ingress webhook

testing ingress nginx built-in webhook instead of certmanager one

Makefile

@@ -20,6 +20,7 @@ build: build-deps
 	make -C packages/system/kubeovn image
 	make -C packages/system/kubeovn-webhook image
 	make -C packages/system/dashboard image
+	make -C packages/system/metallb image
 	make -C packages/system/kamaji image
 	make -C packages/system/bucket image
 	make -C packages/core/testing image

hack/e2e.sh

@@ -334,8 +334,8 @@ if ! kubectl wait --timeout=2m --for=condition=ready -n tenant-root hr monitorin
   kubectl wait --timeout=2m --for=condition=ready -n tenant-root hr monitoring
 fi
 
-kubectl patch -n tenant-root ingresses.apps.cozystack.io ingress --type=merge -p '{"spec":{
-  "dashboard": true
+kubectl patch -n cozy-system cm cozystack --type=merge -p '{"data":{
+  "expose-services": "api,dashboard,cdi-uploadproxy,vm-exportproxy,keycloak"
 }}'
 
 # Wait for nginx-ingress-controller

packages/apps/clickhouse/Makefile

@@ -7,8 +7,10 @@ generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
 
 image:
-	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/clickhouse-backup \
+	docker buildx build images/clickhouse-backup \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/clickhouse-backup:$(call settag,$(CLICKHOUSE_BACKUP_TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/clickhouse-backup:latest \
 		--cache-to type=inline \

packages/apps/http-cache/Makefile

@@ -6,8 +6,10 @@ include ../../../scripts/package.mk
 image: image-nginx
 
 image-nginx:
-	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/nginx-cache \
+	docker buildx build images/nginx-cache \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/nginx-cache:$(call settag,$(NGINX_CACHE_TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/nginx-cache:latest \
 		--cache-to type=inline \

packages/apps/http-cache/images/nginx-cache/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:22.04 as stage
+FROM ubuntu:22.04 AS stage
 
 ARG NGINX_VERSION=1.25.3
 ARG IP2LOCATION_C_VERSION=8.6.1
@@ -9,11 +9,15 @@ ARG FIFTYONEDEGREES_NGINX_VERSION=3.2.21.1
 ARG NGINX_CACHE_PURGE_VERSION=2.5.3
 ARG NGINX_VTS_VERSION=0.2.2
 
+ARG TARGETOS
+ARG TARGETARCH
+
 # Install required packages for development
-RUN apt-get update -q \
- && apt-get install -yq \
+RUN apt update -q \
+ && apt install -yq --no-install-recommends \
+    ca-certificates \
     unzip \
-    autoconf \
+    automake \
     build-essential \
     libtool \
     libpcre3 \
@@ -68,7 +72,7 @@ RUN checkinstall \
   --default \
   --pkgname=ip2location-c \
   --pkgversion=${IP2LOCATION_C_VERSION} \
-  --pkgarch=amd64 \
+  --pkgarch=${TARGETARCH} \
   --pkggroup=lib \
   --pkgsource="https://github.com/chrislim2888/IP2Location-C-Library" \
   --maintainer="Eduard Generalov <eduard@generalov.net>" \
@@ -97,7 +101,7 @@ RUN checkinstall \
   --default \
   --pkgname=ip2proxy-c \
   --pkgversion=${IP2PROXY_C_VERSION} \
-  --pkgarch=amd64 \
+  --pkgarch=${TARGETARCH} \
   --pkggroup=lib \
   --pkgsource="https://github.com/ip2location/ip2proxy-c" \
   --maintainer="Eduard Generalov <eduard@generalov.net>" \
@@ -144,7 +148,7 @@ RUN checkinstall \
   --default \
   --pkgname=nginx \
   --pkgversion=$VERS \
-  --pkgarch=amd64 \
+  --pkgarch=${TARGETARCH} \
   --pkggroup=web \
   --provides=nginx \
   --requires=ip2location-c,ip2proxy-c,libssl3,libc-bin,libc6,libzstd1,libpcre++0v5,libpcre16-3,libpcre2-8-0,libpcre3,libpcre32-3,libpcrecpp0v5,libmaxminddb0 \
@@ -165,10 +169,9 @@ COPY nginx-reloader.sh /usr/bin/nginx-reloader.sh
 RUN set -x \
  && groupadd --system --gid 101 nginx \
  && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
- && apt update \
- && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates inotify-tools \
- && apt -y install /packages/*.deb \
- && apt-get clean \
+ && apt update -q \
+ && apt install -yq --no-install-recommends --no-install-suggests gnupg1 ca-certificates inotify-tools \
+ && apt install -y /packages/*.deb \
  && rm -rf /var/lib/apt/lists/* \
  && mkdir -p /var/lib/nginx /var/log/nginx \
  && ln -sf /dev/stdout /var/log/nginx/access.log \

packages/apps/kubernetes/Chart.yaml

@@ -22,4 +22,4 @@ version: 0.20.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 1.31.0
+appVersion: 1.32.4

packages/apps/kubernetes/Makefile

@@ -14,8 +14,10 @@ generate:
 image: image-ubuntu-container-disk image-kubevirt-cloud-provider image-kubevirt-csi-driver image-cluster-autoscaler
 
