbacProxy.resources.limits.memory | string | `"128Mi"` |  |
+| kubeRbacProxy.resources.requests.cpu | string | `"100m"` |  |
+| kubeRbacProxy.resources.requests.memory | string | `"64Mi"` |  |
+| kubeRbacProxy.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| kubeRbacProxy.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| kubeRbacProxy.service.port | int | `8443` |  |
+| kubeRbacProxy.service.type | string | `"ClusterIP"` |  |
+| kubernetesClusterDomain | string | `"cluster.local"` |  |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` |  |
+| podLabels | object | `{}` |  |
+| podSecurityContext | object | `{}` |  |
+| replicaCount | int | `1` |  |
+| securityContext.runAsNonRoot | bool | `true` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` |  |
+| tolerations | list | `[]` |  |
+

packages/system/etcd-operator/charts/etcd-operator/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "proxmox-csi-plugin.name" -}}
+{{- define "etcd-operator.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "proxmox-csi-plugin.fullname" -}}
+{{- define "etcd-operator.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,17 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "proxmox-csi-plugin.chart" -}}
+{{- define "etcd-operator.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "proxmox-csi-plugin.labels" -}}
-helm.sh/chart: {{ include "proxmox-csi-plugin.chart" . }}
-app.kubernetes.io/name: {{ include "proxmox-csi-plugin.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
+{{- define "etcd-operator.labels" -}}
+helm.sh/chart: {{ include "etcd-operator.chart" . }}
+{{ include "etcd-operator.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -46,26 +45,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "proxmox-csi-plugin.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "proxmox-csi-plugin.name" . }}
+{{- define "etcd-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "etcd-operator.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/component: controller
-{{- end }}
-
-{{- define "proxmox-csi-plugin-node.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "proxmox-csi-plugin.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/component: node
-{{- end }}
-
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "proxmox-csi-plugin.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "proxmox-csi-plugin.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
 {{- end }}

packages/system/etcd-operator/charts/etcd-operator/templates/cert-manager/certificate.yml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-serving-cert
+spec:
+  dnsNames:
+    - {{ include "etcd-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
+    - {{ include "etcd-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}
+  issuerRef:
+    kind: Issuer
+    name: {{ include "etcd-operator.fullname" . }}-selfsigned-issuer
+  secretName: webhook-server-cert

packages/system/etcd-operator/charts/etcd-operator/templates/cert-manager/issuer.yml

@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-selfsigned-issuer
+spec:
+  selfSigned: {}

packages/system/etcd-operator/charts/etcd-operator/templates/cert-manager/mutatingwebhookconfiguration.yml

@@ -0,0 +1,29 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "etcd-operator.fullname" . }}-serving-cert
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-mutating-webhook-configuration
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: {{ include "etcd-operator.fullname" . }}-webhook-service
+        namespace: {{ .Release.Namespace }}
+        path: /mutate-etcd-aenix-io-v1alpha1-etcdcluster
+    failurePolicy: Fail
+    name: metcdcluster.kb.io
+    rules:
+      - apiGroups:
+          - etcd.aenix.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - etcdclusters
+    sideEffects: None

packages/system/etcd-operator/charts/etcd-operator/templates/cert-manager/validatingwebhookconfiguration.yml

@@ -0,0 +1,29 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "etcd-operator.fullname" . }}-serving-cert
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-validating-webhook-configuration
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: {{ include "etcd-operator.fullname" . }}-webhook-service
+        namespace: {{ .Release.Namespace }}
+        path: /validate-etcd-aenix-io-v1alpha1-etcdcluster
+    failurePolicy: Fail
+    name: vetcdcluster.kb.io
+    rules:
+      - apiGroups:
+          - etcd.aenix.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - etcdclusters
+    sideEffects: None

packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml

@@ -0,0 +1,81 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-manager-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - etcd.aenix.io
+    resources:
+      - etcdclusters
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - etcd.aenix.io
+    resources:
+      - etcdclusters/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - etcd.aenix.io
+    resources:
+      - etcdclusters/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+    - policy
+    resources:
+    - poddisruptionbudgets
+    verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch

packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-metrics-reader.yml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-metrics-reader
+rules:
+  - nonResourceURLs:
+      - /metrics
+    verbs:
+      - get

packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-proxy-role.yml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-proxy-role
+rules:
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create

packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrolebinding-manager-rolebinding.yml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "etcd-operator.fullname" . }}-manager-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "etcd-operator.fullname" . }}-controller-manager
+    namespace: {{ .Release.Namespace }}

packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrolebinding-proxy-rolebinding.yml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "etcd-operator.fullname" . }}-proxy-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "etcd-operator.fullname" . }}-controller-manager
+    namespace: {{ .Release.Namespace }}

packages/system/etcd-operator/charts/etcd-operator/templates/rbac/role-leader-election-role.yml

@@ -0,0 +1,38 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-leader-election-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch

packages/system/etcd-operator/charts/etcd-operator/templates/rbac/rolebinding-leader-election-rolebinding.yml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "etcd-operator.fullname" . }}-leader-election-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "etcd-operator.fullname" . }}-controller-manager
+    namespace: {{ .Release.Namespace }}

packages/system/etcd-operator/charts/etcd-operator/templates/workload/configmap-env.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.etcdOperator.envVars }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "etcd-operator.labels" . }}-env
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+data:
+  {{- range $k, $v := .Values.etcdOperator.envVars }}
+    {{- if typeOf $v | eq "string" }}
+      {{- print (tpl $k $) ": " (tpl $v $ | quote) | nindent 2 }}
+    {{- else }}
+      {{- print (tpl $k $) ": " ($v | quote) | nindent 2 }}
+    {{- end }}
+  {{- end }}
+{{- end }}

packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml

@@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "etcd-operator.fullname" . }}-controller-manager
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "etcd-operator.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "etcd-operator.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: etcd-operator
+          image: {{ .Values.etcdOperator.image.repository }}:{{ .Values.etcdOperator.image.tag | default .Chart.AppVersion }}
+          imagePullPolicy: {{ .Values.etcdOperator.image.pullPolicy }}
+          {{- with .Values.etcdOperator.args }}
+          args:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          ports:
+            - containerPort: {{ .Values.etcdOperator.service.port }}
+              name: webhook-server
+              protocol: TCP
+          {{- with .Values.etcdOperator.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.etcdOperator.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.etcdOperator.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.etcdOperator.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.etcdOperator.envVars }}
+          envFrom:
+            - configMapRef:
+                name: {{ include "etcd-operator.fullname" . }}-env
+          {{- end }}
+          volumeMounts:
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: cert
+              readOnly: true
+        - name: kube-rbac-proxy
+          image: {{ .Values.kubeRbacProxy.image.repository }}:{{ .Values.kubeRbacProxy.image.tag }}
+          imagePullPolicy: {{ .Values.kubeRbacProxy.image.pullPolicy }}
+          {{- with .Values.kubeRbacProxy.args }}
+          args:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          ports:
+            - containerPort: {{ .Values.kubeRbacProxy.service.port }}
+              name: https
+              protocol: TCP
+          {{- with .Values.kubeRbacProxy.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.kubeRbacProxy.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.kubeRbacProxy.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.kubeRbacProxy.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "etcd-operator.fullname" . }}-controller-manager
+      terminationGracePeriodSeconds: 10
+      volumes:
+        - name: cert
+          secret:
+            defaultMode: 420
+            secretName: webhook-server-cert
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

packages/system/etcd-operator/charts/etcd-operator/templates/workload/service-controller-manager-metrics-service.yml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "etcd-operator.fullname" . }}-controller-manager-metrics-service
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.kubeRbacProxy.service.type }}
+  ports:
+    - name: https
+      port: {{ .Values.kubeRbacProxy.service.port }}
+      protocol: TCP
+      targetPort: https
+  selector:
+    {{- include "etcd-operator.selectorLabels" . | nindent 4 }}

packages/system/etcd-operator/charts/etcd-operator/templates/workload/service-webhook-service.yml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+  name: {{ include "etcd-operator.fullname" . }}-webhook-service
+spec:
+  type: {{ .Values.etcdOperator.service.type }}
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: {{ .Values.etcdOperator.service.port }}
+  selector:
+    {{- include "etcd-operator.selectorLabels" . | nindent 4 }}

packages/system/etcd-operator/charts/etcd-operator/templates/workload/serviceaccount.yml

