Merge pull request #642 from aenix-io/release-0.25.3

Prepare release v0.25.3

Makefile

@@ -36,6 +36,7 @@ assets:
 	make -C packages/core/installer/ assets
 
 test:
+	test -f _out/assets/nocloud-amd64.raw.xz || make -C packages/core/installer talos-nocloud
 	make -C packages/core/testing apply
 	make -C packages/core/testing test
 	make -C packages/core/testing test-applications

hack/download-dashboards.sh

@@ -21,7 +21,7 @@ fix_d8() {
 }
 
 swap_pvc_overview() {
- jq '(.panels[] | select(.title=="PVC Detailed") | .panels[] | select(.title=="Overview")) as $a | del(.panels[] | select(.title=="PVC Detailed").panels[] | select(.title=="Overview")) | ( (.panels[] | select(.title=="PVC Detailed"))) as $b | del( .panels[] | select(.title=="PVC Detailed")) | (.panels[.panels|length]=($a|.gridPos.y=$b.gridPos.y)) | (.panels[.panels|length]=($b|.gridPos.y=$a.gridPos.y))' 
+ jq '(.panels[] | select(.title=="PVC Detailed") | .panels[] | select(.title=="Overview")) as $a | del(.panels[] | select(.title=="PVC Detailed").panels[] | select(.title=="Overview")) | ( (.panels[] | select(.title=="PVC Detailed"))) as $b | del( .panels[] | select(.title=="PVC Detailed")) | (.panels[.panels|length]=($a|.gridPos.y=$b.gridPos.y)) | (.panels[.panels|length]=($b|.gridPos.y=$a.gridPos.y))'
 }
 
 deprectaed_remove_faq() {
@@ -68,7 +68,7 @@ modules/402-ingress-nginx/monitoring/grafana-dashboards/ingress-nginx/namespace/
 modules/402-ingress-nginx/monitoring/grafana-dashboards/ingress-nginx/vhost/vhost_detail.json
 modules/402-ingress-nginx/monitoring/grafana-dashboards/ingress-nginx/vhost/vhosts.json
 modules/340-monitoring-kubernetes-control-plane/monitoring/grafana-dashboards/kubernetes-cluster/control-plane-status.json
-modules/340-monitoring-kubernetes-control-plane/monitoring/grafana-dashboards/kubernetes-cluster/kube-etcd3.json                #TODO
+modules/340-monitoring-kubernetes-control-plane/monitoring/grafana-dashboards/kubernetes-cluster/kube-etcd.json                #TODO
 modules/340-monitoring-kubernetes-control-plane/monitoring/grafana-dashboards/kubernetes-cluster/deprecated-resources.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//kubernetes-cluster/nodes/ntp.json                              #TODO
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//kubernetes-cluster/nodes/nodes.json
@@ -78,6 +78,9 @@ modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//main/pod.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//main/namespace/namespaces.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//main/namespace/namespace.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//main/capacity-planning/capacity-planning.json
+modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//flux/flux-control-plane.json
+modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//flux/flux-stats.json
+modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//kafka/strimzi-kafka.json
 EOT
 
 
@@ -109,4 +112,3 @@ done <<\EOT
 	https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-namespaces.json
 	https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-pods.json
 EOT
-

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.24.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.25.3"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: assets
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.24.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.25.3"
         command:
         - /usr/bin/cozystack-assets-server
         - "-dir=/cozystack/assets"

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:6a8ec7e7052f2d02ec5457d7cbac6ee52b3ed93a883988a192d1394fc7c88117
+ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:71cdf8bdab3d6f27edeec0ab33ddd8c7b56675a4f2d7bbf4d3e09b70ecb43375

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:b311eb8eb0c50a2707a6aef06a34a33c3ca40f2041eb30e73dd338ea3d11f33e
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:4c79017b6663f894812d8c3d4f9e03ef44e4d4032ad8bb91945c92c7cce6a0b0

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.3.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/templates/kafka.yaml

@@ -57,6 +57,12 @@ spec:
         class: {{ . }}
         {{- end }}
         deleteClaim: true
+    metricsConfig:
+      type: jmxPrometheusExporter
+      valueFrom:
+        configMapKeyRef:
+          name: {{ .Release.Name }}-metrics
+          key: kafka-metrics-config.yml
   zookeeper:
     replicas: {{ .Values.zookeeper.replicas }}
     storage:
@@ -68,6 +74,12 @@ spec:
       class: {{ . }}
       {{- end }}
       deleteClaim: false
+    metricsConfig:
+      type: jmxPrometheusExporter
+      valueFrom:
+        configMapKeyRef:
+          name: {{ .Release.Name }}-metrics
+          key: kafka-metrics-config.yml
   entityOperator:
     topicOperator: {}
     userOperator: {}

packages/apps/kafka/templates/metrics-configmap.yaml

@@ -0,0 +1,198 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-metrics
+data:
+  kafka-metrics-config.yml: |
+    # See https://github.com/prometheus/jmx_exporter for more info about JMX Prometheus Exporter metrics
+    lowercaseOutputName: true
+    rules:
+    # Special cases and very specific rules
+    - pattern: kafka.server<type=(.+), name=(.+), clientId=(.+), topic=(.+), partition=(.*)><>Value
+      name: kafka_server_$1_$2
+      type: GAUGE
+      labels:
+        clientId: "$3"
+        topic: "$4"
+        partition: "$5"
+    - pattern: kafka.server<type=(.+), name=(.+), clientId=(.+), brokerHost=(.+), brokerPort=(.+)><>Value
+      name: kafka_server_$1_$2
+      type: GAUGE
+      labels:
+        clientId: "$3"
+        broker: "$4:$5"
+    - pattern: kafka.server<type=(.+), cipher=(.+), protocol=(.+), listener=(.+), networkProcessor=(.+)><>connections
+      name: kafka_server_$1_connections_tls_info
+      type: GAUGE
+      labels:
+        cipher: "$2"
+        protocol: "$3"
+        listener: "$4"
+        networkProcessor: "$5"
+    - pattern: kafka.server<type=(.+), clientSoftwareName=(.+), clientSoftwareVersion=(.+), listener=(.+), networkProcessor=(.+)><>connections
+      name: kafka_server_$1_connections_software
+      type: GAUGE
+      labels:
+        clientSoftwareName: "$2"
+        clientSoftwareVersion: "$3"
+        listener: "$4"
+        networkProcessor: "$5"
+    - pattern: "kafka.server<type=(.+), listener=(.+), networkProcessor=(.+)><>(.+-total):"
+      name: kafka_server_$1_$4
+      type: COUNTER
+      labels:
+        listener: "$2"
+        networkProcessor: "$3"
+    - pattern: "kafka.server<type=(.+), listener=(.+), networkProcessor=(.+)><>(.+):"
+      name: kafka_server_$1_$4
+      type: GAUGE
+      labels:
+        listener: "$2"
+        networkProcessor: "$3"
+    - pattern: kafka.server<type=(.+), listener=(.+), networkProcessor=(.+)><>(.+-total)
+      name: kafka_server_$1_$4
+      type: COUNTER
+      labels:
+        listener: "$2"
+        networkProcessor: "$3"
+    - pattern: kafka.server<type=(.+), listener=(.+), networkProcessor=(.+)><>(.+)
+      name: kafka_server_$1_$4
+      type: GAUGE
+      labels:
+        listener: "$2"
+        networkProcessor: "$3"
+    # Some percent metrics use MeanRate attribute
+    # Ex) kafka.server<type=(KafkaRequestHandlerPool), name=(RequestHandlerAvgIdlePercent)><>MeanRate
+    - pattern: kafka.(\w+)<type=(.+), name=(.+)Percent\w*><>MeanRate
+      name: kafka_$1_$2_$3_percent
+      type: GAUGE
+    # Generic gauges for percents
+    - pattern: kafka.(\w+)<type=(.+), name=(.+)Percent\w*><>Value
+      name: kafka_$1_$2_$3_percent
+      type: GAUGE
+    - pattern: kafka.(\w+)<type=(.+), name=(.+)Percent\w*, (.+)=(.+)><>Value
+      name: kafka_$1_$2_$3_percent
+      type: GAUGE
+      labels:
+        "$4": "$5"
+    # Generic per-second counters with 0-2 key/value pairs
+    - pattern: kafka.(\w+)<type=(.+), name=(.+)PerSec\w*, (.+)=(.+), (.+)=(.+)><>Count
+      name: kafka_$1_$2_$3_total
+      type: COUNTER
+      labels:
+        "$4": "$5"
+        "$6": "$7"
+    - pattern: kafka.(\w+)<type=(.+), name=(.+)PerSec\w*, (.+)=(.+)><>Count
+      name: kafka_$1_$2_$3_total
+      type: COUNTER
+      labels:
+        "$4": "$5"
+    - pattern: kafka.(\w+)<type=(.+), name=(.+)PerSec\w*><>Count
+      name: kafka_$1_$2_$3_total
+      type: COUNTER
+    # Generic gauges with 0-2 key/value pairs
+    - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+), (.+)=(.+)><>Value
+      name: kafka_$1_$2_$3
+      type: GAUGE
+      labels:
+        "$4": "$5"
+        "$6": "$7"
+    - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+)><>Value
+      name: kafka_$1_$2_$3
+      type: GAUGE
+      labels:
+        "$4": "$5"
+    - pattern: kafka.(\w+)<type=(.+), name=(.+)><>Value
+      name: kafka_$1_$2_$3
+      type: GAUGE
+    # Emulate Prometheus 'Summary' metrics for the exported 'Histogram's.
+    # Note that these are missing the '_sum' metric!
+    - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+), (.+)=(.+)><>Count
+      name: kafka_$1_$2_$3_count
+      type: COUNTER
+      labels:
+        "$4": "$5"
+        "$6": "$7"
+    - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.*), (.+)=(.+)><>(\d+)thPercentile
+      name: kafka_$1_$2_$3
+      type: GAUGE
+      labels:
+        "$4": "$5"
+        "$6": "$7"
+        quantile: "0.$8"
+    - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.+)><>Count
+      name: kafka_$1_$2_$3_count
+      type: COUNTER
+      labels:
+        "$4": "$5"
+    - pattern: kafka.(\w+)<type=(.+), name=(.+), (.+)=(.*)><>(\d+)thPercentile
+      name: kafka_$1_$2_$3
+      type: GAUGE
+      labels:
+        "$4": "$5"
+        quantile: "0.$6"
+    - pattern: kafka.(\w+)<type=(.+), name=(.+)><>Count
+      name: kafka_$1_$2_$3_count
+      type: COUNTER
+    - pattern: kafka.(\w+)<type=(.+), name=(.+)><>(\d+)thPercentile
+      name: kafka_$1_$2_$3
+      type: GAUGE
+      labels:
+        quantile: "0.$4"
+    # KRaft overall related metrics
+    # distinguish between always increasing COUNTER (total and max) and variable GAUGE (all others) metrics
+    - pattern: "kafka.server<type=raft-metrics><>(.+-total|.+-max):"
+      name: kafka_server_raftmetrics_$1
+      type: COUNTER
+    - pattern: "kafka.server<type=raft-metrics><>(current-state): (.+)"
+      name: kafka_server_raftmetrics_$1
+      value: 1
+      type: UNTYPED
+      labels:
+        $1: "$2"
+    - pattern: "kafka.server<type=raft-metrics><>(.+):"
+      name: kafka_server_raftmetrics_$1
+      type: GAUGE
+    # KRaft "low level" channels related metrics
+    # distinguish between always increasing COUNTER (total and max) and variable GAUGE (all others) metrics
+    - pattern: "kafka.server<type=raft-channel-metrics><>(.+-total|.+-max):"
+      name: kafka_server_raftchannelmetrics_$1
+      type: COUNTER
+    - pattern: "kafka.server<type=raft-channel-metrics><>(.+):"
+      name: kafka_server_raftchannelmetrics_$1
+      type: GAUGE
+    # Broker metrics related to fetching metadata topic records in KRaft mode
+    - pattern: "kafka.server<type=broker-metadata-metrics><>(.+):"
+      name: kafka_server_brokermetadatametrics_$1
+      type: GAUGE
+  zookeeper-metrics-config.yml: |
+    # See https://github.com/prometheus/jmx_exporter for more info about JMX Prometheus Exporter metrics
+    lowercaseOutputName: true
+    rules:
+    # replicated Zookeeper
+    - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+)><>(\\w+)"
+      name: "zookeeper_$2"
+      type: GAUGE
+    - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+)><>(\\w+)"
+      name: "zookeeper_$3"
+      type: GAUGE
+      labels:
+        replicaId: "$2"
+    - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+)><>(Packets\\w+)"
+      name: "zookeeper_$4"
+      type: COUNTER
+      labels:
+        replicaId: "$2"
+        memberType: "$3"
+    - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+)><>(\\w+)"
+      name: "zookeeper_$4"
+      type: GAUGE
+      labels:
+        replicaId: "$2"
+        memberType: "$3"
+    - pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+), name3=(\\w+)><>(\\w+)"
+      name: "zookeeper_$4_$5"
+      type: GAUGE
+      labels:
+        replicaId: "$2"
+        memberType: "$3"

packages/apps/kafka/templates/podscrape.yaml

@@ -0,0 +1,40 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMPodScrape
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  podMetricsEndpoints:
+    - port: tcp-prometheus
+      scheme: http
+      relabelConfigs:
+      - separator: ;
+        regex: __meta_kubernetes_pod_label_(strimzi_io_.+)
+        replacement: $1
+        action: labelmap
+      - sourceLabels: [__meta_kubernetes_namespace]
+        separator: ;
+        regex: (.*)
+        targetLabel: namespace
+        replacement: $1
+        action: replace
+      - sourceLabels: [__meta_kubernetes_pod_name]
+        separator: ;
+        regex: (.*)
+        targetLabel: pod
+        replacement: $1
+        action: replace
+      - sourceLabels: [__meta_kubernetes_pod_node_name]
+        separator: ;
+        regex: (.*)
+        targetLabel: node
+        replacement: $1
+        action: replace
+      - sourceLabels: [__meta_kubernetes_pod_host_ip]
+        separator: ;
+        regex: (.*)
+        targetLabel: node_ip
+        replacement: $1
+        action: replace
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ .Release.Name }}