 image-ubuntu-container-disk:
-	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/ubuntu-container-disk \
+	docker buildx build images/ubuntu-container-disk \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \
 		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(KUBERNETES_VERSION)) \
 		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(KUBERNETES_VERSION)-$(TAG)) \
@@ -30,8 +32,10 @@ image-ubuntu-container-disk:
 	rm -f images/ubuntu-container-disk.json
 
 image-kubevirt-cloud-provider:
-	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/kubevirt-cloud-provider \
+	docker buildx build images/kubevirt-cloud-provider \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/kubevirt-cloud-provider:$(call settag,$(KUBERNETES_PKG_TAG)) \
 		--tag $(REGISTRY)/kubevirt-cloud-provider:$(call settag,$(KUBERNETES_PKG_TAG)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/kubevirt-cloud-provider:latest \
@@ -45,8 +49,10 @@ image-kubevirt-cloud-provider:
 	rm -f images/kubevirt-cloud-provider.json
 
 image-kubevirt-csi-driver:
-	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/kubevirt-csi-driver \
+	docker buildx build images/kubevirt-csi-driver \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/kubevirt-csi-driver:$(call settag,$(KUBERNETES_PKG_TAG)) \
 		--tag $(REGISTRY)/kubevirt-csi-driver:$(call settag,$(KUBERNETES_PKG_TAG)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/kubevirt-csi-driver:latest \
@@ -61,8 +67,10 @@ image-kubevirt-csi-driver:
 
 
 image-cluster-autoscaler:
-	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/cluster-autoscaler \
+	docker buildx build images/cluster-autoscaler \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/cluster-autoscaler:$(call settag,$(KUBERNETES_PKG_TAG)) \
 		--tag $(REGISTRY)/cluster-autoscaler:$(call settag,$(KUBERNETES_PKG_TAG)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/cluster-autoscaler:latest \

packages/apps/kubernetes/images/cluster-autoscaler/Dockerfile

@@ -1,7 +1,14 @@
 # Source: https://raw.githubusercontent.com/kubernetes/autoscaler/refs/heads/master/cluster-autoscaler/Dockerfile.amd64
 ARG builder_image=docker.io/library/golang:1.23.4
-ARG BASEIMAGE=gcr.io/distroless/static:nonroot-amd64
+ARG BASEIMAGE=gcr.io/distroless/static:nonroot-${TARGETARCH}
+
 FROM ${builder_image} AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+ENV GOOS=$TARGETOS
+ENV GOARCH=$TARGETARCH
+
 RUN git clone https://github.com/kubernetes/autoscaler /src/autoscaler \
  && cd /src/autoscaler/cluster-autoscaler \
  && git checkout cluster-autoscaler-1.32.0
@@ -14,6 +21,8 @@ RUN make build
 FROM $BASEIMAGE
 LABEL maintainer="Marcin Wielgus <mwielgus@google.com>"
 
-COPY --from=builder /src/autoscaler/cluster-autoscaler/cluster-autoscaler-amd64 /cluster-autoscaler
+ARG TARGETARCH
+
+COPY --from=builder /src/autoscaler/cluster-autoscaler/cluster-autoscaler-${TARGETARCH} /cluster-autoscaler
 WORKDIR /
 CMD ["/cluster-autoscaler"]

packages/apps/kubernetes/images/kubevirt-cloud-provider/Dockerfile

@@ -1,5 +1,10 @@
 # Source: https://github.com/kubevirt/cloud-provider-kubevirt/blob/main/build/images/kubevirt-cloud-controller-manager/Dockerfile
-FROM --platform=linux/amd64 golang:1.20.6 AS builder
+FROM golang:1.20.6 AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+ENV GOOS=$TARGETOS
+ENV GOARCH=$TARGETARCH
 
 RUN git clone https://github.com/kubevirt/cloud-provider-kubevirt /go/src/kubevirt.io/cloud-provider-kubevirt \
  && cd /go/src/kubevirt.io/cloud-provider-kubevirt \
@@ -14,7 +19,7 @@ RUN go get 'k8s.io/endpointslice/util@v0.28' 'k8s.io/apiserver@v0.28'
 RUN go mod tidy
 RUN go mod vendor
 
-RUN	CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags="-s -w" -o bin/kubevirt-cloud-controller-manager ./cmd/kubevirt-cloud-controller-manager
+RUN CGO_ENABLED=0 go build -mod=vendor -ldflags="-s -w" -o bin/kubevirt-cloud-controller-manager ./cmd/kubevirt-cloud-controller-manager
 
 FROM registry.access.redhat.com/ubi9/ubi-micro
 COPY --from=builder /go/src/kubevirt.io/cloud-provider-kubevirt/bin/kubevirt-cloud-controller-manager /bin/kubevirt-cloud-controller-manager

packages/apps/kubernetes/images/kubevirt-csi-driver/Dockerfile

@@ -5,6 +5,11 @@ RUN git clone https://github.com/kubevirt/csi-driver /src/kubevirt-csi-driver \
  && cd /src/kubevirt-csi-driver \
  && git checkout 35836e0c8b68d9916d29a838ea60cdd3fc6199cf
 
