cilium: disable antispoofing

Update etcd-operator v0.4.1

.github/CODEOWNERS

@@ -1 +1 @@
-* @kvaps
+* @kvaps @lllamnyp

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.26.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.26.1"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: assets
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.26.0"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.26.1"
         command:
         - /usr/bin/cozystack-assets-server
         - "-dir=/cozystack/assets"

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.1
+version: 0.6.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/templates/dashboard-resourcemap.yaml

@@ -17,3 +17,10 @@ rules:
   resourceNames:
   - {{ .Release.Name }}-credentials
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/clickhouse/templates/workloadmonitor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: clickhouse
+  type: clickhouse
+  selector:
+    clickhouse.altinity.com/chi: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/ferretdb/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.1
+version: 0.4.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:0167887b7e32ea6d4771346c8dc68ab6fa04ff9c1c03e446d0efd3c7473f4cfb
+ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:d1f7692b6761f46f24687d885ec335330280346ae4a9ff28b3179681b36106b7

packages/apps/ferretdb/templates/dashboard-resourcemap.yaml

@@ -17,3 +17,10 @@ rules:
   resourceNames:
   - {{ .Release.Name }}-credentials
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/ferretdb/templates/postgres.yaml

@@ -6,7 +6,13 @@ metadata:
 spec:
   instances: {{ .Values.replicas }}
   enableSuperuserAccess: true
-
+  {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
+  {{- if $configMap }}
+  {{- $rawConstraints := get $configMap.data "globalAppTopologySpreadConstraints" }}
+  {{- if $rawConstraints }}
+  {{- $rawConstraints | fromYaml | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
   minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
   maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}
 

packages/apps/ferretdb/templates/workloadmonitor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: ferretdb
+  type: ferretdb
+  selector:
+    app: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:4625589c24dc350ea3d3cd52b3daf6ad3c5b4608cc2c7cba7f2c92bd8311148c
+ghcr.io/aenix-io/cozystack/nginx-cache:0.3.1@sha256:854b3908114de1876038eb9902577595cce93553ce89bf75ac956d22f1e8b8cc

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.2
+version: 0.3.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/templates/dashboard-resourcemap.yaml

@@ -17,3 +17,11 @@ rules:
   resourceNames:
   - {{ .Release.Name }}-clients-ca
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  - {{ $.Release.Name }}-zookeeper
+  verbs: ["get", "list", "watch"]

packages/apps/kafka/templates/workloadmonitor.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: kafka
+  type: kafka
+  selector:
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+    app.kubernetes.io/name: kafka
+  version: {{ $.Chart.Version }}
+
+---
+
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-zookeeper
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: kafka
+  type: zookeeper
+  selector:
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+    app.kubernetes.io/name: zookeeper
+  version: {{ $.Chart.Version }}

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.1@sha256:077023fc24d466ac18f8d43fec41b9a14c0b3d32c0013e836e7448e7a1e7d661
+ghcr.io/aenix-io/cozystack/cluster-autoscaler:0.15.1@sha256:73701e37727eedaafdf9efe4baefcf0835f064ee8731219f0c0186c0d0781a5c

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.1@sha256:6f1822c583a7d21fd111838515b8d8aaad8ff02c68b0adccba86ce2127a5f6b7
+ghcr.io/aenix-io/cozystack/kubevirt-cloud-provider:0.15.1@sha256:02037bb7a75b35ca1e34924f13e7fa7b25bac2017ddbd7e9ed004c0ff368cce3

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.1@sha256:48e16401c374ab96c17e8ce3c21400f513a20b5f9b202393ac33a89bba930a04
+ghcr.io/aenix-io/cozystack/kubevirt-csi-driver:0.15.1@sha256:a86d8a4722b81e89820ead959874524c4cc86654c22ad73c421bbf717d62c3f3

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:1618317b09b071dfc9a80ff9d34d591f4f0f9ccf8d1ebe5b87b4c9e2c7388683
+ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1@sha256:6f19f3f8a68372c5b212e98a79ff132cc20641bc46fc4b8d359158945dc04043

packages/apps/mysql/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.2
+version: 0.5.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:f685d252761adf67140e1497b91b769523c85e91f47e71f5b50636a8a086289d
+ghcr.io/aenix-io/cozystack/mariadb-backup:0.5.2@sha256:9f0b2bc5135e10b29edb2824309059f5b4c4e8b744804b2cf55381171f335675

packages/apps/mysql/templates/dashboard-resourcemap.yaml

@@ -18,3 +18,10 @@ rules:
   resourceNames:
   - {{ .Release.Name }}-credentials
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/mysql/templates/workloadmonitor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: mysql
+  type: mysql
+  selector:
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/nats/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.4.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/nats/templates/resourcemap.yaml

@@ -17,3 +17,10 @@ rules:
   resourceNames:
   - {{ .Release.Name }}-credentials
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/nats/templates/workloadmonitor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: nats
+  type: nats
+  selector:
+    app.kubernetes.io/instance: {{ $.Release.Name }}-system
+  version: {{ $.Chart.Version }}

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.9.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:0167887b7e32ea6d4771346c8dc68ab6fa04ff9c1c03e446d0efd3c7473f4cfb
+ghcr.io/aenix-io/cozystack/postgres-backup:0.8.0@sha256:d1f7692b6761f46f24687d885ec335330280346ae4a9ff28b3179681b36106b7

packages/apps/postgres/templates/db.yaml

@@ -6,7 +6,13 @@ metadata:
 spec:
   instances: {{ .Values.replicas }}
   enableSuperuserAccess: true
-
+  {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
+  {{- if $configMap }}
+  {{- $rawConstraints := get $configMap.data "globalAppTopologySpreadConstraints" }}
+  {{- if $rawConstraints }}
+  {{- $rawConstraints | fromYaml | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
   postgresql:
     parameters:
       max_wal_senders: "30"

packages/apps/rabbitmq/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.3
+version: 0.4.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml

@@ -20,3 +20,10 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - cozystack.io
+  resources:
+  - workloadmonitors
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/rabbitmq/templates/workloadmonitor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: rabbitmq
+  type: rabbitmq
+  selector:
+    app.kubernetes.io/name: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/versions_map