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:73701e37727eedaafdf9efe4baefcf0835f064ee8731219f0c0186c0d0781a5c
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.0@sha256:fa37449761fefd2e04385be505cb669b0f1efcddc2f1ba42c4fcd38af4ea4361

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:22302ca96a146617636bda107991825f6fcdb4599d360ab392aca1c00ed81a94
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.0@sha256:5f1ab06264c09f3dc7bfc43db0b6e68235ac44f83e8a5277dfb74fe6902d6dca

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:1318c7612391186b2a5d96c6fed2d13bd8fb2f6c13770e29e5d5abc517d9c138
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.0@sha256:7b206eb9c1b44cead6e0e4931c569612fa8034f026d845469ebd2d2ef46b85ab

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:e4d153f11a545276cd299e893c28bf21c64eefa64ea25dbba3a0b40df0e3dbe9
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:b882ff398d297824dbf73dee948cfa684cb18006b91bd152e1f03ed22d7190fa

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:4bbfbb397bd7ecea45507ca47989c51429c4a24f40853ac92583e5b5b352fbea
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:5994e3f7a57054e3cebc532fa29a90edc9a97befe8993cec011e3e726c83e9bd

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:6a8ec7e7052f2d02ec5457d7cbac6ee52b3ed93a883988a192d1394fc7c88117
+ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:71cdf8bdab3d6f27edeec0ab33ddd8c7b56675a4f2d7bbf4d3e09b70ecb43375

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.6.7
+version: 1.7.0

packages/apps/tenant/templates/info.yaml

@@ -0,0 +1,27 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
+{{- if $oidcEnabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: info
+  namespace: {{ include "tenant.name" . }}
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    cozystack.io/ui: "true"
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  chart:
+    spec:
+      chart: info
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-extra
+        namespace: cozy-public
+      version: "*"
+  interval: 1m0s
+  timeout: 5m0s
+{{- end }}

packages/apps/tenant/templates/tenant.yaml

@@ -34,7 +34,11 @@ rules:
 - apiGroups: ["apps.cozystack.io"]
   resources: ['*']
   verbs: ['*']
-
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -103,6 +107,11 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+    - cozystack.io
+    resources:
+    - workloadmonitors
+    verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -175,6 +184,11 @@ rules:
     verbs:
     - get
     - list
+  - apiGroups:
+    - cozystack.io
+    resources:
+    - workloadmonitors
+    verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -258,6 +272,7 @@ rules:
     - virtualmachines
     - vmdisks
     - vminstances
+    - infos
     verbs:
     - get
     - list
@@ -266,6 +281,11 @@ rules:
     - update
     - patch
     - delete
+  - apiGroups:
+    - cozystack.io
+    resources:
+    - workloadmonitors
+    verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -334,6 +354,11 @@ rules:
     - '*'
     verbs:
     - '*'
+  - apiGroups:
+    - cozystack.io
+    resources:
+    - workloadmonitors
+    verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

packages/apps/versions_map

@@ -23,7 +23,8 @@ kafka 0.2.1 3ac17018
 kafka 0.2.2 d0758692
 kafka 0.2.3 5ca8823
 kafka 0.3.0 c07c4bbd
-kafka 0.3.1 HEAD
+kafka 0.3.1 b7375f73
+kafka 0.3.2 HEAD
 kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
@@ -100,7 +101,9 @@ tenant 1.6.3 2057bb96
 tenant 1.6.4 3c9e50a4
 tenant 1.6.5 f1e11451
 tenant 1.6.6 d4634797
-tenant 1.6.7 HEAD
+tenant 1.6.7 06afcf27
+tenant 1.6.8 4cc48e6f
+tenant 1.7.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
@@ -109,13 +112,17 @@ virtual-machine 0.4.0 4746d51
 virtual-machine 0.5.0 cad9cde
 virtual-machine 0.6.0 0e728870
 virtual-machine 0.7.0 af58018a
-virtual-machine 0.7.1 HEAD
+virtual-machine 0.7.1 05857b95
+virtual-machine 0.8.0 3fa4dd3
+virtual-machine 0.8.1 HEAD
 vm-disk 0.1.0 HEAD
 vm-instance 0.1.0 ced8e5b9
 vm-instance 0.2.0 4f767ee3
 vm-instance 0.3.0 0e728870
 vm-instance 0.4.0 af58018a
-vm-instance 0.4.1 HEAD
+vm-instance 0.4.1 05857b95
+vm-instance 0.5.0 3fa4dd3
+vm-instance 0.5.1 HEAD
 vpn 0.1.0 f642698
 vpn 0.2.0 7151424
 vpn 0.3.0 a2bcf100

packages/apps/virtual-machine/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.1
+version: 0.8.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.7.1"
+appVersion: "0.8.1"

packages/apps/virtual-machine/Makefile

@@ -8,3 +8,4 @@ generate:
 	  && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
 	yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json
 	yq -i -o json '.properties.systemDisk.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' values.schema.json
+	yq -i -o json '.properties.externalMethod.enum = ["wholeIP", "PortList"]' values.schema.json

packages/apps/virtual-machine/README.md

@@ -39,6 +39,7 @@ virtctl ssh <user>@<vm>
 | Name                      | Description                                                                                                | Value            |
 | ------------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------- |
 | `external`                | Enable external access from outside the cluster                                                            | `false`          |
+| `externalMethod`          | specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList` | `WholeIP`        |
 | `externalPorts`           | Specify ports to forward from outside the cluster                                                          | `[]`             |
 | `running`                 | Determines if the virtual machine should be running                                                        | `true`           |
 | `instanceType`            | Virtual Machine instance type                                                                              | `u1.medium`      |

packages/apps/virtual-machine/templates/service.yaml

@@ -6,16 +6,24 @@ metadata:
   name: {{ include "virtual-machine.fullname" . }}
   labels:
     {{- include "virtual-machine.labels" . | nindent 4 }}
+  {{- if eq .Values.externalMethod "WholeIP" }}
+  annotations:
+    networking.cozystack.io/wholeIP: "true"
+  {{- end }}
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   externalTrafficPolicy: Local
   allocateLoadBalancerNodePorts: false
   selector:
-    {{- include "virtual-machine.labels" . | nindent 4 }}
+    {{- include "virtual-machine.selectorLabels" . | nindent 4 }}
   ports:
+    {{- if eq .Values.externalMethod "WholeIP" }}
+    - port: 65535
+    {{- else }}
     {{- range .Values.externalPorts }}
     - name: port-{{ . }}
       port: {{ . }}
       targetPort: {{ . }}
     {{- end }}
+    {{- end }}
 {{- end }}

packages/apps/virtual-machine/values.schema.json

@@ -7,6 +7,15 @@
       "description": "Enable external access from outside the cluster",
       "default": false
     },
+    "externalMethod": {
+      "type": "string",
+      "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`",
+      "default": "WholeIP",
+      "enum": [
+        "wholeIP",
+        "PortList"
+      ]
+    },
     "externalPorts": {
       "type": "array",
       "description": "Specify ports to forward from outside the cluster",

packages/apps/virtual-machine/values.yaml

@@ -1,8 +1,10 @@
 ## @section Common parameters
 
 ## @param external Enable external access from outside the cluster
+## @param externalMethod specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`
 ## @param externalPorts [array] Specify ports to forward from outside the cluster
 external: false
+externalMethod: WholeIP
 externalPorts:
 - 22
 

packages/apps/vm-instance/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.1
+version: 0.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.4.1"
+appVersion: "0.5.1"

packages/apps/vm-instance/Makefile

@@ -8,3 +8,4 @@ generate:
 	PREFERENCES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/preferences.yaml | yq 'split(" ") | . + [""]' -o json) \
 	  && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
 	yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json
+	yq -i -o json '.properties.externalMethod.enum = ["WholeIP", "PortList"]' values.schema.json

packages/apps/vm-instance/README.md

@@ -36,18 +36,19 @@ virtctl ssh <user>@<vm>
 
 ### Common parameters
 
-| Name               | Description                                                                        | Value            |
-| ------------------ | ---------------------------------------------------------------------------------- | ---------------- |
-| `external`         | Enable external access from outside the cluster                                    | `false`          |
-| `externalPorts`    | Specify ports to forward from outside the cluster                                  | `[]`             |
-| `running`          | Determines if the virtual machine should be running                                | `true`           |
-| `instanceType`     | Virtual Machine instance type                                                      | `u1.medium`      |
-| `instanceProfile`  | Virtual Machine prefferences profile                                               | `ubuntu`         |
-| `disks`            | List of disks to attach                                                            | `[]`             |
-| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                           | `""`             |
-| `resources.memory` | The amount of memory allocated to the virtual machine                              | `""`             |
-| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys. | `[]`             |
-| `cloudInit`        | cloud-init user data config. See cloud-init documentation for more details.        | `#cloud-config
+| Name               | Description                                                                                                | Value            |
+| ------------------ | ---------------------------------------------------------------------------------------------------------- | ---------------- |
+| `external`         | Enable external access from outside the cluster                                                            | `false`          |
+| `externalMethod`   | specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList` | `WholeIP`        |
+| `externalPorts`    | Specify ports to forward from outside the cluster                                                          | `[]`             |
+| `running`          | Determines if the virtual machine should be running                                                        | `true`           |
+| `instanceType`     | Virtual Machine instance type                                                                              | `u1.medium`      |
+| `instanceProfile`  | Virtual Machine prefferences profile                                                                       | `ubuntu`         |
+| `disks`            | List of disks to attach                                                                                    | `[]`             |
+| `resources.cpu`    | The number of CPU cores allocated to the virtual machine                                                   | `""`             |
+| `resources.memory` | The amount of memory allocated to the virtual machine                                                      | `""`             |
+| `sshKeys`          | List of SSH public keys for authentication. Can be a single key or a list of keys.                         | `[]`             |
+| `cloudInit`        | cloud-init user data config. See cloud-init documentation for more details.                                | `#cloud-config
 ` |
 
 ## U Series

packages/apps/vm-instance/templates/service.yaml

@@ -6,16 +6,24 @@ metadata:
   name: {{ include "virtual-machine.fullname" . }}
   labels:
     {{- include "virtual-machine.labels" . | nindent 4 }}
+  {{- if eq .Values.externalMethod "WholeIP" }}
+  annotations:
+    networking.cozystack.io/wholeIP: "true"
+  {{- end }}
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   externalTrafficPolicy: Local
   allocateLoadBalancerNodePorts: false
   selector:
-    {{- include "virtual-machine.labels" . | nindent 4 }}
+    {{- include "virtual-machine.selectorLabels" . | nindent 4 }}
   ports:
+    {{- if eq .Values.externalMethod "WholeIP" }}
+    - port: 65535
+    {{- else }}
     {{- range .Values.externalPorts }}
     - name: port-{{ . }}
       port: {{ . }}
       targetPort: {{ . }}
     {{- end }}
+    {{- end }}
 {{- end }}

packages/apps/vm-instance/templates/vm.yaml

@@ -12,7 +12,7 @@ metadata:
   labels:
     {{- include "virtual-machine.labels" . | nindent 4 }}
 spec:
-  running: {{ .Values.running | default "true" }}
+  running: {{ .Values.running }}
   {{- with .Values.instanceType }}
   instancetype:
     kind: VirtualMachineClusterInstancetype

packages/apps/vm-instance/values.schema.json

@@ -7,6 +7,15 @@
       "description": "Enable external access from outside the cluster",
       "default": false
     },
+    "externalMethod": {
+      "type": "string",
+      "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`",
+      "default": "WholeIP",
+      "enum": [
+        "WholeIP",
+        "PortList"
+      ]
+    },
     "externalPorts": {
       "type": "array",
       "description": "Specify ports to forward from outside the cluster",

packages/apps/vm-instance/values.yaml

@@ -1,8 +1,10 @@
 ## @section Common parameters
 
 ## @param external Enable external access from outside the cluster
+## @param externalMethod specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`
 ## @param externalPorts [array] Specify ports to forward from outside the cluster
 external: false
+externalMethod: WholeIP
 externalPorts:
 - 22
 

packages/core/builder/values.yaml

@@ -1,3 +1,3 @@
 talos:
   imager:
-    image: ghcr.io/siderolabs/imager:v1.9.2
+    image: ghcr.io/siderolabs/imager:v1.9.3

packages/core/installer/Makefile

@@ -30,7 +30,7 @@ image-cozystack: run-builder
 		--provenance false \
 		--tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \
-		--platform linux/amd64,linux/arm64 \
+		--platform linux/amd64 \
 		--cache-to type=inline \
 		--metadata-file images/cozystack.json \
 		--push=$(PUSH) \
@@ -43,7 +43,7 @@ image-talos: run-builder
 	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
 	skopeo copy docker-archive:../../../_out/assets/installer-amd64.tar docker://$(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
 
-image-matchbox:  run-builder
+image-matchbox: run-builder
 	test -f ../../../_out/assets/kernel-amd64 || make talos-kernel
 	test -f ../../../_out/assets/initramfs-metal-amd64.xz || make talos-initramfs
 	docker buildx build -f images/matchbox/Dockerfile ../../.. \