@@ -2,12 +2,11 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "proxmox-cloud-controller-manager.serviceAccountName" . }}
+  name: {{ include "etcd-operator.fullname" . }}-controller-manager
   labels:
-    {{- include "proxmox-cloud-controller-manager.labels" . | nindent 4 }}
+    {{- include "etcd-operator.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  namespace: {{ .Release.Namespace }}
 {{- end }}

packages/system/etcd-operator/charts/etcd-operator/values.schema.json

@@ -0,0 +1,284 @@
+{
+    "$schema": "https://json-schema.org/draft/2020-12/schema",
+    "properties": {
+        "affinity": {
+            "properties": {},
+            "type": "object"
+        },
+        "etcdOperator": {
+            "properties": {
+                "args": {
+                    "items": {
+                        "type": "string"
+                    },
+                    "type": "array"
+                },
+                "envVars": {
+                    "properties": {},
+                    "type": "object"
+                },
+                "image": {
+                    "properties": {
+                        "pullPolicy": {
+                            "type": "string"
+                        },
+                        "repository": {
+                            "type": "string"
+                        },
+                        "tag": {
+                            "type": "string"
+                        }
+                    },
+                    "type": "object"
+                },
+                "livenessProbe": {
+                    "properties": {
+                        "httpGet": {
+                            "properties": {
+                                "path": {
+                                    "type": "string"
+                                },
+                                "port": {
+                                    "type": "integer"
+                                }
+                            },
+                            "type": "object"
+                        },
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        },
+                        "periodSeconds": {
+                            "type": "integer"
+                        }
+                    },
+                    "type": "object"
+                },
+                "readinessProbe": {
+                    "properties": {
+                        "httpGet": {
+                            "properties": {
+                                "path": {
+                                    "type": "string"
+                                },
+                                "port": {
+                                    "type": "integer"
+                                }
+                            },
+                            "type": "object"
+                        },
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        },
+                        "periodSeconds": {
+                            "type": "integer"
+                        }
+                    },
+                    "type": "object"
+                },
+                "resources": {
+                    "properties": {
+                        "limits": {
+                            "properties": {
+                                "cpu": {
+                                    "type": "string"
+                                },
+                                "memory": {
+                                    "type": "string"
+                                }
+                            },
+                            "type": "object"
+                        },
+                        "requests": {
+                            "properties": {
+                                "cpu": {
+                                    "type": "string"
+                                },
+                                "memory": {
+                                    "type": "string"
+                                }
+                            },
+                            "type": "object"
+                        }
+                    },
+                    "type": "object"
+                },
+                "securityContext": {
+                    "properties": {
+                        "allowPrivilegeEscalation": {
+                            "type": "boolean"
+                        },
+                        "capabilities": {
+                            "properties": {
+                                "drop": {
+                                    "items": {
+                                        "type": "string"
+                                    },
+                                    "type": "array"
+                                }
+                            },
+                            "type": "object"
+                        }
+                    },
+                    "type": "object"
+                },
+                "service": {
+                    "properties": {
+                        "port": {
+                            "type": "integer"
+                        },
+                        "type": {
+                            "type": "string"
+                        }
+                    },
+                    "type": "object"
+                }
+            },
+            "type": "object"
+        },
+        "fullnameOverride": {
+            "type": "string"
+        },
+        "imagePullSecrets": {
+            "type": "array"
+        },
+        "kubeRbacProxy": {
+            "properties": {
+                "args": {
+                    "items": {
+                        "type": "string"
+                    },
+                    "type": "array"
+                },
+                "image": {
+                    "properties": {
+                        "pullPolicy": {
+                            "type": "string"
+                        },
+                        "repository": {
+                            "type": "string"
+                        },
+                        "tag": {
+                            "type": "string"
+                        }
+                    },
+                    "type": "object"
+                },
+                "livenessProbe": {
+                    "properties": {},
+                    "type": "object"
+                },
+                "readinessProbe": {
+                    "properties": {},
+                    "type": "object"
+                },
+                "resources": {
+                    "properties": {
+                        "limits": {
+                            "properties": {
+                                "cpu": {
+                                    "type": "string"
+                                },
+                                "memory": {
+                                    "type": "string"
+                                }
+                            },
+                            "type": "object"
+                        },
+                        "requests": {
+                            "properties": {
+                                "cpu": {
+                                    "type": "string"
+                                },
+                                "memory": {
+                                    "type": "string"
+                                }
+                            },
+                            "type": "object"
+                        }
+                    },
+                    "type": "object"
+                },
+                "securityContext": {
+                    "properties": {
+                        "allowPrivilegeEscalation": {
+                            "type": "boolean"
+                        },
+                        "capabilities": {
+                            "properties": {
+                                "drop": {
+                                    "items": {
+                                        "type": "string"
+                                    },
+                                    "type": "array"
+                                }
+                            },
+                            "type": "object"
+                        }
+                    },
+                    "type": "object"
+                },
+                "service": {
+                    "properties": {
+                        "port": {
+                            "type": "integer"
+                        },
+                        "type": {
+                            "type": "string"
+                        }
+                    },
+                    "type": "object"
+                }
+            },
+            "type": "object"
+        },
+        "kubernetesClusterDomain": {
+            "type": "string"
+        },
+        "nameOverride": {
+            "type": "string"
+        },
+        "nodeSelector": {
+            "properties": {},
+            "type": "object"
+        },
+        "podAnnotations": {
+            "properties": {},
+            "type": "object"
+        },
+        "podLabels": {
+            "properties": {},
+            "type": "object"
+        },
+        "podSecurityContext": {
+            "properties": {},
+            "type": "object"
+        },
+        "replicaCount": {
+            "type": "integer"
+        },
+        "securityContext": {
+            "properties": {
+                "runAsNonRoot": {
+                    "type": "boolean"
+                }
+            },
+            "type": "object"
+        },
+        "serviceAccount": {
+            "properties": {
+                "annotations": {
+                    "properties": {},
+                    "type": "object"
+                },
+                "create": {
+                    "type": "boolean"
+                }
+            },
+            "type": "object"
+        },
+        "tolerations": {
+            "type": "array"
+        }
+    },
+    "type": "object"
+}

packages/system/etcd-operator/charts/etcd-operator/values.yaml

@@ -0,0 +1,98 @@
+etcdOperator:
+  image:
+    repository: ghcr.io/aenix-io/etcd-operator
+    pullPolicy: IfNotPresent
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: ""
+  args:
+    - --health-probe-bind-address=:8081
+    - --metrics-bind-address=127.0.0.1:8080
+    - --leader-elect
+  service:
+    type: ClusterIP
+    port: 9443
+  envVars: {}
+  livenessProbe:
+    httpGet:
+      path: /healthz
+      port: 8081
+    initialDelaySeconds: 15
+    periodSeconds: 20
+  readinessProbe:
+    httpGet:
+      path: /readyz
+      port: 8081
+    initialDelaySeconds: 5
+    periodSeconds: 10
+  resources:
+    limits:
+      cpu: 500m
+      memory: 128Mi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+
+kubeRbacProxy:
+  image:
+    repository: gcr.io/kubebuilder/kube-rbac-proxy
+    pullPolicy: IfNotPresent
+    tag: v0.16.0
+  args:
+    - --secure-listen-address=0.0.0.0:8443
+    - --upstream=http://127.0.0.1:8080/
+    - --logtostderr=true
+    - --v=0
+  service:
+    type: ClusterIP
+    port: 8443
+  livenessProbe: {}
+  readinessProbe: {}
+  resources:
+    limits:
+      cpu: 500m
+      memory: 128Mi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+
+kubernetesClusterDomain: cluster.local
+
+replicaCount: 1
+
+imagePullSecrets: []
+
+nameOverride: ""
+
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+
+podAnnotations: {}
+
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext:
+  runAsNonRoot: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