@@ -6,13 +6,15 @@ clickhouse 0.3.0 b00621e
 clickhouse 0.4.0 320fc32
 clickhouse 0.5.0 2a4768a5
 clickhouse 0.6.0 18bbdb67
-clickhouse 0.6.1 HEAD
+clickhouse 0.6.1 b7375f73
+clickhouse 0.6.2 HEAD
 ferretdb 0.1.0 4ffa8615
 ferretdb 0.1.1 5ca8823
 ferretdb 0.2.0 adaf603
 ferretdb 0.3.0 aa2f553
 ferretdb 0.4.0 def2eb0f
-ferretdb 0.4.1 HEAD
+ferretdb 0.4.1 a9555210
+ferretdb 0.4.2 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 5ca8823
 http-cache 0.3.0 fab5940
@@ -24,7 +26,8 @@ kafka 0.2.2 d0758692
 kafka 0.2.3 5ca8823
 kafka 0.3.0 c07c4bbd
 kafka 0.3.1 b7375f73
-kafka 0.3.2 HEAD
+kafka 0.3.2 b75aaf17
+kafka 0.3.3 HEAD
 kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
@@ -52,12 +55,14 @@ mysql 0.3.0 5ca8823
 mysql 0.4.0 93018c4
 mysql 0.5.0 4b84798
 mysql 0.5.1 fab5940b
-mysql 0.5.2 HEAD
+mysql 0.5.2 d8a92aa3
+mysql 0.5.3 HEAD
 nats 0.1.0 5ca8823
 nats 0.2.0 c07c4bbd
 nats 0.3.0 78366f19
 nats 0.3.1 b7375f73
-nats 0.4.0 HEAD
+nats 0.4.0 da1e705a
+nats 0.4.1 HEAD
 postgres 0.1.0 f642698
 postgres 0.2.0 7cd7de73
 postgres 0.2.1 4a97e297
@@ -69,14 +74,16 @@ postgres 0.6.0 2a4768a
 postgres 0.6.2 54fd61c
 postgres 0.7.0 dc9d8bb
 postgres 0.7.1 175a65f
-postgres 0.8.0 HEAD
+postgres 0.8.0 cb7b8158
+postgres 0.9.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 5ca8823
 rabbitmq 0.3.0 9e33dc0
 rabbitmq 0.4.0 36d8855
 rabbitmq 0.4.1 35536bb
 rabbitmq 0.4.2 00b2834e
-rabbitmq 0.4.3 HEAD
+rabbitmq 0.4.3 d8a92aa3
+rabbitmq 0.4.4 HEAD
 redis 0.1.1 f642698
 redis 0.2.0 5ca8823
 redis 0.3.0 c07c4bbd
@@ -116,7 +123,8 @@ virtual-machine 0.6.0 0e728870
 virtual-machine 0.7.0 af58018a
 virtual-machine 0.7.1 05857b95
 virtual-machine 0.8.0 3fa4dd3
-virtual-machine 0.8.1 HEAD
+virtual-machine 0.8.1 3fa4dd3a
+virtual-machine 0.8.2 HEAD
 vm-disk 0.1.0 HEAD
 vm-instance 0.1.0 ced8e5b9
 vm-instance 0.2.0 4f767ee3

packages/apps/virtual-machine/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.1
+version: 0.8.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.8.1"
+appVersion: "0.8.2"

packages/apps/virtual-machine/Makefile

@@ -8,4 +8,4 @@ generate:
 	  && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
 	yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json
 	yq -i -o json '.properties.systemDisk.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' values.schema.json
-	yq -i -o json '.properties.externalMethod.enum = ["wholeIP", "PortList"]' values.schema.json
+	yq -i -o json '.properties.externalMethod.enum = ["WholeIP", "PortList"]' values.schema.json

packages/apps/virtual-machine/values.schema.json

@@ -12,7 +12,7 @@
       "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`",
       "default": "WholeIP",
       "enum": [
-        "wholeIP",
+        "WholeIP",
         "PortList"
       ]
     },

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/aenix-io/cozystack/cozystack:v0.26.0@sha256:8d35e540079f8f3b20a6ef69c600a082bc73c2e0d333f3c57aa593086880ef43
+  image: ghcr.io/aenix-io/cozystack/cozystack:v0.26.1@sha256:67c6eb4da3baf2208df9b2ed24cbf758a2180bb3a071ce53141c21b8d17263cf

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.26.0@sha256:8de1b87f442d4142dea6130540c6e34b1f8515cf6443a438a65a4145662648f7
+  image: ghcr.io/aenix-io/cozystack/e2e-sandbox:v0.26.1@sha256:e034c6d4232ffe6f87c24ae44100a63b1869210e484c929efac33ffcf60b18b1

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/matchbox:v0.26.0@sha256:5373d9c66361a7319314ed0553d402a99c8afea115e1dfee31034c3b9e3f3517
+ghcr.io/aenix-io/cozystack/matchbox:v0.26.1@sha256:f5d1e0f439f49e980888ed53a4bcc65fa97b1c4bc0df86abaa17de1a5a1f71a3

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.8.0
+version: 1.8.1

packages/extra/monitoring/dashboards.list

@@ -36,3 +36,5 @@ flux/flux-control-plane
 flux/flux-stats
 kafka/strimzi-kafka
 goldpinger/goldpinger
+clickhouse/altinity-clickhouse-operator-dashboard
+storage/linstor

packages/extra/monitoring/templates/alerta/alerta-db.yaml

@@ -5,6 +5,13 @@ metadata:
   name: alerta-db
 spec:
   instances: 2
+  {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
+  {{- if $configMap }}
+  {{- $rawConstraints := get $configMap.data "globalAppTopologySpreadConstraints" }}
+  {{- if $rawConstraints }}
+  {{- $rawConstraints | fromYaml | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
   storage:
     size: {{ required ".Values.alerta.storage is required" .Values.alerta.storage }}
     {{- with .Values.alerta.storageClassName }}

packages/extra/monitoring/templates/grafana/db.yaml

@@ -6,7 +6,13 @@ spec:
   instances: 2
   storage:
     size: {{ .Values.grafana.db.size }}
-
+  {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
+  {{- if $configMap }}
+  {{- $rawConstraints := get $configMap.data "globalAppTopologySpreadConstraints" }}
+  {{- if $rawConstraints }}
+  {{- $rawConstraints | fromYaml | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
   monitoring:
     enablePodMonitor: true
 

