fix default values

fix monitoring schema generation
Merge branch 'origin/main' into openapi-schema-generation
2026-03-30 05:03:40 +00:00 · 2024-05-09 10:32:49 +02:00 · 2024-05-08 21:11:26 +02:00 · 2024-05-08 21:10:47 +02:00 · 2024-05-08 13:46:37 +02:00 · 2024-05-03 23:10:10 +02:00
102 changed files with 33371 additions and 27166 deletions
--- a/3
+++ b/3
@@ -3,7 +3,6 @@
 build:
 	make -C packages/apps/http-cache image
 	make -C packages/apps/kubernetes image
-	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
 	make -C packages/core/installer image
 	make manifests
@@ -21,4 +20,4 @@ repos:
 	make -C packages/extra repo

 assets:
-	make -C packages/core/installer/ assets
+	make -C packages/core/talos/ assets
--- a/manifests/cozystack-installer.yaml
+++ b/manifests/cozystack-installer.yaml
@@ -54,11 +54,6 @@ spec:
  selector:
    matchLabels:
      app: cozystack
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxSurge: 0
-      maxUnavailable: 1
  template:
    metadata:
      labels:
@@ -68,7 +63,7 @@ spec:
      serviceAccountName: cozystack
      containers:
      - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: localhost
@@ -87,7 +82,7 @@ spec:
            fieldRef:
              fieldPath: metadata.name
      - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.4.0"
        command:
        - /usr/bin/darkhttpd
        - /cozystack/assets
--- a/packages/apps/Makefile
+++ b/packages/apps/Makefile
@@ -11,7 +11,7 @@ repo:
 	rm -rf "$(TMP)"

 fix-chartnames:
-	find . -maxdepth 2 -name Chart.yaml  | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done

 gen-versions-map: fix-chartnames
 	../../hack/gen_versions_map.sh
--- a/packages/apps/http-cache/images/nginx-cache.json
+++ b/packages/apps/http-cache/images/nginx-cache.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:aa7a9874c35d7fac8668a623744acbf376b48aed2ef1dc4b3a19054fdcff99cf",
-  "containerimage.digest": "sha256:d825427d433dda95db40264c6559b44c7bbb726e69279e90fe73fe8fc9265abb"
+  "containerimage.config.digest": "sha256:2be806d1d79cbb979b71774d75e610ebbaf1c22608402249a83e043860d754c7",
+  "containerimage.digest": "sha256:49e22533ee97b90a716923aebf5f2654c4a8b47db0b2fab9daf8ecc34c40e7d0"
 }
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.2.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.19.4"
+appVersion: "1.19.0"
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.json
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:24cee18d0bc9ed40e741412da86820dd99bdb9ffa4c794c81856725a4a10d86e",
-  "containerimage.digest": "sha256:6a43369905e0630bb401e1cf73084bbef3060e960756f261676cd3bea4195e9a"
+  "containerimage.config.digest": "sha256:a7e8e6e35ac07bcf6253c9cfcf21fd3c315bd0653ad0427dd5f0cae95ffd3722",
+  "containerimage.digest": "sha256:c03bffeeb70fe7dd680d2eca3021d2405fbcd9961dd38437f5673560c31c72cc"
 }
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -39,9 +39,7 @@ metadata:
 spec:
  dataStoreName: "{{ $etcd }}"
  addons:
-    coreDNS:
-      dnsServiceIPs:
-      - 10.95.0.10
+    coreDNS: {}
    konnectivity: {}
  kubelet:
    cgroupfs: systemd
@@ -57,7 +55,7 @@ spec:
      className: "{{ $ingress }}"
  deployment:
  replicas: 2
-  version: 1.29.4
+  version: 1.29.0
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtCluster
@@ -76,21 +74,6 @@ metadata:
 spec:
  template:
    spec:
-      diskSetup:
-        filesystems:
-        - device: /dev/vdb
-          filesystem: xfs
-          label: containerd
-          partition: "none"
-        - device: /dev/vdc
-          filesystem: xfs
-          label: kubelet
-          partition: "none"
-      mounts:
-      - ["LABEL=containerd", "/var/lib/containerd"]
-      - ["LABEL=kubelet", "/var/lib/kubelet"]
-      preKubeadmCommands:
-      - sed -i 's|root:x:|root::|' /etc/passwd
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs: {}
@@ -125,32 +108,17 @@ spec:
                  sockets: 1
                devices:
                  disks:
-                  - name: system
-                    disk:
+                  - disk:
                      bus: virtio
-                      pciAddress: 0000:07:00.0
-                  - name: containerd
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:08:00.0
-                  - name: kubelet
-                    disk:
-                      bus: virtio
-                      pciAddress: 0000:09:00.0
+                    name: containervolume
                  networkInterfaceMultiqueue: true
                memory:
                  guest: {{ $group.resources.memory }}
              evictionStrategy: External
              volumes:
-              - name: system
-                containerDisk:
+              - containerDisk:
                  image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
-              - name: containerd
-                emptyDisk:
-                  capacity: 20Gi
-              - name: kubelet
-                emptyDisk:
-                  capacity: 20Gi
+                name: containervolume
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
@@ -178,5 +146,5 @@ spec:
        kind: KubevirtMachineTemplate
        name: {{ $.Release.Name }}-{{ $groupName }}
        namespace: default
-      version: v1.29.4
+      version: v1.29.0
 {{- end }}
--- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
@@ -26,9 +26,7 @@ spec:
  values:
    cilium:
      tunnel: disabled
-      autoDirectNodeRoutes: false
-      bpf:
-        masquerade: true
+      autoDirectNodeRoutes: true
      cgroup:
        autoMount:
          enabled: true
@@ -40,9 +38,9 @@ spec:
        chainingMode: ~
        customConf: false
        configMap: ""
-      routingMode: tunnel
+      routingMode: native
      enableIPv4Masquerade: true
-      ipv4NativeRoutingCIDR: ""
+      ipv4NativeRoutingCIDR: "10.244.0.0/16"
  dependsOn:
  - name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
--- a/packages/apps/mysql/templates/mariadb.yaml
+++ b/packages/apps/mysql/templates/mariadb.yaml
@@ -4,11 +4,9 @@ kind: MariaDB
 metadata:
  name: {{ .Release.Name }}
 spec:
-  {{- if (and .Values.users.root .Values.users.root.password) }}
  rootPasswordSecretKeyRef:
    name: {{ .Release.Name }}
    key: root-password
-  {{- end }}

  image: "mariadb:11.0.2"

--- a/packages/apps/mysql/templates/secret.yaml
+++ b/packages/apps/mysql/templates/secret.yaml
@@ -7,3 +7,11 @@ stringData:
  {{- range $name, $u := .Values.users }}
  {{ $name }}-password: {{ $u.password }}
  {{- end }}
+  {{- if not (and .Values.users.root .Values.users.root.password) }}
+  {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace .Release.Name }}
+  {{- if and $existingSecret (index $existingSecret.data "root-password") }}
+  root-password: {{ index $existingSecret.data "root-password" }}
+  {{- else }}
+  root-password: {{ randAlphaNum 10 }}
+  {{- end }}
+  {{- end }}
--- a/packages/apps/postgres/Chart.yaml
+++ b/packages/apps/postgres/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.1
+version: 0.2.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/postgres/templates/init-script.yaml
+++ b/packages/apps/postgres/templates/init-script.yaml
@@ -100,13 +100,13 @@ stringData:
    echo "== assign roles to users"
    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
    {{- range $database, $d := .Values.databases }}
-    {{- range $user, $u := $.Values.users }}
-    {{- if has $user $d.roles.admin }}
+    {{- range $user, $u := $.Values.roles }}
+    {{- if has $user $d.users.admin }}
    GRANT {{ $database }}_admin TO {{ $user }};
    {{- else }}
    REVOKE {{ $database }}_admin FROM {{ $user }};
    {{- end }}
-    {{- if has $user $d.roles.readonly }}
+    {{- if has $user $d.users.readonly }}
    GRANT {{ $database }}_readonly TO {{ $user }};
    {{- else }}
    REVOKE {{ $database }}_readonly FROM {{ $user }};
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -5,15 +5,12 @@ http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
 kafka 0.2.0 HEAD
 kubernetes 0.1.0 f642698
-kubernetes 0.2.0 7cd7de73
-kubernetes 0.3.0 7caccec1
-kubernetes 0.4.0 HEAD
+kubernetes 0.2.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
 postgres 0.1.0 f642698
-postgres 0.2.0 7cd7de73
-postgres 0.2.1 HEAD
+postgres 0.2.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698
--- a/packages/core/fluxcd/Makefile
+++ b/packages/core/fluxcd/Makefile
@@ -11,10 +11,3 @@ apply:

 diff:
 	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-
-
-update:
-	rm -rf charts
-	helm repo add fluxcd-community https://fluxcd-community.github.io/helm-charts
-	helm repo update fluxcd-community
-	helm pull fluxcd-community/flux2 --untar --untardir charts
-	sed -i 's/\.{{ \.Values\.clusterDomain | default "cluster\.local" }}\.//g' `grep -rl '.{{ .Values.clusterDomain | default "cluster.local" }}.' charts`
--- a/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml
+++ b/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml
@@ -44,7 +44,7 @@ spec:
        - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
        {{- end}}
        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
        {{- end}}
        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
        - --log-level={{ .Values.logLevel | default "info" }}
--- a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml
+++ b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml
@@ -43,7 +43,7 @@ spec:
        - --no-cross-namespace-refs=true
        {{- end}}
        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
        {{- end}}
        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
        - --log-level={{ .Values.logLevel | default "info" }}
--- a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml
+++ b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml
@@ -43,7 +43,7 @@ spec:
        - --no-cross-namespace-refs=true
        {{- end}}
        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
        {{- end}}
        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
        - --log-level={{ .Values.logLevel | default "info" }}
--- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml
+++ b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml
@@ -44,7 +44,7 @@ spec:
        - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
        {{- end}}
        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
        {{- end}}
        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
        - --log-level={{ .Values.logLevel | default "info" }}
--- a/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml
+++ b/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml
@@ -38,14 +38,14 @@ spec:
      containers:
      - args:
        {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
        {{- end}}
        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
        - --log-level={{ .Values.logLevel | default "info" }}
        - --log-encoding=json
        - --enable-leader-election
        - --storage-path=/data
-        - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc
+        - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
        {{- range .Values.sourceController.container.additionalArgs }}
        - {{ . }}
        {{- end}}
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -34,8 +34,8 @@ image-cozystack:
 image-talos:
 	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
 	docker load -i ../../../_out/assets/installer-amd64.tar
-	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
-	docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
+	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
+	docker push ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))

 image-matchbox:
 	test -f ../../../_out/assets/kernel-amd64 || make talos-kernel
--- a/packages/core/installer/hack/gen-profiles.sh
+++ b/packages/core/installer/hack/gen-profiles.sh
@@ -35,20 +35,16 @@ for profile in $PROFILES; do
  if [ "$profile" = "nocloud" ]; then
    image_options="{ diskSize: 1306525696, diskFormat: raw }"
    out_format=".xz"
-    platform="nocloud"
-    kind="image"
  else
    image_options="{}"
    out_format="raw"
-    platform="metal"
-    kind="$profile"
  fi

  cat > images/talos/profiles/$profile.yaml <<EOT
 # this file generated by hack/gen-profiles.sh
 # do not edit it
 arch: amd64
-platform: ${platform}
+platform: metal
 secureboot: false
 version: ${TALOS_VERSION}
 input:
@@ -69,7 +65,7 @@ input:
    - imageRef: ghcr.io/siderolabs/drbd:${DRBD_VERSION}
    - imageRef: ghcr.io/siderolabs/zfs:${ZFS_VERSION}
 output:
-  kind: ${kind}
+  kind: ${profile}
  imageOptions: ${image_options}
  outFormat: ${out_format}
 EOT
--- a/packages/core/installer/images/cozystack.json
+++ b/packages/core/installer/images/cozystack.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:8726af130b534d259ae28a92d84fb866df045765739a59146974d85554e5f188",
-  "containerimage.digest": "sha256:bc9109b0ed072ecbb143ea74edb9bf8a801b4903e0b849aeaa79488c4a9fb7f2"
+  "containerimage.config.digest": "sha256:cf9793f2de9d8f1400234a73f9446f3f9876b807463dae985d3cef4aafb33aae",
+  "containerimage.digest": "sha256:ce3d54b388d9027ed6ca2d3d67b1759e9f061e5736f61a75d586f33a1ee19fa4"
 }
--- a/packages/core/installer/images/cozystack.tag
+++ b/packages/core/installer/images/cozystack.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.6.0
+ghcr.io/aenix-io/cozystack/cozystack:v0.4.0
--- a/packages/core/installer/images/matchbox.json
+++ b/packages/core/installer/images/matchbox.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:05f6f9ed2e662dde64ace18dbbd69001b39778841bda812d7b6b86e064270e64",
-  "containerimage.digest": "sha256:56ef77367394c4b073c862974726d882036c9b95d27a56a774987fe3244c35f6"
+  "containerimage.config.digest": "sha256:68ea72fcc581352fabfd87fa6fd482968cc85ee520cab7a614f1244d7ae36eb0",
+  "containerimage.digest": "sha256:cea915e08a19eb6892f3facf3b3648368cd4a05abefc49bc2616ba3340c27e82"
 }
--- a/packages/core/installer/images/talos/profiles/nocloud.yaml
+++ b/packages/core/installer/images/talos/profiles/nocloud.yaml
@@ -1,7 +1,7 @@
 # this file generated by hack/gen-profiles.sh
 # do not edit it
 arch: amd64
-platform: nocloud
+platform: metal
 secureboot: false
 version: v1.7.1
 input:
@@ -22,6 +22,6 @@ input:
    - imageRef: ghcr.io/siderolabs/drbd:9.2.8-v1.7.1
    - imageRef: ghcr.io/siderolabs/zfs:2.2.3-v1.7.1
 output:
-  kind: image
+  kind: nocloud
  imageOptions: { diskSize: 1306525696, diskFormat: raw }
  outFormat: .xz
--- a/packages/core/installer/templates/cozystack.yaml
+++ b/packages/core/installer/templates/cozystack.yaml
@@ -35,11 +35,6 @@ spec:
  selector:
    matchLabels:
      app: cozystack
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxSurge: 0
-      maxUnavailable: 1
  template:
    metadata:
      labels:
--- a/packages/extra/Makefile
+++ b/packages/extra/Makefile
@@ -11,7 +11,7 @@ repo:
 	rm -rf "$(TMP)"