+ARG TARGETOS
+ARG TARGETARCH
+ENV GOOS=$TARGETOS
+ENV GOARCH=$TARGETARCH
+
 WORKDIR /src/kubevirt-csi-driver
 RUN make build
 

packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile

@@ -1,5 +1,5 @@
 # TODO: Here we use ubuntu:22.04, as guestfish has some network issues running in ubuntu:24.04
-FROM ubuntu:22.04 as guestfish
+FROM ubuntu:22.04 AS guestfish
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN apt-get update \
@@ -8,15 +8,17 @@ RUN apt-get update \
      linux-image-generic \
      wget \
      make \
-     bash-completion \
- && apt-get clean
+     bash-completion
 
 WORKDIR /build
 
-FROM guestfish as builder
+FROM guestfish AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
 
 # noble is a code name for the Ubuntu 24.04 LTS release
-RUN wget -O image.img https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img --show-progress --output-file /dev/stdout --progress=dot:giga 2>/dev/null
+RUN wget -O image.img https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-${TARGETARCH}.img --show-progress --output-file /dev/stdout --progress=dot:giga 2>/dev/null
 
 ARG KUBERNETES_VERSION
 
@@ -29,19 +31,21 @@ RUN qemu-img resize image.img 5G \
  && guestfish --remote command "resize2fs /dev/sda1" \
 # docker repo
  && guestfish --remote sh "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" \
- && guestfish --remote sh 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list' \
+ && guestfish --remote sh 'echo "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list' \
 # kubernetes repo
  && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/${KUBERNETES_VERSION}/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
  && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/${KUBERNETES_VERSION}/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
+ && guestfish --remote command "apt-get check -q" \
 # install containerd
- && guestfish --remote command "apt-get update -y" \
- && guestfish --remote command "apt-get install -y containerd.io" \
+ && guestfish --remote command "apt-get update -q" \
+ && guestfish --remote command "apt-get install -yq containerd.io" \
 # configure containerd
  && guestfish --remote command "mkdir -p /etc/containerd" \
  && guestfish --remote sh "containerd config default | tee /etc/containerd/config.toml" \
  && guestfish --remote command "sed -i '/SystemdCgroup/ s/=.*/= true/' /etc/containerd/config.toml" \
+ && guestfish --remote command "containerd config dump >/dev/null" \
 # install kubernetes
- && guestfish --remote command "apt-get install -y kubelet kubeadm" \
+ && guestfish --remote command "apt-get install -yq kubelet kubeadm" \
 # clean apt cache
  && guestfish --remote sh 'apt-get clean && rm -rf /var/lib/apt/lists/*' \
 # write system configuration

packages/apps/kubernetes/templates/cluster.yaml

@@ -150,14 +150,14 @@ spec:
     ingress:
       extraAnnotations:
         nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-      hostname: {{ .Values.host | default (printf "%s.%s" .Release.Name $host) }}
+      hostname: {{ .Values.host | default (printf "%s.%s" .Release.Name $host) }}:443
       className: "{{ $ingress }}"
   deployment:
     podAdditionalMetadata:
       labels:
         policy.cozystack.io/allow-to-etcd: "true"
   replicas: 2
-  version: 1.30.1
+  version: {{ $.Chart.AppVersion }}
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: WorkloadMonitor
@@ -283,7 +283,7 @@ spec:
         kind: KubevirtMachineTemplate
         name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
         namespace: {{ $.Release.Namespace }}
-      version: v1.32.3
+      version: v{{ $.Chart.AppVersion }}
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineHealthCheck

packages/apps/mysql/Makefile

@@ -7,8 +7,10 @@ generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
 
 image:
-	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/mariadb-backup \
+	docker buildx build images/mariadb-backup \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/mariadb-backup:$(call settag,$(MARIADB_BACKUP_TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/mariadb-backup:latest \
 		--cache-to type=inline \

packages/apps/postgres/Makefile

@@ -7,8 +7,10 @@ generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
 
 image:
-	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/postgres-backup \
+	docker buildx build images/postgres-backup \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/postgres-backup:$(call settag,$(POSTGRES_BACKUP_TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/postgres-backup:latest \
 		--cache-to type=inline \

packages/core/installer/images/talos/profiles/initramfs.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.5
+version: v1.10.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.5
+    imageRef: ghcr.io/siderolabs/installer:v1.10.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250311
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250311
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250311
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250311
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.5
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.5
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
 output:
   kind: initramfs
   imageOptions: {}

packages/core/installer/images/talos/profiles/installer.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.5
+version: v1.10.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.5
+    imageRef: ghcr.io/siderolabs/installer:v1.10.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250311
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250311
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250311
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250311
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.5
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.5
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
 output:
   kind: installer
   imageOptions: {}

packages/core/installer/images/talos/profiles/iso.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.5
+version: v1.10.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.5
+    imageRef: ghcr.io/siderolabs/installer:v1.10.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250311
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250311
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250311
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250311
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.5
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.5
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
 output:
   kind: iso
   imageOptions: {}

packages/core/installer/images/talos/profiles/kernel.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.5
+version: v1.10.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.5
+    imageRef: ghcr.io/siderolabs/installer:v1.10.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250311
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250311
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250311
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250311
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.5
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.5
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
 output:
   kind: kernel
   imageOptions: {}

packages/core/installer/images/talos/profiles/metal.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.9.5
+version: v1.10.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.5
+    imageRef: ghcr.io/siderolabs/installer:v1.10.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250311
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250311
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250311
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250311
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.5
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.5
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/installer/images/talos/profiles/nocloud.yaml