packages/extra/monitoring/templates/vm/vmcluster.yaml

@@ -10,27 +10,26 @@ spec:
   vminsert:
     replicaCount: 2
     resources:
-      {{- if and (hasKey . "vminsert") (hasKey .vminsert "resources") }}
-      {{- toYaml .vminsert.resources | nindent 6 }}
-      {{- else }}
       limits:
-        memory: 1000Mi
+        {{- with . | dig "vminsert" "resources" "limits" "cpu" nil }}
+        cpu: {{ . | quote }}
+        {{- end }}
+        memory: {{ . | dig "vminsert" "resources" "limits" "memory" "1000Mi" }}
       requests:
-        cpu: 100m
-        memory: 500Mi
-      {{- end }}
+        cpu: {{ . | dig "vminsert" "resources" "requests" "cpu" "500m" }}
+        memory: {{ . | dig "vminsert" "resources" "requests" "memory" "500Mi" }}
   vmselect:
     replicaCount: 2
     resources:
-      {{- if and (hasKey . "vmselect") (hasKey .vmselect "resources") }}
-      {{- toYaml .vmselect.resources | nindent 6 }}
-      {{- else }}
       limits:
-        memory: 1000Mi
+        # if we don't set the cpu limit, victoriametrics-operator will set 500m here, which is ridiculous small
+        # see internal/config/config.go in victoriametrics-operator
+        # 2 vcpu is the bare minimum for **single** Grafana user
+        cpu: {{ . | dig "vmselect" "resources" "limits" "cpu" "2000m" }}
+        memory: {{ . | dig "vmselect" "resources" "limits" "memory" "1000Mi" }}
       requests:
-        cpu: 100m
-        memory: 500Mi
-      {{- end }}
+        cpu: {{ . | dig "vmselect" "resources" "requests" "cpu" "500m" }}
+        memory: {{ . | dig "vmselect" "resources" "requests" "memory" "500Mi" }}
     extraArgs:
       search.maxUniqueTimeseries: "600000"
       vmalert.proxyURL: http://vmalert-{{ .name }}.{{ $.Release.Namespace }}.svc:8080
@@ -48,15 +47,14 @@ spec:
   vmstorage:
     replicaCount: 2
     resources:
-      {{- if and (hasKey . "vmstorage") (hasKey .vmstorage "resources") }}
-      {{- toYaml .vmstorage.resources | nindent 6 }}
-      {{- else }}
       limits:
-        memory: 2048Mi
+        {{- with . | dig "vmstorage" "resources" "limits" "cpu" nil }}
+        cpu: {{ . | quote }}
+        {{- end }}
+        memory: {{ . | dig "vmstorage" "resources" "limits" "memory" "2048Mi" }}
       requests:
-        cpu: 100m
-        memory: 500Mi
-      {{- end }}
+        cpu: {{ . | dig "vmstorage" "resources" "requests" "cpu" "100m" }}
+        memory: {{ . | dig "vmstorage" "resources" "requests" "memory" "500Mi" }}
     storage:
       volumeClaimTemplate:
         spec:

packages/extra/versions_map

@@ -28,7 +28,8 @@ monitoring 1.5.4 d4634797
 monitoring 1.6.0 cb7b8158
 monitoring 1.6.1 3bb97596
 monitoring 1.7.0 749110aa
-monitoring 1.8.0 HEAD
+monitoring 1.8.0 80b4c151
+monitoring 1.8.1 HEAD
 seaweedfs 0.1.0 5ca8823
 seaweedfs 0.2.0 9e33dc0
 seaweedfs 0.2.1 249bf35

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:90489380ee0108188801978afc4d2a4fd837e0e46efef6b45e6640d1dfea6a63
+ghcr.io/aenix-io/cozystack/s3manager:v0.5.0@sha256:efd4a57f1b4b74871181d676dddfcac95c3a3a1e7cc244e21647c6114a0e6438

packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 0.11.0
+appVersion: 0.17.0
 description: Cluster API Operator
 name: cluster-api-operator
 type: application
-version: 0.11.0
+version: 0.17.0

packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml

@@ -26,7 +26,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
     "argocd.argoproj.io/sync-wave": "1"
   name: {{ $addonNamespace }}
@@ -37,7 +37,7 @@ metadata:
   name: {{ $addonName }}
   namespace: {{ $addonNamespace }}
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
     "argocd.argoproj.io/sync-wave": "2"
 {{- if or $addonVersion $.Values.secretName }}

packages/system/capi-operator/charts/cluster-api-operator/templates/bootstrap.yaml

@@ -26,7 +26,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
   name: {{ $bootstrapNamespace }}
 ---
@@ -36,7 +36,7 @@ metadata:
   name: {{ $bootstrapName }}
   namespace: {{ $bootstrapNamespace }}
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
 {{- if or $bootstrapVersion $.Values.configSecret.name }}
 spec:

packages/system/capi-operator/charts/cluster-api-operator/templates/control-plane.yaml

@@ -26,7 +26,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
   name: {{ $controlPlaneNamespace }}
 ---
@@ -36,14 +36,27 @@ metadata:
   name: {{ $controlPlaneName }}
   namespace: {{ $controlPlaneNamespace }}
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
-{{- if or $controlPlaneVersion $.Values.configSecret.name }}
+{{- if or $controlPlaneVersion $.Values.configSecret.name $.Values.manager }}
 spec:
 {{- end}}
 {{- if $controlPlaneVersion }}
   version: {{ $controlPlaneVersion }}
 {{- end }}
+{{- if $.Values.manager }}
+{{- if hasKey $.Values.manager.featureGates $controlPlaneName }}
+  manager:
+{{- range $key, $value := $.Values.manager.featureGates }}
+  {{- if eq $key $controlPlaneName }}
+    featureGates:
+    {{- range $k, $v := $value }}
+      {{ $k }}: {{ $v }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
 {{- if $.Values.configSecret.name }}
   configSecret:
     name: {{ $.Values.configSecret.name }}

packages/system/capi-operator/charts/cluster-api-operator/templates/core-conditions.yaml

@@ -6,7 +6,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
   name: capi-system
 ---
@@ -16,7 +16,7 @@ metadata:
   name: cluster-api
   namespace: capi-system
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
 {{- with .Values.configSecret }}
 spec:

packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml

@@ -25,7 +25,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
   name: {{ $coreNamespace }}
 ---
@@ -35,10 +35,10 @@ metadata:
   name: {{ $coreName }}
   namespace: {{ $coreNamespace }}
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
     "argocd.argoproj.io/sync-wave": "2"
-{{- if or $coreVersion $.Values.configSecret.name }}
+{{- if or $coreVersion $.Values.configSecret.name $.Values.manager }}
 spec:
 {{- end}}
 {{- if $coreVersion }}

packages/system/capi-operator/charts/cluster-api-operator/templates/deployment.yaml