 fix-chartnames:
-	find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done

 gen-versions-map: fix-chartnames
 	../../hack/gen_versions_map.sh
--- a/packages/extra/etcd/Chart.yaml
+++ b/packages/extra/etcd/Chart.yaml
@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: https://www.svgrepo.com/show/353714/etcd.svg
 type: application
-version: 2.1.0
+version: 2.0.0
--- a/packages/extra/etcd/templates/etcd-cluster.yaml
+++ b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -1,23 +1,9 @@
-{{- define "calculateQuotaBackendBytes" -}}
-{{- $units := dict "Ki" 1024 "Mi" 1048576 "Gi" 1073741824 -}}
-{{- $value := regexFind "[0-9.]+" . -}}
-{{- $unit := regexFind "[a-zA-Z]+" . -}}
-{{- $numericValue := float64 $value -}}
-{{- $bytes := mulf $numericValue (index $units $unit) -}}
-{{- $result := mulf $bytes 0.95 -}}
-{{- printf "%.0f" $result -}}
-{{- end -}}
 ---
 apiVersion: etcd.aenix.io/v1alpha1
 kind: EtcdCluster
 metadata:
  name: etcd
 spec:
-  options:
-    quota-backend-bytes: {{ include "calculateQuotaBackendBytes" .Values.size | quote }}
-    auto-compaction-mode: "periodic"
-    auto-compaction-retention: "5m"
-    snapshot-count: "10000"
  replicas: {{ .Values.replicas }}
  storage:
    volumeClaimTemplate:
--- a/packages/extra/etcd/templates/etcd-defrag.yaml
+++ b/packages/extra/etcd/templates/etcd-defrag.yaml
@@ -1,31 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: {{ .Release.Name }}-defrag
-spec:
-  schedule: "0 * * * *"
-  successfulJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: etcd-defrag
-            image: ghcr.io/ahrtr/etcd-defrag:v0.13.0
-            args:
-            - --endpoints={{ range $i, $e := until (int .Values.replicas) }}{{ if $i }},{{ end }}https://{{ $.Release.Name }}-{{ $i }}.{{ $.Release.Name }}-headless.{{ $.Release.Namespace }}.svc:2379{{ end }}
-            - --cacert=/etc/etcd/pki/client/cert/ca.crt
-            - --cert=/etc/etcd/pki/client/cert/tls.crt
-            - --key=/etc/etcd/pki/client/cert/tls.key
-            - --cluster
-            - --defrag-rule
-            - "dbQuotaUsage > 0.8 || dbSize - dbSizeInUse > 200*1024*1024"
-            volumeMounts:
-            - mountPath: /etc/etcd/pki/client/cert
-              name: client-certificate
-              readOnly: true
-          volumes:
-          - name: client-certificate
-            secret:
-              secretName: {{ .Release.Name }}-client-tls
-          restartPolicy: OnFailure
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -1,6 +1,4 @@
 etcd 1.0.0 f7eaab0
-etcd 2.0.0 a6d0f7cf
-etcd 2.0.1 6fc1cc7d
-etcd 2.1.0 HEAD
+etcd 2.0.0 HEAD
 ingress 1.0.0 HEAD
 monitoring 1.0.0 HEAD
--- a/packages/system/Makefile
+++ b/packages/system/Makefile
@@ -9,4 +9,4 @@ repo:
 	cd "$(OUT)" && helm repo index .

 fix-chartnames:
-	find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done
+	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done
--- a/packages/system/cilium/charts/cilium/Chart.yaml
+++ b/packages/system/cilium/charts/cilium/Chart.yaml
@@ -122,7 +122,7 @@ annotations:
      description: |
        CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).
 apiVersion: v2
-appVersion: 1.14.10
+appVersion: 1.14.9
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg
@@ -138,4 +138,4 @@ kubeVersion: '>= 1.16.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.14.10
+version: 1.14.9
--- a/packages/system/cilium/charts/cilium/README.md
+++ b/packages/system/cilium/charts/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium

-![Version: 1.14.10](https://img.shields.io/badge/Version-1.14.10-informational?style=flat-square) ![AppVersion: 1.14.10](https://img.shields.io/badge/AppVersion-1.14.10-informational?style=flat-square)
+![Version: 1.14.9](https://img.shields.io/badge/Version-1.14.9-informational?style=flat-square) ![AppVersion: 1.14.9](https://img.shields.io/badge/AppVersion-1.14.9-informational?style=flat-square)

 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -131,7 +131,7 @@ contributors across the globe, there is almost always someone available to help.
 | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
 | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
 | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
-| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:5586de5019abc104637a9818a626956cd9b1e827327b958186ec412ae3d5dea6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.11","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
+| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
 | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
 | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
 | certgen.extraVolumes | list | `[]` | Additional certgen volumes. |
@@ -155,12 +155,12 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.10","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.9","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
 | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
-| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:871ec4e3b07401d90b4433c7e2b7210b9b0c5f1a536caab3d0281a5faeea5070","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.10","useDigest":true}` | KVStoreMesh image. |
+| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.9","useDigest":true}` | KVStoreMesh image. |
 | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
 | clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. |
@@ -312,7 +312,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -419,7 +419,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.10","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.9","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -511,7 +511,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.10","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -596,7 +596,7 @@ contributors across the globe, there is almost always someone available to help.
 | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. |
 | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. |
 | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. |
-| nodeinit.image | object | `{"digest":"sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f","useDigest":true}` | node-init image. |
+| nodeinit.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. |
 | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. |
 | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. |
@@ -619,7 +619,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14","awsDigest":"sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6","azureDigest":"sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4","genericDigest":"sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.10","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5","awsDigest":"sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec","azureDigest":"sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17","genericDigest":"sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.9","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -666,7 +666,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.10","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
@@ -61,7 +61,7 @@ spec:
        image: {{ include "cilium.image" .Values.envoy.image | quote }}
        imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
        command:
-        - /usr/bin/cilium-envoy-starter
+        - /usr/bin/cilium-envoy
        args:
        - '-c /var/run/cilium/envoy/bootstrap-config.json'
        - '--base-id 0'
--- a/packages/system/cilium/charts/cilium/values.yaml
+++ b/packages/system/cilium/charts/cilium/values.yaml
@@ -143,10 +143,10 @@ rollOutCiliumPods: false
 image:
  override: ~
  repository: "quay.io/cilium/cilium"
-  tag: "v1.14.10"
+  tag: "v1.14.9"
  pullPolicy: "IfNotPresent"
  # cilium-digest
-  digest: "sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031"
+  digest: "sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301"
  useDigest: true

 # -- Affinity for cilium-agent.
@@ -933,8 +933,8 @@ certgen:
  image:
    override: ~
    repository: "quay.io/cilium/certgen"
-    tag: "v0.1.11"
-    digest: "sha256:5586de5019abc104637a9818a626956cd9b1e827327b958186ec412ae3d5dea6"
+    tag: "v0.1.9"
+    digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f"
    useDigest: true
    pullPolicy: "IfNotPresent"
  # -- Seconds after which the completed job pod will be deleted
@@ -1109,9 +1109,9 @@ hubble:
    image:
      override: ~
      repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.14.10"
+      tag: "v1.14.9"
       # hubble-relay-digest
-      digest: "sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0"
+      digest: "sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa"
      useDigest: true
      pullPolicy: "IfNotPresent"

@@ -1853,9 +1853,9 @@ envoy:
  image:
    override: ~
    repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f"
+    tag: "v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5"
    pullPolicy: "IfNotPresent"
-    digest: "sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc"
+    digest: "sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86"
    useDigest: true

  # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -2269,15 +2269,15 @@ operator:
  image:
    override: ~
    repository: "quay.io/cilium/operator"
-    tag: "v1.14.10"
+    tag: "v1.14.9"
    # operator-generic-digest
-    genericDigest: "sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909"
+    genericDigest: "sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712"
    # operator-azure-digest
-    azureDigest: "sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4"
+    azureDigest: "sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17"
    # operator-aws-digest
-    awsDigest: "sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6"
+    awsDigest: "sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec"
    # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14"
+    alibabacloudDigest: "sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5"
    useDigest: true
    pullPolicy: "IfNotPresent"
    suffix: ""
@@ -2468,8 +2468,6 @@ nodeinit:
    override: ~
    repository: "quay.io/cilium/startup-script"
    tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f"
-    digest: "sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2"
-    useDigest: true
    pullPolicy: "IfNotPresent"

  # -- The priority class to use for the nodeinit pod.
@@ -2556,9 +2554,9 @@ preflight:
  image:
    override: ~
    repository: "quay.io/cilium/cilium"
-    tag: "v1.14.10"
+    tag: "v1.14.9"
    # cilium-digest
-    digest: "sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031"
+    digest: "sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301"
    useDigest: true
    pullPolicy: "IfNotPresent"

@@ -2706,9 +2704,9 @@ clustermesh:
    image:
      override: ~
      repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.14.10"
+      tag: "v1.14.9"
      # clustermesh-apiserver-digest
-      digest: "sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798"
+      digest: "sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3"
      useDigest: true
      pullPolicy: "IfNotPresent"

@@ -2753,9 +2751,9 @@ clustermesh:
      image:
        override: ~
        repository: "quay.io/cilium/kvstoremesh"
-        tag: "v1.14.10"
+        tag: "v1.14.9"
        # kvstoremesh-digest
-        digest: "sha256:871ec4e3b07401d90b4433c7e2b7210b9b0c5f1a536caab3d0281a5faeea5070"
+        digest: "sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22"
        useDigest: true
        pullPolicy: "IfNotPresent"

--- a/packages/system/cilium/charts/cilium/values.yaml.tmpl
+++ b/packages/system/cilium/charts/cilium/values.yaml.tmpl
@@ -1854,9 +1854,9 @@ envoy:
  image:
    override: ~
    repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f"
+    tag: "v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5"
    pullPolicy: "${PULL_POLICY}"
-    digest: "sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc"
+    digest: "sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86"
    useDigest: true

  # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -2469,8 +2469,6 @@ nodeinit:
    override: ~
    repository: "${CILIUM_NODEINIT_REPO}"
    tag: "${CILIUM_NODEINIT_VERSION}"
-    digest: "${CILIUM_NODEINIT_DIGEST}"
-    useDigest: true
    pullPolicy: "${PULL_POLICY}"

  # -- The priority class to use for the nodeinit pod.
--- a/packages/system/dashboard/Makefile
+++ b/packages/system/dashboard/Makefile
@@ -14,7 +14,6 @@ update-chart:
 	helm pull bitnami/kubeapps --untar --untardir charts
 	rm -rf charts/kubeapps/charts/postgresql/
 	ln -s ../../images charts/kubeapps/images
-	sed -i 's/.cluster.local//g' charts/kubeapps/templates/kubeappsapis/deployment.yaml

 update-dockerfiles:
 	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/vmware-tanzu/kubeapps  | awk -F'[/^]' 'END{print $$3}') && \
--- a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml
@@ -133,7 +133,7 @@ spec:
            # longer-term pass something to the plugins so that the plugins won't need to
            # know these details). Currently they're used directly by the flux plugin
            - name: REDIS_ADDR
-              value: {{ printf "%s-master.%s.svc:6379" (include "kubeapps.redis.fullname" .) .Release.Namespace }}
+              value: {{ printf "%s-master.%s.svc.cluster.local:6379" (include "kubeapps.redis.fullname" .) .Release.Namespace }}
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
--- a/packages/system/dashboard/images/dashboard.json
+++ b/packages/system/dashboard/images/dashboard.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:8126f86f18708a9157206884c63dc9df7f3090a33e05f4a1b94f2a7da7610c74",
-  "containerimage.digest": "sha256:e1a285812d1ce34bcf5c37db2a5c12ec99887c930b46ac261895dc98f674c066"
+  "containerimage.config.digest": "sha256:78b413d1c9a4ecf3bec9383444b3e85c01d8b33bf903c6443bfa5bdfd8b5bc04",
+  "containerimage.digest": "sha256:ddfaadb33e33123f553a36a3ee5857a1bf53f312043f91d76ad24316591fd26e"
 }
--- a/packages/system/dashboard/images/dashboard.tag
+++ b/packages/system/dashboard/images/dashboard.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/dashboard:v0.6.0
+ghcr.io/aenix-io/cozystack/dashboard:v0.4.0
--- a/packages/system/dashboard/images/kubeapps-apis.json
+++ b/packages/system/dashboard/images/kubeapps-apis.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:79ac02f0fe54d2007b222efe05596a1bf35b8557e406d018f825a2334bd73249",
-  "containerimage.digest": "sha256:1c1dbee8e5c4be14e5df36a69be75a6a2907445564379e23b7f8fbea1afc7093"
+  "containerimage.config.digest": "sha256:bfc18fe2675fa774463e6de108e6a474b7b8c1601027f6160208e493fe2cbfde",
+  "containerimage.digest": "sha256:2c5c2e9b123d9a795bb17f33755a826e98c1bd537544d21c9cd395ad509ecb25"
 }
--- a/packages/system/dashboard/images/kubeapps-apis.tag
+++ b/packages/system/dashboard/images/kubeapps-apis.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.6.0
+ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.4.0
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -1,8 +1,3 @@
 kamaji:
  etcd:
    deploy: false
-
-  # Fix https://github.com/clastix/kamaji/pull/467
-  image:
-    repository: ghcr.io/kvaps/test
-    tag: kamaji-v0.6.0-fix
--- a/packages/system/kubeovn/Makefile
+++ b/packages/system/kubeovn/Makefile
@@ -1,28 +1,9 @@
-KUBEOVN_TAG = v1.13.0
-
 NAME=kubeovn
 NAMESPACE=cozy-$(NAME)

-include ../../../scripts/common-envs.mk
 include ../../../scripts/package-system.mk

 update:
 	rm -rf charts && mkdir -p charts/kube-ovn
 	curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/heads/master.tar.gz | \
-	tar xzvf - --strip 1 kube-ovn-master/charts
-	patch -p4 --no-backup-if-mismatch < patches/cozyconfig.diff
-	ln -s ../../images charts/kube-ovn/images
-	sed -i '/image:/ s/{{.*}}/{{ include "kubeovn.image" . }}/g' `grep -rl image: charts/kube-ovn/templates/`
-
-image:
-	docker buildx build images/kubeovn \
-		--provenance false \
-		--tag $(REGISTRY)/kubeovn:$(call settag,$(TAG)) \
-		--tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)) \
-		--tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)-$(TAG)) \
-		--cache-from type=registry,ref=$(REGISTRY)/kubeovn:latest \
-		--cache-to type=inline \
-		--metadata-file images/kubeovn.json \
-		--push=$(PUSH) \
-		--load=$(LOAD)
-	echo "$(REGISTRY)/kubeovn:$(call settag,$(TAG))" > images/kubeovn.tag
+	tar -C charts/kube-ovn -xzvf - --strip 2 kube-ovn-master/charts
--- a/packages/system/kubeovn/charts/kube-ovn/Chart.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/Chart.yaml
@@ -15,12 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.13.0
+version: 0.1.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "1.13.0"
-
-kubeVersion: ">= 1.23.0-0"
--- a/packages/system/kubeovn/charts/kube-ovn/README.md
+++ b/packages/system/kubeovn/charts/kube-ovn/README.md
@@ -10,13 +10,13 @@ $ kubectl label node -lnode-role.kubernetes.io/control-plane  kube-ovn/role=mast
 $ kubectl label node -lovn.kubernetes.io/ovs_dp_type!=userspace ovn.kubernetes.io/ovs_dp_type=kernel  --overwrite