@@ -3,24 +3,24 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.9.5
+version: v1.10.1
 input:
   kernel:
     path: /usr/install/amd64/vmlinuz
   initramfs:
     path: /usr/install/amd64/initramfs.xz
   baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.9.5
+    imageRef: ghcr.io/siderolabs/installer:v1.10.1
   systemExtensions:
-    - imageRef: ghcr.io/siderolabs/amd-ucode:20250311
+    - imageRef: ghcr.io/siderolabs/amd-ucode:20250410
     - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
-    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250311
+    - imageRef: ghcr.io/siderolabs/bnx2-bnx2x:20250410
     - imageRef: ghcr.io/siderolabs/i915-ucode:20241110
-    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250311
+    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20250410
     - imageRef: ghcr.io/siderolabs/intel-ucode:20250211
-    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250311
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.5
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.7-v1.9.5
+    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20250410
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.13-v1.10.1
+    - imageRef: ghcr.io/siderolabs/zfs:2.3.1-v1.10.1
 output:
   kind: image
   imageOptions: { diskSize: 1306525696, diskFormat: raw }

packages/core/platform/bundles/paas-full.yaml

@@ -260,72 +260,15 @@ releases:
   releaseName: dashboard
   chart: cozy-dashboard
   namespace: cozy-dashboard
-  dependsOn: [cilium,kubeovn,keycloak-configure]
   values:
-    kubeapps:
-    {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-    {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
-      redis:
-        master:
-          podAnnotations:
-            {{- range $index, $repo := . }}
-            {{- with (($repo.status).artifact).revision }}
-            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
-            {{- end }}
-            {{- end }}
-    {{- end }}
-    {{- end }}
-      frontend:
-        resourcesPreset: "none"
-      dashboard:
-        resourcesPreset: "none"
-        {{- $cozystackBranding:= lookup "v1" "ConfigMap" "cozy-system" "cozystack-branding" }}
-        {{- $branding := dig "data" "branding" "" $cozystackBranding }}
-        {{- if $branding }}
-        customLocale:
-          "Kubeapps": {{ $branding }}
-        {{- end }}
-        customStyle: |
-          {{- $logoImage := dig "data" "logo" "" $cozystackBranding }}
-          {{- if $logoImage }}
-          .kubeapps-logo {
-            background-image: {{ $logoImage }}
-          }
-          {{- end }}
-          #serviceaccount-selector {
-            display: none;
-          }
-          .login-moreinfo {
-            display: none;
-          }
-          a[href="#/docs"] {
-            display: none;
-          }
-          .login-group .clr-form-control .clr-control-label {
-            display: none;
-          }
-          .appview-separator div.appview-first-row div.center {
-            display: none;
-          }
-          .appview-separator div.appview-first-row section[aria-labelledby="app-secrets"] {
-            display: none;
-          }
-          .appview-first-row section[aria-labelledby="access-urls-title"] {
-            width: 100%;
-          }
-  {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
-  {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
-  {{- if $dashboardKCValues }}
-  valuesFrom:
-  - kind: ConfigMap
-    name: kubeapps-auth-config
-    valuesKey: values.yaml
-  {{- end }}
-
+    {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
+    {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig | fromYaml }}
+    {{- toYaml (deepCopy $dashboardKCValues | mergeOverwrite (fromYaml (include "cozystack.defaultDashboardValues" .))) | nindent 4 }}
+  dependsOn:
+  - cilium
+  - kubeovn
   {{- if eq $oidcEnabled "true" }}
-  dependsOn: [keycloak-configure]
-  {{- else }}
-  dependsOn: []
+  - keycloak-configure
   {{- end }}
 