@@ -47,6 +47,8 @@ spec:
       {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      serviceAccountName: capi-operator-manager
+      automountServiceAccountToken: true
       {{- with .Values.securityContext }}
       securityContext:
       {{- toYaml . | nindent 8 }}
@@ -63,15 +65,15 @@ spec:
         {{- if .Values.healthAddr }}
         - --health-addr={{ .Values.healthAddr }}
         {{- end }}
-        {{- if .Values.metricsBindAddr }}
-        - --metrics-bind-addr={{ .Values.metricsBindAddr }}
-        {{- end }}
         {{- if .Values.diagnosticsAddress }}
         - --diagnostics-address={{ .Values.diagnosticsAddress }}
         {{- end }}
         {{- if .Values.insecureDiagnostics }}
         - --insecure-diagnostics={{ .Values.insecureDiagnostics }}
         {{- end }}
+        {{- if .Values.watchConfigSecret }}
+        - --watch-configsecret
+        {{- end }}
         {{- with .Values.leaderElection }}
         - --leader-elect={{ .enabled }}
         {{- if .leaseDuration }}
@@ -95,9 +97,15 @@ spec:
         - containerPort: 9443
           name: webhook-server
           protocol: TCP
-        - containerPort: {{ ( split ":" $.Values.metricsBindAddr)._1 | int }}
+          {{- if $.Values.diagnosticsAddress }}
+          {{- $diagnosticsPort := $.Values.diagnosticsAddress }}
+          {{- if contains ":" $diagnosticsPort -}}
+          {{ $diagnosticsPort = ( split ":" $.Values.diagnosticsAddress)._1 | int }}
+          {{- end }}
+        - containerPort: {{ $diagnosticsPort | int }}
           name: metrics
           protocol: TCP
+          {{- end }}
         {{- with .Values.resources.manager }}
         resources:
         {{- toYaml . | nindent 12 }}
@@ -114,6 +122,31 @@ spec:
         volumeMounts:
         {{- toYaml . | nindent 12 }}
         {{- end }}
+        terminationMessagePolicy: FallbackToLogsOnError
+        {{- $healthAddr := $.Values.healthAddr }}
+        {{- if contains ":" $healthAddr -}}
+        {{ $healthAddr = ( split ":" $.Values.healthAddr)._1 | int }}
+        {{- end }}
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: {{ $healthAddr | default 9440 }}
+            scheme: HTTP
+          initialDelaySeconds: 15
+          periodSeconds: 20
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /readyz
+            port: {{ $healthAddr | default 9440 }}
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
       terminationGracePeriodSeconds: 10
       {{- with .Values.volumes }}
       volumes:

packages/system/capi-operator/charts/cluster-api-operator/templates/infra-conditions.yaml

@@ -7,7 +7,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
     "argocd.argoproj.io/sync-wave": "1"
   name: capi-kubeadm-bootstrap-system
@@ -18,7 +18,7 @@ metadata:
   name: kubeadm
   namespace: capi-kubeadm-bootstrap-system
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
     "argocd.argoproj.io/sync-wave": "2"
 {{- with .Values.configSecret }}
@@ -37,7 +37,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
     "argocd.argoproj.io/sync-wave": "1"
   name: capi-kubeadm-control-plane-system
@@ -48,11 +48,20 @@ metadata:
   name: kubeadm
   namespace: capi-kubeadm-control-plane-system
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
     "argocd.argoproj.io/sync-wave": "2"
 {{- with .Values.configSecret }}
 spec:
+{{- if $.Values.manager }}
+  manager:
+{{- if and $.Values.manager.featureGates $.Values.manager.featureGates.kubeadm }}
+    featureGates:
+    {{- range $key, $value := $.Values.manager.featureGates.kubeadm }}
+      {{ $key }}: {{ $value }}
+    {{- end }}
+{{- end }}
+{{- end }}
   configSecret:
     name: {{ .name }}
     {{- if .namespace }}

packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml

@@ -26,7 +26,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
     "argocd.argoproj.io/sync-wave": "1"
   name: {{ $infrastructureNamespace }}
@@ -37,10 +37,10 @@ metadata:
   name: {{ $infrastructureName }}
   namespace: {{ $infrastructureNamespace }}
   annotations:
-    "helm.sh/hook": "post-install"
+    "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
     "argocd.argoproj.io/sync-wave": "2"
-{{- if or $infrastructureVersion $.Values.configSecret.name $.Values.manager }}
+{{- if or $infrastructureVersion $.Values.configSecret.name $.Values.manager $.Values.additionalDeployments }}
 spec:
 {{- end }}
 {{- if $infrastructureVersion }}
@@ -59,6 +59,16 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- if and (kindIs "map" $.Values.fetchConfig) (hasKey $.Values.fetchConfig $infrastructureName) }}
+{{- range $key, $value := $.Values.fetchConfig }}
+  {{- if eq $key $infrastructureName }}
+  fetchConfig:
+    {{- range $k, $v := $value }}
+      {{ $k }}: {{ $v }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
 {{- if $.Values.configSecret.name }}
   configSecret:
     name: {{ $.Values.configSecret.name }}
@@ -66,5 +76,8 @@ spec:
     namespace: {{ $.Values.configSecret.namespace }}
     {{- end }}
 {{- end }}
+{{- if $.Values.additionalDeployments }}
+  additionalDeployments: {{ toYaml $.Values.additionalDeployments | nindent 4 }}
+{{- end }}
 {{- end }}
 {{- end }}

packages/system/capi-operator/charts/cluster-api-operator/templates/ipam.yaml

@@ -0,0 +1,73 @@
+# IPAM providers
+{{- if .Values.ipam }}
+{{- $ipams := split ";" .Values.ipam }}
+{{- $ipamNamespace := "" }}
+{{- $ipamName := "" }}
+{{- $ipamVersion := "" }}
+{{- range $ipam := $ipams }}
+{{- $ipamArgs := split ":" $ipam }}
+{{- $ipamArgsLen := len $ipamArgs }}
+{{-  if eq $ipamArgsLen 3 }}
+  {{- $ipamNamespace = $ipamArgs._0 }}
+  {{- $ipamName = $ipamArgs._1 }}
+  {{- $ipamVersion = $ipamArgs._2 }}
+{{-  else if eq $ipamArgsLen 2 }}
+  {{- $ipamNamespace = print $ipamArgs._0 "-ipam-system" }}
+  {{- $ipamName = $ipamArgs._0 }}
+  {{- $ipamVersion = $ipamArgs._1 }}
+{{-  else if eq $ipamArgsLen 1 }}
+  {{- $ipamNamespace = print $ipamArgs._0 "-ipam-system" }}
+  {{- $ipamName = $ipamArgs._0 }}
+{{- else }}
+  {{- fail "ipam provider argument should have the following format in-cluster:v1.0.0 or mynamespace:in-cluster:v1.0.0" }}
+{{- end }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    "helm.sh/hook": "post-install,post-upgrade"
+    "helm.sh/hook-weight": "1"
+    "argocd.argoproj.io/sync-wave": "1"
+  name: {{ $ipamNamespace }}
+---
+apiVersion: operator.cluster.x-k8s.io/v1alpha2
+kind: IPAMProvider
+metadata:
+  name: {{ $ipamName }}
+  namespace: {{ $ipamNamespace }}
+  annotations:
+    "helm.sh/hook": "post-install,post-upgrade"
+    "helm.sh/hook-weight": "2"
+    "argocd.argoproj.io/sync-wave": "2"
+{{- if or $ipamVersion $.Values.configSecret.name $.Values.manager $.Values.additionalDeployments }}
+spec:
+{{- end }}
+{{- if $ipamVersion }}
+  version: {{ $ipamVersion }}
+{{- end }}
+{{- if $.Values.manager }}
+  manager:
+{{- if and (kindIs "map" $.Values.manager.featureGates) (hasKey $.Values.manager.featureGates $ipamName) }}
+{{- range $key, $value := $.Values.manager.featureGates }}
+  {{- if eq $key $ipamName }}
+    featureGates:
+    {{- range $k, $v := $value }}
+      {{ $k }}: {{ $v }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $.Values.configSecret.name }}
+  configSecret:
+    name: {{ $.Values.configSecret.name }}
+    {{- if $.Values.configSecret.namespace }}
+    namespace: {{ $.Values.configSecret.namespace }}
+    {{- end }}
+{{- end }}
+{{- if $.Values.additionalDeployments }}
+  additionalDeployments: {{ toYaml $.Values.additionalDeployments | nindent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}