packages/system/proxmox-csi/Chart.yaml

@@ -1,2 +0,0 @@
-name: app
-version: 0.0.0

packages/system/proxmox-csi/Makefile

@@ -1,13 +0,0 @@
-include ../../hack/app-helm.mk
-
-update:
-	rm -rf charts
-	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/sergelogvinov/proxmox-cloud-controller-manager | awk -F'[/^]' 'END{print $$3}') && \
-	curl -sSL https://github.com/sergelogvinov/proxmox-cloud-controller-manager/archive/refs/tags/$${tag}.tar.gz | \
-	tar xzvf - --strip 1 proxmox-cloud-controller-manager-$${tag#*v}/charts
-	sed -i 's/^  namespace: .*/  namespace: kube-system/' charts/proxmox-cloud-controller-manager/templates/rolebinding.yaml
-	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/sergelogvinov/proxmox-csi-plugin | awk -F'[/^]' 'END{print $$3}') && \
-	curl -sSL https://github.com/sergelogvinov/proxmox-csi-plugin/archive/refs/tags/$${tag}.tar.gz | \
-	tar xzvf - --strip 1 proxmox-csi-plugin-$${tag#*v}/charts
-	rm -f charts/proxmox-csi-plugin/templates/namespace.yaml
-	patch -p 3 < patches/namespace.patch

packages/system/proxmox-csi/README.md

@@ -1,6 +0,0 @@
-# Proxmox CSI Plugin
-
-Plugin that provides CSI interface for Proxmox
-
-- GitHub: https://github.com/sergelogvinov/proxmox-csi-plugin
-- Telegram: https://t.me/ru_talos

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/Chart.yaml

@@ -1,24 +0,0 @@
-apiVersion: v2
-name: proxmox-cloud-controller-manager
-description: A Helm chart for Kubernetes
-type: application
-home: https://github.com/sergelogvinov/proxmox-cloud-controller-manager
-icon: https://proxmox.com/templates/yoo_nano2/favicon.ico
-sources:
-- https://github.com/sergelogvinov/proxmox-cloud-controller-manager
-keywords:
-- ccm
-maintainers:
-- name: sergelogvinov
-  url: https://github.com/sergelogvinov
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.6
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: v0.2.0

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/README.md

@@ -1,81 +0,0 @@
-# proxmox-cloud-controller-manager
-
-![Version: 0.1.6](https://img.shields.io/badge/Version-0.1.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.2.0](https://img.shields.io/badge/AppVersion-v0.2.0-informational?style=flat-square)
-
-A Helm chart for Kubernetes
-
-**Homepage:** <https://github.com/sergelogvinov/proxmox-cloud-controller-manager>
-
-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| sergelogvinov |  | <https://github.com/sergelogvinov> |
-
-## Source Code
-
-* <https://github.com/sergelogvinov/proxmox-cloud-controller-manager>
-
-Example:
-
-```yaml
-# proxmox-ccm.yaml
-
-config:
-  clusters:
-    - url: https://cluster-api-1.exmple.com:8006/api2/json
-      insecure: false
-      token_id: "kubernetes@pve!csi"
-      token_secret: "key"
-      region: cluster-1
-
-enabledControllers:
-  # Remove `cloud-node` if you use it with Talos CCM
-  - cloud-node
-  - cloud-node-lifecycle
-
-# Deploy CCM only on control-plane nodes
-nodeSelector:
-  node-role.kubernetes.io/control-plane: ""
-tolerations:
-  - key: node-role.kubernetes.io/control-plane
-    effect: NoSchedule
-```
-
-Deploy chart:
-
-```shell
-helm upgrade -i --namespace=kube-system -f proxmox-ccm.yaml \
-		proxmox-cloud-controller-manager charts/proxmox-cloud-controller-manager
-```
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| replicaCount | int | `1` |  |
-| image.repository | string | `"ghcr.io/sergelogvinov/proxmox-cloud-controller-manager"` | Proxmox CCM image. |
-| image.pullPolicy | string | `"IfNotPresent"` | Always or IfNotPresent |
-| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
-| imagePullSecrets | list | `[]` |  |
-| nameOverride | string | `""` |  |
-| fullnameOverride | string | `""` |  |
-| extraArgs | list | `[]` | Any extra arguments for talos-cloud-controller-manager |
-| enabledControllers | list | `["cloud-node","cloud-node-lifecycle"]` | List of controllers should be enabled. Use '*' to enable all controllers. Support only `cloud-node,cloud-node-lifecycle` controllers. |
-| logVerbosityLevel | int | `2` | Log verbosity level. See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md for description of individual verbosity levels. |
-| existingConfigSecret | string | `nil` | Proxmox cluster config stored in secrets. |
-| existingConfigSecretKey | string | `"config.yaml"` | Proxmox cluster config stored in secrets key. |
-| config | object | `{"clusters":[]}` | Proxmox cluster config. |
-| serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Pods Service Account. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ |
-| priorityClassName | string | `"system-cluster-critical"` | CCM pods' priorityClassName. |
-| podAnnotations | object | `{}` | Annotations for data pods. ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
-| podSecurityContext | object | `{"fsGroup":10258,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":10258,"runAsNonRoot":true,"runAsUser":10258}` | Pods Security Context. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
-| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"seccompProfile":{"type":"RuntimeDefault"}}` | Container Security Context. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
-| resources | object | `{"requests":{"cpu":"10m","memory":"32Mi"}}` | Resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
-| updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | Deployment update stategy type. ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment |
-| nodeSelector | object | `{}` | Node labels for data pods assignment. ref: https://kubernetes.io/docs/user-guide/node-selection/ |
-| tolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Exists"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","operator":"Exists"}]` | Tolerations for data pods assignment. ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
-| affinity | object | `{}` | Affinity for data pods assignment. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
-
-----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.2](https://github.com/norwoodj/helm-docs/releases/v1.11.2)

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/README.md.gotmpl

@@ -1,52 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.deprecationWarning" . }}
-
-{{ template "chart.badgesSection" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.homepageLine" . }}
-
-{{ template "chart.maintainersSection" . }}
-
-{{ template "chart.sourcesSection" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-Example:
-
-```yaml
-# proxmox-ccm.yaml
-
-config:
-  clusters:
-    - url: https://cluster-api-1.exmple.com:8006/api2/json
-      insecure: false
-      token_id: "kubernetes@pve!csi"
-      token_secret: "key"
-      region: cluster-1
-
-enabledControllers:
-  # Remove `cloud-node` if you use it with Talos CCM
-  - cloud-node
-  - cloud-node-lifecycle
-
-# Deploy CCM only on control-plane nodes
-nodeSelector:
-  node-role.kubernetes.io/control-plane: ""
-tolerations:
-  - key: node-role.kubernetes.io/control-plane
-    effect: NoSchedule
-```
-
-Deploy chart:
-
-```shell
-helm upgrade -i --namespace=kube-system -f proxmox-ccm.yaml \
-		proxmox-cloud-controller-manager charts/proxmox-cloud-controller-manager
-```
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/ci/values.yaml

@@ -1,27 +0,0 @@
-
-image:
-  repository: ghcr.io/sergelogvinov/proxmox-cloud-controller-manager
-  pullPolicy: Always
-  tag: edge
-
-nodeSelector:
-  node-role.kubernetes.io/control-plane: ""
-
-logVerbosityLevel: 4
-
-enabledControllers:
-  - cloud-node
-  - cloud-node-lifecycle
-
-config:
-  clusters:
-    - url: https://cluster-api-1.exmple.com:8006/api2/json
-      insecure: false
-      token_id: "user!token-id"
-      token_secret: "secret"
-      region: cluster-1
-    - url: https://cluster-api-2.exmple.com:8006/api2/json
-      insecure: false
-      token_id: "user!token-id"
-      token_secret: "secret"
-      region: cluster-2