 # standard install 
-$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0}
+$ helm install --debug kubeovn ./charts --set MASTER_NODES=${Node0}

 # high availability install
-$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2}
+$ helm install --debug kubeovn ./charts --set MASTER_NODES=${Node0},${Node1},${Node2}

 # upgrade to this version
-$ helm upgrade --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2}
+$ helm upgrade --debug kubeovn ./charts --set MASTER_NODES=${Node0},${Node1},${Node2}
 ```

 If `MASTER_NODES` unspecified Helm will take internal IPs of nodes with `kube-ovn/role=master` label
@@ -32,7 +32,7 @@ machine:
    - name: openvswitch
 ```

-and use the following options to install this Helm-chart:
+and use the following options for install this Helm-chart:

 ```
 --set cni_conf.MOUNT_LOCAL_BIN_DIR=false
--- a/packages/system/kubeovn/charts/kube-ovn/crds/crd.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/crds/crd.yaml
--- a/packages/system/kubeovn/charts/kube-ovn/images
+++ b/packages/system/kubeovn/charts/kube-ovn/images
@@ -1 +0,0 @@
-../../images
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/Chart.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: kube-ovn
+description: Helm chart for Kube-OVN
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.13.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.13.0"
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/README.md
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/README.md
@@ -0,0 +1,42 @@
+# Kube-OVN-helm
+
+Currently supported version: 1.9
+
+Installation :
+
+```bash
+$ kubectl label node -lbeta.kubernetes.io/os=linux kubernetes.io/os=linux --overwrite
+$ kubectl label node -lnode-role.kubernetes.io/control-plane  kube-ovn/role=master --overwrite
+$ kubectl label node -lovn.kubernetes.io/ovs_dp_type!=userspace ovn.kubernetes.io/ovs_dp_type=kernel  --overwrite
+
+# standard install 
+$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0}
+
+# high availability install
+$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2}
+
+# upgrade to this version
+$ helm upgrade --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2}
+```
+
+If `MASTER_NODES` unspecified Helm will take internal IPs of nodes with `kube-ovn/role=master` label
+
+### Talos Linux
+
+To install Kube-OVN on Talos Linux, declare openvswitch module in machine config:
+
+```
+machine:
+  kernel:
+    modules:
+    - name: openvswitch
+```
+
+and use the following options to install this Helm-chart:
+
+```
+--set cni_conf.MOUNT_LOCAL_BIN_DIR=false
+--set OPENVSWITCH_DIR=/var/lib/openvswitch
+--set OVN_DIR=/var/lib/ovn
+--set DISABLE_MODULES_MANAGEMENT=true
+```
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/_helpers.tpl
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/_helpers.tpl
@@ -0,0 +1,54 @@
+{{/*
+Get IP-addresses of master nodes
+*/}}
+{{- define "kubeovn.nodeIPs" -}}
+{{- $nodes := lookup "v1" "Node" "" "" -}}
+{{- $ips := list -}}
+{{- range $node := $nodes.items -}}
+  {{- $label := splitList "=" $.Values.MASTER_NODES_LABEL }}
+  {{- $key := index $label 0 }}
+  {{- $val := "" }}
+  {{- if eq (len $label) 2 }}
+  {{- $val = index $label 1 }}
+  {{- end }}
+  {{- if eq (index $node.metadata.labels $key) $val -}}
+    {{- range $address := $node.status.addresses -}}
+      {{- if eq $address.type "InternalIP" -}}
+        {{- $ips = append $ips $address.address -}}
+        {{- break -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{ join "," $ips }}
+{{- end -}}
+
+{{/*
+Number of master nodes
+*/}}
+{{- define "kubeovn.nodeCount" -}}
+  {{- len (split "," (.Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .))) }}
+{{- end -}}
+
+{{- define "kubeovn.ovs-ovn.updateStrategy" -}}
+  {{- $ds := lookup "apps/v1" "DaemonSet" $.Values.namespace "ovs-ovn" -}}
+  {{- if $ds -}}
+    {{- if eq $ds.spec.updateStrategy.type "RollingUpdate" -}}
+      RollingUpdate
+    {{- else -}}
+      {{- $imageVersion := (index $ds.spec.template.spec.containers 0).image | splitList ":" | last | trimPrefix "v" -}}
+      {{- $versionRegex := `^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)` -}}
+      {{- if regexMatch $versionRegex $imageVersion -}}
+        {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.12.0" -}}
+          RollingUpdate
+        {{- else -}}
+          OnDelete
+        {{- end -}}
+      {{- else -}}
+        OnDelete
+      {{- end -}}
+    {{- end -}}
+  {{- else -}}
+    RollingUpdate
+  {{- end -}}
+{{- end -}}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/central-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/central-deploy.yaml
@@ -0,0 +1,161 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: ovn-central
+  namespace: {{ .Values.namespace }}
+  annotations:
+    kubernetes.io/description: |
+      OVN components: northd, nb and sb.
+spec:
+  replicas: {{ include "kubeovn.nodeCount" . }}
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: ovn-central
+  template:
+    metadata:
+      labels:
+        app: ovn-central
+        component: network
+        type: infra
+    spec:
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - key: CriticalAddonsOnly
+          operator: Exists
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: ovn-central
+              topologyKey: kubernetes.io/hostname
+      priorityClassName: system-cluster-critical
+      serviceAccountName: ovn-ovs
+      hostNetwork: true
+      containers:
+        - name: ovn-central
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: 
+          - /kube-ovn/start-db.sh
+          securityContext:
+            capabilities:
+              add: ["SYS_NICE"]
+          env:
+            - name: ENABLE_SSL
+              value: "{{ .Values.networking.ENABLE_SSL }}"
+            - name: NODE_IPS
+              value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_IPS
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIPs
+            - name: ENABLE_BIND_LOCAL_IP
+              value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}"
+            - name: PROBE_INTERVAL
+              value: "{{ .Values.networking.PROBE_INTERVAL }}"
+            - name: OVN_NORTHD_PROBE_INTERVAL
+              value: "{{ .Values.networking.OVN_NORTHD_PROBE_INTERVAL}}"
+            - name: OVN_LEADER_PROBE_INTERVAL
+              value: "{{ .Values.networking.OVN_LEADER_PROBE_INTERVAL }}"
+            - name: OVN_NORTHD_N_THREADS
+              value: "{{ .Values.networking.OVN_NORTHD_N_THREADS }}"
+            - name: ENABLE_COMPACT
+              value: "{{ .Values.networking.ENABLE_COMPACT }}"
+            {{- if include "kubeovn.ovs-ovn.updateStrategy" . | eq "OnDelete" }}
+            - name: OVN_VERSION_COMPATIBILITY
+              value: "21.06"
+            {{- end }}
+          resources:
+            requests:
+              cpu: {{ index .Values "ovn-central" "requests" "cpu" }}
+              memory: {{ index .Values "ovn-central" "requests" "memory" }}
+            limits:
+              cpu: {{ index .Values "ovn-central" "limits" "cpu" }}
+              memory: {{ index .Values "ovn-central" "limits" "memory" }}
+          volumeMounts:
+            - mountPath: /var/run/openvswitch
+              name: host-run-ovs
+            - mountPath: /var/run/ovn
+              name: host-run-ovn
+            - mountPath: /etc/openvswitch
+              name: host-config-openvswitch
+            - mountPath: /etc/ovn
+              name: host-config-ovn
+            - mountPath: /var/log/openvswitch
+              name: host-log-ovs
+            - mountPath: /var/log/ovn
+              name: host-log-ovn
+            - mountPath: /etc/localtime
+              name: localtime
+              readOnly: true
+            - mountPath: /var/run/tls
+              name: kube-ovn-tls
+          readinessProbe:
+            exec:
+              command:
+                - bash
+                - /kube-ovn/ovn-healthcheck.sh
+            periodSeconds: 15
+            timeoutSeconds: 45
+          livenessProbe:
+            exec:
+              command:
+                - bash
+                - /kube-ovn/ovn-healthcheck.sh
+            initialDelaySeconds: 30
+            periodSeconds: 15
+            failureThreshold: 5
+            timeoutSeconds: 45
+      nodeSelector:
+        kubernetes.io/os: "linux"
+        {{- with splitList "=" .Values.MASTER_NODES_LABEL }}
+        {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}"
+        {{- end }}
+      volumes:
+        - name: host-run-ovs
+          hostPath:
+            path: /run/openvswitch
+        - name: host-run-ovn
+          hostPath:
+            path: /run/ovn
+        - name: host-config-openvswitch
+          hostPath:
+            path: {{ .Values.OPENVSWITCH_DIR }}
+        - name: host-config-ovn
+          hostPath:
+            path: {{ .Values.OVN_DIR }}
+        - name: host-log-ovs
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/openvswitch
+        - name: host-log-ovn
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/ovn
+        - name: localtime
+          hostPath:
+            path: /etc/localtime
+        - name: kube-ovn-tls
+          secret:
+            optional: true
+            secretName: kube-ovn-tls
+
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-deploy.yaml
@@ -0,0 +1,190 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: kube-ovn-controller
+  namespace: {{ .Values.namespace }}
+  annotations:
+    kubernetes.io/description: |
+      kube-ovn controller
+spec:
+  replicas: {{ include "kubeovn.nodeCount" . }}
+  selector:
+    matchLabels:
+      app: kube-ovn-controller
+  strategy:
+    rollingUpdate:
+      maxSurge: 0%
+      maxUnavailable: 100%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: kube-ovn-controller
+        component: network
+        type: infra
+    spec:
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - key: CriticalAddonsOnly
+          operator: Exists
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - preference:
+                matchExpressions:
+                  - key: "ovn.kubernetes.io/ic-gw"
+                    operator: NotIn
+                    values:
+                      - "true"
+              weight: 100
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: kube-ovn-controller
+              topologyKey: kubernetes.io/hostname
+      priorityClassName: system-cluster-critical
+      serviceAccountName: ovn
+      hostNetwork: true
+      containers:
+        - name: kube-ovn-controller
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+          - /kube-ovn/start-controller.sh
+          - --default-ls={{ .Values.networking.DEFAULT_SUBNET }}
+          - --default-cidr=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.POD_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.POD_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.POD_CIDR }}
+          {{- end }}
+          - --default-gateway=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.POD_GATEWAY }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.POD_GATEWAY }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.POD_GATEWAY }}
+          {{- end }}
+          - --default-gateway-check={{- .Values.func.CHECK_GATEWAY }}
+          - --default-logical-gateway={{- .Values.func.LOGICAL_GATEWAY }}
+          - --default-u2o-interconnection={{- .Values.func.U2O_INTERCONNECTION }}
+          - --default-exclude-ips={{- .Values.networking.EXCLUDE_IPS }}
+          - --cluster-router={{ .Values.networking.DEFAULT_VPC }}
+          - --node-switch={{ .Values.networking.NODE_SUBNET }}
+          - --node-switch-cidr=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.JOIN_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.JOIN_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.JOIN_CIDR }}
+          {{- end }}
+          - --service-cluster-ip-range=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.SVC_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.SVC_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.SVC_CIDR }}
+          {{- end }}
+          - --network-type={{- .Values.networking.NETWORK_TYPE }}
+          - --default-provider-name={{ .Values.networking.vlan.PROVIDER_NAME }}
+          - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }}
+          - --default-exchange-link-name={{- .Values.networking.EXCHANGE_LINK_NAME }}
+          - --default-vlan-name={{- .Values.networking.vlan.VLAN_NAME }}
+          - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }}
+          - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }}
+          - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }}
+          - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }}
+          - --enable-lb={{- .Values.func.ENABLE_LB }}
+          - --enable-np={{- .Values.func.ENABLE_NP }}
+          - --enable-eip-snat={{- .Values.networking.ENABLE_EIP_SNAT }}
+          - --enable-external-vpc={{- .Values.func.ENABLE_EXTERNAL_VPC }}
+          - --enable-ecmp={{- .Values.networking.ENABLE_ECMP }}
+          - --logtostderr=false
+          - --alsologtostderr=true
+          - --gc-interval={{- .Values.performance.GC_INTERVAL }}
+          - --inspect-interval={{- .Values.performance.INSPECT_INTERVAL }}
+          - --log_file=/var/log/kube-ovn/kube-ovn-controller.log
+          - --log_file_max_size=0
+          - --enable-lb-svc={{- .Values.func.ENABLE_LB_SVC }}
+          - --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }}
+          - --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
+          - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }}
+          env:
+            - name: ENABLE_SSL
+              value: "{{ .Values.networking.ENABLE_SSL }}"
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: KUBE_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: OVN_DB_IPS
+              value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
+            - name: POD_IPS
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIPs
+            - name: ENABLE_BIND_LOCAL_IP
+              value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}"
+          volumeMounts:
+            - mountPath: /etc/localtime
+              name: localtime
+              readOnly: true
+            - mountPath: /var/log/kube-ovn
+              name: kube-ovn-log
+            # ovn-ic log directory
+            - mountPath: /var/log/ovn
+              name: ovn-log
+            - mountPath: /var/run/tls
+              name: kube-ovn-tls
+          readinessProbe:
+            exec:
+              command:
+                - /kube-ovn/kube-ovn-controller-healthcheck
+            periodSeconds: 3
+            timeoutSeconds: 45
+          livenessProbe:
+            exec:
+              command:
+                - /kube-ovn/kube-ovn-controller-healthcheck
+            initialDelaySeconds: 300
+            periodSeconds: 7
+            failureThreshold: 5
+            timeoutSeconds: 45
+          resources:
+            requests:
+              cpu: {{ index .Values "kube-ovn-controller" "requests" "cpu" }}
+              memory: {{ index .Values "kube-ovn-controller" "requests" "memory" }}
+            limits:
+              cpu: {{ index .Values "kube-ovn-controller" "limits" "cpu" }}
+              memory: {{ index .Values "kube-ovn-controller" "limits" "memory" }}
+      nodeSelector:
+        kubernetes.io/os: "linux"
+      volumes:
+        - name: localtime
+          hostPath:
+            path: /etc/localtime
+        - name: kube-ovn-log
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn
+        - name: ovn-log
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/ovn
+        - name: kube-ovn-tls
+          secret:
+            optional: true
+            secretName: kube-ovn-tls
+
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-svc.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-svc.yaml
@@ -0,0 +1,16 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: kube-ovn-controller