packages/system/capi-operator/charts/cluster-api-operator/values.yaml

@@ -5,8 +5,10 @@ core: ""
 bootstrap: ""
 controlPlane: ""
 infrastructure: ""
+ipam: ""
 addon: ""
 manager.featureGates: {}
+fetchConfig: {}
 # ---
 # Common configuration secret options
 configSecret: {}
@@ -19,14 +21,14 @@ leaderElection:
 image:
   manager:
     repository: registry.k8s.io/capi-operator/cluster-api-operator
-    tag: v0.11.0
+    tag: v0.17.0
     pullPolicy: IfNotPresent
 env:
   manager: []
-healthAddr: ":8081"
-metricsBindAddr: "127.0.0.1:8080"
-diagnosticsAddress: "8443"
+diagnosticsAddress: ":8443"
+healthAddr: ":9440"
 insecureDiagnostics: false
+watchConfigSecret: false
 imagePullSecrets: {}
 resources:
   manager:

packages/system/capi-providers/templates/providers.yaml

@@ -5,7 +5,7 @@ metadata:
   name: cluster-api
 spec:
   # https://github.com/kubernetes-sigs/cluster-api
-  version: v1.8.3
+  version: v1.9.5
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: ControlPlaneProvider
@@ -13,7 +13,7 @@ metadata:
   name: kamaji
 spec:
   # https://github.com/clastix/cluster-api-control-plane-provider-kamaji
-  version: v0.11.0
+  version: v0.14.1
   deployment:
     containers:
     - name: manager
@@ -28,7 +28,7 @@ metadata:
   name: kubeadm
 spec:
   # https://github.com/kubernetes-sigs/cluster-api
-  version: v1.8.3
+  version: v1.9.5
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: InfrastructureProvider

packages/system/cilium/images/cilium/Dockerfile

@@ -1,2 +1,13 @@
 ARG VERSION=v1.16.7
+FROM quay.io/cilium/cilium-builder:714cfc3420a53a154dba0df63a43bc1378bebffd@sha256:13345d46c1a5b24e3b64c46ff4b334c5bbbbf784b769f1adbb8fad094f177f03 as builder
+RUN curl -L https://github.com/cilium/cilium/archive/refs/tags/v1.16.7.tar.gz | tar --strip-components=1 -xzvf -
+
+COPY patches /patches
+RUN git apply /patches/*.diff
+
+RUN make -C bpf
+#RUN make -C daemon
+
 FROM quay.io/cilium/cilium:${VERSION}
+#COPY --from=builder /go/src/github.com/cilium/cilium/daemon/cilium-agent /usr/bin/cilium-agent
+COPY --from=builder /go/src/github.com/cilium/cilium/bpf /var/lib/cilium/bpf

packages/system/cilium/images/cilium/patches/disable-antispoofing.diff

@@ -0,0 +1,24 @@
+diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
+index 36ecfde895..39872d35c5 100644
+--- a/bpf/bpf_lxc.c
++++ b/bpf/bpf_lxc.c
+@@ -796,9 +796,6 @@ static __always_inline int __tail_handle_ipv6(struct __ctx_buff *ctx,
+ 	if (unlikely(is_icmp6_ndp(ctx, ip6, ETH_HLEN)))
+ 		return icmp6_ndp_handle(ctx, ETH_HLEN, METRIC_EGRESS, ext_err);
+ 
+-	if (unlikely(!is_valid_lxc_src_ip(ip6)))
+-		return DROP_INVALID_SIP;
+-
+ #ifdef ENABLE_PER_PACKET_LB
+ 	/* will tailcall internally or return error */
+ 	return __per_packet_lb_svc_xlate_6(ctx, ip6, ext_err);
+@@ -1361,9 +1358,6 @@ static __always_inline int __tail_handle_ipv4(struct __ctx_buff *ctx,
+ 		return DROP_FRAG_NOSUPPORT;
+ #endif
+ 
+-	if (unlikely(!is_valid_lxc_src_ipv4(ip4)))
+-		return DROP_INVALID_SIP;
+-
+ #ifdef ENABLE_MULTICAST
+ 	if (mcast_ipv4_is_igmp(ip4)) {
+ 		/* note:

packages/system/clickhouse-operator/values.yaml

@@ -1,4 +1,6 @@
 altinity-clickhouse-operator:
+  serviceMonitor:
+    enabled: true
   configs:
     files:
       config.yaml:

packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: cozy-proxy
 description: A simple kube-proxy addon for 1:1 NAT services in Kubernetes using an NFT backend
 type: application
-version: 0.1.2
-appVersion: 0.1.2
+version: 0.1.3
+appVersion: 0.1.3

packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml

@@ -25,3 +25,5 @@ spec:
             privileged: true
             capabilities:
               add: ["NET_ADMIN"]
+      tolerations:
+      - operator: Exists

packages/system/cozy-proxy/charts/cozy-proxy/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: ghcr.io/aenix-io/cozystack/cozy-proxy
-  tag: v0.1.2
+  tag: v0.1.3
   pullPolicy: IfNotPresent
 
 daemonset:

packages/system/cozystack-api/values.yaml

@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.26.0@sha256:11e455081a7898da92dc6611204c25eba7614567cc0665a26c5425db4b94192e
+  image: ghcr.io/aenix-io/cozystack/cozystack-api:v0.26.1@sha256:d4f2ad6e8e7b7578337c2c78649e95fcf658f2d8a242bcf6629be21c431f66e7

packages/system/cozystack-controller/values.yaml

@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.26.0@sha256:d0601c3776387bc38af6706ef5b68cfc986c119a1209c28a37e5797089308f26
+  image: ghcr.io/aenix-io/cozystack/cozystack-controller:v0.26.1@sha256:186df3406dd2a75f59872ff7d11fe92b6e4ce5787f76da3bc7ad670358ea40fb
   debug: false
   disableTelemetry: false
-  cozystackVersion: "v0.26.0"
+  cozystackVersion: "v0.26.1"

packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml

@@ -76,7 +76,7 @@ data:
       "kubeappsNamespace": {{ .Release.Namespace | quote }},
       "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
       "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.26.0",
+      "appVersion": "v0.26.1",
       "authProxyEnabled": {{ .Values.authProxy.enabled }},
       "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
       "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},

packages/system/dashboard/values.yaml

@@ -18,14 +18,14 @@ kubeapps:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: dashboard
-      tag: v0.26.0
-      digest: "sha256:b8c2d271040ae129345c7d8c2427cb9bbc7fb998be2d4ff47887bc3b643f6f72"
+      tag: v0.26.1
+      digest: "sha256:c1baa0d3f19201069da28a443a50f0dff1df53b2cbd2e8cfcb9201d25cd6bfc0"
   kubeappsapis:
     image:
       registry: ghcr.io/aenix-io/cozystack
       repository: kubeapps-apis
-      tag: v0.26.0
-      digest: "sha256:8364d1fc8ecdbd93fe2fe21a8619f0fde7a89ee68e5bcd6b8fb777bf73a39f5e"
+      tag: v0.26.1
+      digest: "sha256:55694bd7d7fd7948e7cac7b511635da01515dfb34f224ee9e7de7acf54cf6e81"
     pluginConfig:
       flux:
         packages:

packages/system/etcd-operator/charts/etcd-operator/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.4.0
+appVersion: v0.4.1
 name: etcd-operator
 type: application
-version: 0.4.0
+version: 0.4.1

packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml

@@ -73,6 +73,7 @@ rules:
     verbs:
     - get
     - list
+    - watch
   - apiGroups:
       - etcd.aenix.io
     resources:

packages/system/kamaji/charts/kamaji/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: kamaji-etcd
   repository: https://clastix.github.io/charts
-  version: 0.9.1
-digest: sha256:522ec6321e2e394bd89f88a59446b39d6871838c63583346fdca10db36f1bbdb
-generated: "2025-02-17T09:27:31.011938073+03:00"
+  version: 0.8.1
+digest: sha256:381d8ef9619c2daeea37e40c6a9772ae3e5cee80887148879db04e887d5364ad
+generated: "2024-10-25T19:28:40.880766186+02:00"

packages/system/kamaji/charts/kamaji/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v1.0.0
+appVersion: v0.0.0
 description: Kamaji is the Hosted Control Plane Manager for Kubernetes.
 home: https://github.com/clastix/kamaji
 icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png
@@ -17,11 +17,11 @@ name: kamaji
 sources:
 - https://github.com/clastix/kamaji
 type: application
-version: 2.0.0
+version: 0.0.0
 dependencies:
 - name: kamaji-etcd
   repository: https://clastix.github.io/charts
-  version: ">=0.7.0"
+  version: ">=0.8.1"
   condition: kamaji-etcd.deploy
 annotations:
   catalog.cattle.io/certified: partner

packages/system/kamaji/charts/kamaji/README.md

@@ -1,6 +1,6 @@
 # kamaji
 
-![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0](https://img.shields.io/badge/AppVersion-v1.0.0-informational?style=flat-square)
+![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
 
 Kamaji is the Hosted Control Plane Manager for Kubernetes.
 
@@ -22,7 +22,7 @@ Kubernetes: `>=1.21.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://clastix.github.io/charts | kamaji-etcd | >=0.7.0 |
+| https://clastix.github.io/charts | kamaji-etcd | >=0.8.1 |
 
 [Kamaji](https://github.com/clastix/kamaji) requires a [multi-tenant `etcd`](https://github.com/clastix/kamaji-internal/blob/master/deploy/getting-started-with-kamaji.md#setup-internal-multi-tenant-etcd) cluster.
 This Helm Chart starting from v0.1.1 provides the installation of an internal `etcd` in order to streamline the local test. If you'd like to use an externally managed etcd instance, you can specify the overrides and by setting the value `etcd.deploy=false`.
@@ -70,7 +70,7 @@ Here the values you can override:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Kubernetes affinity rules to apply to Kamaji controller pods |
-| defaultDatastoreName | string | `"default"` | Specify the default DataStore name for the Kamaji instance. |
+| defaultDatastoreName | string | `"default"` | If specified, all the Kamaji instances with an unassigned DataStore will inherit this default value. |
 | extraArgs | list | `[]` | A list of extra arguments to add to the kamaji controller default ones |
 | fullnameOverride | string | `""` |  |
 | healthProbeBindAddress | string | `":8081"` | The address the probe endpoint binds to. (default ":8081") |

packages/system/kamaji/charts/kamaji/crds/kamaji.clastix.io_tenantcontrolplanes.yaml