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/templates/_helpers.tpl

@@ -1,69 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "proxmox-cloud-controller-manager.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "proxmox-cloud-controller-manager.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "proxmox-cloud-controller-manager.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "proxmox-cloud-controller-manager.labels" -}}
-helm.sh/chart: {{ include "proxmox-cloud-controller-manager.chart" . }}
-{{ include "proxmox-cloud-controller-manager.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "proxmox-cloud-controller-manager.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "proxmox-cloud-controller-manager.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "proxmox-cloud-controller-manager.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "proxmox-cloud-controller-manager.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{/*
-Generate string of enabled controllers. Might have a trailing comma (,) which needs to be trimmed.
-*/}}
-{{- define "proxmox-cloud-controller-manager.enabledControllers" }}
-{{- range .Values.enabledControllers -}}{{ . }},{{- end -}}
-{{- end }}

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/templates/deployment.yaml

@@ -1,102 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "proxmox-cloud-controller-manager.fullname" . }}
-  labels:
-    {{- include "proxmox-cloud-controller-manager.labels" . | nindent 4 }}
-  namespace: {{ .Release.Namespace }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  strategy:
-    type: {{ .Values.updateStrategy.type }}
-  selector:
-    matchLabels:
-      {{- include "proxmox-cloud-controller-manager.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      annotations:
-      {{- if .Values.config }}
-        checksum/config: {{ toJson .Values.config | sha256sum }}
-      {{- end }}
-      {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "proxmox-cloud-controller-manager.selectorLabels" . | nindent 8 }}
-    spec:
-      enableServiceLinks: false
-      {{- if .Values.priorityClassName }}
-      priorityClassName: {{ .Values.priorityClassName }}
-      {{- end }}
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "proxmox-cloud-controller-manager.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          args:
-            - --v={{ .Values.logVerbosityLevel }}
-            - --cloud-provider=proxmox
-            - --cloud-config=/etc/proxmox/config.yaml
-            - --controllers={{- trimAll "," (include "proxmox-cloud-controller-manager.enabledControllers" . ) }}
-            - --leader-elect-resource-name=cloud-controller-manager-proxmox
-            - --use-service-account-credentials
-            - --secure-port=10258
-          {{- with .Values.extraArgs }}
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 10258
-              scheme: HTTPS
-            initialDelaySeconds: 20
-            periodSeconds: 30
-            timeoutSeconds: 5
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-          volumeMounts:
-            - name: cloud-config
-              mountPath: /etc/proxmox
-              readOnly: true
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      topologySpreadConstraints:
-        - maxSkew: 1
-          topologyKey: kubernetes.io/hostname
-          whenUnsatisfiable: DoNotSchedule
-          labelSelector:
-            matchLabels:
-              {{- include "proxmox-cloud-controller-manager.selectorLabels" . | nindent 14 }}
-      volumes:
-        {{- if .Values.existingConfigSecret }}
-        - name: cloud-config
-          secret:
-            secretName: {{ .Values.existingConfigSecret }}
-            items:
-              - key: {{ .Values.existingConfigSecretKey }}
-                path: config.yaml
-            defaultMode: 416
-        {{- else }}
-        - name: cloud-config
-          secret:
-            secretName: {{ include "proxmox-cloud-controller-manager.fullname" . }}
-            defaultMode: 416
-        {{- end }}

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/templates/role.yaml

@@ -1,53 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: system:{{ include "proxmox-cloud-controller-manager.fullname" . }}
-  labels:
-    {{- include "proxmox-cloud-controller-manager.labels" . | nindent 4 }}
-rules:
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - get
-  - create
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - nodes/status
-  verbs:
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - create
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts/token
-  verbs:
-  - create

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/templates/rolebinding.yaml

@@ -1,26 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: system:{{ include "proxmox-cloud-controller-manager.fullname" . }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:{{ include "proxmox-cloud-controller-manager.fullname" . }}
-subjects:
-- kind: ServiceAccount
-  name: {{ include "proxmox-cloud-controller-manager.fullname" . }}
-  namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: system:{{ include "proxmox-cloud-controller-manager.fullname" . }}:extension-apiserver-authentication-reader
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: extension-apiserver-authentication-reader
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "proxmox-cloud-controller-manager.fullname" . }}
-    namespace: {{ .Release.Namespace }}

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/templates/secrets.yaml

@@ -1,11 +0,0 @@
-{{- if ne (len .Values.config.clusters) 0 }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "proxmox-cloud-controller-manager.fullname" . }}
-  labels:
-    {{- include "proxmox-cloud-controller-manager.labels" . | nindent 4 }}
-  namespace: {{ .Release.Namespace }}
-data:
-  config.yaml: {{ toYaml .Values.config | b64enc | quote }}
-{{- end }}

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/values.edge.yaml

@@ -1,13 +0,0 @@
-
-image:
-  pullPolicy: Always
-  tag: edge
-
-nodeSelector:
-  node-role.kubernetes.io/control-plane: ""
-
-logVerbosityLevel: 4
-
-enabledControllers:
-  - cloud-node
-  - cloud-node-lifecycle

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/values.talos.yaml

@@ -1,8 +0,0 @@
-
-nodeSelector:
-  node-role.kubernetes.io/control-plane: ""
-
-logVerbosityLevel: 4
-
-enabledControllers:
-  - cloud-node-lifecycle

packages/system/proxmox-csi/charts/proxmox-cloud-controller-manager/values.yaml

@@ -1,125 +0,0 @@
-# Default values for proxmox-cloud-controller-manager.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
-  # -- Proxmox CCM image.
-  repository: ghcr.io/sergelogvinov/proxmox-cloud-controller-manager
-  # -- Always or IfNotPresent
-  pullPolicy: IfNotPresent
-  # -- Overrides the image tag whose default is the chart appVersion.
-  tag: ""
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-# -- Any extra arguments for talos-cloud-controller-manager
-extraArgs: []
-  # - --cluster-name=kubernetes
-
-# -- List of controllers should be enabled.
-# Use '*' to enable all controllers.
-# Support only `cloud-node,cloud-node-lifecycle` controllers.
-enabledControllers:
-  - cloud-node
-  - cloud-node-lifecycle
-  # - route
-  # - service
-
-# -- Log verbosity level. See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md
-# for description of individual verbosity levels.
-logVerbosityLevel: 2
-
-# -- Proxmox cluster config stored in secrets.
-existingConfigSecret: ~
-# -- Proxmox cluster config stored in secrets key.
-existingConfigSecretKey: config.yaml
-
-# -- Proxmox cluster config.
-config:
-  clusters: []
-  #   - url: https://cluster-api-1.exmple.com:8006/api2/json
-  #     insecure: false
-  #     token_id: "login!name"
-  #     token_secret: "secret"
-  #     region: cluster-1
-
-# -- Pods Service Account.
-# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
-# -- CCM pods' priorityClassName.
-priorityClassName: system-cluster-critical
-
-# -- Annotations for data pods.
-# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-podAnnotations: {}
-
-# -- Pods Security Context.
-# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
-podSecurityContext:
-  runAsNonRoot: true
-  runAsUser: 10258
-  runAsGroup: 10258
-  fsGroup: 10258
-  fsGroupChangePolicy: "OnRootMismatch"
-
-# -- Container Security Context.
-# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-    - ALL
-  seccompProfile:
-    type: RuntimeDefault
-
-# -- Resource requests and limits.
-# ref: https://kubernetes.io/docs/user-guide/compute-resources/
-resources:
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  requests:
-    cpu: 10m
-    memory: 32Mi
-
-# -- Deployment update stategy type.
-# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment
-updateStrategy:
-  type: RollingUpdate
-  rollingUpdate:
-    maxUnavailable: 1
-
-# -- Node labels for data pods assignment.
-# ref: https://kubernetes.io/docs/user-guide/node-selection/
-nodeSelector: {}
-  # node-role.kubernetes.io/control-plane: ""
-
-# -- Tolerations for data pods assignment.
-# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-tolerations:
-  - effect: NoSchedule
-    key: node-role.kubernetes.io/control-plane
-    operator: Exists
-  - effect: NoSchedule
-    key: node.cloudprovider.kubernetes.io/uninitialized
-    operator: Exists
-
-# -- Affinity for data pods assignment.
-# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-affinity: {}