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: kube-ovn-controller
+spec:
+  selector:
+    app: kube-ovn-controller
+  ports:
+    - port: 10660
+      name: metrics
+  {{- if eq .Values.networking.NET_STACK "dual_stack" }}
+  ipFamilyPolicy: PreferDualStack
+  {{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ic-controller-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ic-controller-deploy.yaml
@@ -43,7 +43,7 @@ spec:
      hostNetwork: true
      containers:
        - name: ovn-ic-controller
-          image: {{ include "kubeovn.image" . }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: ["/kube-ovn/start-ic-controller.sh"]
          args:
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/kube-ovn-crd.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/kube-ovn-crd.yaml
@@ -1268,15 +1268,9 @@ spec:
      - jsonPath: .status.v4Eip
        name: V4Eip
        type: string
-      - jsonPath: .status.v6Eip
-        name: V6Eip
-        type: string
      - jsonPath: .status.v4Ip
        name: V4Ip
        type: string
-      - jsonPath: .status.v6Ip
-        name: V6Ip
-        type: string
      - jsonPath: .status.ready
        name: Ready
        type: boolean
@@ -1331,8 +1325,6 @@ spec:
                  type: string
                v4Ip:
                  type: string
-                v6Ip:
-                  type: string
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -1361,15 +1353,9 @@ spec:
      - jsonPath: .status.v4Eip
        name: V4Eip
        type: string
-      - jsonPath: .status.v6Eip
-        name: V6Eip
-        type: string
      - jsonPath: .status.v4IpCidr
        name: V4IpCidr
        type: string
-      - jsonPath: .status.v6IpCidr
-        name: V6IpCidr
-        type: string
      - jsonPath: .status.ready
        name: Ready
        type: boolean
@@ -1384,12 +1370,8 @@ spec:
                  type: boolean
                v4Eip:
                  type: string
-                v6Eip:
-                  type: string
                v4IpCidr:
                  type: string
-                v6IpCidr:
-                  type: string
                vpc:
                  type: string
                conditions:
@@ -1422,8 +1404,6 @@ spec:
                  type: string
                v4IpCidr:
                  type: string
-                v6IpCidr:
-                  type: string
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -1458,15 +1438,9 @@ spec:
        - jsonPath: .status.v4Eip
          name: V4Eip
          type: string
-        - jsonPath: .status.v6Eip
-          name: V6Eip
-          type: string
        - jsonPath: .status.v4Ip
          name: V4Ip
          type: string
-        - jsonPath: .status.v6Ip
-          name: V6Ip
-          type: string
        - jsonPath: .status.internalPort
          name: InternalPort
          type: string
@@ -1538,8 +1512,6 @@ spec:
                  type: string
                v4Ip:
                  type: string
-                v6Ip:
-                  type: string
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -1901,9 +1873,6 @@ spec:
      - name: Vpc
        type: string
        jsonPath: .spec.vpc
-      - name: Vlan
-        type: string
-        jsonPath: .spec.vlan
      - name: Protocol
        type: string
        jsonPath: .spec.protocol
@@ -1944,12 +1913,6 @@ spec:
        openAPIV3Schema:
          type: object
          properties:
-            metadata:
-              type: object
-              properties:
-                name:
-                  type: string
-                  pattern: ^[^0-9]
            status:
              type: object
              properties:
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-deploy.yaml
@@ -0,0 +1,139 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: kube-ovn-monitor
+  namespace: {{ .Values.namespace }}
+  annotations:
+    kubernetes.io/description: |
+      Metrics for OVN components: northd, nb and sb.
+spec:
+  replicas: 1
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: kube-ovn-monitor
+  template:
+    metadata:
+      labels:
+        app: kube-ovn-monitor
+        component: network
+        type: infra
+    spec:
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - key: CriticalAddonsOnly
+          operator: Exists
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: kube-ovn-monitor
+              topologyKey: kubernetes.io/hostname
+      priorityClassName: system-cluster-critical
+      serviceAccountName: kube-ovn-app
+      hostNetwork: true
+      containers:
+        - name: kube-ovn-monitor
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["/kube-ovn/start-ovn-monitor.sh"]
+          args:
+          - --log_file=/var/log/kube-ovn/kube-ovn-monitor.log
+          - --logtostderr=false
+          - --alsologtostderr=true
+          - --log_file_max_size=0
+          securityContext:
+            runAsUser: 0
+            privileged: false
+          env:
+            - name: ENABLE_SSL
+              value: "{{ .Values.networking.ENABLE_SSL }}"
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: POD_IPS
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIPs
+            - name: ENABLE_BIND_LOCAL_IP
+              value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}"
+          resources:
+            requests:
+              cpu: {{ index .Values "kube-ovn-monitor" "requests" "cpu" }}
+              memory: {{ index .Values "kube-ovn-monitor" "requests" "memory" }}
+            limits:
+              cpu: {{ index .Values "kube-ovn-monitor" "limits" "cpu" }}
+              memory: {{ index .Values "kube-ovn-monitor" "limits" "memory" }}
+          volumeMounts:
+            - mountPath: /var/run/openvswitch
+              name: host-run-ovs
+            - mountPath: /var/run/ovn
+              name: host-run-ovn
+            - mountPath: /etc/openvswitch
+              name: host-config-openvswitch
+            - mountPath: /etc/ovn
+              name: host-config-ovn
+            - mountPath: /var/log/ovn
+              name: host-log-ovn
+              readOnly: true
+            - mountPath: /etc/localtime
+              name: localtime
+              readOnly: true
+            - mountPath: /var/run/tls
+              name: kube-ovn-tls
+            - mountPath: /var/log/kube-ovn
+              name: kube-ovn-log
+          livenessProbe:
+            failureThreshold: 3
+            initialDelaySeconds: 30
+            periodSeconds: 7
+            successThreshold: 1
+            tcpSocket:
+              port: 10661
+            timeoutSeconds: 3
+          readinessProbe:
+            failureThreshold: 3
+            initialDelaySeconds: 30
+            periodSeconds: 7
+            successThreshold: 1
+            tcpSocket:
+              port: 10661
+            timeoutSeconds: 3
+      nodeSelector:
+        kubernetes.io/os: "linux"
+        {{- with splitList "=" .Values.MASTER_NODES_LABEL }}
+        {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}"
+        {{- end }}
+      volumes:
+        - name: host-run-ovs
+          hostPath:
+            path: /run/openvswitch
+        - name: host-run-ovn
+          hostPath:
+            path: /run/ovn
+        - name: host-config-openvswitch
+          hostPath:
+            path: {{ .Values.OPENVSWITCH_DIR }}
+        - name: host-config-ovn
+          hostPath:
+            path: {{ .Values.OVN_DIR }}
+        - name: host-log-ovn
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/ovn
+        - name: localtime
+          hostPath:
+            path: /etc/localtime
+        - name: kube-ovn-tls
+          secret:
+            optional: true
+            secretName: kube-ovn-tls
+        - name: kube-ovn-log
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-svc.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-svc.yaml
@@ -0,0 +1,18 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: kube-ovn-monitor
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: kube-ovn-monitor
+spec:
+  ports:
+    - name: metrics
+      port: 10661
+  type: ClusterIP
+  selector:
+    app: kube-ovn-monitor
+  sessionAffinity: None
+  {{- if eq .Values.networking.NET_STACK "dual_stack" }}
+  ipFamilyPolicy: PreferDualStack
+  {{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/nb-svc.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/nb-svc.yaml
@@ -0,0 +1,19 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: ovn-nb
+  namespace: {{ .Values.namespace }}
+spec:
+  ports:
+    - name: ovn-nb
+      protocol: TCP
+      port: 6641
+      targetPort: 6641
+  type: ClusterIP
+  {{- if eq .Values.networking.NET_STACK "dual_stack" }}
+  ipFamilyPolicy: PreferDualStack
+  {{- end }}
+  selector:
+    app: ovn-central
+    ovn-nb-leader: "true"
+  sessionAffinity: None
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/northd-svc.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/northd-svc.yaml
@@ -0,0 +1,19 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: ovn-northd
+  namespace: {{ .Values.namespace }}
+spec:
+  ports:
+    - name: ovn-northd
+      protocol: TCP
+      port: 6643
+      targetPort: 6643
+  type: ClusterIP
+  {{- if eq .Values.networking.NET_STACK "dual_stack" }}
+  ipFamilyPolicy: PreferDualStack
+  {{- end }}
+  selector:
+    app: ovn-central
+    ovn-northd-leader: "true"
+  sessionAffinity: None
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CR.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CR.yaml
@@ -0,0 +1,256 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.k8s.io/system-only: "true"
+  name: system:ovn
+rules:
+  - apiGroups:
+      - "kubeovn.io"
+    resources:
+      - vpcs
+      - vpcs/status
+      - vpc-nat-gateways
+      - vpc-nat-gateways/status
+      - subnets
+      - subnets/status
+      - ippools
+      - ippools/status
+      - ips
+      - vips
+      - vips/status
+      - vlans
+      - vlans/status
+      - provider-networks
+      - provider-networks/status
+      - security-groups
+      - security-groups/status
+      - iptables-eips
+      - iptables-fip-rules
+      - iptables-dnat-rules
+      - iptables-snat-rules
+      - iptables-eips/status
+      - iptables-fip-rules/status
+      - iptables-dnat-rules/status
+      - iptables-snat-rules/status
+      - ovn-eips
+      - ovn-fips
+      - ovn-snat-rules
+      - ovn-eips/status
+      - ovn-fips/status
+      - ovn-snat-rules/status
+      - ovn-dnat-rules
+      - ovn-dnat-rules/status
+      - switch-lb-rules
+      - switch-lb-rules/status
+      - vpc-dnses
+      - vpc-dnses/status
+      - qos-policies
+      - qos-policies/status
+    verbs:
+      - "*"
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - namespaces
+    verbs:
+      - get
+      - list
+      - patch
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/exec
+    verbs:
+      - create
+  - apiGroups:
+      - "k8s.cni.cncf.io"
+    resources:
+      - network-attachment-definitions
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - services/status
+    verbs:
+      - get
+      - list
+      - update
+      - create
+      - delete
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - create
+      - update
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+      - deployments
+      - deployments/scale
+    verbs:
+      - get
+      - list
+      - create
+      - delete
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+      - update
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - "*"
+  - apiGroups:
+      - "kubevirt.io"
+    resources:
+      - virtualmachines
+      - virtualmachineinstances
+    verbs:
+      - get
+      - list
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.k8s.io/system-only: "true"
+  name: system:ovn-ovs
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+    verbs:
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - controllerrevisions
+    verbs:
+      - get
+      - list
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.k8s.io/system-only: "true"
+  name: system:kube-ovn-cni
+rules:
+  - apiGroups:
+      - "kubeovn.io"
+      - ""
+    resources:
+      - subnets
+      - provider-networks
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+      - "kubeovn.io"
+    resources:
+      - ovn-eips
+      - ovn-eips/status
+      - nodes
+    verbs:
+      - get
+      - list
+      - patch
+      - watch
+  - apiGroups:
+      - "kubeovn.io"
+    resources:
+      - ips
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+      - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.k8s.io/system-only: "true"
+  name: system:kube-ovn-app
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - nodes
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+    verbs:
+      - get
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CRB.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CRB.yaml
@@ -0,0 +1,54 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ovn
+roleRef:
+  name: system:ovn
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: ovn
+    namespace: {{ .Values.namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ovn-ovs
+roleRef:
+  name: system:ovn-ovs
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: ovn-ovs
+    namespace: {{ .Values.namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-ovn-cni
+roleRef:
+  name: system:kube-ovn-cni
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: kube-ovn-cni
+    namespace: {{ .Values.namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-ovn-app
+roleRef:
+  name: system:kube-ovn-app
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: kube-ovn-app
+    namespace: {{ .Values.namespace }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-dpdk-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-dpdk-ds.yaml
@@ -0,0 +1,164 @@
+{{- if .Values.HYBRID_DPDK }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: ovs-ovn-dpdk
+  namespace: {{ .Values.namespace }}
+  annotations:
+    kubernetes.io/description: |
+      This daemon set launches the openvswitch daemon.
+spec:
+  selector:
+    matchLabels:
+      app: ovs-dpdk
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        app: ovs-dpdk
+        component: network
+        type: infra
+    spec:
+      tolerations:
+      - operator: Exists
+      priorityClassName: system-node-critical
+      serviceAccountName: ovn-ovs
+      hostNetwork: true
+      hostPID: true
+      containers:
+        - name: openvswitch
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}-dpdk
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["/kube-ovn/start-ovs-dpdk-v2.sh"]
+          securityContext:
+            runAsUser: 0
+            privileged: true
+          env:
+            - name: ENABLE_SSL
+              value: "{{ .Values.networking.ENABLE_SSL }}"
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: HW_OFFLOAD
+              value: "{{- .Values.func.HW_OFFLOAD }}"
+            - name: TUNNEL_TYPE
+              value: "{{- .Values.networking.TUNNEL_TYPE }}"
+            - name: DPDK_TUNNEL_IFACE
+              value: "{{- .Values.networking.DPDK_TUNNEL_IFACE }}"
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: OVN_DB_IPS
+              value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
+            - name: OVN_REMOTE_PROBE_INTERVAL
+              value: "{{ .Values.networking.OVN_REMOTE_PROBE_INTERVAL }}"
+            - name: OVN_REMOTE_OPENFLOW_INTERVAL
+              value: "{{ .Values.networking.OVN_REMOTE_OPENFLOW_INTERVAL }}"
+          volumeMounts:
+            - mountPath: /opt/ovs-config
+              name: host-config-ovs
+            - name: shareddir
+              mountPath: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods
+            - name: hugepage
+              mountPath: /dev/hugepages
+            - mountPath: /lib/modules
+              name: host-modules
+              readOnly: true
+            - mountPath: /var/run/openvswitch