@@ -66,7 +66,6 @@ spec:
             metadata:
               type: object
             spec:
-              description: TenantControlPlaneSpec defines the desired state of TenantControlPlane.
               properties:
                 addons:
                   description: Addons contain which addons are enabled
@@ -6413,10 +6412,23 @@ spec:
                   type: object
                 dataStore:
                   description: |-
-                    DataStore allows to specify a DataStore that should be used to store the Kubernetes data for the given Tenant Control Plane.
-                    This parameter is optional and acts as an override over the default one which is used by the Kamaji Operator.
-                    Migration from a different DataStore to another one is not yet supported and the reconciliation will be blocked.
+                    DataStore specifies the DataStore that should be used to store the Kubernetes data for the given Tenant Control Plane.
+                    When Kamaji runs with the default DataStore flag, all empty values will inherit the default value.
+                    By leaving it empty and running Kamaji with no default DataStore flag, it is possible to achieve automatic assignment to a specific DataStore object.
+
+                    Migration from one DataStore to another backed by the same Driver is possible. See: https://kamaji.clastix.io/guides/datastore-migration/
+                    Migration from one DataStore to another backed by a different Driver is not supported.
                   type: string
+                dataStoreSchema:
+                  description: |-
+                    DataStoreSchema allows to specify the name of the database (for relational DataStores) or the key prefix (for etcd). This
+                    value is optional and immutable. Note that Kamaji currently doesn't ensure that DataStoreSchema values are unique. It's up
+                    to the user to avoid clashes between different TenantControlPlanes. If not set upon creation, Kamaji will default the
+                    DataStoreSchema by concatenating the namespace and name of the TenantControlPlane.
+                  type: string
+                  x-kubernetes-validations:
+                    - message: changing the dataStoreSchema is not supported
+                      rule: self == oldSelf
                 kubernetes:
                   description: Kubernetes specification for tenant control plane
                   properties:
@@ -6539,15 +6551,47 @@ spec:
                       items:
                         type: string
                       type: array
+                    clusterDomain:
+                      default: cluster.local
+                      description: The default domain name used for DNS resolution within the cluster.
+                      pattern: .*\..*
+                      type: string
+                      x-kubernetes-validations:
+                        - message: changing the cluster domain is not supported
+                          rule: self == oldSelf
                     dnsServiceIPs:
-                      default:
-                        - 10.96.0.10
+                      description: |-
+                        The DNS Service for internal resolution, it must match the Service CIDR.
+                        In case of an empty value, it is automatically computed according to the Service CIDR, e.g.:
+                        Service CIDR 10.96.0.0/16, the resulting DNS Service IP will be 10.96.0.10 for IPv4,
+                        for IPv6 from the CIDR 2001:db8:abcd::/64 the resulting DNS Service IP will be 2001:db8:abcd::10.
+                      items:
+                        type: string
+                      type: array
+                    loadBalancerClass:
+                      description: |-
+                        Specify the LoadBalancer class in case of multiple load balancer implementations.
+                        Field supported only for Tenant Control Plane instances exposed using a LoadBalancer Service.
+                      minLength: 1
+                      type: string
+                      x-kubernetes-validations:
+                        - message: LoadBalancerClass is immutable
+                          rule: self == oldSelf
+                    loadBalancerSourceRanges:
+                      description: |-
+                        LoadBalancerSourceRanges restricts the IP ranges that can access
+                        the LoadBalancer type Service. This field defines a list of IP
+                        address ranges (in CIDR format) that are allowed to access the service.
+                        If left empty, the service will allow traffic from all IP ranges (0.0.0.0/0).
+                        This feature is useful for restricting access to API servers or services
+                        to specific networks for security purposes.
+                        Example: {"192.168.1.0/24", "10.0.0.0/8"}
                       items:
                         type: string
                       type: array
                     podCidr:
                       default: 10.244.0.0/16
-                      description: CIDR for Kubernetes Pods
+                      description: 'CIDR for Kubernetes Pods: if empty, defaulted to 10.244.0.0/16.'
                       type: string
                     port:
                       default: 6443
@@ -6556,13 +6600,24 @@ spec:
                       type: integer
                     serviceCidr:
                       default: 10.96.0.0/16
-                      description: Kubernetes Service
+                      description: 'CIDR for Kubernetes Services: if empty, defaulted to 10.96.0.0/16.'
                       type: string
                   type: object
               required:
                 - controlPlane
                 - kubernetes
               type: object
+              x-kubernetes-validations:
+                - message: unsetting the dataStore is not supported
+                  rule: '!has(oldSelf.dataStore) || has(self.dataStore)'
+                - message: unsetting the dataStoreSchema is not supported
+                  rule: '!has(oldSelf.dataStoreSchema) || has(self.dataStoreSchema)'
+                - message: LoadBalancer source ranges are supported only with LoadBalancer service type
+                  rule: '!has(self.networkProfile.loadBalancerSourceRanges) || (size(self.networkProfile.loadBalancerSourceRanges) == 0 || self.controlPlane.service.serviceType == ''LoadBalancer'')'
+                - message: LoadBalancerClass is supported only with LoadBalancer service type
+                  rule: '!has(self.networkProfile.loadBalancerClass) || self.controlPlane.service.serviceType == ''LoadBalancer'''
+                - message: LoadBalancerClass cannot be set or unset at runtime
+                  rule: self.controlPlane.service.serviceType != 'LoadBalancer' || (oldSelf.controlPlane.service.serviceType != 'LoadBalancer' && self.controlPlane.service.serviceType == 'LoadBalancer') || has(self.networkProfile.loadBalancerClass) == has(oldSelf.networkProfile.loadBalancerClass)
             status:
               description: TenantControlPlaneStatus defines the observed state of TenantControlPlane.
               properties:

packages/system/kamaji/charts/kamaji/templates/controller.yaml

@@ -33,8 +33,9 @@ spec:
         - --leader-elect
         - --metrics-bind-address={{ .Values.metricsBindAddress }}
         - --tmp-directory={{ .Values.temporaryDirectoryPath }}
-        {{- $datastoreName := .Values.defaultDatastoreName | required ".Values.defaultDatastoreName is required!" }}
-        - --datastore={{ $datastoreName }}
+        {{- if not (eq .Values.defaultDatastoreName "") }}
+        - --datastore={{ .Values.defaultDatastoreName }}
+        {{- end }}
         {{- if .Values.telemetry.disabled }}
         - --disable-telemetry
         {{- end }}

packages/system/kamaji/charts/kamaji/values.yaml

@@ -95,7 +95,7 @@ loggingDevel:
   # -- Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default false)
   enable: false
 
-# -- Specify the default DataStore name for the Kamaji instance.
+# -- If specified, all the Kamaji instances with an unassigned DataStore will inherit this default value.
 defaultDatastoreName: default
 
 kamaji-etcd:

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.26.0@sha256:0ae4b7f5a86a2b1657edb3e383460953eef1f98cf386302aeb1c1206d843a1fc
+    tag: v0.26.1@sha256:a0504cdab3d36d144999d9b4a8729c53c016095d6958d3cae1acf8699f2fb0b9
     repository: ghcr.io/aenix-io/cozystack/kamaji
   resources:
     limits:

packages/system/keycloak/templates/db.yaml

@@ -6,7 +6,13 @@ spec:
   instances: 2
   storage:
     size: 20Gi
-
+  {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
+  {{- if $configMap }}
+  {{- $rawConstraints := get $configMap.data "globalAppTopologySpreadConstraints" }}
+  {{- if $rawConstraints }}
+  {{- $rawConstraints | fromYaml | toYaml | nindent 2 }}
+  {{- end }}
+  {{- end }}
   monitoring:
     enablePodMonitor: true
 

packages/system/kubeovn/values.yaml

@@ -22,4 +22,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.13.2@sha256:d81c6667fbba732468d7b55183cff35f9dee2f7d661710e34a865f2a3ab901a5
+      tag: v1.13.2@sha256:d3fa76c0cc48207aef15ff27f6332a3f8570e3db77fb97720af8505b812cdf61