packages/system/proxmox-csi/charts/proxmox-csi-plugin/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

packages/system/proxmox-csi/charts/proxmox-csi-plugin/Chart.yaml

@@ -1,26 +0,0 @@
-apiVersion: v2
-name: proxmox-csi-plugin
-description: A CSI plugin for Proxmox
-type: application
-home: https://github.com/sergelogvinov/proxmox-csi-plugin
-icon: https://proxmox.com/templates/yoo_nano2/favicon.ico
-sources:
-- https://github.com/sergelogvinov/proxmox-csi-plugin
-keywords:
-- storage
-- block-storage
-- volume
-maintainers:
-- name: sergelogvinov
-  url: https://github.com/sergelogvinov
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.6
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: v0.3.0

packages/system/proxmox-csi/charts/proxmox-csi-plugin/README.md

@@ -1,116 +0,0 @@
-# proxmox-csi-plugin
-
-![Version: 0.1.6](https://img.shields.io/badge/Version-0.1.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.3.0](https://img.shields.io/badge/AppVersion-v0.3.0-informational?style=flat-square)
-
-A CSI plugin for Proxmox
-
-**Homepage:** <https://github.com/sergelogvinov/proxmox-csi-plugin>
-
-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| sergelogvinov |  | <https://github.com/sergelogvinov> |
-
-## Source Code
-
-* <https://github.com/sergelogvinov/proxmox-csi-plugin>
-
-Example:
-
-```yaml
-# proxmox-csi.yaml
-
-config:
-  clusters:
-    - url: https://cluster-api-1.exmple.com:8006/api2/json
-      insecure: false
-      token_id: "kubernetes-csi@pve!csi"
-      token_secret: "key"
-      region: cluster-1
-
-# Deploy Node CSI driver only on proxmox nodes
-node:
-  nodeSelector:
-    # It will work only with Talos CCM, remove it overwise
-    node.cloudprovider.kubernetes.io/platform: nocloud
-  tolerations:
-    - operator: Exists
-
-# Deploy CSI controller only on control-plane nodes
-nodeSelector:
-  node-role.kubernetes.io/control-plane: ""
-tolerations:
-  - key: node-role.kubernetes.io/control-plane
-    effect: NoSchedule
-
-# Define storage classes
-# See https://pve.proxmox.com/wiki/Storage
-storageClass:
-  - name: proxmox-data-xfs
-    storage: data
-    reclaimPolicy: Delete
-    fstype: xfs
-  - name: proxmox-data
-    storage: data
-    reclaimPolicy: Delete
-    fstype: ext4
-    cache: writethrough
-```
-
-Deploy chart:
-
-```shell
-helm upgrade -i --namespace=csi-proxmox -f proxmox-csi.yaml \
-		proxmox-csi-plugin charts/proxmox-csi-plugin/
-```
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| replicaCount | int | `1` |  |
-| imagePullSecrets | list | `[]` |  |
-| nameOverride | string | `""` |  |
-| fullnameOverride | string | `""` |  |
-| priorityClassName | string | `"system-cluster-critical"` | Controller pods priorityClassName. |
-| serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Pods Service Account. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ |
-| provisionerName | string | `"csi.proxmox.sinextra.dev"` | CSI Driver provisioner name. Currently, cannot be customized. |
-| clusterID | string | `"kubernetes"` | Cluster name. Currently, cannot be customized. |
-| logVerbosityLevel | int | `5` | Log verbosity level. See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md for description of individual verbosity levels. |
-| timeout | string | `"3m"` | Connection timeout between sidecars. |
-| existingConfigSecret | string | `nil` | Proxmox cluster config stored in secrets. |
-| existingConfigSecretKey | string | `"config.yaml"` | Proxmox cluster config stored in secrets key. |
-| configFile | string | `"/etc/proxmox/config.yaml"` | Proxmox cluster config path. |
-| config | object | `{"clusters":[]}` | Proxmox cluster config. |
-| storageClass | list | `[]` | Storage class defenition. |
-| controller.plugin.image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/sergelogvinov/proxmox-csi-controller","tag":""}` | Controller CSI Driver. |
-| controller.plugin.resources | object | `{"requests":{"cpu":"10m","memory":"16Mi"}}` | Controller resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
-| controller.attacher.image | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-attacher","tag":"v4.3.0"}` | CSI Attacher. |
-| controller.attacher.resources | object | `{"requests":{"cpu":"10m","memory":"16Mi"}}` | Attacher resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
-| controller.provisioner.image | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-provisioner","tag":"v3.5.0"}` | CSI Provisioner. |
-| controller.provisioner.resources | object | `{"requests":{"cpu":"10m","memory":"16Mi"}}` | Provisioner resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
-| controller.resizer.image | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-resizer","tag":"v1.8.0"}` | CSI Resizer. |
-| controller.resizer.resources | object | `{"requests":{"cpu":"10m","memory":"16Mi"}}` | Resizer resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
-| node.plugin.image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/sergelogvinov/proxmox-csi-node","tag":""}` | Node CSI Driver. |
-| node.plugin.resources | object | `{}` | Node CSI Driver resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
-| node.driverRegistrar.image | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/csi-node-driver-registrar","tag":"v2.8.0"}` | Node CSI driver registrar. |
-| node.driverRegistrar.resources | object | `{"requests":{"cpu":"10m","memory":"16Mi"}}` | Node registrar resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
-| node.nodeSelector | object | `{}` | Node labels for node-plugin assignment. ref: https://kubernetes.io/docs/user-guide/node-selection/ |
-| node.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/unschedulable","operator":"Exists"},{"effect":"NoSchedule","key":"node.kubernetes.io/disk-pressure","operator":"Exists"}]` | Tolerations for node-plugin assignment. ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
-| livenessprobe.image | object | `{"pullPolicy":"IfNotPresent","repository":"registry.k8s.io/sig-storage/livenessprobe","tag":"v2.10.0"}` | Common livenessprobe sidecar. |
-| livenessprobe.failureThreshold | int | `5` | Failure threshold for livenessProbe |
-| livenessprobe.initialDelaySeconds | int | `10` | Initial delay seconds for livenessProbe |
-| livenessprobe.timeoutSeconds | int | `10` | Timeout seconds for livenessProbe |
-| livenessprobe.periodSeconds | int | `60` | Period seconds for livenessProbe |
-| livenessprobe.resources | object | `{"requests":{"cpu":"10m","memory":"16Mi"}}` | Liveness probe resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
-| podAnnotations | object | `{}` | Annotations for controller pod. ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
-| podSecurityContext | object | `{"fsGroup":65532,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` | Controller Security Context. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
-| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Controller Container Security Context. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
-| updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | Controller deployment update stategy type. ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment |
-| nodeSelector | object | `{}` | Node labels for controller assignment. ref: https://kubernetes.io/docs/user-guide/node-selection/ |
-| tolerations | list | `[]` | Tolerations for controller assignment. ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
-| affinity | object | `{}` | Affinity for controller assignment. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
-
-----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