+              name: host-run-ovs
+              mountPropagation: HostToContainer
+            - mountPath: /var/run/ovn
+              name: host-run-ovn
+            - mountPath: /sys
+              name: host-sys
+            - mountPath: /etc/openvswitch
+              name: host-config-openvswitch
+            - mountPath: /etc/ovn
+              name: host-config-ovn
+            - mountPath: /var/log/openvswitch
+              name: host-log-ovs
+            - mountPath: /var/log/ovn
+              name: host-log-ovn
+            - mountPath: /etc/localtime
+              name: localtime
+              readOnly: true
+            - mountPath: /var/run/tls
+              name: kube-ovn-tls
+          readinessProbe:
+            exec:
+              command:
+                - bash
+                - -c
+                - LOG_ROTATE=true /kube-ovn/ovs-healthcheck.sh
+            periodSeconds: 5
+            timeoutSeconds: 45
+          livenessProbe:
+            exec:
+              command:
+                - bash
+                - /kube-ovn/ovs-healthcheck.sh
+            initialDelaySeconds: 60
+            periodSeconds: 5
+            failureThreshold: 5
+            timeoutSeconds: 45
+          resources:
+            requests:
+              cpu: {{ index .Values "ovs-ovn" "requests" "cpu" }}
+              memory: {{ index .Values "ovs-ovn" "requests" "memory" }}
+            limits:
+              cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }}
+              {{.Values.HUGEPAGE_SIZE_TYPE}}: {{.Values.HUGEPAGES}}
+              memory: {{ index .Values "ovs-ovn" "limits" "memory" }}
+      nodeSelector:
+        kubernetes.io/os: "linux"
+        ovn.kubernetes.io/ovs_dp_type: "userspace"
+      volumes:
+        - name: host-config-ovs
+          hostPath:
+            path: /opt/ovs-config
+            type: DirectoryOrCreate
+        - name: shareddir
+          hostPath:
+            path: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods
+            type: ''
+        - name: hugepage
+          emptyDir:
+            medium: HugePages
+        - name: host-modules
+          hostPath:
+            path: /lib/modules
+        - name: host-run-ovs
+          hostPath:
+            path: /run/openvswitch
+        - name: host-run-ovn
+          hostPath:
+            path: /run/ovn
+        - name: host-sys
+          hostPath:
+            path: /sys
+        - name: host-config-openvswitch
+          hostPath:
+            path: {{ .Values.OPENVSWITCH_DIR }}
+        - name: host-config-ovn
+          hostPath:
+            path: {{ .Values.OVN_DIR }}
+        - name: host-log-ovs
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/openvswitch
+        - name: host-log-ovn
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/ovn
+        - name: localtime
+          hostPath:
+            path: /etc/localtime
+        - name: kube-ovn-tls
+          secret:
+            optional: true
+            secretName: kube-ovn-tls
+{{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-sa.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-sa.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ovn
+  namespace: {{ .Values.namespace }}
+{{-  if .Values.global.registry.imagePullSecrets }}
+imagePullSecrets:
+{{- range $index, $secret := .Values.global.registry.imagePullSecrets }}
+{{- if $secret }}
+- name: {{ $secret | quote}}
+{{- end }}
+{{- end }}
+{{- end }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ovn-ovs
+  namespace: {{ .Values.namespace }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-ovn-cni
+  namespace: {{ .Values.namespace }}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-ovn-app
+  namespace: {{ .Values.namespace }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-tls-secret.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-tls-secret.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.networking.ENABLE_SSL }}
+{{- $cn := "ovn" -}}
+{{- $ca := genCA "ovn-ca" 3650 -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kube-ovn-tls
+  namespace: {{ .Values.namespace }}
+data:
+{{- $existingSecret := lookup "v1" "Secret" .Values.namespace "kube-ovn-tls" }}
+  {{- if $existingSecret }}
+  cacert: {{ index $existingSecret.data "cacert" }}
+  cert: {{ index $existingSecret.data "cert" }}
+  key: {{ index $existingSecret.data "key" }}
+  {{- else }}
+  {{- with genSignedCert $cn nil nil 3650 $ca }}
+  cacert: {{ b64enc $ca.Cert }}
+  cert: {{ b64enc .Cert }}
+  key: {{ b64enc .Key }}
+  {{- end }}
+  {{- end }}
+{{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-ds.yaml
@@ -0,0 +1,206 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: kube-ovn-cni
+  namespace: {{ .Values.namespace }}
+  annotations:
+    kubernetes.io/description: |
+      This daemon set launches the kube-ovn cni daemon.
+spec:
+  selector:
+    matchLabels:
+      app: kube-ovn-cni
+  template:
+    metadata:
+      labels:
+        app: kube-ovn-cni
+        component: network
+        type: infra
+    spec:
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - key: CriticalAddonsOnly
+          operator: Exists
+      priorityClassName: system-node-critical
+      serviceAccountName: kube-ovn-cni
+      hostNetwork: true
+      hostPID: true
+      initContainers:
+      - name: install-cni
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command: ["/kube-ovn/install-cni.sh"]
+        securityContext:
+          runAsUser: 0
+          privileged: true
+        volumeMounts:
+          - mountPath: /opt/cni/bin
+            name: cni-bin
+          {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
+          - mountPath: /usr/local/bin
+            name: local-bin
+          {{- end }}
+      containers:
+      - name: cni-server
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command:
+          - bash
+          - /kube-ovn/start-cniserver.sh
+        args:
+          - --enable-mirror={{- .Values.debug.ENABLE_MIRROR }}
+          - --mirror-iface={{- .Values.debug.MIRROR_IFACE }}
+          - --node-switch={{ .Values.networking.NODE_SUBNET }}
+          - --encap-checksum=true
+          - --service-cluster-ip-range=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.SVC_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.SVC_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.SVC_CIDR }}
+          {{- end }}
+          {{- if eq .Values.networking.NETWORK_TYPE "vlan" }}
+          - --iface=
+          {{- else}}
+          - --iface={{- .Values.networking.IFACE }}
+          {{- end }}
+          - --dpdk-tunnel-iface={{- .Values.networking.DPDK_TUNNEL_IFACE }}
+          - --network-type={{- .Values.networking.TUNNEL_TYPE }}
+          - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }}
+          - --cni-conf-dir={{ .Values.cni_conf.CNI_CONF_DIR }}
+          - --cni-conf-file={{ .Values.cni_conf.CNI_CONF_FILE }}
+          - --cni-conf-name={{- .Values.cni_conf.CNI_CONFIG_PRIORITY -}}-kube-ovn.conflist
+          - --logtostderr=false
+          - --alsologtostderr=true
+          - --log_file=/var/log/kube-ovn/kube-ovn-cni.log
+          - --log_file_max_size=0
+          - --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
+          - --kubelet-dir={{ .Values.kubelet_conf.KUBELET_DIR }}
+          - --enable-tproxy={{ .Values.func.ENABLE_TPROXY }}
+          - --ovs-vsctl-concurrency={{ .Values.performance.OVS_VSCTL_CONCURRENCY }}
+        securityContext:
+          runAsUser: 0
+          privileged: true
+        env:
+          - name: ENABLE_SSL
+            value: "{{ .Values.networking.ENABLE_SSL }}"
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          - name: KUBE_NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: POD_IPS
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIPs
+          - name: ENABLE_BIND_LOCAL_IP
+            value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}"
+          - name: DBUS_SYSTEM_BUS_ADDRESS
+            value: "unix:path=/host/var/run/dbus/system_bus_socket"
+        volumeMounts:
+          - name: host-modules
+            mountPath: /lib/modules
+            readOnly: true
+          - name: shared-dir
+            mountPath: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods
+          - mountPath: /etc/openvswitch
+            name: systemid
+            readOnly: true
+          - mountPath: /etc/cni/net.d
+            name: cni-conf
+          - mountPath: /run/openvswitch
+            name: host-run-ovs
+            mountPropagation: Bidirectional
+          - mountPath: /run/ovn
+            name: host-run-ovn
+          - mountPath: /host/var/run/dbus
+            name: host-dbus
+            mountPropagation: HostToContainer
+          - mountPath: /var/run/netns
+            name: host-ns
+            mountPropagation: HostToContainer
+          - mountPath: /var/log/kube-ovn
+            name: kube-ovn-log
+          - mountPath: /var/log/openvswitch
+            name: host-log-ovs
+          - mountPath: /var/log/ovn
+            name: host-log-ovn
+          - mountPath: /etc/localtime
+            name: localtime
+            readOnly: true
+        readinessProbe:
+          failureThreshold: 3
+          periodSeconds: 7
+          successThreshold: 1
+          tcpSocket:
+            port: 10665
+          timeoutSeconds: 3
+        livenessProbe:
+          failureThreshold: 3
+          initialDelaySeconds: 30
+          periodSeconds: 7
+          successThreshold: 1
+          tcpSocket:
+            port: 10665
+          timeoutSeconds: 3
+        resources:
+          requests:
+            cpu: {{ index .Values "kube-ovn-cni" "requests" "cpu" }}
+            memory: {{ index .Values "kube-ovn-cni" "requests" "memory" }}
+          limits:
+            cpu: {{ index .Values "kube-ovn-cni" "limits" "cpu" }}
+            memory: {{ index .Values "kube-ovn-cni" "limits" "memory" }}
+      nodeSelector:
+        kubernetes.io/os: "linux"
+      volumes:
+        - name: host-modules
+          hostPath:
+            path: /lib/modules
+        - name: shared-dir
+          hostPath:
+            path: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods
+        - name: systemid
+          hostPath:
+            path: {{ .Values.OPENVSWITCH_DIR }}
+        - name: host-run-ovs
+          hostPath:
+            path: /run/openvswitch
+        - name: host-run-ovn
+          hostPath:
+            path: /run/ovn
+        - name: cni-conf
+          hostPath:
+            path: {{ .Values.cni_conf.CNI_CONF_DIR }}
+        - name: cni-bin
+          hostPath:
+            path: {{ .Values.cni_conf.CNI_BIN_DIR }}
+        - name: host-ns
+          hostPath:
+            path: /var/run/netns
+        - name: host-dbus
+          hostPath:
+            path: /var/run/dbus
+        - name: kube-ovn-log
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn
+        - name: localtime
+          hostPath:
+            path: /etc/localtime
+        - name: host-log-ovs
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/openvswitch
+        - name: host-log-ovn
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/ovn
+        {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
+        - name: local-bin
+          hostPath:
+            path: {{ .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
+        {{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-svc.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-svc.yaml
@@ -0,0 +1,16 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: kube-ovn-cni
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: kube-ovn-cni
+spec:
+  selector:
+    app: kube-ovn-cni
+  ports:
+    - port: 10665
+      name: metrics
+  {{- if eq .Values.networking.NET_STACK "dual_stack" }}
+  ipFamilyPolicy: PreferDualStack
+  {{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovsovn-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovsovn-ds.yaml
@@ -0,0 +1,221 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: ovs-ovn
+  namespace: {{ .Values.namespace }}
+  annotations:
+    kubernetes.io/description: |
+      This daemon set launches the openvswitch daemon.
+    chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+spec:
+  selector:
+    matchLabels:
+      app: ovs
+  updateStrategy:
+    type: {{ include "kubeovn.ovs-ovn.updateStrategy" . }}
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        app: ovs
+        component: network
+        type: infra
+      annotations:
+        chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    spec:
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - key: CriticalAddonsOnly
+          operator: Exists
+      priorityClassName: system-node-critical
+      serviceAccountName: ovn-ovs
+      hostNetwork: true
+      hostPID: true
+      containers:
+        - name: openvswitch
+          {{- if .Values.DPDK }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.DPDK_VERSION }}-{{ .Values.global.images.kubeovn.tag }}
+          {{- else }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          {{- end }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.DPDK }}
+          command: ["/kube-ovn/start-ovs-dpdk.sh"]
+          {{- else }}
+          command: 
+          {{- if .Values.DISABLE_MODULES_MANAGEMENT }}
+          - /bin/sh
+          - -ec
+          - |
+              ln -sf /bin/true /usr/sbin/modprobe
+              ln -sf /bin/true /usr/sbin/modinfo
+              ln -sf /bin/true /usr/sbin/rmmod
+              exec /kube-ovn/start-ovs.sh
+          {{- else }}
+          - /kube-ovn/start-ovs.sh
+          {{- end }}
+          {{- end }}
+          securityContext:
+            runAsUser: 0
+            privileged: true
+          env:
+            - name: ENABLE_SSL
+              value: "{{ .Values.networking.ENABLE_SSL }}"
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: HW_OFFLOAD
+              value: "{{- .Values.func.HW_OFFLOAD }}"
+            - name: TUNNEL_TYPE
+              value: "{{- .Values.networking.TUNNEL_TYPE }}"
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: OVN_DB_IPS
+              value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
+            - name: OVN_REMOTE_PROBE_INTERVAL
+              value: "{{ .Values.networking.OVN_REMOTE_PROBE_INTERVAL }}"
+            - name: OVN_REMOTE_OPENFLOW_INTERVAL
+              value: "{{ .Values.networking.OVN_REMOTE_OPENFLOW_INTERVAL }}"
+          volumeMounts:
+            - mountPath: /var/run/netns
+              name: host-ns
+              mountPropagation: HostToContainer
+            - mountPath: /lib/modules
+              name: host-modules
+              readOnly: true
+            - mountPath: /var/run/openvswitch
+              name: host-run-ovs
+            - mountPath: /var/run/ovn
+              name: host-run-ovn
+            - mountPath: /etc/openvswitch
+              name: host-config-openvswitch
+            - mountPath: /etc/ovn
+              name: host-config-ovn
+            - mountPath: /var/log/openvswitch
+              name: host-log-ovs
+            - mountPath: /var/log/ovn
+              name: host-log-ovn
+            - mountPath: /etc/localtime
+              name: localtime
+              readOnly: true
+            - mountPath: /var/run/tls
+              name: kube-ovn-tls
+            - mountPath: /var/run/containerd
+              name: cruntime
+              readOnly: true
+            {{- if .Values.DPDK }}
+            - mountPath: /opt/ovs-config
+              name: host-config-ovs
+            - mountPath: /dev/hugepages
+              name: hugepage
+            {{- end }}
+          readinessProbe:
+            exec:
+              {{- if .Values.DPDK }}
+              command:
+                - bash
+                - /kube-ovn/ovs-dpdk-healthcheck.sh
+              {{- else }}
+              command:
+                - bash
+                - -c
+                - LOG_ROTATE=true /kube-ovn/ovs-healthcheck.sh