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.2
+version: v1.9.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.2
+version: v1.9.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.2
+version: v1.9.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.2
+version: v1.9.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.2
+version: v1.9.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.9.2
+version: v1.9.3
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.2
+    imageRef: ghcr.io/siderolabs/installer:v1.9.3
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250109
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20241210
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250109
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250109
     - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.2
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.2
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250109
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.3
+    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.3
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.24.1@sha256:2a07ec771337e41720196311ef53b120f2925abfc389eb36bc3c785c71817abd
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.25.3@sha256:d0d3739f2ffd8edca7a143d48bc4cf7c3e4f84910fb76c340e1e8a43bf303c7c

packages/core/platform/bundles/distro-full.yaml

@@ -31,6 +31,13 @@ releases:
       autoDirectNodeRoutes: true
       routingMode: native
 
+- name: cozy-proxy
+  releaseName: cozystack
+  chart: cozy-cozy-proxy
+  namespace: cozy-system
+  optional: true
+  dependsOn: [cilium]
+
 - name: cert-manager-crds
   releaseName: cert-manager-crds
   chart: cozy-cert-manager-crds
@@ -75,6 +82,10 @@ releases:
   privileged: true
   optional: true
   dependsOn: [cilium,victoria-metrics-operator]
+  values:
+    scrapeRules:
+      etcd:
+        enabled: true
 
 - name: metallb
   releaseName: metallb

packages/core/platform/bundles/distro-hosted.yaml

@@ -58,6 +58,10 @@ releases:
   privileged: true
   optional: true
   dependsOn: [victoria-metrics-operator]
+  values:
+    scrapeRules:
+      etcd:
+        enabled: true
 
 - name: etcd-operator
   releaseName: etcd-operator

packages/core/platform/bundles/paas-full.yaml

@@ -50,6 +50,12 @@ releases:
         SVC_CIDR: "{{ index $cozyConfig.data "ipv4-svc-cidr" }}"
         JOIN_CIDR: "{{ index $cozyConfig.data "ipv4-join-cidr" }}"
 
+- name: cozy-proxy
+  releaseName: cozystack
+  chart: cozy-cozy-proxy
+  namespace: cozy-system
+  dependsOn: [cilium,kubeovn]
+
 - name: cert-manager-crds
   releaseName: cert-manager-crds
   chart: cozy-cert-manager-crds
@@ -97,6 +103,10 @@ releases:
   namespace: cozy-monitoring
   privileged: true
   dependsOn: [cilium,kubeovn,victoria-metrics-operator]
+  values:
+    scrapeRules:
+      etcd:
+        enabled: true
 
 - name: kubevirt-operator
   releaseName: kubevirt-operator
@@ -222,24 +232,67 @@ releases:
   namespace: cozy-dashboard
   dependsOn: [cilium,kubeovn,keycloak-configure]
   values:
+    kubeapps:
     {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
     {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
-    redis:
-      master:
-        podAnnotations:
-          {{- range $index, $repo := . }}
-          {{- with (($repo.status).artifact).revision }}
-          repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
+      redis:
+        master:
+          podAnnotations:
+            {{- range $index, $repo := . }}
+            {{- with (($repo.status).artifact).revision }}
+            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
+            {{- end }}
+            {{- end }}
+    {{- end }}
+    {{- end }}
+      dashboard:
+        image:
+          registry: ghcr.io/aenix-io/cozystack
+          repository: dashboard
+          tag: v0.25.0
+          digest: "sha256:81e7b625c667bce5fc339eb97c8e115eafb82f66df4501550b3677ac53f6e234"
+        {{- $wlConfigmap := lookup "v1" "ConfigMap" "cozy-dashboard" "white-label" }}
+        {{- $locale := dig "data" "locale" "" $wlConfigmap }}
+        {{- if $locale }}
+        customLocale:
+          "Kubeapps": {{ $locale }}
+        {{- end }}
+        customStyle: |
+          {{- $logoImage := dig "data" "logo" "" $wlConfigmap }}
+          {{- if $logoImage }}
+          .kubeapps-logo {
+            background-image: {{ $logoImage }}
+          }
           {{- end }}
-          {{- end }}
-    {{- end }}
-    {{- end }}
-
-    {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
-    {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
-    {{- if $dashboardKCValues }}
-    {{- $dashboardKCValues | nindent 4 }}
-    {{- end }}
+          #serviceaccount-selector {
+            display: none;
+          }
+          .login-moreinfo {
+            display: none;
+          }
+          a[href="#/docs"] {
+            display: none;
+          }
+          .login-group .clr-form-control .clr-control-label {
+            display: none;
+          }
+          .appview-separator div.appview-first-row div.center {
+            display: none;
+          }
+          .appview-separator div.appview-first-row section[aria-labelledby="app-secrets"] {
+            display: none;
+          }
+          .appview-first-row section[aria-labelledby="access-urls-title"] {
+            width: 100%;
+          }
+  {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
+  {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
+  {{- if $dashboardKCValues }}
+  valuesFrom:
+  - kind: ConfigMap
+    name: kubeapps-auth-config
+    valuesKey: values.yaml
+  {{- end }}
 
   {{- if eq $oidcEnabled "true" }}
   dependsOn: [keycloak-configure]

packages/core/platform/bundles/paas-hosted.yaml

@@ -70,6 +70,10 @@ releases:
   namespace: cozy-monitoring
   privileged: true
   dependsOn: [victoria-metrics-operator]
+  values:
+    scrapeRules:
+      etcd:
+        enabled: true
 
 - name: etcd-operator
   releaseName: etcd-operator
@@ -151,9 +155,9 @@ releases:
   chart: cozy-dashboard
   namespace: cozy-dashboard
   values:
+    kubeapps:
     {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
     {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
-    kubeapps:
       redis:
         master:
           podAnnotations:
@@ -164,12 +168,54 @@ releases:
             {{- end }}
     {{- end }}
     {{- end }}
-
-    {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
-    {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
-    {{- if $dashboardKCValues }}
-    {{- $dashboardKCValues | nindent 4 }}
-    {{- end }}
+      dashboard:
+        image:
+          registry: ghcr.io/aenix-io/cozystack
+          repository: dashboard
+          tag: v0.25.0
+          digest: "sha256:81e7b625c667bce5fc339eb97c8e115eafb82f66df4501550b3677ac53f6e234"
+        {{- $wlConfigmap := lookup "v1" "ConfigMap" "cozy-dashboard" "white-label" }}
+        {{- $locale := dig "data" "locale" "" $wlConfigmap }}
+        {{- if $locale }}
+        customLocale:
+          "Kubeapps": {{ $locale }}
+        {{- end }}
+        customStyle: |
+          {{- $logoImage := dig "data" "logo" "" $wlConfigmap }}
+          {{- if $logoImage }}
+          .kubeapps-logo {
+            background-image: {{ $logoImage }}
+          }
+          {{- end }}
+          #serviceaccount-selector {
+            display: none;
+          }
+          .login-moreinfo {
+            display: none;
+          }
+          a[href="#/docs"] {
+            display: none;
+          }
+          .login-group .clr-form-control .clr-control-label {
+            display: none;
+          }
+          .appview-separator div.appview-first-row div.center {
+            display: none;
+          }
+          .appview-separator div.appview-first-row section[aria-labelledby="app-secrets"] {
+            display: none;
+          }
+          .appview-first-row section[aria-labelledby="access-urls-title"] {
+            width: 100%;
+          }
+  {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
+  {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
+  {{- if $dashboardKCValues }}
+  valuesFrom:
+  - kind: ConfigMap
+    name: kubeapps-auth-config
+    valuesKey: values.yaml
+  {{- end }}
 
   {{- if eq $oidcEnabled "true" }}
   dependsOn: [keycloak-configure]

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.24.1@sha256:3b4db74ce6225599fcf172a575a099e0ed365c81e62eb264bb49e38387232031
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.25.3@sha256:3c505ef20030ee4ff9412553c7ecc2077c01fb2785ff48991c404e09cd0db69f

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/matchbox:v0.24.1@sha256:26ce2eaae90c82e49e866ae5b18e38d6e3ac1a4b0a3b494ebe2c480a4685f143
+ghcr.io/aenix-io/cozystack/matchbox:v0.25.3@sha256:2e5c6e4530f3421f8133485d2bb092374ec10ae198a4b685aef61ff1e7fa9aff

packages/extra/etcd/Chart.yaml

@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: /logos/etcd.svg
 type: application
-version: 2.4.0
+version: 2.5.0

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -40,6 +40,12 @@ spec:
       labels:
         cozystack.io/service: etcd
     spec:
+      containers:
+      - name: etcd
+        ports:
+        - name: metrics
+          containerPort: 2381
+          protocol: TCP
       topologySpreadConstraints:
       - maxSkew: 1
         topologyKey: "kubernetes.io/hostname"

packages/extra/etcd/templates/podscrape.yaml

@@ -0,0 +1,11 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMPodScrape
+metadata:
+  name: etcd-pod-scrape
+spec:
+  podMetricsEndpoints:
+    - port: metrics
+      scheme: http
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: etcd

packages/extra/etcd/templates/prometheus-rules.yaml

@@ -0,0 +1,132 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: etcd-rules
+spec:
+  groups:
+  - name: etcd
+    rules:
+    - alert: etcdInsufficientMembers
+      annotations:
+        summary: "etcd cluster '{{`{{ $labels.job }}`}}': insufficient members '{{`{{ $value }}`}}'."
+      expr: |
+        sum(up{job=~".*etcd.*"} == bool 1) by (job) < ((count(up{job=~".*etcd.*"}) by (job) + 1) / 2)
+      for: 3m
+      labels:
+        severity: critical
+
+    - alert: etcdNoLeader
+      annotations:
+        summary: "etcd cluster '{{`{{ $labels.job }}`}}': member '{{`{{ $labels.instance }}`}}' has no leader."
+      expr: |
+        etcd_server_has_leader{job=~".*etcd.*"} == 0
+      for: 1m
+      labels:
+        severity: critical
+
+    - alert: etcdHighNumberOfLeaderChanges
+      annotations:
+        summary: "etcd cluster '{{`{{ $labels.job }}`}}': instance '{{`{{ $labels.instance }}`}}' has seen '{{`{{ $value }}`}}' leader changes within the last hour."
+      expr: |
+        rate(etcd_server_leader_changes_seen_total{job=~".*etcd.*"}[15m]) > 3
+      for: 15m
+      labels:
+        severity: warning
+
+    - alert: etcdHighNumberOfFailedGRPCRequests
+      annotations:
+        summary: "etcd cluster '{{`{{ $labels.job }}`}}': '{{`{{ $value }}`}}' of requests for '{{`{{ $labels.grpc_method }}`}}' failed on etcd instance '{{`{{ $labels.instance }}`}}'."
+      expr: |
+        100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code!="OK"}[5m])) BY (job, instance, grpc_service, grpc_method)
+          /
+        sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) BY (job, instance, grpc_service, grpc_method)
+          > 1
+      for: 10m
+      labels:
+        severity: warning
+
+    - alert: etcdHighNumberOfFailedGRPCRequests
+      annotations:
+        summary: "etcd cluster '{{`{{ $labels.job }}`}}': '{{`{{ $value }}`}}' of requests for '{{`{{ $labels.grpc_method }}`}}' failed on etcd instance '{{`{{ $labels.instance }}`}}'."
+      expr: |
+        100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code!="OK"}[5m])) BY (job, instance, grpc_service, grpc_method)
+          /
+        sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) BY (job, instance, grpc_service, grpc_method)
+          > 5
+      for: 5m
+      labels:
+        severity: critical
+
+    - alert: etcdGRPCRequestsSlow
+      annotations:
+        summary: "etcd cluster '{{`{{ $labels.job }}`}}': gRPC requests to '{{`{{ $labels.grpc_method }}`}}' are taking '{{`{{ $value }}`}}' on etcd instance '{{`{{ $labels.instance }}`}}'."
+      expr: |
+        histogram_quantile(0.99, sum(rate(grpc_server_handling_seconds_bucket{job=~".*etcd.*", grpc_type="unary"}[5m])) by (job, instance, grpc_service, grpc_method, le))
+        > 0.15
+      for: 10m
+      labels:
+        severity: critical
+
+    - alert: etcdMemberCommunicationSlow
+      annotations:
+        summary: "etcd cluster '{{`{{ $labels.job }}`}}': member communication with '{{`{{ $labels.To }}`}}' is taking '{{`{{ $value }}`}}' on etcd instance '{{`{{ $labels.instance }}`}}'."
+      expr: |
+        histogram_quantile(0.99, rate(etcd_network_peer_round_trip_time_seconds_bucket{job=~".*etcd.*"}[5m]))
+        > 0.15
+      for: 10m
+      labels:
+        severity: warning
+
+    - alert: etcdHighNumberOfFailedProposals
+      annotations:
+        summary: "etcd cluster '{{`{{ $labels.job }}`}}': '{{`{{ $value }}`}}' proposal failures within the last hour on etcd instance '{{`{{ $labels.instance }}`}}'."
+      expr: |
+        rate(etcd_server_proposals_failed_total{job=~".*etcd.*"}[15m]) > 5
+      for: 15m
+      labels:
+        severity: warning
+
+    - alert: etcdHighNumberOfFailedHTTPRequests
+      annotations:
+        summary: "'{{`{{ $value }}`}}' of requests for '{{`{{ $labels.method }}`}}' failed on etcd instance '{{`{{ $labels.instance }}`}}'."
+      expr: |
+        sum(rate(etcd_http_failed_total{job=~".*etcd.*", code!="404"}[5m])) BY (method) / sum(rate(etcd_http_received_total{job=~".*etcd.*"}[5m])) BY (method) > 0.01
+      for: 10m
+      labels:
+        severity: warning
+
+    - alert: etcdHighNumberOfFailedHTTPRequests
+      annotations:
+        summary: "'{{`{{ $value }}`}}' of requests for '{{`{{ $labels.method }}`}}' failed on etcd instance '{{`{{ $labels.instance }}`}}'."
+      expr: |
+        sum(rate(etcd_http_failed_total{job=~".*etcd.*", code!="404"}[5m])) BY (method) / sum(rate(etcd_http_received_total{job=~".*etcd.*"}[5m])) BY (method) > 0.05
+      for: 10m
+      labels:
+        severity: critical
+
+    - alert: etcdHTTPRequestsSlow
+      annotations:
+        summary: "etcd instance '{{`{{ $labels.instance }}`}}' HTTP requests to '{{`{{ $labels.method }}`}}' are slow."
+      expr: |
+        histogram_quantile(0.99, rate(etcd_http_successful_duration_seconds_bucket[5m]))
+        > 0.15
+      for: 10m
+      labels:
+        severity: warning
+
+    - alert: etcdMembersDown
+      annotations:
+        summary: "etcd cluster '{{`{{ $labels.job }}`}}' members are down."
+        description: 'etcd cluster "{{`{{ $labels.job }}`}}": members are down {{`{{ $value }}`}}.'
+      expr: |
+        max without (endpoint) (
+          sum without (instance, pod) (up{job=~".*etcd.*"} == bool 0)
+        or
+          count without (To) (
+            sum without (instance, pod) (rate(etcd_network_peer_sent_failures_total{job=~".*etcd.*"}[120s])) > 0.01
+          )
+        )
+        > 0
+      for: 10m
+      labels:
+        severity: critical