 - name: kamaji

packages/core/platform/bundles/paas-hosted.yaml

@@ -155,66 +155,9 @@ releases:
   chart: cozy-dashboard
   namespace: cozy-dashboard
   values:
-    kubeapps:
-    {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-    {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
-      redis:
-        master:
-          podAnnotations:
-            {{- range $index, $repo := . }}
-            {{- with (($repo.status).artifact).revision }}
-            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
-            {{- end }}
-            {{- end }}
-    {{- end }}
-    {{- end }}
-      frontend:
-        resourcesPreset: "none"
-      dashboard:
-        resourcesPreset: "none"
-        {{- $cozystackBranding:= lookup "v1" "ConfigMap" "cozy-system" "cozystack-branding" }}
-        {{- $branding := dig "data" "branding" "" $cozystackBranding }}
-        {{- if $branding }}
-        customLocale:
-          "Kubeapps": {{ $branding }}
-        {{- end }}
-        customStyle: |
-          {{- $logoImage := dig "data" "logo" "" $cozystackBranding }}
-          {{- if $logoImage }}
-          .kubeapps-logo {
-            background-image: {{ $logoImage }}
-          }
-          {{- end }}
-          #serviceaccount-selector {
-            display: none;
-          }
-          .login-moreinfo {
-            display: none;
-          }
-          a[href="#/docs"] {
-            display: none;
-          }
-          .login-group .clr-form-control .clr-control-label {
-            display: none;
-          }
-          .appview-separator div.appview-first-row div.center {
-            display: none;
-          }
-          .appview-separator div.appview-first-row section[aria-labelledby="app-secrets"] {
-            display: none;
-          }
-          .appview-first-row section[aria-labelledby="access-urls-title"] {
-            width: 100%;
-          }
-  {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
-  {{- $dashboardKCValues := dig "data" "values.yaml" "" $dashboardKCconfig }}
-  {{- if $dashboardKCValues }}
-  valuesFrom:
-  - kind: ConfigMap
-    name: kubeapps-auth-config
-    valuesKey: values.yaml
-  {{- end }}
-
+    {{- $dashboardKCconfig := lookup "v1" "ConfigMap" "cozy-dashboard" "kubeapps-auth-config" }}
+    {{- $dashboardKCValues := dig "data" "values.yaml" (dict) $dashboardKCconfig }}
+    {{- toYaml (deepCopy $dashboardKCValues | mergeOverwrite (fromYaml (include "cozystack.defaultDashboardValues" .))) | nindent 4 }}
   {{- if eq $oidcEnabled "true" }}
   dependsOn: [keycloak-configure]
   {{- else }}

packages/core/platform/templates/_helpers.tpl

@@ -16,3 +16,57 @@ Get IP-addresses of master nodes
 {{- end -}}
 {{ join "," $ips }}
 {{- end -}}
+
+{{- define "cozystack.defaultDashboardValues" -}}
+kubeapps:
+{{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+{{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }}
+  redis:
+    master:
+      podAnnotations:
+        {{- range $index, $repo := . }}
+        {{- with (($repo.status).artifact).revision }}
+        repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
+        {{- end }}
+        {{- end }}
+{{- end }}
+{{- end }}
+  frontend:
+    resourcesPreset: "none"
+  dashboard:
+    resourcesPreset: "none"
+    {{- $cozystackBranding:= lookup "v1" "ConfigMap" "cozy-system" "cozystack-branding" }}
+    {{- $branding := dig "data" "branding" "" $cozystackBranding }}
+    {{- if $branding }}
+    customLocale:
+      "Kubeapps": {{ $branding }}
+    {{- end }}
+    customStyle: |
+      {{- $logoImage := dig "data" "logo" "" $cozystackBranding }}
+      {{- if $logoImage }}
+      .kubeapps-logo {
+        background-image: {{ $logoImage }}
+      }
+      {{- end }}
+      #serviceaccount-selector {
+        display: none;
+      }
+      .login-moreinfo {
+        display: none;
+      }
+      a[href="#/docs"] {
+        display: none;
+      }
+      .login-group .clr-form-control .clr-control-label {
+        display: none;
+      }
+      .appview-separator div.appview-first-row div.center {
+        display: none;
+      }
+      .appview-separator div.appview-first-row section[aria-labelledby="app-secrets"] {
+        display: none;
+      }
+      .appview-first-row section[aria-labelledby="access-urls-title"] {
+        width: 100%;
+      }
+{{- end }}

packages/core/platform/templates/helmreleases.yaml

@@ -72,17 +72,6 @@ spec:
     {{- toYaml . | nindent 4}}
   {{- end }}
 
-  {{- if $x.valuesFrom }}
-  valuesFrom:
-  {{- range $source := $x.valuesFrom }}
-  - kind: {{ $source.kind }}
-    name: {{ $source.name }}
-    {{- if $source.valuesKey }}
-    valuesKey: {{ $source.valuesKey }}
-    {{- end }}
-  {{- end }}
-  {{- end }}
-
   {{- with $x.dependsOn }}
   dependsOn:
   {{-   range $dep := . }}

packages/core/testing/Makefile

@@ -17,6 +17,8 @@ image: image-e2e-sandbox
 image-e2e-sandbox:
 	docker buildx build -f images/e2e-sandbox/Dockerfile ../../.. \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/e2e-sandbox:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/e2e-sandbox:latest \
 		--cache-to type=inline \