+              {{- end }}
+            initialDelaySeconds: 10
+            periodSeconds: 5
+            timeoutSeconds: 45
+          livenessProbe:
+            exec:
+              {{- if .Values.DPDK }}
+              command:
+                - bash
+                - /kube-ovn/ovs-dpdk-healthcheck.sh
+              {{- else }}
+              command:
+                - bash
+                - /kube-ovn/ovs-healthcheck.sh
+              {{- end }}
+            initialDelaySeconds: 60
+            periodSeconds: 5
+            failureThreshold: 5
+            timeoutSeconds: 45
+          resources:
+            requests:
+              {{- if .Values.DPDK }}
+              cpu: {{ .Values.DPDK_CPU }}
+              memory: {{ .Values.DPDK_MEMORY }}
+              {{- else }}
+              cpu: {{ index .Values "ovs-ovn" "requests" "cpu" }}
+              memory: {{ index .Values "ovs-ovn" "requests" "memory" }}
+              {{- end }}
+            limits:
+              {{- if .Values.DPDK }}
+              cpu: {{ .Values.DPDK_CPU }}
+              memory: {{ .Values.DPDK_MEMORY }}
+              hugepages-1Gi: 1Gi
+              {{- else }}
+              cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }}
+              memory: {{ index .Values "ovs-ovn" "limits" "memory" }}
+              {{- end }}
+      nodeSelector:
+        kubernetes.io/os: "linux"
+      volumes:
+        - name: host-modules
+          hostPath:
+            path: /lib/modules
+        - name: host-run-ovs
+          hostPath:
+            path: /run/openvswitch
+        - name: host-run-ovn
+          hostPath:
+            path: /run/ovn
+        - name: host-config-openvswitch
+          hostPath:
+            path: {{ .Values.OPENVSWITCH_DIR }}
+        - name: host-config-ovn
+          hostPath:
+            path: {{ .Values.OVN_DIR }}
+        - name: host-log-ovs
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/openvswitch
+        - name: host-log-ovn
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/ovn
+        - name: localtime
+          hostPath:
+            path: /etc/localtime
+        - name: kube-ovn-tls
+          secret:
+            optional: true
+            secretName: kube-ovn-tls
+        - name: host-ns
+          hostPath:
+            path: /var/run/netns
+        - hostPath:
+            path: /var/run/containerd
+          name: cruntime
+        {{- if .Values.DPDK }}
+        - name: host-config-ovs
+          hostPath:
+            path: /opt/ovs-config
+            type: DirectoryOrCreate
+        - name: hugepage
+          emptyDir:
+            medium: HugePages
+        {{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-ds.yaml
@@ -0,0 +1,137 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: kube-ovn-pinger
+  namespace: {{ .Values.namespace }}
+  annotations:
+    kubernetes.io/description: |
+      This daemon set launches the openvswitch daemon.
+spec:
+  selector:
+    matchLabels:
+      app: kube-ovn-pinger
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: kube-ovn-pinger
+        component: network
+        type: infra
+    spec:
+      priorityClassName: system-node-critical
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - key: CriticalAddonsOnly
+          operator: Exists
+      serviceAccountName: kube-ovn-app
+      hostPID: true
+      containers:
+        - name: pinger
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          command:
+          - /kube-ovn/kube-ovn-pinger
+          args:
+          - --external-address=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.PINGER_EXTERNAL_ADDRESS }} 
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.PINGER_EXTERNAL_ADDRESS }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.PINGER_EXTERNAL_ADDRESS }}
+          {{- end }}
+          - --external-dns=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.PINGER_EXTERNAL_DOMAIN }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.PINGER_EXTERNAL_DOMAIN }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.PINGER_EXTERNAL_DOMAIN }}
+          {{- end }}
+          - --ds-namespace={{ .Values.namespace }}
+          - --logtostderr=false
+          - --alsologtostderr=true
+          - --log_file=/var/log/kube-ovn/kube-ovn-pinger.log
+          - --log_file_max_size=0
+          - --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            runAsUser: 0
+            privileged: false
+          env:
+            - name: ENABLE_SSL
+              value: "{{ .Values.networking.ENABLE_SSL }}"
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - mountPath: /var/run/openvswitch
+              name: host-run-ovs
+            - mountPath: /var/run/ovn
+              name: host-run-ovn
+            - mountPath: /etc/openvswitch
+              name: host-config-openvswitch
+            - mountPath: /var/log/openvswitch
+              name: host-log-ovs
+              readOnly: true
+            - mountPath: /var/log/ovn
+              name: host-log-ovn
+              readOnly: true
+            - mountPath: /var/log/kube-ovn
+              name: kube-ovn-log
+            - mountPath: /etc/localtime
+              name: localtime
+              readOnly: true
+            - mountPath: /var/run/tls
+              name: kube-ovn-tls
+          resources:
+            requests:
+              cpu: {{ index .Values "kube-ovn-pinger" "requests" "cpu" }}
+              memory: {{ index .Values "kube-ovn-pinger" "requests" "memory" }}
+            limits:
+              cpu: {{ index .Values "kube-ovn-pinger" "limits" "cpu" }}
+              memory: {{ index .Values "kube-ovn-pinger" "limits" "memory" }}
+      nodeSelector:
+        kubernetes.io/os: "linux"
+      volumes:
+        - name: host-run-ovs
+          hostPath:
+            path: /run/openvswitch
+        - name: host-run-ovn
+          hostPath:
+            path: /run/ovn
+        - name: host-config-openvswitch
+          hostPath:
+            path: {{ .Values.OPENVSWITCH_DIR }}
+        - name: host-log-ovs
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/openvswitch
+        - name: kube-ovn-log
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn
+        - name: host-log-ovn
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/ovn
+        - name: localtime
+          hostPath:
+            path: /etc/localtime
+        - name: kube-ovn-tls
+          secret:
+            optional: true
+            secretName: kube-ovn-tls
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-svc.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-svc.yaml
@@ -0,0 +1,16 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: kube-ovn-pinger
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: kube-ovn-pinger
+spec:
+  selector:
+    app: kube-ovn-pinger
+  ports:
+    - port: 8080
+      name: metrics
+  {{- if eq .Values.networking.NET_STACK "dual_stack" }}
+  ipFamilyPolicy: PreferDualStack
+  {{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pre-delete-hook.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pre-delete-hook.yaml
@@ -0,0 +1,123 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-ovn-pre-delete-hook
+  namespace: {{ .Values.namespace }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": hook-succeeded
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.k8s.io/system-only: "true"
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "2"
+    "helm.sh/hook-delete-policy": hook-succeeded
+  name: system:kube-ovn-pre-delete-hook
+rules:
+  - apiGroups:
+      - kubeovn.io
+    resources:
+      - subnets
+    verbs:
+      - get
+      - list
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-ovn-pre-delete-hook
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "3"
+    "helm.sh/hook-delete-policy": hook-succeeded
+roleRef:
+  name: system:kube-ovn-pre-delete-hook
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: kube-ovn-pre-delete-hook
+    namespace: {{ .Values.namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Chart.Name }}-pre-delete-hook"
+  namespace: {{ .Values.namespace }}
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "4"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  completions: 1
+  template:
+    metadata:
+      name: "{{ .Release.Name }}"
+      labels:
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        app.kubernetes.io/instance: {{ .Release.Name | quote }}
+        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+        app: kube-ovn-pre-delete-hook
+        component: job
+    spec:
+      tolerations:
+        - key: ""
+          operator: "Exists"
+          effect: "NoSchedule"
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - topologyKey: kubernetes.io/hostname
+              labelSelector:
+                matchExpressions:
+                  - key: app
+                    operator: In
+                    values:
+                      - kube-ovn-pre-delete-hook
+                  - key: component
+                    operator: In
+                    values:
+                      - job
+      restartPolicy: Never
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/os: "linux"
+      serviceAccount: kube-ovn-pre-delete-hook
+      serviceAccountName: kube-ovn-pre-delete-hook
+      containers:
+        - name: remove-subnet-finalizer
+          image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}"
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          command:
+            - sh
+            - -c
+            - /kube-ovn/remove-subnet-finalizer.sh 2>&1 | tee -a /var/log/kube-ovn/remove-subnet-finalizer.log
+          volumeMounts:
+            - mountPath: /var/log/kube-ovn
+              name: kube-ovn-log
+      volumes:
+        - name: kube-ovn-log
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/sb-svc.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/sb-svc.yaml
@@ -0,0 +1,19 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: ovn-sb
+  namespace: {{ .Values.namespace }}
+spec:
+  ports:
+    - name: ovn-sb
+      protocol: TCP
+      port: 6642
+      targetPort: 6642
+  type: ClusterIP
+  {{- if eq .Values.networking.NET_STACK "dual_stack" }}
+  ipFamilyPolicy: PreferDualStack
+  {{- end }}
+  selector:
+    app: ovn-central
+    ovn-sb-leader: "true"
+  sessionAffinity: None
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/upgrade-ovs-ovn.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/upgrade-ovs-ovn.yaml
@@ -0,0 +1,163 @@
+{{- if eq (include "kubeovn.ovs-ovn.updateStrategy" .) "OnDelete" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ovs-ovn-upgrade
+  namespace: {{ .Values.namespace }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": hook-succeeded
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.k8s.io/system-only: "true"
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-weight": "2"
+    "helm.sh/hook-delete-policy": hook-succeeded
+  name: system:ovs-ovn-upgrade
+rules:
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+    resourceNames:
+      - ovs-ovn
+    verbs:
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    resourceNames:
+      - ovn-central
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - list
+      - get
+      - watch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ovs-ovn-upgrade
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-weight": "3"
+    "helm.sh/hook-delete-policy": hook-succeeded
+roleRef:
+  name: system:ovs-ovn-upgrade
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: ovs-ovn-upgrade
+    namespace: {{ .Values.namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Chart.Name }}-post-upgrade-hook"
+  namespace: {{ .Values.namespace }}
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-weight": "4"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  completions: 1
+  template:
+    metadata:
+      name: "{{ .Release.Name }}"
+      labels:
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        app.kubernetes.io/instance: {{ .Release.Name | quote }}
+        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+        app: post-upgrade
+        component: job
+    spec:
+      tolerations:
+        - key: ""
+          operator: "Exists"
+          effect: "NoSchedule"
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - topologyKey: kubernetes.io/hostname
+              labelSelector:
+                matchExpressions:
+                  - key: app
+                    operator: In
+                    values:
+                      - post-upgrade
+                  - key: component
+                    operator: In
+                    values:
+                      - job
+      restartPolicy: Never
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/os: "linux"
+      serviceAccount: ovs-ovn-upgrade
+      serviceAccountName: ovs-ovn-upgrade
+      containers:
+        - name: ovs-ovn-upgrade
+          image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}"
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: ENABLE_SSL
+              value: "{{ .Values.networking.ENABLE_SSL }}"
+            - name: OVN_DB_IPS
+              value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
+          command:
+            - bash
+            - -eo
+            - pipefail
+            - -c
+            - /kube-ovn/upgrade-ovs.sh 2>&1 | tee -a /var/log/kube-ovn/upgrade-ovs.log
+          volumeMounts:
+            - mountPath: /var/log/kube-ovn
+              name: kube-ovn-log
+            - mountPath: /var/run/tls
+              name: kube-ovn-tls
+      volumes:
+        - name: kube-ovn-log
+          hostPath:
+            path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn
+        - name: kube-ovn-tls
+          secret:
+            optional: true
+            secretName: kube-ovn-tls
+{{ end }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/vpc-nat-config.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/vpc-nat-config.yaml
@@ -0,0 +1,10 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: ovn-vpc-nat-config
+  namespace: {{ .Values.namespace }}
+  annotations:
+    kubernetes.io/description: |
+      kube-ovn vpc-nat common config
+data:
+  image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.vpcRepository }}:{{ .Values.global.images.kubeovn.tag }}
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/values.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/values.yaml
@@ -0,0 +1,181 @@
+# Default values for kubeovn.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+global:
+  registry:
+    address: docker.io/kubeovn
+    imagePullSecrets: []
+  images:
+    kubeovn:
+      repository: kube-ovn
+      dpdkRepository: kube-ovn-dpdk
+      vpcRepository: vpc-nat-gateway
+      tag: v1.13.0
+      support_arm: true
+      thirdparty: true
+
+image:
+  pullPolicy: IfNotPresent
+
+namespace: kube-system
+MASTER_NODES: ""
+MASTER_NODES_LABEL: "kube-ovn/role=master"
+
+networking:
+  # NET_STACK could be dual_stack, ipv4, ipv6
+  NET_STACK: ipv4
+  ENABLE_SSL: false
+  # network type could be geneve or vlan
+  NETWORK_TYPE: geneve
+  # tunnel type could be geneve, vxlan or stt
+  TUNNEL_TYPE: geneve
+  IFACE: ""
+  DPDK_TUNNEL_IFACE: "br-phy"
+  EXCLUDE_IPS: ""
+  POD_NIC_TYPE: "veth-pair"
+  vlan:
+    PROVIDER_NAME: "provider"
+    VLAN_INTERFACE_NAME: ""
+    VLAN_NAME: "ovn-vlan"
+    VLAN_ID: "100"
+  EXCHANGE_LINK_NAME: false
+  ENABLE_EIP_SNAT: true
+  DEFAULT_SUBNET: "ovn-default"
+  DEFAULT_VPC: "ovn-cluster"
+  NODE_SUBNET: "join"
+  ENABLE_ECMP: false
+  ENABLE_METRICS: true
+  NODE_LOCAL_DNS_IP: ""
+  PROBE_INTERVAL: 180000
+  OVN_NORTHD_PROBE_INTERVAL: 5000
+  OVN_LEADER_PROBE_INTERVAL: 5
+  OVN_REMOTE_PROBE_INTERVAL: 10000
+  OVN_REMOTE_OPENFLOW_INTERVAL: 180
+  OVN_NORTHD_N_THREADS: 1
+  ENABLE_COMPACT: false
+
+func:
+  ENABLE_LB: true
+  ENABLE_NP: true
+  ENABLE_EIP_SNAT: true
+  ENABLE_EXTERNAL_VPC: true
+  HW_OFFLOAD: false
+  ENABLE_LB_SVC: false