packages/extra/info/.helmignore

@@ -0,0 +1,2 @@
+.helmignore
+/logos

packages/extra/info/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: info
+description: Info
+icon: /logos/info.svg
+type: application
+version: 1.0.0

packages/extra/info/Makefile

@@ -0,0 +1,3 @@
+NAME=etcd
+
+include ../../../scripts/package.mk

packages/extra/info/README.md

@@ -0,0 +1,18 @@
+# Info
+
+### Kubeconfig for tenant 
+
+### Kubelogin
+
+For using kubeconfig need install kubelogin.
+
+```bash
+# Homebrew (macOS and Linux)
+brew install int128/kubelogin/kubelogin
+
+# Krew (macOS, Linux, Windows and ARM)
+kubectl krew install oidc-login
+
+# Chocolatey (Windows)
+choco install kubelogin
+```

packages/extra/info/logos/info.svg

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg fill="#000000" version="1.1" id="Capa_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" 
+	 width="800px" height="800px" viewBox="0 0 32 32" xml:space="preserve">
+<g>
+	<path d="M17.962,24.725l1.806,0.096v2.531h-7.534v-2.406l1.045-0.094c0.568-0.063,0.916-0.254,0.916-1.014v-8.801
+		c0-0.699-0.188-0.92-0.791-0.92l-1.106-0.062v-2.626h5.666L17.962,24.725L17.962,24.725z M15.747,4.648
+		c1.394,0,2.405,1.047,2.405,2.374c0,1.331-1.014,2.313-2.438,2.313c-1.454,0-2.404-0.982-2.404-2.313
+		C13.31,5.695,14.26,4.648,15.747,4.648z M16,32C7.178,32,0,24.822,0,16S7.178,0,16,0c8.82,0,16,7.178,16,16S24.82,32,16,32z M16,3
+		C8.832,3,3,8.832,3,16s5.832,13,13,13s13-5.832,13-13S23.168,3,16,3z"/>
+</g>
+</svg>

packages/extra/info/templates/dashboard-resourcemap.yaml

@@ -1,13 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ include "tenant.name" . }}-dashboard-resources
-  namespace: {{ .Release.namespace }}
+  name: info-dashboard-resources
 rules:
 - apiGroups:
   - ""
   resources:
   - secrets
   resourceNames:
-  - kubeconfig-{{ include "tenant.name" . }}
+  - kubeconfig-{{ .Release.Namespace }}
   verbs: ["get", "list", "watch"]

packages/extra/info/templates/kubeconfig.yaml

@@ -15,8 +15,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: kubeconfig-{{ include "tenant.name" . }}
-  namespace: tenant-root
+  name: kubeconfig-{{ .Release.Namespace }}
 stringData:
   kubeconfig: |
     apiVersion: v1
@@ -28,10 +27,10 @@ stringData:
     contexts:
     - context:
         cluster: cluster
-        namespace: {{ include "tenant.name" . }}
+        namespace: {{ .Release.Namespace }}
         user: keycloak
-      name: {{ include "tenant.name" . }}
-    current-context: {{ include "tenant.name" . }}
+      name: {{ .Release.Namespace }}
+    current-context: {{ .Release.Namespace }}
     users:
     - name: keycloak
       user:

packages/extra/info/values.schema.json

@@ -0,0 +1 @@
+{}

packages/extra/monitoring/dashboards.list

@@ -30,5 +30,8 @@ main/nodes
 control-plane/control-plane-status
 control-plane/deprecated-resources
 control-plane/dns-coredns
-control-plane/kube-etcd3
+control-plane/kube-etcd
 kubevirt/kubevirt-control-plane
+flux/flux-control-plane
+flux/flux-stats
+kafka/strimzi-kafka

packages/extra/versions_map

@@ -5,7 +5,9 @@ etcd 2.0.1 6fc1cc7d
 etcd 2.1.0 2b00fcf8
 etcd 2.2.0 5ca8823
 etcd 2.3.0 b908400d
-etcd 2.4.0 HEAD
+etcd 2.4.0 cb7b8158
+etcd 2.5.0 HEAD
+info 1.0.0 HEAD
 ingress 1.0.0 f642698
 ingress 1.1.0 838bee5d
 ingress 1.2.0 ced8e5b

packages/system/bootbox/Chart.yaml

@@ -1,3 +1,3 @@
 apiVersion: v2
-name: cozy-smee
+name: cozy-bootbox
 version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:ced16c5ef3869e8ffbd0e880693b78ac47bdf310efcdb3e66ece6b22aaa5a75f
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:e50aecd2158490cb383cef28b8b066aef847782cd826b161fccd91c928fcb500

packages/system/capi-providers/templates/providers.yaml

@@ -14,6 +14,13 @@ metadata:
 spec:
   # https://github.com/clastix/cluster-api-control-plane-provider-kamaji
   version: v0.11.0
+  deployment:
+    containers:
+    - name: manager
+      resources:
+        limits:
+          cpu: 1024m
+          memory: 1024Mi
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: BootstrapProvider

packages/system/cilium/charts/cilium/Chart.yaml

@@ -79,7 +79,7 @@ annotations:
     Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
     be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.16.5
+appVersion: 1.16.6
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.16.5
+version: 1.16.6

packages/system/cilium/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.16.5](https://img.shields.io/badge/Version-1.16.5-informational?style=flat-square) ![AppVersion: 1.16.5](https://img.shields.io/badge/AppVersion-1.16.5-informational?style=flat-square)
+![Version: 1.16.6](https://img.shields.io/badge/Version-1.16.6-informational?style=flat-square) ![AppVersion: 1.16.6](https://img.shields.io/badge/AppVersion-1.16.6-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
 | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. |
-| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:d75b758a4fea99ffff4db799e16f853bbde8643671b5b72464a8ba94cbe3dbe3","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
+| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:71b79694b71639e633452f57fd9de40595d524de308349218d9a6a144b40be02","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
 | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
@@ -182,7 +182,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
 | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.5","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.16.6","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -353,7 +353,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:709c08ade3d17d52da4ca2af33f431360ec26268d288d9a6cd1d98acc9a1dced","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5","useDigest":true}` | Envoy container image. |
 | envoy.initialFetchTimeoutSeconds | int | `30` | Time in seconds after which the initial fetch on an xDS stream is considered timed out |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
@@ -485,7 +485,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.5","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.16.6","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -591,7 +591,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.5","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.6","useDigest":true}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -718,7 +718,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0","awsDigest":"sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476","azureDigest":"sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9","genericDigest":"sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.5","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9","awsDigest":"sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d","azureDigest":"sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd","genericDigest":"sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.16.6","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -768,7 +768,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.5","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.16.6","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json