packages/core/testing/images/e2e-sandbox/Dockerfile

@@ -4,14 +4,16 @@ ARG KUBECTL_VERSION=1.32.0
 ARG TALOSCTL_VERSION=1.9.5
 ARG HELM_VERSION=3.16.4
 
-RUN apt-get update
-RUN apt-get -y install genisoimage qemu-kvm qemu-utils iproute2 iptables wget xz-utils netcat curl jq make git
-RUN curl -LO "https://github.com/siderolabs/talos/releases/download/v${TALOSCTL_VERSION}/talosctl-linux-amd64" \
- && chmod +x talosctl-linux-amd64 \
- && mv talosctl-linux-amd64 /usr/local/bin/talosctl
-RUN curl -LO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
- && chmod +x kubectl \
- && mv kubectl /usr/local/bin/kubectl
-RUN curl -sSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash -s - --version "v${HELM_VERSION}"
-RUN wget https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq
-RUN curl -s https://fluxcd.io/install.sh | bash
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN apt update -q
+RUN apt install -yq --no-install-recommends genisoimage ca-certificates qemu-kvm qemu-utils iproute2 iptables wget xz-utils netcat curl jq make git
+RUN curl -sSL "https://github.com/siderolabs/talos/releases/download/v${TALOSCTL_VERSION}/talosctl-${TARGETOS}-${TARGETARCH}" -o /usr/local/bin/talosctl \
+ && chmod +x /usr/local/bin/talosctl
+RUN curl -sSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl" -o /usr/local/bin/kubectl \
+ && chmod +x /usr/local/bin/kubectl
+RUN curl -sSL "https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3" | bash -s - --version "v${HELM_VERSION}"
+RUN curl -sSL "https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_${TARGETOS}_${TARGETARCH}" -o /usr/local/bin/yq \
+ && chmod +x /usr/local/bin/yq
+RUN curl -sSL "https://fluxcd.io/install.sh" | bash

packages/extra/ingress/Chart.yaml

@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: /logos/ingress-nginx.svg
 type: application
-version: 1.5.1
+version: 1.6.0

packages/extra/ingress/README.md

@@ -4,13 +4,10 @@
 
 ### Common parameters
 
-| Name              | Description                                                       | Value   |
-| ----------------- | ----------------------------------------------------------------- | ------- |
-| `replicas`        | Number of ingress-nginx replicas                                  | `2`     |
-| `externalIPs`     | List of externalIPs for service.                                  | `[]`    |
-| `whitelist`       | List of client networks                                           | `[]`    |
-| `clouflareProxy`  | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` |
-| `dashboard`       | Should ingress serve Cozystack service dashboard                  | `false` |
-| `cdiUploadProxy`  | Should ingress serve CDI upload proxy                             | `false` |
-| `virtExportProxy` | Should ingress serve KubeVirt export proxy                        | `false` |
+| Name             | Description                                                       | Value   |
+| ---------------- | ----------------------------------------------------------------- | ------- |
+| `replicas`       | Number of ingress-nginx replicas                                  | `2`     |
+| `externalIPs`    | List of externalIPs for service.                                  | `[]`    |
+| `whitelist`      | List of client networks                                           | `[]`    |
+| `clouflareProxy` | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` |
 

packages/extra/ingress/templates/cdi-uploadproxy.yaml

@@ -1,37 +0,0 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
-
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
-
-{{- if .Values.cdiUploadProxy }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    {{- if eq $issuerType "cloudflare" }} 
-    {{- else }}
-    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
-    {{- end }}
-  name: cdi-uploadproxy-{{ .Release.Namespace }}
-  namespace: cozy-kubevirt-cdi
-spec:
-  ingressClassName: {{ .Release.Namespace }}
-  rules:
-  - host: cdi-uploadproxy.{{ $host }}
-    http:
-      paths:
-      - backend:
-          service:
-            name: cdi-uploadproxy
-            port:
-              number: 443
-        path: /
-        pathType: Prefix
-  tls:
-  - hosts:
-    - cdi-uploadproxy.{{ $host }}
-    secretName: cdi-uploadproxy-{{ .Release.Namespace }}-tls
-{{- end }}

packages/extra/ingress/templates/nginx-ingress.yaml

@@ -1,3 +1,6 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $exposeIngress := index $cozyConfig.data "expose-ingress" | default "tenant-root" }}
+{{- $exposeExternalIPs := (index $cozyConfig.data "expose-external-ips") | default "" }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -31,9 +34,9 @@ spec:
           enabled: false
         {{- end }}
         service:
-          {{- if .Values.externalIPs }}
+          {{- if and (eq $exposeIngress .Release.Namespace) $exposeExternalIPs }}
           externalIPs:
-            {{- toYaml .Values.externalIPs | nindent 12 }}
+            {{- toYaml (splitList "," $exposeExternalIPs) | nindent 12 }}
           type: ClusterIP
           externalTrafficPolicy: Cluster
           {{- else }}

packages/extra/ingress/values.schema.json

@@ -25,21 +25,6 @@
             "type": "boolean",
             "description": "Restoring original visitor IPs when Cloudflare proxied is enabled",
             "default": false
-        },
-        "dashboard": {
-            "type": "boolean",
-            "description": "Should ingress serve Cozystack service dashboard",
-            "default": false
-        },
-        "cdiUploadProxy": {
-            "type": "boolean",
-            "description": "Should ingress serve CDI upload proxy",
-            "default": false
-        },
-        "virtExportProxy": {
-            "type": "boolean",
-            "description": "Should ingress serve KubeVirt export proxy",
-            "default": false
         }
     }
 }

packages/extra/ingress/values.yaml

@@ -4,17 +4,6 @@
 ##
 replicas: 2
 
-## @param externalIPs [array] List of externalIPs for service.
-## Optional. If not specified will use LoadBalancer service by default.
-## 
-## e.g:
-## externalIPs:
-##   - "11.22.33.44"
-##   - "11.22.33.45"
-##   - "11.22.33.46"
-##
-externalIPs: []
-
 ## @param whitelist List of client networks
 ## Example:
 ## whitelist:
@@ -24,12 +13,3 @@ whitelist: []
 