packages/system/proxmox-csi/charts/proxmox-csi-plugin/README.md.gotmpl

@@ -1,68 +0,0 @@
-{{ template "chart.header" . }}
-
-{{ template "chart.deprecationWarning" . }}
-
-{{ template "chart.badgesSection" . }}
-
-{{ template "chart.description" . }}
-
-{{ template "chart.homepageLine" . }}
-
-{{ template "chart.maintainersSection" . }}
-
-{{ template "chart.sourcesSection" . }}
-
-{{ template "chart.requirementsSection" . }}
-
-Example:
-
-```yaml
-# proxmox-csi.yaml
-
-config:
-  clusters:
-    - url: https://cluster-api-1.exmple.com:8006/api2/json
-      insecure: false
-      token_id: "kubernetes-csi@pve!csi"
-      token_secret: "key"
-      region: cluster-1
-
-# Deploy Node CSI driver only on proxmox nodes
-node:
-  nodeSelector:
-    # It will work only with Talos CCM, remove it overwise
-    node.cloudprovider.kubernetes.io/platform: nocloud
-  tolerations:
-    - operator: Exists
-
-# Deploy CSI controller only on control-plane nodes
-nodeSelector:
-  node-role.kubernetes.io/control-plane: ""
-tolerations:
-  - key: node-role.kubernetes.io/control-plane
-    effect: NoSchedule
-
-# Define storage classes
-# See https://pve.proxmox.com/wiki/Storage
-storageClass:
-  - name: proxmox-data-xfs
-    storage: data
-    reclaimPolicy: Delete
-    fstype: xfs
-  - name: proxmox-data
-    storage: data
-    reclaimPolicy: Delete
-    fstype: ext4
-    cache: writethrough
-```
-
-Deploy chart:
-
-```shell
-helm upgrade -i --namespace=csi-proxmox -f proxmox-csi.yaml \
-		proxmox-csi-plugin charts/proxmox-csi-plugin/
-```
-
-{{ template "chart.valuesSection" . }}
-
-{{ template "helm-docs.versionFooter" . }}

packages/system/proxmox-csi/charts/proxmox-csi-plugin/ci/values.yaml

@@ -1,22 +0,0 @@
-
-node:
-  nodeSelector:
-    node.cloudprovider.kubernetes.io/platform: nocloud
-  tolerations:
-    - operator: Exists
-
-nodeSelector:
-  node-role.kubernetes.io/control-plane: ""
-tolerations:
-  - key: node-role.kubernetes.io/control-plane
-    effect: NoSchedule
-
-storageClass:
-  - name: proxmox-data-xfs
-    storage: data
-    reclaimPolicy: Delete
-    fstype: xfs
-  - name: proxmox-data
-    storage: data
-    reclaimPolicy: Delete
-    ssd: true

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/controller-clusterrole.yaml

@@ -1,37 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-controller
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "proxmox-csi-plugin.labels" . | nindent 4 }}
-rules:
-  - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "create", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims/status"]
-    verbs: ["patch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["get","list", "watch", "create", "update", "patch"]
-
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["storageclasses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["csinodes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list", "watch"]
-
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattachments"]
-    verbs: ["get", "list", "watch", "patch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattachments/status"]
-    verbs: ["patch"]

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/controller-deployment.yaml

@@ -1,157 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-controller
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "proxmox-csi-plugin.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  strategy:
-    type: {{ .Values.updateStrategy.type }}
-    rollingUpdate:
-      {{- toYaml .Values.updateStrategy.rollingUpdate | nindent 6 }}
-  selector:
-    matchLabels:
-      {{- include "proxmox-csi-plugin.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      annotations:
-        checksum/config: {{ toJson .Values.config | sha256sum }}
-      {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "proxmox-csi-plugin.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- if .Values.priorityClassName }}
-      priorityClassName: {{ .Values.priorityClassName }}
-      {{- end }}
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      enableServiceLinks: false
-      serviceAccountName: {{ include "proxmox-csi-plugin.serviceAccountName" . }}-controller
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ include "proxmox-csi-plugin.fullname" . }}-controller
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.controller.plugin.image.repository }}:{{ .Values.controller.plugin.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.controller.plugin.image.pullPolicy }}
-          args:
-            - "-v={{ .Values.logVerbosityLevel }}"
-            - "--csi-address=unix:///csi/csi.sock"
-            - "--cloud-config={{ .Values.configFile }}"
-          resources:
-            {{- toYaml .Values.controller.plugin.resources | nindent 12 }}
-          volumeMounts:
-            - name: socket-dir
-              mountPath: /csi
-            - name: cloud-config
-              mountPath: /etc/proxmox/
-        - name: csi-attacher
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.controller.attacher.image.repository }}:{{ .Values.controller.attacher.image.tag }}"
-          imagePullPolicy: {{ .Values.controller.attacher.image.pullPolicy }}
-          args:
-            - "-v={{ .Values.logVerbosityLevel }}"
-            - "--csi-address=unix:///csi/csi.sock"
-            - "--timeout={{ .Values.timeout }}"
-            - "--leader-election"
-            - "--default-fstype=ext4"
-          volumeMounts:
-            - name: socket-dir
-              mountPath: /csi
-          resources: {{ toYaml .Values.controller.attacher.resources | nindent 12 }}
-        - name: csi-provisioner
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.controller.provisioner.image.repository }}:{{ .Values.controller.provisioner.image.tag }}"
-          imagePullPolicy: {{ .Values.controller.provisioner.image.pullPolicy }}
-          args:
-            - "-v={{ .Values.logVerbosityLevel }}"
-            - "--csi-address=unix:///csi/csi.sock"
-            - "--timeout={{ .Values.timeout }}"
-            - "--leader-election"
-            - "--default-fstype=ext4"
-            - "--feature-gates=Topology=True"
-            - "--enable-capacity"
-            - "--capacity-ownerref-level=2"
-          env:
-            - name: NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-          volumeMounts:
-            - name: socket-dir
-              mountPath: /csi
-          resources: {{ toYaml .Values.controller.provisioner.resources | nindent 12 }}
-        - name: csi-resizer
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.controller.resizer.image.repository }}:{{ .Values.controller.resizer.image.tag }}"
-          imagePullPolicy: {{ .Values.controller.resizer.image.pullPolicy }}
-          args:
-            - "-v={{ .Values.logVerbosityLevel }}"
-            - "--csi-address=unix:///csi/csi.sock"
-            - "--timeout={{ .Values.timeout }}"
-            - "--handle-volume-inuse-error=false"
-            - "--leader-election"
-          volumeMounts:
-            - name: socket-dir
-              mountPath: /csi
-          resources: {{ toYaml .Values.controller.resizer.resources | nindent 12 }}
-        - name: liveness-probe
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.livenessprobe.image.repository }}:{{ .Values.livenessprobe.image.tag }}"
-          imagePullPolicy: {{ .Values.livenessprobe.image.pullPolicy }}
-          args:
-            - "-v={{ .Values.logVerbosityLevel }}"
-            - "--csi-address=unix:///csi/csi.sock"
-          volumeMounts:
-            - name: socket-dir
-              mountPath: /csi
-          resources: {{ toYaml .Values.livenessprobe.resources | nindent 12 }}
-      volumes:
-        - name: socket-dir
-          emptyDir: {}
-        {{- if .Values.existingConfigSecret }}
-        - name: cloud-config
-          secret:
-            secretName: {{ .Values.existingConfigSecret }}
-            items:
-              - key: {{ .Values.existingConfigSecretKey }}
-                path: config.yaml
-        {{- else }}
-        - name: cloud-config
-          secret:
-            secretName: {{ include "proxmox-csi-plugin.fullname" . }}
-        {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      topologySpreadConstraints:
-        - maxSkew: 1
-          topologyKey: kubernetes.io/hostname
-          whenUnsatisfiable: DoNotSchedule
-          labelSelector:
-            matchLabels:
-              {{- include "proxmox-csi-plugin.selectorLabels" . | nindent 14 }}

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/controller-role.yaml

@@ -1,21 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-controller
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "proxmox-csi-plugin.labels" . | nindent 4 }}
-rules:
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["get", "watch", "list", "delete", "update", "create"]
-
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["csistoragecapacities"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get"]
-  - apiGroups: ["apps"]
-    resources: ["replicasets"]
-    verbs: ["get"]

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/controller-rolebinding.yaml

@@ -1,26 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-controller
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-controller
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "proxmox-csi-plugin.serviceAccountName" . }}-controller
-    namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-controller
-  namespace: {{ .Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-controller
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "proxmox-csi-plugin.serviceAccountName" . }}-controller
-    namespace: {{ .Release.Namespace }}