@@ -1,471 +0,0 @@
-{
-  "node": {
-    "id": "host~127.0.0.1~no-id~localdomain",
-    "cluster": "ingress-cluster"
-  },
-  "staticResources": {
-    "listeners": [
-      {{- if .Values.envoy.prometheus.enabled }}
-      {
-        "name": "envoy-prometheus-metrics-listener",
-        "address": {
-          "socket_address": {
-            "address": "0.0.0.0",
-            "port_value": {{ .Values.envoy.prometheus.port }}
-          }
-        },
-        "filter_chains": [
-          {
-            "filters": [
-              {
-                "name": "envoy.filters.network.http_connection_manager",
-                "typed_config": {
-                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
-                  "stat_prefix": "envoy-prometheus-metrics-listener",
-                  "route_config": {
-                    "virtual_hosts": [
-                      {
-                        "name": "prometheus_metrics_route",
-                        "domains": [
-                          "*"
-                        ],
-                        "routes": [
-                          {
-                            "name": "prometheus_metrics_route",
-                            "match": {
-                              "prefix": "/metrics"
-                            },
-                            "route": {
-                              "cluster": "/envoy-admin",
-                              "prefix_rewrite": "/stats/prometheus"
-                            }
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  "http_filters": [
-                    {
-                      "name": "envoy.filters.http.router",
-                      "typed_config": {
-                        "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
-                      }
-                    }
-                  ],
-                  "internal_address_config": {
-                    "cidr_ranges": [
-                      {
-                        "address_prefix": "10.0.0.0",
-                        "prefix_len": 8
-                      },
-                      {
-                        "address_prefix": "172.16.0.0",
-                        "prefix_len": 12
-                      },
-                      {
-                        "address_prefix": "192.168.0.0",
-                        "prefix_len": 16
-                      },
-                      {
-                        "address_prefix": "127.0.0.1",
-                        "prefix_len": 32
-                      },
-                      {
-                        "address_prefix": "::1",
-                        "prefix_len": 128
-                      }
-                    ]
-                  },
-                  "stream_idle_timeout": "0s"
-                }
-              }
-            ]
-          }
-        ]
-      },
-      {{- end }}
-      {{- if and .Values.envoy.debug.admin.enabled }}
-      {
-        "name": "envoy-admin-listener",
-        "address": {
-          "socket_address": {
-            "address": {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }},
-            "port_value": {{ .Values.envoy.debug.admin.port }}
-          }
-        },
-        {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
-        "additional_addresses": [
-          {
-            "address": {
-              "socket_address": {
-                "address": "::1",
-                "port_value": {{ .Values.envoy.debug.admin.port }}
-              }
-            }
-          }
-        ],
-        {{- end }}
-        "filter_chains": [
-          {
-            "filters": [
-              {
-                "name": "envoy.filters.network.http_connection_manager",
-                "typed_config": {
-                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
-                  "stat_prefix": "envoy-admin-listener",
-                  "route_config": {
-                    "virtual_hosts": [
-                      {
-                        "name": "admin_route",
-                        "domains": [
-                          "*"
-                        ],
-                        "routes": [
-                          {
-                            "name": "admin_route",
-                            "match": {
-                              "prefix": "/"
-                            },
-                            "route": {
-                              "cluster": "/envoy-admin",
-                              "prefix_rewrite": "/"
-                            }
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  "http_filters": [
-                    {
-                      "name": "envoy.filters.http.router",
-                      "typed_config": {
-                        "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
-                      }
-                    }
-                  ],
-                  "internal_address_config": {
-                    "cidr_ranges": [
-                      {
-                        "address_prefix": "10.0.0.0",
-                        "prefix_len": 8
-                      },
-                      {
-                        "address_prefix": "172.16.0.0",
-                        "prefix_len": 12
-                      },
-                      {
-                        "address_prefix": "192.168.0.0",
-                        "prefix_len": 16
-                      },
-                      {
-                        "address_prefix": "127.0.0.1",
-                        "prefix_len": 32
-                      },
-                      {
-                        "address_prefix": "::1",
-                        "prefix_len": 128
-                      }
-                    ]
-                  },
-                  "stream_idle_timeout": "0s"
-                }
-              }
-            ]
-          }
-        ]
-      },
-      {{- end }}
-      {
-        "name": "envoy-health-listener",
-        "address": {
-          "socket_address": {
-            "address": {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }},
-            "port_value": {{ .Values.envoy.healthPort }}
-          }
-        },
-        {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
-        "additional_addresses": [
-          {
-            "address": {
-              "socket_address": {
-                "address": "::1",
-                "port_value": {{ .Values.envoy.healthPort }}
-              }
-            }
-          }
-        ],
-        {{- end }}
-        "filter_chains": [
-          {
-            "filters": [
-              {
-                "name": "envoy.filters.network.http_connection_manager",
-                "typed_config": {
-                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
-                  "stat_prefix": "envoy-health-listener",
-                  "route_config": {
-                    "virtual_hosts": [
-                      {
-                        "name": "health",
-                        "domains": [
-                          "*"
-                        ],
-                        "routes": [
-                          {
-                            "name": "health",
-                            "match": {
-                              "prefix": "/healthz"
-                            },
-                            "route": {
-                              "cluster": "/envoy-admin",
-                              "prefix_rewrite": "/ready"
-                            }
-                          }
-                        ]
-                      }
-                    ]
-                  },
-                  "http_filters": [
-                    {
-                      "name": "envoy.filters.http.router",
-                      "typed_config": {
-                        "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
-                      }
-                    }
-                  ],
-                  "internal_address_config": {
-                    "cidr_ranges": [
-                      {
-                        "address_prefix": "10.0.0.0",
-                        "prefix_len": 8
-                      },
-                      {
-                        "address_prefix": "172.16.0.0",
-                        "prefix_len": 12
-                      },
-                      {
-                        "address_prefix": "192.168.0.0",
-                        "prefix_len": 16
-                      },
-                      {
-                        "address_prefix": "127.0.0.1",
-                        "prefix_len": 32
-                      },
-                      {
-                        "address_prefix": "::1",
-                        "prefix_len": 128
-                      }
-                    ]
-                  },
-                  "stream_idle_timeout": "0s"
-                }
-              }
-            ]
-          }
-        ]
-      }
-    ],
-    "clusters": [
-      {
-        "name": "ingress-cluster",
-        "type": "ORIGINAL_DST",
-        "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
-        "lbPolicy": "CLUSTER_PROVIDED",
-        "typedExtensionProtocolOptions": {
-          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-            "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-            "commonHttpProtocolOptions": {
-              "idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s",
-              "maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s",
-              "maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }}
-            },
-            "useDownstreamProtocolConfig": {}
-          }
-        },
-        "cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
-      },
-      {
-        "name": "egress-cluster-tls",
-        "type": "ORIGINAL_DST",
-        "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
-        "lbPolicy": "CLUSTER_PROVIDED",
-        "typedExtensionProtocolOptions": {
-          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-            "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-            "commonHttpProtocolOptions": {
-              "idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s",
-              "maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s",
-              "maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }}
-            },
-            "upstreamHttpProtocolOptions": {},
-            "useDownstreamProtocolConfig": {}
-          }
-        },
-        "cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s",
-        "transportSocket": {
-          "name": "cilium.tls_wrapper",
-          "typedConfig": {
-            "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
-          }
-        }
-      },
-      {
-        "name": "egress-cluster",
-        "type": "ORIGINAL_DST",
-        "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
-        "lbPolicy": "CLUSTER_PROVIDED",
-        "typedExtensionProtocolOptions": {
-          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-            "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-            "commonHttpProtocolOptions": {
-              "idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s",
-              "maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s",
-              "maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }}
-            },
-            "useDownstreamProtocolConfig": {}
-          }
-        },
-        "cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
-      },
-      {
-        "name": "ingress-cluster-tls",
-        "type": "ORIGINAL_DST",
-        "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
-        "lbPolicy": "CLUSTER_PROVIDED",
-        "typedExtensionProtocolOptions": {
-          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-            "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-            "commonHttpProtocolOptions": {
-              "idleTimeout": "{{ .Values.envoy.idleTimeoutDurationSeconds }}s",
-              "maxConnectionDuration": "{{ .Values.envoy.maxConnectionDurationSeconds }}s",
-              "maxRequestsPerConnection": {{ .Values.envoy.maxRequestsPerConnection }}
-            },
-            "upstreamHttpProtocolOptions": {},
-            "useDownstreamProtocolConfig": {}
-          }
-        },
-        "cleanupInterval": "{{ .Values.envoy.connectTimeoutSeconds }}.500s",
-        "transportSocket": {
-          "name": "cilium.tls_wrapper",
-          "typedConfig": {
-            "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
-          }
-        }
-      },
-      {
-        "name": "xds-grpc-cilium",
-        "type": "STATIC",
-        "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
-        "loadAssignment": {
-          "clusterName": "xds-grpc-cilium",
-          "endpoints": [
-            {
-              "lbEndpoints": [
-                {
-                  "endpoint": {
-                    "address": {
-                      "pipe": {
-                        "path": "/var/run/cilium/envoy/sockets/xds.sock"
-                      }
-                    }
-                  }
-                }
-              ]
-            }
-          ]
-        },
-        "typedExtensionProtocolOptions": {
-          "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
-            "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
-            "explicitHttpConfig": {
-              "http2ProtocolOptions": {}
-            }
-          }
-        }
-      },
-      {
-        "name": "/envoy-admin",
-        "type": "STATIC",
-        "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s",
-        "loadAssignment": {
-          "clusterName": "/envoy-admin",
-          "endpoints": [
-            {
-              "lbEndpoints": [
-                {
-                  "endpoint": {
-                    "address": {
-                      "pipe": {
-                        "path": "/var/run/cilium/envoy/sockets/admin.sock"
-                      }
-                    }
-                  }
-                }
-              ]
-            }
-          ]
-        }
-      }
-    ]
-  },
-  "dynamicResources": {
-    "ldsConfig": {
-      "initialFetchTimeout": "{{ .Values.envoy.initialFetchTimeoutSeconds }}s",
-      "apiConfigSource": {
-        "apiType": "GRPC",
-        "transportApiVersion": "V3",
-        "grpcServices": [
-          {
-            "envoyGrpc": {
-              "clusterName": "xds-grpc-cilium"
-            }
-          }
-        ],
-        "setNodeOnFirstMessageOnly": true
-      },
-      "resourceApiVersion": "V3"
-    },
-    "cdsConfig": {
-      "initialFetchTimeout": "{{ .Values.envoy.initialFetchTimeoutSeconds }}s",
-      "apiConfigSource": {
-        "apiType": "GRPC",
-        "transportApiVersion": "V3",
-        "grpcServices": [
-          {
-            "envoyGrpc": {
-              "clusterName": "xds-grpc-cilium"
-            }
-          }
-        ],
-        "setNodeOnFirstMessageOnly": true
-      },
-      "resourceApiVersion": "V3"
-    }
-  },
-  "bootstrapExtensions": [
-    {
-      "name": "envoy.bootstrap.internal_listener",
-      "typed_config": {
-        "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"
-      }
-    }
-  ],
-  "overload_manager": {
-    "resource_monitors": [
-      {
-        "name": "envoy.resource_monitors.global_downstream_max_connections",
-        "typed_config": {
-          "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig",
-          "max_active_downstream_connections": "50000"
-        }
-      }
-    ]
-  },
-  "admin": {
-    "address": {
-      "pipe": {
-        "path": "/var/run/cilium/envoy/sockets/admin.sock"
-      }
-    }
-  }
-}

packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml

@@ -0,0 +1,280 @@
+node:
+  id: "host~127.0.0.1~no-id~localdomain"
+  cluster: "ingress-cluster"
+staticResources:
+  listeners:
+  {{- if .Values.envoy.prometheus.enabled }}
+  - name: "envoy-prometheus-metrics-listener"
+    address:
+      socketAddress:
+        address: "0.0.0.0"
+        portValue: {{ .Values.envoy.prometheus.port }}
+    filterChains:
+    - filters:
+      - name: "envoy.filters.network.http_connection_manager"
+        typedConfig:
+          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+          statPrefix: "envoy-prometheus-metrics-listener"
+          routeConfig:
+            virtualHosts:
+            - name: "prometheus_metrics_route"
+              domains:
+              - "*"
+              routes:
+              - name: "prometheus_metrics_route"
+                match:
+                  prefix: "/metrics"
+                route:
+                  cluster: "/envoy-admin"
+                  prefixRewrite: "/stats/prometheus"
+          httpFilters:
+          - name: "envoy.filters.http.router"
+            typedConfig:
+              "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+          internalAddressConfig:
+            cidrRanges:
+            {{- if .Values.ipv4.enabled }}
+            - addressPrefix: "10.0.0.0"
+              prefixLen: 8
+            - addressPrefix: "172.16.0.0"
+              prefixLen: 12
+            - addressPrefix: "192.168.0.0"
+              prefixLen: 16
+            - addressPrefix: "127.0.0.1"
+              prefixLen: 32
+            {{- end }}
+            {{- if .Values.ipv6.enabled }}
+            - addressPrefix: "::1"
+              prefixLen: 128
+            {{- end }}
+          streamIdleTimeout: "0s"
+  {{- end }}
+  {{- if and .Values.envoy.debug.admin.enabled }}
+  - name: "envoy-admin-listener"
+    address:
+      socketAddress:
+        address: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+        portValue: {{ .Values.envoy.debug.admin.port }}
+    {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
+    additionalAddresses:
+    - address:
+        socketAddress:
+          address: "::1"
+          portValue: {{ .Values.envoy.debug.admin.port }}
+    {{- end }}
+    filterChains:
+    - filters:
+      - name: "envoy.filters.network.http_connection_manager"
+        typedConfig:
+          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+          statPrefix: "envoy-admin-listener"
+          routeConfig:
+            virtual_hosts:
+            - name: "admin_route"
+              domains:
+              - "*"
+              routes:
+              - name: "admin_route"
+                match:
+                  prefix: "/"
+                route:
+                  cluster: "/envoy-admin"
+                  prefixRewrite: "/"
+          httpFilters:
+          - name: "envoy.filters.http.router"
+            typedConfig:
+              "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+          internalAddressConfig:
+            cidrRanges:
+            {{- if .Values.ipv4.enabled }}
+            - addressPrefix: "10.0.0.0"
+              prefixLen: 8
+            - addressPrefix: "172.16.0.0"
+              prefixLen: 12
+            - addressPrefix: "192.168.0.0"
+              prefixLen: 16
+            - addressPrefix: "127.0.0.1"
+              prefixLen: 32
+            {{- end }}
+            {{- if .Values.ipv6.enabled }}
+            - addressPrefix: "::1"
+              prefixLen: 128
+            {{- end }}
+          streamIdleTimeout: "0s"
+  {{- end }}
+  - name: "envoy-health-listener"
+    address:
+      socketAddress:
+        address: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+        portValue: {{ .Values.envoy.healthPort }}
+    {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
+    additionalAddresses:
+    - address:
+        socketAddress:
+          address: "::1"
+          portValue: {{ .Values.envoy.healthPort }}
+    {{- end }}
+    filterChains:
+    - filters:
+      - name: "envoy.filters.network.http_connection_manager"
+        typedConfig:
+          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+          statPrefix: "envoy-health-listener"
+          routeConfig:
+            virtual_hosts:
+            - name: "health"
+              domains:
+              - "*"
+              routes:
+              - name: "health"
+                match:
+                  prefix: "/healthz"
+                route:
+                  cluster: "/envoy-admin"
+                  prefixRewrite: "/ready"
+          httpFilters:
+          - name: "envoy.filters.http.router"
+            typedConfig:
+              "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+          internalAddressConfig:
+            cidrRanges:
+            {{- if .Values.ipv4.enabled }}
+            - addressPrefix: "10.0.0.0"
+              prefixLen: 8
+            - addressPrefix: "172.16.0.0"
+              prefixLen: 12
+            - addressPrefix: "192.168.0.0"
+              prefixLen: 16
+            - addressPrefix: "127.0.0.1"
+              prefixLen: 32
+            {{- end }}
+            {{- if .Values.ipv6.enabled }}
+            - addressPrefix: "::1"
+              prefixLen: 128
+            {{- end }}
+          streamIdleTimeout: "0s"
+  clusters:
+  - name: "ingress-cluster"
+    type: "ORIGINAL_DST"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    lbPolicy: "CLUSTER_PROVIDED"
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+        commonHttpProtocolOptions:
+          idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+          maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+          maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+        useDownstreamProtocolConfig: {}
+    cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+  - name: "egress-cluster-tls"
+    type: "ORIGINAL_DST"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    lbPolicy: "CLUSTER_PROVIDED"
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+        commonHttpProtocolOptions:
+          idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+          maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+          maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+        upstreamHttpProtocolOptions: {}
+        useDownstreamProtocolConfig: {}
+    cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+    transportSocket:
+      name: "cilium.tls_wrapper"
+      typedConfig:
+        "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
+  - name: "egress-cluster"
+    type: "ORIGINAL_DST"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    lbPolicy: "CLUSTER_PROVIDED"
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+        commonHttpProtocolOptions:
+          idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+          maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+          maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+        useDownstreamProtocolConfig: {}
+    cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+  - name: "ingress-cluster-tls"
+    type: "ORIGINAL_DST"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    lbPolicy: "CLUSTER_PROVIDED"
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+        commonHttpProtocolOptions:
+          idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s"
+          maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s"
+          maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }}
+        upstreamHttpProtocolOptions: {}
+        useDownstreamProtocolConfig: {}
+    cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s"
+    transportSocket:
+      name: "cilium.tls_wrapper"
+      typedConfig:
+        "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
+  - name: "xds-grpc-cilium"
+    type: "STATIC"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    loadAssignment:
+      clusterName: "xds-grpc-cilium"
+      endpoints:
+      - lbEndpoints:
+        - endpoint:
+            address:
+              pipe:
+                path: "/var/run/cilium/envoy/sockets/xds.sock"
+    typedExtensionProtocolOptions:
+      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+        "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+        explicitHttpConfig:
+          http2ProtocolOptions: {}
+  - name: "/envoy-admin"
+    type: "STATIC"
+    connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s"
+    loadAssignment:
+      clusterName: "/envoy-admin"
+      endpoints:
+      - lbEndpoints:
+        - endpoint:
+            address:
+              pipe:
+                path: "/var/run/cilium/envoy/sockets/admin.sock"
+dynamicResources:
+  ldsConfig:
+    initialFetchTimeout: "{{ .Values.envoy.initialFetchTimeoutSeconds }}s"
+    apiConfigSource:
+      apiType: "GRPC"
+      transportApiVersion: "V3"
+      grpcServices:
+      - envoyGrpc:
+          clusterName: "xds-grpc-cilium"
+      setNodeOnFirstMessageOnly: true
+    resourceApiVersion: "V3"
+  cdsConfig:
+    initialFetchTimeout: "{{ .Values.envoy.initialFetchTimeoutSeconds }}s"
+    apiConfigSource:
+      apiType: "GRPC"
+      transportApiVersion: "V3"
+      grpcServices:
+      - envoyGrpc:
+          clusterName: "xds-grpc-cilium"
+      setNodeOnFirstMessageOnly: true
+    resourceApiVersion: "V3"
+bootstrapExtensions:
+- name: "envoy.bootstrap.internal_listener"
+  typedConfig:
+    "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"
+overloadManager:
+  resourceMonitors:
+  - name: "envoy.resource_monitors.global_downstream_max_connections"
+    typedConfig:
+      "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig"
+      max_active_downstream_connections: "50000"
+admin:
+  address:
+    pipe:
+      path: "/var/run/cilium/envoy/sockets/admin.sock"

packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml

@@ -315,13 +315,9 @@ spec:
         {{- end}}
         - name: cilium-run
           mountPath: /var/run/cilium
-        {{- /* mount the directory if socketLB.enabled is true and socketLB.terminatePodConnections is not explicitly set to false */ -}}
-        {{- if or (and (kindIs "invalid" .Values.socketLB.terminatePodConnections) .Values.socketLB.enabled)
-                  (and .Values.socketLB.enabled .Values.socketLB.terminatePodConnections)  }}
         - name: cilium-netns
           mountPath: /var/run/cilium/netns
           mountPropagation: HostToContainer
-        {{- end}}
         - name: etc-cni-netd
           mountPath: {{ .Values.cni.hostConfDirMountPath }}
         {{- if .Values.etcd.enabled }}
@@ -797,14 +793,11 @@ spec:
         hostPath:
           path: {{ .Values.daemon.runPath }}
           type: DirectoryOrCreate
-      {{- if or (and (kindIs "invalid" .Values.socketLB.terminatePodConnections) .Values.socketLB.enabled)
-                (and .Values.socketLB.enabled .Values.socketLB.terminatePodConnections)  }}
         # To exec into pod network namespaces
       - name: cilium-netns
         hostPath:
           path: /var/run/netns
           type: DirectoryOrCreate
-      {{- end }}
       {{- if .Values.bpf.autoMount.enabled }}
         # To keep state between restarts / upgrades for bpf maps
       - name: bpf-maps

packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml

@@ -513,10 +513,10 @@ data:
   subnet-ids-filter: {{ .Values.eni.subnetIDsFilter | join " " | quote }}
 {{- end }}
 {{- if .Values.eni.subnetTagsFilter }}
-  subnet-tags-filter: {{ .Values.eni.subnetTagsFilter |  join " " | quote }}
+  subnet-tags-filter: {{ .Values.eni.subnetTagsFilter |  join "," | quote }}
 {{- end }}
 {{- if .Values.eni.instanceTagsFilter }}
-  instance-tags-filter: {{ .Values.eni.instanceTagsFilter | join " " | quote }}
+  instance-tags-filter: {{ .Values.eni.instanceTagsFilter | join "," | quote }}
 {{- end }}
 {{- end }}
 {{ if .Values.eni.gcInterval }}
@@ -718,8 +718,6 @@ data:
 {{- end }}
 {{- if hasKey $socketLB "terminatePodConnections" }}
   bpf-lb-sock-terminate-pod-connections: {{ $socketLB.terminatePodConnections | quote }}
-{{- else if hasKey $socketLB "enabled" }}
-  bpf-lb-sock-terminate-pod-connections: {{ $socketLB.enabled | quote }}
 {{- end }}
 {{- if hasKey $socketLB "tracing" }}
   trace-sock: {{ $socketLB.tracing | quote }}

packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml

@@ -12,6 +12,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 data:
-{{- (tpl (.Files.Glob "files/cilium-envoy/configmap/bootstrap-config.json").AsConfig .) | nindent 2 }}
-
+  # Keep the key name as bootstrap-config.json to avoid breaking changes
+  bootstrap-config.json: |
+    {{- (tpl (.Files.Get "files/cilium-envoy/configmap/bootstrap-config.yaml") .) | fromYaml | toJson | nindent 4 }}
 {{- end }}

packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl

@@ -13,24 +13,12 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
 
-        # CORS
-        add_header Access-Control-Allow-Methods "GET, POST, PUT, HEAD, DELETE, OPTIONS";
-        add_header Access-Control-Allow-Origin *;
-        add_header Access-Control-Max-Age 1728000;
-        add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message;
-        add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;
-        if ($request_method = OPTIONS) {
-            return 204;
-        }
-        # /CORS
-
         location {{ .Values.hubble.ui.baseUrl }}api {
             {{- if not (eq .Values.hubble.ui.baseUrl "/") }}
             rewrite ^{{ (trimSuffix "/" .Values.hubble.ui.baseUrl) }}(/.*)$ $1 break;
             {{- end }}
             proxy_http_version 1.1;
             proxy_pass_request_headers on;
-            proxy_hide_header Access-Control-Allow-Origin;
             {{- if eq .Values.hubble.ui.baseUrl "/" }}
             proxy_pass http://127.0.0.1:8090;
             {{- else }}

packages/system/cilium/charts/cilium/values.yaml

@@ -153,10 +153,10 @@ image:
   # @schema
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.16.5"
+  tag: "v1.16.6"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d"
+  digest: "sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
   useDigest: true
 # -- Affinity for cilium-agent.
 affinity:
@@ -1314,9 +1314,9 @@ hubble:
       # @schema
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.16.5"
+      tag: "v1.16.6"
       # hubble-relay-digest
-      digest: "sha256:6cfae1d1afa566ba941f03d4d7e141feddd05260e5cd0a1509aba1890a45ef00"
+      digest: "sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- Specifies the resources for the hubble-relay pods
@@ -2165,9 +2165,9 @@ envoy:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8"
+    tag: "v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5"
     pullPolicy: "IfNotPresent"
-    digest: "sha256:709c08ade3d17d52da4ca2af33f431360ec26268d288d9a6cd1d98acc9a1dced"
+    digest: "sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88"
     useDigest: true
   # -- Additional containers added to the cilium Envoy DaemonSet.
   extraContainers: []
@@ -2480,15 +2480,15 @@ operator:
     # @schema
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.16.5"
+    tag: "v1.16.6"
     # operator-generic-digest
-    genericDigest: "sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039"
+    genericDigest: "sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc"
     # operator-azure-digest
-    azureDigest: "sha256:265e2b78f572c76b523f91757083ea5f0b9b73b82f2d9714e5a8fb848e4048f9"
+    azureDigest: "sha256:0a05d7aea760923897aabd715213ab11a706051673d41fab3874a37f897c1bdd"
     # operator-aws-digest
-    awsDigest: "sha256:97e1fe0c2b522583033138eb10c170919d8de49d2788ceefdcff229a92210476"
+    awsDigest: "sha256:d11ee1cfa3465defe2df7ec1c6e8a77bcaf280b44d2c61aa7496c58b29550f6d"
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:c0edf4c8d089e76d6565d3c57128b98bc6c73d14bb4590126ee746aeaedba5e0"
+    alibabacloudDigest: "sha256:0e3c7fbcb6bde9a247cd2dd3d25230e2859d40d2eb58aba6265a2aab216775a9"
     useDigest: true
     pullPolicy: "IfNotPresent"
     suffix: ""
@@ -2762,9 +2762,9 @@ preflight:
     # @schema
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.16.5"
+    tag: "v1.16.6"
     # cilium-digest
-    digest: "sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d"
+    digest: "sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da"
     useDigest: true
     pullPolicy: "IfNotPresent"
   # -- The priority class to use for the preflight pod.
@@ -2911,9 +2911,9 @@ clustermesh:
       # @schema
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.16.5"
+      tag: "v1.16.6"
       # clustermesh-apiserver-digest
-      digest: "sha256:37a7fdbef806b78ef63df9f1a9828fdddbf548d1f0e43b8eb10a6bdc8fa03958"
+      digest: "sha256:ab2070ea48a52a55d961b81b7b5fbac7d40a3f428be9b1b6b9071d47f194456a"
       useDigest: true
       pullPolicy: "IfNotPresent"
     # -- TCP port for the clustermesh-apiserver health API.
@@ -3412,7 +3412,7 @@ authentication:
           override: ~
           repository: "docker.io/library/busybox"
           tag: "1.36.1"
-          digest: "sha256:d75b758a4fea99ffff4db799e16f853bbde8643671b5b72464a8ba94cbe3dbe3"
+          digest: "sha256:71b79694b71639e633452f57fd9de40595d524de308349218d9a6a144b40be02"
           useDigest: true
           pullPolicy: "IfNotPresent"
         # SPIRE agent configuration

packages/system/cilium/images/cilium/Dockerfile

@@ -1,2 +1,2 @@
-ARG VERSION=v1.16.5
+ARG VERSION=v1.16.6
 FROM quay.io/cilium/cilium:${VERSION}

packages/system/cilium/values.yaml

@@ -12,7 +12,7 @@ cilium:
     mode: "kubernetes"
   image:
     repository: ghcr.io/aenix-io/cozystack/cilium
-    tag: 1.16.5
-    digest: "sha256:eae9d5531c115f8946990a731bfaaebc905b020a2957559b3c9f2ce1c655a834"
+    tag: 1.16.6
+    digest: "sha256:cf64df62897b071d5a9a005564ecbfb9124aa82a96957e329ce28a187864f113"
   envoy:
     enabled: false

packages/system/cozy-proxy/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-cozy-proxy
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/cozy-proxy/Makefile

@@ -0,0 +1,11 @@
+NAME=cozy-proxy
+NAMESPACE=cozy-system
+
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/aenix-io/cozy-proxy | awk -F'[/^]' 'END{print $$3}') && \
+	curl -sSL https://github.com/aenix-io/cozy-proxy/archive/refs/tags/$${tag}.tar.gz | \
+	tar xzvf - --strip 1 cozy-proxy-$${tag#*v}/charts

packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: cozy-proxy
+description: A simple kube-proxy addon for 1:1 NAT services in Kubernetes using an NFT backend
+type: application
+version: 0.1.2
+appVersion: 0.1.2

packages/system/cozy-proxy/charts/cozy-proxy/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{- define "cozy-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "cozy-proxy.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if .Values.fullnameOverride -}}
+  {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+  {{- if eq .Release.Name $name }}
+    {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cozy-proxy.labels" -}}
+helm.sh/chart: {{ include "cozy-proxy.name" . }}-{{ .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/name: {{ include "cozy-proxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}

packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "cozy-proxy.fullname" . }}
+  labels:
+    {{- include "cozy-proxy.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ include "cozy-proxy.name" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "cozy-proxy.name" . }}
+      annotations:
+        {{- toYaml .Values.daemonset.podAnnotations | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "cozy-proxy.fullname" . }}
+      hostNetwork: {{ .Values.daemonset.hostNetwork }}
+      containers:
+        - name: cozy-proxy
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            privileged: true
+            capabilities:
+              add: ["NET_ADMIN"]

packages/system/cozy-proxy/charts/cozy-proxy/templates/role.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cozy-proxy.fullname" . }}
+  labels:
+    {{- include "cozy-proxy.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["services", "endpoints"]
+    verbs: ["get", "list", "watch"]
+{{- end }}

packages/system/cozy-proxy/charts/cozy-proxy/templates/rolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cozy-proxy.fullname" . }}
+  labels:
+    {{- include "cozy-proxy.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "cozy-proxy.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "cozy-proxy.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/system/cozy-proxy/charts/cozy-proxy/templates/serviceaccount.yaml

@@ -0,0 +1,8 @@
+{{- if .Values.rbac.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "cozy-proxy.fullname" . }}
+  labels:
+    {{- include "cozy-proxy.labels" . | nindent 4 }}
+{{- end }}

packages/system/cozy-proxy/charts/cozy-proxy/values.yaml

@@ -0,0 +1,12 @@
+image:
+  repository: ghcr.io/aenix-io/cozystack/cozy-proxy
+  tag: v0.1.2
+  pullPolicy: IfNotPresent
+
+daemonset:
+  hostNetwork: true
+  podAnnotations: {}
+  podLabels: {}
+
+rbac:
+  create: true

packages/system/cozy-proxy/values.yaml

@@ -0,0 +1,2 @@
+cozy-proxy:
+  fullnameOverride: cozy-proxy

packages/system/cozystack-api/templates/configmap.yaml

@@ -314,3 +314,17 @@ data:
             kind: HelmRepository
             name: cozystack-extra
             namespace: cozy-public
+    - application:
+        kind: Info
+        plural: infos
+        singular: info
+      release:
+        prefix: ""
+        labels:
+          cozystack.io/ui: "true"
+        chart:
+          name: info
+          sourceRef:
+            kind: HelmRepository
+            name: cozystack-extra
+            namespace: cozy-public

packages/system/cozystack-api/values.yaml

@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.24.1@sha256:ab6f4852be7d2be5deea8ace6f8901d8cbf41e87d219fdb805047f7a2bcbd2ed
+  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.25.3@sha256:5a37def468ce2356d933c80efa71e2eb2608b549602be2f5f07c7a63df4c79cd

packages/system/cozystack-controller/values.yaml

@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.24.1@sha256:e59a04c072c0c50c3174b34329830d05266f3c87a4235dc8fbd78d91be9ceb2c
+  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.25.3@sha256:15ef459bac44b5fedadb4bef987b5236a23bfbc3066156e87e5d13b0d7d60063
   debug: false
   disableTelemetry: false
-  cozystackVersion: "v0.24.1"
+  cozystackVersion: "v0.25.3"

packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml

@@ -76,7 +76,7 @@ data:
       "kubeappsNamespace": {{ .Release.Namespace | quote }},
       "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
       "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.24.1",
+      "appVersion": "v0.25.3",
       "authProxyEnabled": {{ .Values.authProxy.enabled }},
       "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
       "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},

packages/system/dashboard/images/dashboard/Dockerfile

@@ -1,7 +1,7 @@
 FROM bitnami/node:20.15.1 AS build
 WORKDIR /app
 
-ARG COMMIT_REF=dd02680d796c962b8dcc4e5ea70960a846c1acdc
+ARG COMMIT_REF=190ea544aeb0be74bb6d1aa4bb474910559e7ecd
 RUN wget -O- https://github.com/aenix-io/kubeapps/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=2 kubeapps-${COMMIT_REF}/dashboard
 