+  ENABLE_KEEP_VM_IP: true
+  LS_DNAT_MOD_DL_DST: true
+  LS_CT_SKIP_DST_LPORT_IPS: true
+  CHECK_GATEWAY: true
+  LOGICAL_GATEWAY: false
+  ENABLE_BIND_LOCAL_IP: true
+  U2O_INTERCONNECTION: false
+  ENABLE_TPROXY: false
+  ENABLE_IC: false
+
+ipv4:
+  POD_CIDR: "10.16.0.0/16"
+  POD_GATEWAY: "10.16.0.1"
+  SVC_CIDR: "10.96.0.0/12"
+  JOIN_CIDR: "100.64.0.0/16"
+  PINGER_EXTERNAL_ADDRESS: "1.1.1.1"
+  PINGER_EXTERNAL_DOMAIN: "alauda.cn."
+
+ipv6:
+  POD_CIDR: "fd00:10:16::/112"
+  POD_GATEWAY: "fd00:10:16::1"
+  SVC_CIDR: "fd00:10:96::/112"
+  JOIN_CIDR: "fd00:100:64::/112"
+  PINGER_EXTERNAL_ADDRESS: "2606:4700:4700::1111"
+  PINGER_EXTERNAL_DOMAIN: "google.com."
+
+dual_stack:
+  POD_CIDR: "10.16.0.0/16,fd00:10:16::/112"
+  POD_GATEWAY: "10.16.0.1,fd00:10:16::1"
+  SVC_CIDR: "10.96.0.0/12,fd00:10:96::/112"
+  JOIN_CIDR: "100.64.0.0/16,fd00:100:64::/112"
+  PINGER_EXTERNAL_ADDRESS: "1.1.1.1,2606:4700:4700::1111"
+  PINGER_EXTERNAL_DOMAIN: "google.com."
+
+performance:
+  GC_INTERVAL: 360
+  INSPECT_INTERVAL: 20
+  OVS_VSCTL_CONCURRENCY: 100
+
+debug:
+  ENABLE_MIRROR: false
+  MIRROR_IFACE: "mirror0"
+
+cni_conf:
+  CNI_CONFIG_PRIORITY: "01"
+  CNI_CONF_DIR: "/etc/cni/net.d"
+  CNI_BIN_DIR: "/opt/cni/bin"
+  CNI_CONF_FILE: "/kube-ovn/01-kube-ovn.conflist"
+  LOCAL_BIN_DIR: "/usr/local/bin"
+  MOUNT_LOCAL_BIN_DIR: false
+
+kubelet_conf:
+  KUBELET_DIR: "/var/lib/kubelet"
+
+log_conf:
+  LOG_DIR: "/var/log"
+
+OPENVSWITCH_DIR: "/etc/origin/openvswitch"
+OVN_DIR: "/etc/origin/ovn"
+DISABLE_MODULES_MANAGEMENT: false
+  
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# hybrid dpdk
+HYBRID_DPDK: false
+HUGEPAGE_SIZE_TYPE: hugepages-2Mi # Default 
+HUGEPAGES: 1Gi
+
+# DPDK
+DPDK: false
+DPDK_VERSION: "19.11"
+DPDK_CPU: "1000m"                        # Default CPU configuration
+DPDK_MEMORY: "2Gi"                       # Default Memory configuration
+
+ovn-central:
+  requests:
+    cpu: "300m"
+    memory: "200Mi"
+  limits:
+    cpu: "3"
+    memory: "4Gi"
+ovs-ovn:
+  requests:
+    cpu: "200m"
+    memory: "200Mi"
+  limits:
+    cpu: "2"
+    memory: "1000Mi"
+kube-ovn-controller:
+  requests:
+    cpu: "200m"
+    memory: "200Mi"
+  limits:
+    cpu: "1000m"
+    memory: "1Gi"
+kube-ovn-cni:
+  requests:
+    cpu: "100m"
+    memory: "100Mi"
+  limits:
+    cpu: "1000m"
+    memory: "1Gi"
+kube-ovn-pinger:
+  requests:
+    cpu: "100m"
+    memory: "100Mi"
+  limits:
+    cpu: "200m"
+    memory: "400Mi"
+kube-ovn-monitor:
+  requests:
+    cpu: "200m"
+    memory: "200Mi"
+  limits:
+    cpu: "200m"
+    memory: "200Mi"
--- a/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
@@ -29,28 +29,3 @@ Number of master nodes
 {{- define "kubeovn.nodeCount" -}}
  {{- len (split "," (.Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .))) }}
 {{- end -}}
-
-{{- define "kubeovn.ovs-ovn.updateStrategy" -}}
-  {{- $ds := lookup "apps/v1" "DaemonSet" $.Values.namespace "ovs-ovn" -}}
-  {{- if $ds -}}
-    {{- if eq $ds.spec.updateStrategy.type "RollingUpdate" -}}
-      RollingUpdate
-    {{- else -}}
-      {{- $chartVersion := index $ds.metadata.annotations "chart-version" }}
-      {{- $newChartVersion := printf "%s-%s" .Chart.Name .Chart.Version }}
-      {{- $imageVersion := (index $ds.spec.template.spec.containers 0).image | splitList ":" | last | trimPrefix "v" -}}
-      {{- $versionRegex := `^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)` -}}
-      {{- if and (ne $newChartVersion $chartVersion) (regexMatch $versionRegex $imageVersion) -}}
-        {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.12.0" -}}
-          RollingUpdate
-        {{- else -}}
-          OnDelete
-        {{- end -}}
-      {{- else -}}
-        OnDelete
-      {{- end -}}
-    {{- end -}}
-  {{- else -}}
-    RollingUpdate
-  {{- end -}}
-{{- end -}}
--- a/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
@@ -42,7 +42,7 @@ spec:
      hostNetwork: true
      containers:
        - name: ovn-central
-          image: {{ include "kubeovn.image" . }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: 
          - /kube-ovn/start-db.sh
@@ -74,18 +74,12 @@ spec:
              value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}"
            - name: PROBE_INTERVAL
              value: "{{ .Values.networking.PROBE_INTERVAL }}"
-            - name: OVN_NORTHD_PROBE_INTERVAL
-              value: "{{ .Values.networking.OVN_NORTHD_PROBE_INTERVAL}}"
            - name: OVN_LEADER_PROBE_INTERVAL
              value: "{{ .Values.networking.OVN_LEADER_PROBE_INTERVAL }}"
            - name: OVN_NORTHD_N_THREADS
              value: "{{ .Values.networking.OVN_NORTHD_N_THREADS }}"
            - name: ENABLE_COMPACT
              value: "{{ .Values.networking.ENABLE_COMPACT }}"
-            {{- if include "kubeovn.ovs-ovn.updateStrategy" . | eq "OnDelete" }}
-            - name: OVN_VERSION_COMPATIBILITY
-              value: "21.06"
-            {{- end }}
          resources:
            requests:
              cpu: {{ index .Values "ovn-central" "requests" "cpu" }}
@@ -98,6 +92,9 @@ spec:
              name: host-run-ovs
            - mountPath: /var/run/ovn
              name: host-run-ovn
+            - mountPath: /sys
+              name: host-sys
+              readOnly: true
            - mountPath: /etc/openvswitch
              name: host-config-openvswitch
            - mountPath: /etc/ovn
@@ -139,6 +136,9 @@ spec:
        - name: host-run-ovn
          hostPath:
            path: /run/ovn
+        - name: host-sys
+          hostPath:
+            path: /sys
        - name: host-config-openvswitch
          hostPath:
            path: {{ .Values.OPENVSWITCH_DIR }}
--- a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
@@ -49,22 +49,49 @@ spec:
      hostNetwork: true
      containers:
        - name: kube-ovn-controller
-          image: {{ include "kubeovn.image" . }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args:
-          {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
          - /kube-ovn/start-controller.sh
          - --default-ls={{ .Values.networking.DEFAULT_SUBNET }}
-          - --default-cidr={{ index $cozyConfig.data "ipv4-pod-cidr" }}
-          - --default-gateway={{ index $cozyConfig.data "ipv4-pod-gateway" }}
+          - --default-cidr=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.POD_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.POD_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.POD_CIDR }}
+          {{- end }}
+          - --default-gateway=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.POD_GATEWAY }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.POD_GATEWAY }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.POD_GATEWAY }}
+          {{- end }}
          - --default-gateway-check={{- .Values.func.CHECK_GATEWAY }}
          - --default-logical-gateway={{- .Values.func.LOGICAL_GATEWAY }}
          - --default-u2o-interconnection={{- .Values.func.U2O_INTERCONNECTION }}
          - --default-exclude-ips={{- .Values.networking.EXCLUDE_IPS }}
          - --cluster-router={{ .Values.networking.DEFAULT_VPC }}
          - --node-switch={{ .Values.networking.NODE_SUBNET }}
-          - --node-switch-cidr={{ index $cozyConfig.data "ipv4-join-cidr" }}
-          - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }}
+          - --node-switch-cidr=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.JOIN_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.JOIN_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.JOIN_CIDR }}
+          {{- end }}
+          - --service-cluster-ip-range=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.SVC_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.SVC_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.SVC_CIDR }}
+          {{- end }}
          - --network-type={{- .Values.networking.NETWORK_TYPE }}
          - --default-provider-name={{ .Values.networking.vlan.PROVIDER_NAME }}
          - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }}
@@ -72,7 +99,6 @@ spec:
          - --default-vlan-name={{- .Values.networking.vlan.VLAN_NAME }}
          - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }}
          - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }}
-          - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }}
          - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }}
          - --enable-lb={{- .Values.func.ENABLE_LB }}
          - --enable-np={{- .Values.func.ENABLE_NP }}
@@ -87,6 +113,7 @@ spec:
          - --log_file_max_size=0
          - --enable-lb-svc={{- .Values.func.ENABLE_LB_SVC }}
          - --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }}
+          - --pod-default-fip-type={{- .Values.networking.POD_DEFAULT_FIP_TYPE }}
          - --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
          - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }}
          env:
--- a/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml
@@ -40,7 +40,7 @@ spec:
      hostNetwork: true
      containers:
        - name: kube-ovn-monitor
-          image: {{ include "kubeovn.image" . }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: ["/kube-ovn/start-ovn-monitor.sh"]
          args:
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml
@@ -54,28 +54,17 @@ rules:
      - ""
    resources:
      - pods
-      - namespaces
-    verbs:
-      - get
-      - list
-      - patch
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - ""
-    resources:
      - pods/exec
+      - namespaces
+      - nodes
+      - configmaps
    verbs:
      - create
+      - get
+      - list
+      - watch
+      - patch
+      - update
  - apiGroups:
      - "k8s.cni.cncf.io"
    resources:
@@ -85,53 +74,40 @@ rules:
  - apiGroups:
      - ""
      - networking.k8s.io
-    resources:
-      - networkpolicies
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
      - apps
    resources:
+      - networkpolicies
      - daemonsets
    verbs:
      - get
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - services/status
-    verbs:
-      - get
-      - list
-      - update
-      - create
-      - delete
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-    verbs:
-      - create
-      - update
-      - get
      - list
      - watch
  - apiGroups:
+      - ""
      - apps
    resources:
+      - services/status
+    verbs:
+      - update
+  - apiGroups:
+      - ""
+      - networking.k8s.io
+      - apps
+      - extensions
+    resources:
+      - services
+      - endpoints
      - statefulsets
      - deployments
      - deployments/scale
    verbs:
-      - get
-      - list
      - create
      - delete
      - update
+      - patch
+      - get
+      - list
+      - watch
  - apiGroups:
      - ""
    resources:
@@ -172,6 +148,8 @@ rules:
      - patch
  - apiGroups:
      - ""
+      - networking.k8s.io
+      - apps
    resources:
      - services
      - endpoints
@@ -198,30 +176,26 @@ rules:
    resources:
      - subnets
      - provider-networks
+      - ovn-eips
+      - ovn-eips/status
+      - ips
    verbs:
      - get
      - list
+      - patch
+      - update
      - watch
  - apiGroups:
      - ""
-      - "kubeovn.io"
    resources:
-      - ovn-eips
-      - ovn-eips/status
-      - nodes
      - pods
+      - nodes
+      - configmaps
    verbs:
      - get
      - list
      - patch
      - watch
-  - apiGroups:
-      - "kubeovn.io"
-    resources:
-      - ips
-    verbs:
-      - get
-      - update
  - apiGroups:
      - ""
    resources:
@@ -230,14 +204,6 @@ rules:
      - create
      - patch
      - update
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch

 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -256,6 +222,8 @@ rules:
      - get
      - list
  - apiGroups:
+      - ""
+      - networking.k8s.io
      - apps
    resources:
      - daemonsets
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml
@@ -31,7 +31,7 @@ spec:
      hostPID: true
      containers:
        - name: openvswitch
-          image: {{ include "kubeovn.image" . }}-dpdk
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}-dpdk
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: ["/kube-ovn/start-ovs-dpdk-v2.sh"]
          securityContext:
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
@@ -30,7 +30,7 @@ spec:
      hostPID: true
      initContainers:
      - name: install-cni
-        image: {{ include "kubeovn.image" . }}
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        command: ["/kube-ovn/install-cni.sh"]
        securityContext:
@@ -45,18 +45,24 @@ spec:
          {{- end }}
      containers:
      - name: cni-server
-        image: {{ include "kubeovn.image" . }}
+        image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        command:
          - bash
          - /kube-ovn/start-cniserver.sh
        args:
-          {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
          - --enable-mirror={{- .Values.debug.ENABLE_MIRROR }}
          - --mirror-iface={{- .Values.debug.MIRROR_IFACE }}
          - --node-switch={{ .Values.networking.NODE_SUBNET }}
          - --encap-checksum=true
-          - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }}
+          - --service-cluster-ip-range=
+          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
+          {{ .Values.dual_stack.SVC_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
+          {{ .Values.ipv4.SVC_CIDR }}
+          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
+          {{ .Values.ipv6.SVC_CIDR }}
+          {{- end }}
          {{- if eq .Values.networking.NETWORK_TYPE "vlan" }}
          - --iface=
          {{- else}}
@@ -90,6 +96,10 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
+          - name: MODULES
+            value: "{{- .Values.performance.MODULES }}"
+          - name: RPMS
+            value: "{{- .Values.performance.RPMS }}"
          - name: POD_IPS
            valueFrom:
              fieldRef:
@@ -129,6 +139,8 @@ spec:
          - mountPath: /etc/localtime
            name: localtime
            readOnly: true
+          - mountPath: /tmp
+            name: tmp
        readinessProbe:
          failureThreshold: 3
          periodSeconds: 7
@@ -193,6 +205,9 @@ spec:
        - name: host-log-ovn
          hostPath:
            path: {{ .Values.log_conf.LOG_DIR }}/ovn
+        - name: tmp
+          hostPath:
+            path: /tmp
        {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
        - name: local-bin
          hostPath:
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml
@@ -6,13 +6,12 @@ metadata:
  annotations:
    kubernetes.io/description: |
      This daemon set launches the openvswitch daemon.
-    chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 spec:
  selector:
    matchLabels:
      app: ovs
  updateStrategy:
-    type: {{ include "kubeovn.ovs-ovn.updateStrategy" . }}
+    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
@@ -22,8 +21,6 @@ spec:
        app: ovs
        component: network
        type: infra
-      annotations:
-        chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    spec:
      tolerations:
        - effect: NoSchedule
@@ -39,9 +36,9 @@ spec:
      containers:
        - name: openvswitch
          {{- if .Values.DPDK }}
-          image: {{ include "kubeovn.image" . }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.DPDK_VERSION }}-{{ .Values.global.images.kubeovn.tag }}
          {{- else }}
-          image: {{ include "kubeovn.image" . }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          {{- end }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          {{- if .Values.DPDK }}
@@ -103,6 +100,9 @@ spec:
              name: host-run-ovs
            - mountPath: /var/run/ovn
              name: host-run-ovn
+            - mountPath: /sys
+              name: host-sys
+              readOnly: true
            - mountPath: /etc/openvswitch
              name: host-config-openvswitch
            - mountPath: /etc/ovn