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/csidriver.yaml

@@ -1,10 +0,0 @@
-apiVersion: storage.k8s.io/v1
-kind: CSIDriver
-metadata:
-  name: {{ .Values.provisionerName }}
-spec:
-  attachRequired: true
-  podInfoOnMount: true
-  storageCapacity: true
-  volumeLifecycleModes:
-  - Persistent

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/node-clusterrole.yaml

@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-node
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "proxmox-csi-plugin.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/node-deployment.yaml

@@ -1,135 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-node
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "proxmox-csi-plugin.labels" . | nindent 4 }}
-spec:
-  updateStrategy:
-    type: {{ .Values.updateStrategy.type }}
-  selector:
-    matchLabels:
-      {{- include "proxmox-csi-plugin-node.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "proxmox-csi-plugin-node.selectorLabels" . | nindent 8 }}
-    spec:
-      priorityClassName: system-node-critical
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      enableServiceLinks: false
-      serviceAccountName: {{ include "proxmox-csi-plugin.serviceAccountName" . }}-node
-      securityContext:
-        runAsUser: 0
-        runAsGroup: 0
-      containers:
-        - name: {{ include "proxmox-csi-plugin.fullname" . }}-node
-          securityContext:
-            privileged: true
-            capabilities:
-              drop:
-              - ALL
-              add:
-              - SYS_ADMIN
-              - CHOWN
-              - DAC_OVERRIDE
-            seccompProfile:
-              type: RuntimeDefault
-          image: "{{ .Values.node.plugin.image.repository }}:{{ .Values.node.plugin.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.node.plugin.image.pullPolicy }}
-          args:
-            - "-v={{ .Values.logVerbosityLevel }}"
-            - "--csi-address=unix:///csi/csi.sock"
-            - "--node-id=$(NODE_NAME)"
-          env:
-            - name: NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          resources: {{- toYaml .Values.node.plugin.resources | nindent 12 }}
-          volumeMounts:
-            - name: socket
-              mountPath: /csi
-            - name: kubelet
-              mountPath: /var/lib/kubelet
-              mountPropagation: Bidirectional
-            - name: dev
-              mountPath: /dev
-            - name: sys
-              mountPath: /sys
-        - name: csi-node-driver-registrar
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            # readOnlyRootFilesystem: true
-            seccompProfile:
-              type: RuntimeDefault
-          image: "{{ .Values.node.driverRegistrar.image.repository }}:{{ .Values.node.driverRegistrar.image.tag }}"
-          imagePullPolicy: {{ .Values.node.driverRegistrar.image.pullPolicy }}
-          args:
-            - "-v={{ .Values.logVerbosityLevel }}"
-            - "--csi-address=unix:///csi/csi.sock"
-            - "--kubelet-registration-path=/var/lib/kubelet/plugins/{{ .Values.provisionerName }}/csi.sock"
-          volumeMounts:
-            - name: socket
-              mountPath: /csi
-            - name: registration
-              mountPath: /registration
-          resources: {{- toYaml .Values.node.driverRegistrar.resources | nindent 12 }}
-        - name: liveness-probe
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-            seccompProfile:
-              type: RuntimeDefault
-          image: "{{ .Values.livenessprobe.image.repository }}:{{ .Values.livenessprobe.image.tag }}"
-          imagePullPolicy: {{ .Values.livenessprobe.image.pullPolicy }}
-          args:
-            - "-v={{ .Values.logVerbosityLevel }}"
-            - "--csi-address=unix:///csi/csi.sock"
-          volumeMounts:
-            - name: socket
-              mountPath: /csi
-          resources: {{- toYaml .Values.livenessprobe.resources | nindent 12 }}
-      volumes:
-        - name: socket
-          hostPath:
-            path: /var/lib/kubelet/plugins/{{ .Values.provisionerName }}/
-            type: DirectoryOrCreate
-        - name: registration
-          hostPath:
-            path: /var/lib/kubelet/plugins_registry/
-            type: Directory
-        - name: kubelet
-          hostPath:
-            path: /var/lib/kubelet
-            type: Directory
-        - name: dev
-          hostPath:
-            path: /dev
-            type: Directory
-        - name: sys
-          hostPath:
-            path: /sys
-            type: Directory
-      {{- with .Values.node.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.node.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/node-rolebinding.yaml

@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "proxmox-csi-plugin.fullname" . }}-node
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "proxmox-csi-plugin.serviceAccountName" . }}-node
-    namespace: {{ .Release.Namespace }}

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/secrets.yaml

@@ -1,12 +0,0 @@
-{{- if ne (len .Values.config.clusters) 0 }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "proxmox-csi-plugin.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "proxmox-csi-plugin.labels" . | nindent 4 }}
-type: Opaque
-data:
-  config.yaml: {{ toYaml .Values.config | b64enc | quote }}
-{{- end }}

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/serviceaccount.yaml

@@ -1,25 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "proxmox-csi-plugin.serviceAccountName" . }}-controller
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "proxmox-csi-plugin.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "proxmox-csi-plugin.serviceAccountName" . }}-node
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "proxmox-csi-plugin.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

packages/system/proxmox-csi/charts/proxmox-csi-plugin/templates/storageclass.yaml

@@ -1,20 +0,0 @@
-{{- range $storage := .Values.storageClass }}
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: {{ $storage.name }}
-provisioner: {{ $.Values.provisionerName }}
-allowVolumeExpansion: true
-volumeBindingMode: WaitForFirstConsumer
-reclaimPolicy: {{ default "Delete" $storage.reclaimPolicy }}
-parameters:
-  csi.storage.k8s.io/fstype: {{ default "ext4" $storage.fstype }}
-  storage: {{ $storage.storage }}
-  {{- if $storage.cache }}
-  cache: {{  $storage.cache }}
-  {{- end }}
-  {{- if $storage.ssd }}
-  ssd: "true"
-  {{- end }}
----
-{{- end }}

packages/system/proxmox-csi/charts/proxmox-csi-plugin/values.edge.yaml

@@ -1,30 +0,0 @@
-
-controller:
-  plugin:
-    image:
-      pullPolicy: Always
-      tag: edge
-
-node:
-  plugin:
-    image:
-      pullPolicy: Always
-      tag: edge
-
-  nodeSelector:
-    node.cloudprovider.kubernetes.io/platform: nocloud
-
-nodeSelector:
-  node-role.kubernetes.io/control-plane: ""
-tolerations:
-  - key: node-role.kubernetes.io/control-plane
-    effect: NoSchedule
-
-storageClass:
-  - name: proxmox-data-xfs
-    storage: data
-    reclaimPolicy: Delete
-    fstype: xfs
-  - name: proxmox-data
-    storage: data
-    ssd: true

packages/system/proxmox-csi/charts/proxmox-csi-plugin/values.talos.yaml

@@ -1,21 +0,0 @@
-
-node:
-  nodeSelector:
-    node.cloudprovider.kubernetes.io/platform: nocloud
-  tolerations:
-    - operator: Exists
-
-nodeSelector:
-  node-role.kubernetes.io/control-plane: ""
-tolerations:
-  - key: node-role.kubernetes.io/control-plane
-    effect: NoSchedule
-
-storageClass:
-  - name: proxmox-data-xfs
-    storage: data
-    reclaimPolicy: Delete
-    fstype: xfs
-  - name: proxmox-data
-    storage: data
-    reclaimPolicy: Delete