 RUN yarn install --frozen-lockfile

packages/system/dashboard/values.yaml

@@ -40,14 +40,14 @@ kubeapps:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.24.1
-      digest: "sha256:81e7b625c667bce5fc339eb97c8e115eafb82f66df4501550b3677ac53f6e234"
+      tag: v0.25.3
+      digest: "sha256:4a5dab471c358f826920693591d153dacb81ff7d499daa19edd1f74109f12224"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.24.1
-      digest: "sha256:72308ae00344d48e7ed58c5b1383874e84bcd82ac53b76857172b9ef510d53a6"
+      tag: v0.25.3
+      digest: "sha256:69e16490aff84e9084748011b7ae212679b8916cb882032436df450202aea37b"
     pluginConfig:
       flux:
         packages:
@@ -361,3 +361,17 @@ kubeapps:
                       kind: HelmRepository
                       name: cozystack-extra
                       namespace: cozy-public
+              - application:
+                  kind: Info
+                  plural: infos
+                  singular: info
+                release:
+                  prefix: ""
+                  labels:
+                    cozystack.io/ui: "true"
+                  chart:
+                    name: info
+                    sourceRef:
+                      kind: HelmRepository
+                      name: cozystack-extra
+                      namespace: cozy-public

packages/system/kafka-operator/charts/strimzi-kafka-operator/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.43.0
+appVersion: 0.45.0
 description: 'Strimzi: Apache Kafka running on Kubernetes'
 home: https://strimzi.io/
 icon: https://raw.githubusercontent.com/strimzi/strimzi-kafka-operator/main/documentation/logo/strimzi_logo.png
@@ -24,4 +24,4 @@ maintainers:
 name: strimzi-kafka-operator
 sources:
 - https://github.com/strimzi/strimzi-kafka-operator
-version: 0.43.0
+version: 0.45.0

packages/system/kafka-operator/charts/strimzi-kafka-operator/README.md

@@ -5,12 +5,15 @@ Strimzi provides a way to run an [Apache Kafka®](https://kafka.apache.org) clus
 See our [website](https://strimzi.io) for more details about the project.
 
 **!!! IMPORTANT !!!**
-Upgrading to Strimzi 0.32 and newer directly from Strimzi 0.22 and earlier is no longer possible.
-Please follow the [documentation](https://strimzi.io/docs/operators/latest/full/deploying.html#assembly-upgrade-str) for more details.
 
-**!!! IMPORTANT !!!**
-Strimzi 0.43.0 (and any of its patch releases) is the last Strimzi version with support for Kubernetes 1.23 and 1.24.
-From Strimzi 0.44.0 on, Strimzi will support only Kubernetes 1.25 and newer.
+* **Strimzi 0.45 is the last Strimzi version with support for ZooKeeper-based Apache Kafka clusters and MirrorMaker 1 deployments.**
+  **Please make sure to [migrate to KRaft](https://strimzi.io/docs/operators/latest/full/deploying.html#assembly-kraft-mode-str) and MirrorMaker 2 before upgrading to Strimzi 0.46 or newer.**
+* Strimzi 0.45 is the last Strimzi version to include the [Strimzi EnvVar Configuration Provider](https://github.com/strimzi/kafka-env-var-config-provider) (deprecated in Strimzi 0.38.0) and [Strimzi MirrorMaker 2 Extensions](https://github.com/strimzi/mirror-maker-2-extensions) (deprecated in Strimzi 0.28.0).
+  Please use the Apache Kafka [EnvVarConfigProvider](https://github.com/strimzi/kafka-env-var-config-provider?tab=readme-ov-file#deprecation-notice) and [Identity Replication Policy](https://github.com/strimzi/mirror-maker-2-extensions?tab=readme-ov-file#identity-replication-policy) instead.
+* From Strimzi 0.44.0 on, we support only Kubernetes 1.25 and newer.
+  Kubernetes 1.23 and 1.24 are not supported anymore.
+* Upgrading to Strimzi 0.32 and newer directly from Strimzi 0.22 and earlier is no longer possible.
+  Please follow the [documentation](https://strimzi.io/docs/operators/latest/full/deploying.html#assembly-upgrade-str) for more details.
 
 ## Introduction
 
@@ -21,14 +24,16 @@ cluster using the [Helm](https://helm.sh) package manager.
 ### Supported Features
 
 * **Manages the Kafka Cluster** - Deploys and manages all of the components of this complex application, including dependencies like Apache ZooKeeper® that are traditionally hard to administer.
-* **KRaft support** - Allows running Apache Kafka clusters in the KRaft mode (without ZooKeeper). 
+* **KRaft support** - Allows running Apache Kafka clusters in the KRaft mode (without ZooKeeper).
 * **Includes Kafka Connect** - Allows for configuration of common data sources and sinks to move data into and out of the Kafka cluster.
 * **Topic Management** - Creates and manages Kafka Topics within the cluster.
 * **User Management** - Creates and manages Kafka Users within the cluster.
 * **Connector Management** - Creates and manages Kafka Connect connectors.
-* **Includes Kafka Mirror Maker 1 and 2** - Allows for mirroring data between different Apache Kafka® clusters.
+* **Includes Kafka MirrorMaker** - Allows for mirroring data between different Apache Kafka® clusters.
 * **Includes HTTP Kafka Bridge** - Allows clients to send and receive messages through an Apache Kafka® cluster via the HTTP protocol.
 * **Includes Cruise Control** - Automates the process of balancing partitions across an Apache Kafka® cluster.
+* **Auto-rebalancing when scaling** - Automatically rebalance the Kafka cluster after a scale-up or before a scale-down.
+* **Tiered storage** - Offloads older, less critical data to a lower-cost, lower-performance storage tier, such as object storage.
 * **Prometheus monitoring** - Built-in support for monitoring using Prometheus.
 * **Grafana Dashboards** - Built-in support for loading Grafana® dashboards via the grafana_sidecar
 
@@ -60,7 +65,7 @@ Strimzi is licensed under the [Apache License, Version 2.0](https://github.com/s
 
 ## Prerequisites
 
-- Kubernetes 1.23+
+- Kubernetes 1.25+
 
 ## Installing the Chart
 
@@ -97,7 +102,7 @@ the documentation for more details.
 | `watchAnyNamespace`                         | Watch the whole Kubernetes cluster (all namespaces)                             | `false`                      |
 | `defaultImageRegistry`                      | Default image registry for all the images                                       | `quay.io`                    |
 | `defaultImageRepository`                    | Default image registry for all the images                                       | `strimzi`                    |
-| `defaultImageTag`                           | Default image tag for all the images except Kafka Bridge                        | `0.43.0`                     |
+| `defaultImageTag`                           | Default image tag for all the images except Kafka Bridge                        | `0.45.0`                     |
 | `image.registry`                            | Override default Cluster Operator image registry                                | `nil`                        |
 | `image.repository`                          | Override default Cluster Operator image repository                              | `nil`                        |
 | `image.name`                                | Cluster Operator image name                                                     | `cluster-operator`           |
@@ -161,7 +166,7 @@ the documentation for more details.
 | `kafkaBridge.image.registry`                | Override default Kafka Bridge image registry                                    | `quay.io`                    |
 | `kafkaBridge.image.repository`              | Override default Kafka Bridge image repository                                  | `strimzi`                    |
 | `kafkaBridge.image.name`                    | Kafka Bridge image name                                                         | `kafka-bridge`               |
-| `kafkaBridge.image.tag`                     | Override default Kafka Bridge image tag                                         | `0.30.0`                     |
+| `kafkaBridge.image.tag`                     | Override default Kafka Bridge image tag                                         | `0.31.1`                     |
 | `kafkaBridge.image.digest`                  | Override Kafka Bridge image tag with digest                                     | `nil`                        |
 | `kafkaExporter.image.registry`              | Override default Kafka Exporter image registry                                  | `nil`                        |
 | `kafkaExporter.image.repository`            | Override default Kafka Exporter image repository                                | `nil`                        |

packages/system/kafka-operator/charts/strimzi-kafka-operator/crds/040-Crd-kafka.yaml