packages/system/linstor/templates/podscrape.yaml

@@ -0,0 +1,44 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMPodScrape
+metadata:
+  name: linstor-satellite
+  namespace: cozy-linstor
+spec:
+  podMetricsEndpoints:
+  - port: prometheus
+    scheme: http
+    relabelConfigs:
+    - action: labeldrop
+      regex: (endpoint|namespace|pod|container)
+    - replacement: linstor-controller
+      targetLabel: job
+    - sourceLabels: [__meta_kubernetes_pod_node_name]
+      targetLabel: node
+    - targetLabel: tier
+      replacement: cluster
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: linstor-satellite
+---
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMPodScrape
+metadata:
+  name: linstor-controller
+  namespace: cozy-linstor
+spec:
+  podMetricsEndpoints:
+  - path: /metrics
+    port: api
+    scheme: http
+    relabelConfigs:
+    - action: labeldrop
+      regex: (endpoint|namespace|pod|container)
+    - replacement: linstor-satellite
+      targetLabel: job
+    - sourceLabels: [__meta_kubernetes_pod_node_name]
+      targetLabel: node
+    - targetLabel: tier
+      replacement: cluster
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: linstor-controller

packages/system/monitoring-agents/alerts/kubernetes-system-apiserver.yaml

@@ -19,7 +19,7 @@ spec:
         < 604800
       for: 5m
       labels:
-        severity: warning
+        severity: informational
         exported_instance: '{{ $labels.namespace }}/{{ $labels.pod }}'
         service: kubernetes-system-apiserver
     - alert: KubeClientCertificateExpiration
@@ -34,7 +34,7 @@ spec:
         < 86400
       for: 5m
       labels:
-        severity: critical
+        severity: informational
         exported_instance: '{{ $labels.namespace }}/{{ $labels.pod }}'
         service: kubernetes-system-apiserver
     - alert: KubeAggregatedAPIErrors

packages/system/piraeus-operator/alerts/piraeus-datastore.yaml

@@ -0,0 +1,116 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: piraeus-datastore
+spec:
+  groups:
+    - name: linstor.rules
+      rules:
+        - alert: linstorControllerOffline
+          annotations:
+            description: |
+              LINSTOR Controller is not reachable.
+          expr: up{job="linstor-controller"} == 0
+          labels:
+            severity: critical
+        - alert: linstorSatelliteErrorRate
+          annotations:
+            description: |
+              LINSTOR Satellite "{{ $labels.name }}" reports {{ $value }} errors in the last 15 minutes.
+              Use "linstor error-reports list --nodes {{ $labels.name }} --since 15minutes" to see them.
+          expr: increase(linstor_error_reports_count{module="SATELLITE"}[15m]) > 0
+          labels:
+            severity: warning
+        - alert: linstorControllerErrorRate
+          annotations:
+            description: |
+              LINSTOR Controller reports {{ $value }} errors in the last 15 minutes.
+              Use "linstor error-reports list --since 15minutes" to see them.
+          expr: increase(linstor_error_reports_count{module="CONTROLLER"}[15m]) > 0
+          labels:
+            severity: warning
+        - alert: linstorSatelliteNotOnline
+          annotations:
+            description: |
+              LINSTOR Satellite "{{ $labels.name }}" is not ONLINE.
+              Check that the Satellite is running and reachable from the LINSTOR Controller.
+          expr: linstor_node_state{nodetype="SATELLITE"} != 2
+          labels:
+            severity: critical
+        - alert: linstorStoragePoolErrors
+          annotations:
+            description: |
+              Storage pool "{{ $labels.storage_pool }}" on node "{{ $labels.node }}" ({{ $labels.driver }}={{ $labels.backing_pool }}) is reporting errors.
+          expr: linstor_storage_pool_error_count > 0
+          labels:
+            severity: critical
+        - alert: linstorStoragePoolAtCapacity
+          annotations:
+            description: |
+              Storage pool "{{ $labels.storage_pool }}" on node "{{ $labels.node }}" ({{ $labels.driver }}={{ $labels.backing_pool }}) has less than 20% free space available.
+          expr: ( linstor_storage_pool_capacity_free_bytes / linstor_storage_pool_capacity_total_bytes ) < 0.20
+          labels:
+            severity: warn
+    - name: drbd.rules
+      rules:
+        - alert: drbdReactorOffline
+          annotations:
+            description: |
+              DRBD Reactor on "{{ $labels.node }}" is not reachable.
+          expr: up{job="piraeus-datastore/linstor-satellite"} == 0
+          labels:
+            severity: critical
+        - alert: drbdConnectionNotConnected
+          annotations:
+            description: |
+              DRBD Resource "{{ $labels.name }}" on "{{ $labels.node }}" is not connected to "{{ $labels.conn_name }}": {{ $labels.drbd_connection_state }}.
+          expr: drbd_connection_state{drbd_connection_state!="Connected"} > 0
+          labels:
+            severity: warn
+        - alert: drbdDeviceNotUpToDate
+          annotations:
+            description: |
+              DRBD device "{{ $labels.name }}" on "{{ $labels.node }}" has unexpected device state "{{ $labels.drbd_device_state }}".
+          expr: drbd_device_state{drbd_device_state!~"UpToDate|Diskless"} > 0
+          labels:
+            severity: warn
+        - alert: drbdDeviceUnintentionalDiskless
+          annotations:
+            description: |
+              DRBD device "{{ $labels.name }}" on "{{ $labels.node }}" is unintenionally diskless.
+              This usually indicates IO errors reported on the backing device. Check the kernel log.
+          expr: drbd_device_unintentionaldiskless > 0
+          labels:
+            severity: warn
+        - alert: drbdDeviceWithoutQuorum
+          annotations:
+            description: |
+              DRBD device "{{ $labels.name }}" on "{{ $labels.node }}" has no quorum.
+              This usually indicates connectivity issues.
+          expr: drbd_device_quorum == 0
+          labels:
+            severity: warn
+        - alert: drbdResourceSuspended
+          annotations:
+            description: |
+              DRBD resource "{{ $labels.name }}" on "{{ $labels.node }}" has been suspended for 1m.
+          for: 1m
+          expr: drbd_resource_suspended > 0
+          labels:
+            severity: warn
+        - alert: drbdResourceResyncWithoutProgress
+          annotations:
+            description: |
+              DRBD resource "{{ $labels.name }}" on "{{ $labels.node }}" has been in Inconsistent without resync progress for 5 minutes.
+              This may indicate there is no connection to UpToDate data, or a stuck resync.
+          expr: drbd_device_state{drbd_device_state="Inconsistent"} and delta(drbd_peerdevice_outofsync_bytes[5m]) >= 0
+          labels:
+            severity: warn
+        - alert: drbdResourceWithNoUpToDateReplicas
+          annotations:
+            description: |
+              DRBD resource "{{ $labels.name }}" has no UpToDate replicas.
+          expr: sum by (name) (drbd_device_state{drbd_device_state="UpToDate"}) == 0
+          labels:
+            severity: critical

packages/system/piraeus-operator/templates/alerts.yaml

@@ -0,0 +1,7 @@
+{{- $files := .Files.Glob "alerts/*.yaml" -}}
+{{- range $path, $file := $files }}
+---
+# from: {{ $path }}
+{{ toString $file }}
+
+{{- end -}}