packages/system/proxmox-csi/charts/proxmox-csi-plugin/values.yaml

@@ -1,222 +0,0 @@
-# Default values for proxmox-csi-plugin.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-# -- Controller pods priorityClassName.
-priorityClassName: system-cluster-critical
-
-# -- Pods Service Account.
-# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
-# -- CSI Driver provisioner name.
-# Currently, cannot be customized.
-provisionerName: csi.proxmox.sinextra.dev
-
-# -- Cluster name.
-# Currently, cannot be customized.
-clusterID: kubernetes
-
-# -- Log verbosity level. See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md
-# for description of individual verbosity levels.
-logVerbosityLevel: 5
-
-# -- Connection timeout between sidecars.
-timeout: 3m
-
-# -- Proxmox cluster config stored in secrets.
-existingConfigSecret: ~
-# -- Proxmox cluster config stored in secrets key.
-existingConfigSecretKey: config.yaml
-
-# -- Proxmox cluster config path.
-configFile: /etc/proxmox/config.yaml
-
-# -- Proxmox cluster config.
-config:
-  clusters: []
-  #   - url: https://cluster-api-1.exmple.com:8006/api2/json
-  #     insecure: false
-  #     token_id: "login!name"
-  #     token_secret: "secret"
-  #     region: cluster-1
-
-# -- Storage class defenition.
-storageClass: []
-  # - name: proxmox-data-xfs
-  #   storage: data
-  #   reclaimPolicy: Delete
-  #   fstype: ext4|xfs
-  #
-  #   # https://pve.proxmox.com/wiki/Performance_Tweaks
-  #   cache: directsync|none|writeback|writethrough
-  #   ssd: true
-
-controller:
-  plugin:
-    # -- Controller CSI Driver.
-    image:
-      repository: ghcr.io/sergelogvinov/proxmox-csi-controller
-      pullPolicy: IfNotPresent
-      # Overrides the image tag whose default is the chart appVersion.
-      tag: ""
-    # -- Controller resource requests and limits.
-    # ref: https://kubernetes.io/docs/user-guide/compute-resources/
-    resources:
-      requests:
-        cpu: 10m
-        memory: 16Mi
-  attacher:
-    # -- CSI Attacher.
-    image:
-      repository: registry.k8s.io/sig-storage/csi-attacher
-      pullPolicy: IfNotPresent
-      tag: v4.3.0
-    # -- Attacher resource requests and limits.
-    # ref: https://kubernetes.io/docs/user-guide/compute-resources/
-    resources:
-      requests:
-        cpu: 10m
-        memory: 16Mi
-  provisioner:
-    # -- CSI Provisioner.
-    image:
-      repository: registry.k8s.io/sig-storage/csi-provisioner
-      pullPolicy: IfNotPresent
-      tag: v3.5.0
-    # -- Provisioner resource requests and limits.
-    # ref: https://kubernetes.io/docs/user-guide/compute-resources/
-    resources:
-      requests:
-        cpu: 10m
-        memory: 16Mi
-  resizer:
-    # -- CSI Resizer.
-    image:
-      repository: registry.k8s.io/sig-storage/csi-resizer
-      pullPolicy: IfNotPresent
-      tag: v1.8.0
-    # -- Resizer resource requests and limits.
-    # ref: https://kubernetes.io/docs/user-guide/compute-resources/
-    resources:
-      requests:
-        cpu: 10m
-        memory: 16Mi
-
-node:
-  plugin:
-    # -- Node CSI Driver.
-    image:
-      repository: ghcr.io/sergelogvinov/proxmox-csi-node
-      pullPolicy: IfNotPresent
-      # Overrides the image tag whose default is the chart appVersion.
-      tag: ""
-    # -- Node CSI Driver resource requests and limits.
-    # ref: https://kubernetes.io/docs/user-guide/compute-resources/
-    resources: {}
-  driverRegistrar:
-    # -- Node CSI driver registrar.
-    image:
-      repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
-      pullPolicy: IfNotPresent
-      tag: v2.8.0
-    # -- Node registrar resource requests and limits.
-    # ref: https://kubernetes.io/docs/user-guide/compute-resources/
-    resources:
-      requests:
-        cpu: 10m
-        memory: 16Mi
-
-  # -- Node labels for node-plugin assignment.
-  # ref: https://kubernetes.io/docs/user-guide/node-selection/
-  nodeSelector: {}
-
-  # -- Tolerations for node-plugin assignment.
-  # ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-  tolerations:
-    - key: node.kubernetes.io/unschedulable
-      operator: Exists
-      effect: NoSchedule
-    - key: node.kubernetes.io/disk-pressure
-      operator: Exists
-      effect: NoSchedule
-
-livenessprobe:
-  # -- Common livenessprobe sidecar.
-  image:
-    repository: registry.k8s.io/sig-storage/livenessprobe
-    pullPolicy: IfNotPresent
-    tag: v2.10.0
-  # -- Failure threshold for livenessProbe
-  failureThreshold: 5
-  # -- Initial delay seconds for livenessProbe
-  initialDelaySeconds: 10
-  # -- Timeout seconds for livenessProbe
-  timeoutSeconds: 10
-  # -- Period seconds for livenessProbe
-  periodSeconds: 60
-  # -- Liveness probe resource requests and limits.
-  # ref: https://kubernetes.io/docs/user-guide/compute-resources/
-  resources:
-    requests:
-      cpu: 10m
-      memory: 16Mi
-
-# -- Annotations for controller pod.
-# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-podAnnotations: {}
-
-# -- Controller Security Context.
-# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
-podSecurityContext:
-  runAsNonRoot: true
-  runAsUser: 65532
-  runAsGroup: 65532
-  fsGroup: 65532
-  fsGroupChangePolicy: OnRootMismatch
-
-# -- Controller Container Security Context.
-# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-    - ALL
-  seccompProfile:
-    type: RuntimeDefault
-  readOnlyRootFilesystem: true
-
-# -- Controller deployment update stategy type.
-# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment
-updateStrategy:
-  type: RollingUpdate
-  rollingUpdate:
-    maxUnavailable: 1
-
-# -- Node labels for controller assignment.
-# ref: https://kubernetes.io/docs/user-guide/node-selection/
-nodeSelector: {}
-  # node-role.kubernetes.io/control-plane: ""
-
-# -- Tolerations for controller assignment.
-# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-tolerations: []
-  # - key: node-role.kubernetes.io/control-plane
-  #   effect: NoSchedule
-
-# -- Affinity for controller assignment.
-# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-affinity: {}

packages/system/proxmox-csi/patches/namespace.patch

@@ -1,13 +0,0 @@
-diff --git a/apps/proxmox-csi/charts/proxmox-cloud-controller-manager/templates/rolebinding.yaml b/apps/proxmox-csi/charts/proxmox-cloud-controller-manager/templates/rolebinding.yaml
-index 0ed037f..32b065e 100644
---- a/apps/proxmox-csi/charts/proxmox-cloud-controller-manager/templates/rolebinding.yaml
-+++ b/apps/proxmox-csi/charts/proxmox-cloud-controller-manager/templates/rolebinding.yaml
-@@ -9,7 +9,7 @@ roleRef:
- subjects:
- - kind: ServiceAccount
-   name: {{ include "proxmox-cloud-controller-manager.fullname" . }}
--  namespace: kube-system
-+  namespace: {{ .Release.Namespace }}
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding

packages/system/proxmox-csi/tests/1.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: task-pv-claim
-spec:
-  storageClassName: proxmox-lvm
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 3Gi
----
-apiVersion: v1
-kind: Pod
-metadata:
-  name: task-pv-pod
-spec:
-  volumes:
-    - name: task-pv-storage
-      persistentVolumeClaim:
-        claimName: task-pv-claim
-  containers:
-    - name: task-pv-container
-      image: nginx
-      ports:
-        - containerPort: 80
-          name: "http-server"
-      volumeMounts:
-        - mountPath: "/usr/share/nginx/html"
-          name: task-pv-storage

packages/system/proxmox-csi/values.yaml

@@ -1,22 +0,0 @@
-proxmox-cloud-controller-manager:
-  fullnameOverride: proxmox-cloud-controller-manager
-  
-  enabledControllers:
-    - cloud-node
-    - cloud-node-lifecycle
-  
-  # Deploy CCM only on control-plane nodes
-  nodeSelector:
-    node-role.kubernetes.io/control-plane: ""
-  tolerations:
-    - key: node-role.kubernetes.io/control-plane
-      effect: NoSchedule
-
-proxmox-csi-plugin:
-  fullnameOverride: proxmox-csi-plugin
-
-  nodeSelector:
-    node-role.kubernetes.io/control-plane: ""
-  tolerations:
-    - key: node-role.kubernetes.io/control-plane
-      effect: NoSchedule