@@ -480,6 +480,18 @@ spec:
                               publishNotReadyAddresses:
                                 type: boolean
                                 description: Configures whether the service endpoints are considered "ready" even if the Pods themselves are not. Defaults to `false`. This field can not be used with `internal` listeners.
+                              hostTemplate:
+                                type: string
+                                description: "Configures the template for generating the hostnames of the individual brokers. Valid placeholders that you can use in the template are `{nodeId}` and `{nodePodName}`."
+                              advertisedHostTemplate:
+                                type: string
+                                description: "Configures the template for generating the advertised hostnames of the individual brokers. Valid placeholders that you can use in the template are `{nodeId}` and `{nodePodName}`."
+                              allocateLoadBalancerNodePorts:
+                                type: boolean
+                                description: |-
+                                  Configures whether to allocate NodePort automatically for the `Service` with type `LoadBalancer`.
+                                  This is a one to one with the `spec.allocateLoadBalancerNodePorts` configuration in the `Service` type
+                                  For `loadbalancer` listeners only.
                             description: Additional listener configuration.
                           networkPolicyPeers:
                             type: array
@@ -1561,13 +1573,32 @@ spec:
                                       readOnly:
                                         type: boolean
                                     description: PersistentVolumeClaim object to use to populate the volume.
+                                  csi:
+                                    type: object
+                                    properties:
+                                      driver:
+                                        type: string
+                                      fsType:
+                                        type: string
+                                      nodePublishSecretRef:
+                                        type: object
+                                        properties:
+                                          name:
+                                            type: string
+                                      readOnly:
+                                        type: boolean
+                                      volumeAttributes:
+                                        additionalProperties:
+                                          type: string
+                                        type: object
+                                    description: CSIVolumeSource object to use to populate the volume.
                                 oneOf:
                                   - properties:
                                       secret: {}
                                       configMap: {}
                                       emptyDir: {}
                                       persistentVolumeClaim: {}
-                                    required: []
+                                      csi: {}
                               description: Additional volumes that can be mounted to the pod.
                           description: Template for Kafka `Pods`.
                         bootstrapService:
@@ -1798,6 +1829,48 @@ spec:
                                   value:
                                     type: string
                                     description: The environment variable value.
+                                  valueFrom:
+                                    type: object
+                                    properties:
+                                      secretKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a secret.
+                                      configMapKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a config map.
+                                    oneOf:
+                                      - properties:
+                                          secretKeyRef: {}
+                                        required:
+                                          - secretKeyRef
+                                      - properties:
+                                          configMapKeyRef: {}
+                                        required:
+                                          - configMapKeyRef
+                                    description: Reference to the secret or config map property to which the environment variable is set.
+                                oneOf:
+                                  - properties:
+                                      value: {}
+                                    required:
+                                      - value
+                                  - properties:
+                                      valueFrom: {}
+                                    required:
+                                      - valueFrom
                               description: Environment variables which should be applied to the container.
                             securityContext:
                               type: object
@@ -1899,6 +1972,48 @@ spec:
                                   value:
                                     type: string
                                     description: The environment variable value.
+                                  valueFrom:
+                                    type: object
+                                    properties:
+                                      secretKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a secret.
+                                      configMapKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a config map.
+                                    oneOf:
+                                      - properties:
+                                          secretKeyRef: {}
+                                        required:
+                                          - secretKeyRef
+                                      - properties:
+                                          configMapKeyRef: {}
+                                        required:
+                                          - configMapKeyRef
+                                    description: Reference to the secret or config map property to which the environment variable is set.
+                                oneOf:
+                                  - properties:
+                                      value: {}
+                                    required:
+                                      - value
+                                  - properties:
+                                      valueFrom: {}
+                                    required:
+                                      - valueFrom
                               description: Environment variables which should be applied to the container.
                             securityContext:
                               type: object
@@ -3012,13 +3127,32 @@ spec:
                                       readOnly:
                                         type: boolean
                                     description: PersistentVolumeClaim object to use to populate the volume.
+                                  csi:
+                                    type: object
+                                    properties:
+                                      driver:
+                                        type: string
+                                      fsType:
+                                        type: string
+                                      nodePublishSecretRef:
+                                        type: object
+                                        properties:
+                                          name:
+                                            type: string
+                                      readOnly:
+                                        type: boolean
+                                      volumeAttributes:
+                                        additionalProperties:
+                                          type: string
+                                        type: object
+                                    description: CSIVolumeSource object to use to populate the volume.
                                 oneOf:
                                   - properties:
                                       secret: {}
                                       configMap: {}
                                       emptyDir: {}
                                       persistentVolumeClaim: {}
-                                    required: []
+                                      csi: {}
                               description: Additional volumes that can be mounted to the pod.
                           description: Template for ZooKeeper `Pods`.
                         clientService:
@@ -3141,6 +3275,48 @@ spec:
                                   value:
                                     type: string
                                     description: The environment variable value.
+                                  valueFrom:
+                                    type: object
+                                    properties:
+                                      secretKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a secret.
+                                      configMapKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a config map.
+                                    oneOf:
+                                      - properties:
+                                          secretKeyRef: {}
+                                        required:
+                                          - secretKeyRef
+                                      - properties:
+                                          configMapKeyRef: {}
+                                        required:
+                                          - configMapKeyRef
+                                    description: Reference to the secret or config map property to which the environment variable is set.
+                                oneOf:
+                                  - properties:
+                                      value: {}
+                                    required:
+                                      - value
+                                  - properties:
+                                      valueFrom: {}
+                                    required:
+                                      - valueFrom
                               description: Environment variables which should be applied to the container.
                             securityContext:
                               type: object
@@ -4319,13 +4495,32 @@ spec:
                                       readOnly:
                                         type: boolean
                                     description: PersistentVolumeClaim object to use to populate the volume.
+                                  csi:
+                                    type: object
+                                    properties:
+                                      driver:
+                                        type: string
+                                      fsType:
+                                        type: string
+                                      nodePublishSecretRef:
+                                        type: object
+                                        properties:
+                                          name:
+                                            type: string
+                                      readOnly:
+                                        type: boolean
+                                      volumeAttributes:
+                                        additionalProperties:
+                                          type: string
+                                        type: object
+                                    description: CSIVolumeSource object to use to populate the volume.
                                 oneOf:
                                   - properties:
                                       secret: {}
                                       configMap: {}
                                       emptyDir: {}
                                       persistentVolumeClaim: {}
-                                    required: []
+                                      csi: {}
                               description: Additional volumes that can be mounted to the pod.
                           description: Template for Entity Operator `Pods`.
                         topicOperatorContainer:
@@ -4342,6 +4537,48 @@ spec:
                                   value:
                                     type: string
                                     description: The environment variable value.
+                                  valueFrom:
+                                    type: object
+                                    properties:
+                                      secretKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a secret.
+                                      configMapKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a config map.
+                                    oneOf:
+                                      - properties:
+                                          secretKeyRef: {}
+                                        required:
+                                          - secretKeyRef
+                                      - properties:
+                                          configMapKeyRef: {}
+                                        required:
+                                          - configMapKeyRef
+                                    description: Reference to the secret or config map property to which the environment variable is set.
+                                oneOf:
+                                  - properties:
+                                      value: {}
+                                    required:
+                                      - value
+                                  - properties:
+                                      valueFrom: {}
+                                    required:
+                                      - valueFrom
                               description: Environment variables which should be applied to the container.
                             securityContext:
                               type: object
@@ -4443,6 +4680,48 @@ spec:
                                   value:
                                     type: string
                                     description: The environment variable value.
+                                  valueFrom:
+                                    type: object
+                                    properties:
+                                      secretKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a secret.
+                                      configMapKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a config map.
+                                    oneOf:
+                                      - properties:
+                                          secretKeyRef: {}
+                                        required:
+                                          - secretKeyRef
+                                      - properties:
+                                          configMapKeyRef: {}
+                                        required:
+                                          - configMapKeyRef
+                                    description: Reference to the secret or config map property to which the environment variable is set.
+                                oneOf:
+                                  - properties:
+                                      value: {}
+                                    required:
+                                      - value
+                                  - properties:
+                                      valueFrom: {}
+                                    required:
+                                      - valueFrom
                               description: Environment variables which should be applied to the container.
                             securityContext:
                               type: object
@@ -4544,6 +4823,48 @@ spec:
                                   value:
                                     type: string
                                     description: The environment variable value.
+                                  valueFrom:
+                                    type: object
+                                    properties:
+                                      secretKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a secret.
+                                      configMapKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a config map.
+                                    oneOf:
+                                      - properties:
+                                          secretKeyRef: {}
+                                        required:
+                                          - secretKeyRef
+                                      - properties:
+                                          configMapKeyRef: {}
+                                        required:
+                                          - configMapKeyRef
+                                    description: Reference to the secret or config map property to which the environment variable is set.
+                                oneOf:
+                                  - properties:
+                                      value: {}
+                                    required:
+                                      - value
+                                  - properties:
+                                      valueFrom: {}
+                                    required:
+                                      - valueFrom
                               description: Environment variables which should be applied to the container.
                             securityContext:
                               type: object
@@ -5593,13 +5914,32 @@ spec:
                                       readOnly:
                                         type: boolean
                                     description: PersistentVolumeClaim object to use to populate the volume.
+                                  csi:
+                                    type: object
+                                    properties:
+                                      driver:
+                                        type: string
+                                      fsType:
+                                        type: string
+                                      nodePublishSecretRef:
+                                        type: object
+                                        properties:
+                                          name:
+                                            type: string
+                                      readOnly:
+                                        type: boolean
+                                      volumeAttributes:
+                                        additionalProperties:
+                                          type: string
+                                        type: object
+                                    description: CSIVolumeSource object to use to populate the volume.
                                 oneOf:
                                   - properties:
                                       secret: {}
                                       configMap: {}
                                       emptyDir: {}
                                       persistentVolumeClaim: {}
-                                    required: []
+                                      csi: {}
                               description: Additional volumes that can be mounted to the pod.
                           description: Template for Cruise Control `Pods`.
                         apiService:
@@ -5671,6 +6011,48 @@ spec:
                                   value:
                                     type: string
                                     description: The environment variable value.
+                                  valueFrom:
+                                    type: object
+                                    properties:
+                                      secretKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a secret.
+                                      configMapKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a config map.
+                                    oneOf:
+                                      - properties:
+                                          secretKeyRef: {}
+                                        required:
+                                          - secretKeyRef
+                                      - properties:
+                                          configMapKeyRef: {}
+                                        required:
+                                          - configMapKeyRef
+                                    description: Reference to the secret or config map property to which the environment variable is set.
+                                oneOf:
+                                  - properties:
+                                      value: {}
+                                    required:
+                                      - value
+                                  - properties:
+                                      valueFrom: {}
+                                    required:
+                                      - valueFrom
                               description: Environment variables which should be applied to the container.
                             securityContext:
                               type: object
@@ -5772,6 +6154,48 @@ spec:
                                   value:
                                     type: string
                                     description: The environment variable value.
+                                  valueFrom:
+                                    type: object
+                                    properties:
+                                      secretKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a secret.
+                                      configMapKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a config map.
+                                    oneOf:
+                                      - properties:
+                                          secretKeyRef: {}
+                                        required:
+                                          - secretKeyRef
+                                      - properties:
+                                          configMapKeyRef: {}
+                                        required:
+                                          - configMapKeyRef
+                                    description: Reference to the secret or config map property to which the environment variable is set.
+                                oneOf:
+                                  - properties:
+                                      value: {}
+                                    required:
+                                      - value
+                                  - properties:
+                                      valueFrom: {}
+                                    required:
+                                      - valueFrom
                               description: Environment variables which should be applied to the container.
                             securityContext:
                               type: object
@@ -5984,6 +6408,27 @@ spec:
                         - type
                         - valueFrom
                       description: Configuration of the Cruise Control REST API users.
+                    autoRebalance:
+                      type: array
+                      minItems: 1
+                      items:
+                        type: object
+                        properties:
+                          mode:
+                            type: string
+                            enum:
+                              - add-brokers
+                              - remove-brokers
+                            description: "Specifies the mode for automatically rebalancing when brokers are added or removed. Supported modes are `add-brokers` and `remove-brokers`. \n"
+                          template:
+                            type: object
+                            properties:
+                              name:
+                                type: string
+                            description: Reference to the KafkaRebalance custom resource to be used as the configuration template for the auto-rebalancing on scaling when running for the corresponding mode.
+                        required:
+                          - mode
+                      description: "Auto-rebalancing on scaling related configuration listing the modes, when brokers are added or removed, with the corresponding rebalance template configurations.If this field is set, at least one mode has to be defined."
                   description: Configuration for Cruise Control deployment. Deploys a Cruise Control instance when specified.
                 jmxTrans:
                   type: object
@@ -6675,13 +7120,32 @@ spec:
                                       readOnly:
                                         type: boolean
                                     description: PersistentVolumeClaim object to use to populate the volume.
+                                  csi:
+                                    type: object
+                                    properties:
+                                      driver:
+                                        type: string
+                                      fsType:
+                                        type: string
+                                      nodePublishSecretRef:
+                                        type: object
+                                        properties:
+                                          name:
+                                            type: string
+                                      readOnly:
+                                        type: boolean
+                                      volumeAttributes:
+                                        additionalProperties:
+                                          type: string
+                                        type: object
+                                    description: CSIVolumeSource object to use to populate the volume.
                                 oneOf:
                                   - properties:
                                       secret: {}
                                       configMap: {}
                                       emptyDir: {}
                                       persistentVolumeClaim: {}
-                                    required: []
+                                      csi: {}
                               description: Additional volumes that can be mounted to the pod.
                           description: Template for JmxTrans `Pods`.
                         container:
@@ -6698,6 +7162,48 @@ spec:
                                   value:
                                     type: string
                                     description: The environment variable value.
+                                  valueFrom:
+                                    type: object
+                                    properties:
+                                      secretKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a secret.
+                                      configMapKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a config map.
+                                    oneOf:
+                                      - properties:
+                                          secretKeyRef: {}
+                                        required:
+                                          - secretKeyRef
+                                      - properties:
+                                          configMapKeyRef: {}
+                                        required:
+                                          - configMapKeyRef
+                                    description: Reference to the secret or config map property to which the environment variable is set.
+                                oneOf:
+                                  - properties:
+                                      value: {}
+                                    required:
+                                      - value
+                                  - properties:
+                                      valueFrom: {}
+                                    required:
+                                      - valueFrom
                               description: Environment variables which should be applied to the container.
                             securityContext:
                               type: object
@@ -7512,13 +8018,32 @@ spec:
                                       readOnly:
                                         type: boolean
                                     description: PersistentVolumeClaim object to use to populate the volume.
+                                  csi:
+                                    type: object
+                                    properties:
+                                      driver:
+                                        type: string
+                                      fsType:
+                                        type: string
+                                      nodePublishSecretRef:
+                                        type: object
+                                        properties:
+                                          name:
+                                            type: string
+                                      readOnly:
+                                        type: boolean
+                                      volumeAttributes:
+                                        additionalProperties:
+                                          type: string
+                                        type: object
+                                    description: CSIVolumeSource object to use to populate the volume.
                                 oneOf:
                                   - properties:
                                       secret: {}
                                       configMap: {}
                                       emptyDir: {}
                                       persistentVolumeClaim: {}
-                                    required: []
+                                      csi: {}
                               description: Additional volumes that can be mounted to the pod.
                           description: Template for Kafka Exporter `Pods`.
                         service:
@@ -7553,6 +8078,48 @@ spec:
                                   value:
                                     type: string
                                     description: The environment variable value.
+                                  valueFrom:
+                                    type: object
+                                    properties:
+                                      secretKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a secret.
+                                      configMapKeyRef:
+                                        type: object
+                                        properties:
+                                          key:
+                                            type: string
+                                          name:
+                                            type: string
+                                          optional:
+                                            type: boolean
+                                        description: Reference to a key in a config map.
+                                    oneOf:
+                                      - properties:
+                                          secretKeyRef: {}
+                                        required:
+                                          - secretKeyRef
+                                      - properties:
+                                          configMapKeyRef: {}
+                                        required:
+                                          - configMapKeyRef
+                                    description: Reference to the secret or config map property to which the environment variable is set.
+                                oneOf:
+                                  - properties:
+                                      value: {}
+                                    required:
+                                      - value
+                                  - properties:
+                                      valueFrom: {}
+                                    required:
+                                      - valueFrom
                               description: Environment variables which should be applied to the container.
                             securityContext:
                               type: object
@@ -7763,4 +8330,35 @@ spec:
                     - PreKRaft
                     - KRaft
                   description: "Defines where cluster metadata are stored. Possible values are: ZooKeeper if the metadata are stored in ZooKeeper; KRaftMigration if the controllers are connected to ZooKeeper, brokers are being rolled with Zookeeper migration enabled and connection information to controllers, and the metadata migration process is running; KRaftDualWriting if the metadata migration process finished and the cluster is in dual-write mode; KRaftPostMigration if the brokers are fully KRaft-based but controllers being rolled to disconnect from ZooKeeper; PreKRaft if brokers and controller are fully KRaft-based, metadata are stored in KRaft, but ZooKeeper must be deleted; KRaft if the metadata are stored in KRaft."
+                autoRebalance:
+                  type: object
+                  properties:
+                    state:
+                      type: string
+                      enum:
+                        - Idle
+                        - RebalanceOnScaleDown
+                        - RebalanceOnScaleUp
+                      description: "The current state of an auto-rebalancing operation. Possible values are: \n\n* `Idle` as the initial state when an auto-rebalancing is requested or as final state when it completes or fails.\n* `RebalanceOnScaleDown` if an auto-rebalance related to a scale-down operation is running.\n* `RebalanceOnScaleUp` if an auto-rebalance related to a scale-up operation is running."
+                    lastTransitionTime:
+                      type: string
+                      description: The timestamp of the latest auto-rebalancing state update.
+                    modes:
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          mode:
+                            type: string
+                            enum:
+                              - add-brokers
+                              - remove-brokers
+                            description: "Mode for which there is an auto-rebalancing operation in progress or queued, when brokers are added or removed. The possible modes are `add-brokers` and `remove-brokers`."
+                          brokers:
+                            type: array
+                            items:
+                              type: integer
+                            description: "List of broker IDs involved in an auto-rebalancing operation related to the current mode. \nThe list contains one of the following: \n\n* Broker IDs for a current auto-rebalance. \n* Broker IDs for a queued auto-rebalance (if a previous auto-rebalance is still in progress). \n"
+                      description: "List of modes where an auto-rebalancing operation is either running or queued. \nEach mode entry (`add-brokers` or `remove-brokers`) includes one of the following: \n\n* Broker IDs for a current auto-rebalance. \n* Broker IDs for a queued auto-rebalance (if a previous rebalance is still in progress)."
+                  description: The status of an auto-rebalancing triggered by a cluster scaling request.
               description: "The status of the Kafka and ZooKeeper clusters, and Topic Operator."