 ## @param clouflareProxy Restoring original visitor IPs when Cloudflare proxied is enabled
 clouflareProxy: false
-
-## @param dashboard Should ingress serve Cozystack service dashboard
-dashboard: false
-
-## @param cdiUploadProxy Should ingress serve CDI upload proxy
-cdiUploadProxy: false
-
-## @param virtExportProxy Should ingress serve KubeVirt export proxy
-virtExportProxy: false

packages/extra/ingress/vm-exportproxy.yaml

@@ -1,37 +0,0 @@
-{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
-
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
-
-{{- if .Values.virtExportProxy }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    {{- if eq $issuerType "cloudflare" }} 
-    {{- else }}
-    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
-    {{- end }}
-  name: virt-exportproxy-{{ .Release.Namespace }}
-  namespace: cozy-kubevirt
-spec:
-  ingressClassName: {{ .Release.Namespace }}
-  rules:
-  - host: virt-exportproxy.{{ $host }}
-    http:
-      paths:
-      - backend:
-          service:
-            name: virt-exportproxy
-            port:
-              number: 443
-        path: /
-        pathType: ImplementationSpecific
-  tls:
-  - hosts:
-    virt-exportproxy.{{ $host }}
-    secretName: virt-exportproxy-{{ .Release.Namespace }}-tls
-{{- end }}

packages/extra/monitoring/Makefile

@@ -13,8 +13,10 @@ generate:
 	rm -f values.schema.json.tmp
 
 image:
-	docker buildx build --platform linux/amd64 images/grafana \
+	docker buildx build images/grafana \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/grafana:$(call settag,$(GRAFANA_TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/grafana:latest \
 		--cache-to type=inline \

packages/extra/versions_map

@@ -19,7 +19,7 @@ ingress 1.2.0 28fca4ef
 ingress 1.3.0 fde4bcfa
 ingress 1.4.0 fd240701
 ingress 1.5.0 93bdf411
-ingress 1.5.1 HEAD
+ingress 1.6.0 HEAD
 monitoring 1.0.0 d7cfa53c
 monitoring 1.1.0 25221fdc
 monitoring 1.2.0 f81be075

packages/system/bucket/Makefile

@@ -6,14 +6,15 @@ include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 update:
-	rm -rf charts
-	helm pull oci://ghcr.io/aenix-io/charts/etcd-operator --untar --untardir charts
+	@echo Nothing to update
 
 image: image-s3manager
 
 image-s3manager:
-	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/s3manager \
+	docker buildx build images/s3manager \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/s3manager:$(call settag,$(S3MANAGER_TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/s3manager:latest \
 		--cache-to type=inline \

packages/system/bucket/images/s3manager/Dockerfile

@@ -1,11 +1,15 @@
 # Source: https://github.com/cloudlena/s3manager/blob/main/Dockerfile
 
 FROM docker.io/library/golang:1 AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+
 WORKDIR /usr/src/app
 RUN wget -O- https://github.com/cloudlena/s3manager/archive/9a7c8e446b422f8973b8c461990f39fdafee9c27.tar.gz | tar -xzf- --strip 1
 ADD cozystack.patch /
 RUN git apply /cozystack.patch
-RUN CGO_ENABLED=0 go build -ldflags="-s -w" -a -installsuffix cgo -o bin/s3manager
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -ldflags="-s -w" -a -installsuffix cgo -o bin/s3manager
 
 FROM docker.io/library/alpine:latest
 WORKDIR /usr/src/app

packages/system/bucket/values.yaml

@@ -1 +1 @@
-bucketName: ""
+bucketName: "cozystack"

packages/system/capi-operator/Makefile

@@ -1,11 +1,11 @@
 export NAME=capi-operator
 export NAMESPACE=cozy-cluster-api
+export REPO_NAME=capi-operator
+export REPO_URL=https://kubernetes-sigs.github.io/cluster-api-operator
+export CHART_NAME=cluster-api-operator 
+export CHART_VERSION=^0.19
 
 include ../../../scripts/package.mk
 
-update:
-	rm -rf charts
-	helm repo add capi-operator https://kubernetes-sigs.github.io/cluster-api-operator
-	helm repo update capi-operator
-	helm pull capi-operator/cluster-api-operator --untar --untardir charts
-	rm -rf charts/cluster-api-operator/charts
+update: clean capi-operator-update
+	rm -rf charts/cluster-api-operator/charts/