@@ -185,6 +185,9 @@ spec:
        - name: host-run-ovn
          hostPath:
            path: /run/ovn
+        - name: host-sys
+          hostPath:
+            path: /sys
        - name: host-config-openvswitch
          hostPath:
            path: {{ .Values.OPENVSWITCH_DIR }}
--- a/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml
@@ -31,7 +31,7 @@ spec:
      hostPID: true
      containers:
        - name: pinger
-          image: {{ include "kubeovn.image" . }}
+          image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
          command:
          - /kube-ovn/kube-ovn-pinger
          args:
--- a/packages/system/kubeovn/charts/kube-ovn/templates/pre-delete-hook.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/pre-delete-hook.yaml
@@ -104,7 +104,7 @@ spec:
      serviceAccountName: kube-ovn-pre-delete-hook
      containers:
        - name: remove-subnet-finalizer
-          image: "{{ include "kubeovn.image" . }}"
+          image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}"
          env:
            - name: POD_NAMESPACE
              valueFrom:
--- a/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml
@@ -1,4 +1,5 @@
-{{- if eq (include "kubeovn.ovs-ovn.updateStrategy" .) "OnDelete" }}
+{{ if (lookup "apps/v1" "DaemonSet" .Values.namespace "ovs-ovn") }}
+{{ if eq (lookup "apps/v1" "DaemonSet" .Values.namespace "ovs-ovn").spec.updateStrategy.type "OnDelete" }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -32,16 +33,6 @@ rules:
      - ovs-ovn
    verbs:
      - get
-  - apiGroups:
-      - apps
-    resources:
-      - deployments
-    resourceNames:
-      - ovn-central
-    verbs:
-      - get
-      - list
-      - watch
  - apiGroups:
      - ""
    resources:
@@ -55,7 +46,6 @@ rules:
    verbs:
      - list
      - get
-      - watch
      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -131,33 +121,22 @@ spec:
      serviceAccountName: ovs-ovn-upgrade
      containers:
        - name: ovs-ovn-upgrade
-          image: "{{ include "kubeovn.image" . }}"
+          image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}"
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
-            - name: ENABLE_SSL
-              value: "{{ .Values.networking.ENABLE_SSL }}"
-            - name: OVN_DB_IPS
-              value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}"
          command:
-            - bash
-            - -eo
-            - pipefail
+            - sh
            - -c
            - /kube-ovn/upgrade-ovs.sh 2>&1 | tee -a /var/log/kube-ovn/upgrade-ovs.log
          volumeMounts:
            - mountPath: /var/log/kube-ovn
              name: kube-ovn-log
-            - mountPath: /var/run/tls
-              name: kube-ovn-tls
      volumes:
        - name: kube-ovn-log
          hostPath:
            path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn
-        - name: kube-ovn-tls
-          secret:
-            optional: true
-            secretName: kube-ovn-tls
+{{ end }}
 {{ end }}
--- a/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml
@@ -7,4 +7,4 @@ metadata:
    kubernetes.io/description: |
      kube-ovn vpc-nat common config
 data:
-  image: {{ include "kubeovn.image" . }}
+  image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.vpcRepository }}:{{ .Values.global.images.kubeovn.tag }}
--- a/packages/system/kubeovn/charts/kube-ovn/values.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/values.yaml
@@ -40,6 +40,7 @@ networking:
    VLAN_ID: "100"
  EXCHANGE_LINK_NAME: false
  ENABLE_EIP_SNAT: true
+  POD_DEFAULT_FIP_TYPE: ""
  DEFAULT_SUBNET: "ovn-default"
  DEFAULT_VPC: "ovn-cluster"
  NODE_SUBNET: "join"
@@ -47,7 +48,6 @@ networking:
  ENABLE_METRICS: true
  NODE_LOCAL_DNS_IP: ""
  PROBE_INTERVAL: 180000
-  OVN_NORTHD_PROBE_INTERVAL: 5000
  OVN_LEADER_PROBE_INTERVAL: 5
  OVN_REMOTE_PROBE_INTERVAL: 10000
  OVN_REMOTE_OPENFLOW_INTERVAL: 180
@@ -63,17 +63,19 @@ func:
  ENABLE_LB_SVC: false
  ENABLE_KEEP_VM_IP: true
  LS_DNAT_MOD_DL_DST: true
-  LS_CT_SKIP_DST_LPORT_IPS: true
  CHECK_GATEWAY: true
  LOGICAL_GATEWAY: false
  ENABLE_BIND_LOCAL_IP: true
  U2O_INTERCONNECTION: false
  ENABLE_TPROXY: false
-  ENABLE_IC: false

 ipv4:
+  POD_CIDR: "10.16.0.0/16"
+  POD_GATEWAY: "10.16.0.1"
+  SVC_CIDR: "10.96.0.0/12"
+  JOIN_CIDR: "100.64.0.0/16"
  PINGER_EXTERNAL_ADDRESS: "1.1.1.1"
-  PINGER_EXTERNAL_DOMAIN: "kube-ovn.io."
+  PINGER_EXTERNAL_DOMAIN: "alauda.cn."

 ipv6:
  POD_CIDR: "fd00:10:16::/112"
@@ -92,6 +94,8 @@ dual_stack:
  PINGER_EXTERNAL_DOMAIN: "google.com."

 performance:
+  MODULES: "kube_ovn_fastpath.ko"
+  RPMS: "openvswitch-kmod"
  GC_INTERVAL: 360
  INSPECT_INTERVAL: 20
  OVS_VSCTL_CONCURRENCY: 100
@@ -145,7 +149,7 @@ ovs-ovn:
    cpu: "200m"
    memory: "200Mi"
  limits:
-    cpu: "2"
+    cpu: "1000m"
    memory: "1000Mi"
 kube-ovn-controller:
  requests:
--- a/packages/system/kubeovn/images/kubeovn.json
+++ b/packages/system/kubeovn/images/kubeovn.json
@@ -1,4 +0,0 @@
-{
-  "containerimage.config.digest": "sha256:f83db05cfc7228a02d1308721de535e90e355d1b147b2d36bb98e10a848c3ef6",
-  "containerimage.digest": "sha256:440075488baba3610d7f8be6283f89ab3862ff3a9556c51a0e99ec6d46315192"
-}
--- a/packages/system/kubeovn/images/kubeovn.tag
+++ b/packages/system/kubeovn/images/kubeovn.tag
@@ -1 +0,0 @@
-ghcr.io/aenix-io/cozystack/kubeovn:latest
--- a/packages/system/kubeovn/images/kubeovn/Dockerfile
+++ b/packages/system/kubeovn/images/kubeovn/Dockerfile
@@ -1,43 +0,0 @@
-ARG VERSION=v1.13.0
-ARG BASE_TAG=$VERSION
-
-FROM golang:1.22-bookworm as builder
-
-ARG COMMIT_REF=e1310e1
-
-WORKDIR /source
-
-RUN wget -O- https://github.com/kubeovn/kube-ovn/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
-RUN sed -i 's|-z now|-z now -static|' Makefile
-RUN make build-go
-
-WORKDIR /source/dist/images
-
-# imported from https://github.com/kubeovn/kube-ovn/blob/master/dist/images/Dockerfile
-FROM kubeovn/kube-ovn-base:$BASE_TAG
-
-COPY --from=builder /source/dist/images/*.sh /kube-ovn/
-COPY --from=builder /source/dist/images/kubectl-ko /kube-ovn/kubectl-ko
-COPY --from=builder /source/dist/images/01-kube-ovn.conflist /kube-ovn/01-kube-ovn.conflist
-COPY --from=builder /source/dist/images/logrotate/* /etc/logrotate.d/
-COPY --from=builder /source/dist/images/grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
-
-WORKDIR /kube-ovn
-
-RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
-RUN rm -f /usr/bin/nc &&\
-    rm -f /usr/bin/netcat &&\
-    rm -f /usr/lib/apt/methods/mirror
-RUN deluser sync
-
-COPY --from=builder /source/dist/images/kube-ovn /kube-ovn/kube-ovn
-COPY --from=builder /source/dist/images/kube-ovn-cmd /kube-ovn/kube-ovn-cmd
-COPY --from=builder /source/dist/images/kube-ovn-webhook /kube-ovn/kube-ovn-webhook
-RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-daemon && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-pinger && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-speaker && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller-healthcheck && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-leader-checker && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-ic-controller
--- a/packages/system/kubeovn/patches/cozyconfig.diff
+++ b/packages/system/kubeovn/patches/cozyconfig.diff
@@ -1,97 +0,0 @@
-
-diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
-index d9a9a67..b2e12dd 100644
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
-+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
-@@ -51,18 +51,12 @@ spec:
-           - bash
-           - /kube-ovn/start-cniserver.sh
-         args:
-+          {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-           - --enable-mirror={{- .Values.debug.ENABLE_MIRROR }}
-           - --mirror-iface={{- .Values.debug.MIRROR_IFACE }}
-           - --node-switch={{ .Values.networking.NODE_SUBNET }}
-           - --encap-checksum=true
-          - --service-cluster-ip-range=
-          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
-          {{ .Values.dual_stack.SVC_CIDR }}
-          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
-          {{ .Values.ipv4.SVC_CIDR }}
-          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
-          {{ .Values.ipv6.SVC_CIDR }}
-          {{- end }}
-+          - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }}
-           {{- if eq .Values.networking.NETWORK_TYPE "vlan" }}
-           - --iface=
-           {{- else}}
-diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
-index 0e69494..756eb7c 100644
--- a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
-+++ b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml
-@@ -52,46 +52,19 @@ spec:
-           image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
-           imagePullPolicy: {{ .Values.image.pullPolicy }}
-           args:
-+          {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-           - /kube-ovn/start-controller.sh
-           - --default-ls={{ .Values.networking.DEFAULT_SUBNET }}
-          - --default-cidr=
-          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
-          {{ .Values.dual_stack.POD_CIDR }}
-          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
-          {{ .Values.ipv4.POD_CIDR }}
-          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
-          {{ .Values.ipv6.POD_CIDR }}
-          {{- end }}
-          - --default-gateway=
-          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
-          {{ .Values.dual_stack.POD_GATEWAY }}
-          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
-          {{ .Values.ipv4.POD_GATEWAY }}
-          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
-          {{ .Values.ipv6.POD_GATEWAY }}
-          {{- end }}
-+          - --default-cidr={{ index $cozyConfig.data "ipv4-pod-cidr" }}
-+          - --default-gateway={{ index $cozyConfig.data "ipv4-pod-gateway" }}
-           - --default-gateway-check={{- .Values.func.CHECK_GATEWAY }}
-           - --default-logical-gateway={{- .Values.func.LOGICAL_GATEWAY }}
-           - --default-u2o-interconnection={{- .Values.func.U2O_INTERCONNECTION }}
-           - --default-exclude-ips={{- .Values.networking.EXCLUDE_IPS }}
-           - --cluster-router={{ .Values.networking.DEFAULT_VPC }}
-           - --node-switch={{ .Values.networking.NODE_SUBNET }}
-          - --node-switch-cidr=
-          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
-          {{ .Values.dual_stack.JOIN_CIDR }}
-          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
-          {{ .Values.ipv4.JOIN_CIDR }}
-          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
-          {{ .Values.ipv6.JOIN_CIDR }}
-          {{- end }}
-          - --service-cluster-ip-range=
-          {{- if eq .Values.networking.NET_STACK "dual_stack" -}}
-          {{ .Values.dual_stack.SVC_CIDR }}
-          {{- else if eq .Values.networking.NET_STACK "ipv4" -}}
-          {{ .Values.ipv4.SVC_CIDR }}
-          {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
-          {{ .Values.ipv6.SVC_CIDR }}
-          {{- end }}
-+          - --node-switch-cidr={{ index $cozyConfig.data "ipv4-join-cidr" }}
-+          - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }}
-           - --network-type={{- .Values.networking.NETWORK_TYPE }}
-           - --default-provider-name={{ .Values.networking.vlan.PROVIDER_NAME }}
-           - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }}
-diff --git a/packages/system/kubeovn/charts/kube-ovn/values.yaml b/packages/system/kubeovn/charts/kube-ovn/values.yaml
-index bfffc4d..b880749 100644
--- a/packages/system/kubeovn/charts/kube-ovn/values.yaml
-+++ b/packages/system/kubeovn/charts/kube-ovn/values.yaml
-@@ -70,10 +70,6 @@ func:
-   ENABLE_TPROXY: false
- 
- ipv4:
-  POD_CIDR: "10.16.0.0/16"
-  POD_GATEWAY: "10.16.0.1"
-  SVC_CIDR: "10.96.0.0/12"
-  JOIN_CIDR: "100.64.0.0/16"
-   PINGER_EXTERNAL_ADDRESS: "1.1.1.1"
-   PINGER_EXTERNAL_DOMAIN: "alauda.cn."
- 
--- a/packages/system/kubeovn/templates/_helpers.tpl
+++ b/packages/system/kubeovn/templates/_helpers.tpl
@@ -1,3 +0,0 @@
-{{- define "kubeovn.image" -}}
-{{ .Files.Get "images/kubeovn.tag" | trim }}@{{ index (.Files.Get "images/kubeovn.json" | fromJson) "containerimage.digest" }}
-{{- end -}}
--- a/packages/system/kubeovn/values.yaml
+++ b/packages/system/kubeovn/values.yaml
@@ -1,4 +1,12 @@
 kube-ovn:
+  global:
+    registry:
+      address: ghcr.io/kvaps
+    images:
+      kubeovn:
+        repository: test
+        tag: kube-ovn-static-v1.13.0-cozystack2
+
  namespace: cozy-kubeovn

  func:
--- a/packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.0.28
+appVersion: v0.0.27
 description: Run and operate MariaDB in a cloud native way
 home: https://github.com/mariadb-operator/mariadb-operator
 icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
@@ -16,4 +16,4 @@ maintainers:
  name: mmontes11
 name: mariadb-operator
 type: application
-version: 0.28.1
+version: 0.27.0
--- a/packages/system/mariadb-operator/charts/mariadb-operator/README.md
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/README.md
@@ -6,7 +6,7 @@
 <img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator_centered_whitebg.svg" alt="mariadb" width="100%"/>
 </p>

-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.28.1](https://img.shields.io/badge/Version-0.28.1-informational?style=flat-square) ![AppVersion: v0.0.28](https://img.shields.io/badge/AppVersion-v0.0.28-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.27.0](https://img.shields.io/badge/Version-0.27.0-informational?style=flat-square) ![AppVersion: v0.0.27](https://img.shields.io/badge/AppVersion-v0.0.27-informational?style=flat-square)

 Run and operate MariaDB in a cloud native way

--- a/packages/system/mariadb-operator/charts/mariadb-operator/crds/crds.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/crds/crds.yaml
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/configmap.yaml
@@ -1,12 +1,11 @@
 apiVersion: v1
 data:
-  MARIADB_GALERA_AGENT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
-  MARIADB_GALERA_INIT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
+  MARIADB_GALERA_AGENT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
+  MARIADB_GALERA_INIT_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
  MARIADB_GALERA_LIB_PATH: /usr/lib/galera/libgalera_smm.so
-  MARIADB_OPERATOR_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.28
+  MARIADB_OPERATOR_IMAGE: ghcr.io/mariadb-operator/mariadb-operator:v0.0.27
  RELATED_IMAGE_EXPORTER: prom/mysqld-exporter:v0.15.1
-  RELATED_IMAGE_EXPORTER_MAXSCALE: mariadb/maxscale-prometheus-exporter-ubi:latest
-  RELATED_IMAGE_MARIADB: mariadb:10.11.7
+  RELATED_IMAGE_MARIADB: mariadb:11.2.2
  RELATED_IMAGE_MAXSCALE: mariadb/maxscale:23.08
 kind: ConfigMap
 metadata:
--- a/packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml
+++ b/packages/system/mariadb-operator/charts/mariadb-operator/templates/rbac.yaml
@@ -48,7 +48,6 @@ rules:
  - configmaps
  verbs:
  - create
-  - delete
  - get
  - list
  - patch
@@ -88,7 +87,6 @@ rules:
  - persistentvolumeclaims
  verbs:
  - create
-  - deletecollection
  - list
  - patch
  - watch
@@ -101,6 +99,12 @@ rules:
  - get
  - list
  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pvcs
+  verbs:
+  - list
 - apiGroups:
  - ""
  resources:
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Andrei Kvapil	c97aa9d5c6	fix default values	2024-05-09 10:32:49 +02:00
Andrei Kvapil	b4ceb6afa9	fix monitoring schema generation	2024-05-08 21:11:26 +02:00
Andrei Kvapil	62cc5dc69d	Merge branch 'origin/main' into openapi-schema-generation	2024-05-08 21:10:47 +02:00
Andrei Kvapil	e4387b7611	Merge branch 'main' into openapi-schema-generation	2024-05-08 13:46:37 +02:00
Andrei Kvapil	b8cb56fbd1	Prepare release v0.4.0	2024-05-03 23:10:10 +02:00
Andrei Kvapil	f25bbd5e74	Add schema generation and remove default values Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-04-26 16:34:17 +02:00