packages/system/capi-providers/templates/providers.yaml

@@ -5,7 +5,7 @@ metadata:
   name: cluster-api
 spec:
   # https://github.com/kubernetes-sigs/cluster-api
-  version: v1.10.0
+  version: v1.10.1
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: ControlPlaneProvider
@@ -13,7 +13,7 @@ metadata:
   name: kamaji
 spec:
   # https://github.com/clastix/cluster-api-control-plane-provider-kamaji
-  version: v0.14.2
+  version: v0.15.1
   deployment:
     containers:
     - name: manager
@@ -31,7 +31,7 @@ metadata:
   name: kubeadm
 spec:
   # https://github.com/kubernetes-sigs/cluster-api
-  version: v1.10.0
+  version: v1.10.1
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: InfrastructureProvider

packages/system/cilium/Makefile

@@ -18,6 +18,8 @@ update:
 image:
 	docker buildx build images/cilium \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)) \
 		--tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/cilium:latest \

packages/system/cozystack-api/Makefile

@@ -9,6 +9,8 @@ image: image-cozystack-api
 image-cozystack-api:
 	docker buildx build -f images/cozystack-api/Dockerfile ../../.. \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/cozystack-api:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/cozystack-api:latest \
 		--cache-to type=inline \

packages/system/cozystack-api/images/cozystack-api/Dockerfile

@@ -1,16 +1,19 @@
-FROM golang:1.23-alpine as builder
+FROM golang:1.23-alpine AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
 
 WORKDIR /workspace
 
 COPY go.mod go.sum ./
-RUN go mod download
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go mod download
 
 COPY api api/
 COPY pkg pkg/
 COPY cmd cmd/
 COPY internal internal/
 
-RUN CGO_ENABLED=0 go build -ldflags="-extldflags=-static" -o /cozystack-api cmd/cozystack-api/main.go
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -ldflags="-extldflags=-static" -o /cozystack-api cmd/cozystack-api/main.go
 
 FROM scratch
 

packages/system/cozystack-api/templates/api-ingress.yaml

@@ -0,0 +1,28 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- $exposeServices := splitList "," ((index $cozyConfig.data "expose-services") | default "") }}
+{{- $exposeIngress := index $cozyConfig.data "expose-ingress" | default "tenant-root" }}
+
+{{- if and (has "api" $exposeServices) }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+  name: kubernetes
+  namespace: default
+spec:
+  ingressClassName: {{ $exposeIngress }}
+  rules:
+  - host: api.{{ $host }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: kubernetes
+            port:
+              number: 443
+        path: /
+        pathType: Prefix
+{{- end }}

packages/system/cozystack-controller/images/cozystack-controller/Dockerfile

@@ -1,16 +1,19 @@
-FROM golang:1.23-alpine as builder
+FROM golang:1.23-alpine AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
 
 WORKDIR /workspace
 
 COPY go.mod go.sum ./
-RUN go mod download
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go mod download
 
 COPY api api/
 COPY pkg pkg/
 COPY cmd cmd/
 COPY internal internal/
 
-RUN CGO_ENABLED=0 go build -ldflags="-extldflags=-static" -o /cozystack-controller cmd/cozystack-controller/main.go
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -ldflags="-extldflags=-static" -o /cozystack-controller cmd/cozystack-controller/main.go
 
 FROM scratch
 

packages/system/dashboard/Makefile

@@ -17,7 +17,8 @@ update-chart:
 	patch --no-backup-if-mismatch charts/kubeapps/templates/frontend/configmap.yaml < patches/logos.patch
 
 update-dockerfiles:
-	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/vmware-tanzu/kubeapps  | awk -F'[/^]' 'END{print $$3}') && \
+	@echo Update dockerfiles manually
+	#tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/vmware-tanzu/kubeapps  | awk -F'[/^]' 'END{print $$3}') && \
 	wget https://github.com/vmware-tanzu/kubeapps/raw/$${tag}/cmd/kubeapps-apis/Dockerfile -O images/kubeapps-apis/Dockerfile && \
 	patch --no-backup-if-mismatch images/kubeapps-apis/Dockerfile < images/kubeapps-apis/dockerfile.diff && \
 	node_image=$$(wget -O- https://github.com/vmware-tanzu/kubeapps/raw/main/dashboard/Dockerfile | awk '/FROM bitnami\/node/ {print $$2}') && \
@@ -28,6 +29,8 @@ update-dockerfiles:
 image-dashboard: update-version
 	docker buildx build images/dashboard \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/dashboard:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/dashboard:latest \
 		--cache-to type=inline \
@@ -48,6 +51,8 @@ image-dashboard: update-version
 image-kubeapps-apis: update-version
 	docker buildx build images/kubeapps-apis \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/kubeapps-apis:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/kubeapps-apis:latest \
 		--cache-to type=inline \

packages/system/dashboard/images/kubeapps-apis/Dockerfile

@@ -3,7 +3,7 @@
 
 # syntax = docker/dockerfile:1
 
-FROM alpine as source
+FROM alpine AS source
 ARG COMMIT_REF=dd02680d796c962b8dcc4e5ea70960a846c1acdc
 RUN apk add --no-cache patch
 WORKDIR /source
@@ -12,8 +12,9 @@ RUN wget -O- https://github.com/cozystack/kubeapps/archive/${COMMIT_REF}.tar.gz
 FROM bitnami/golang:1.23.4 AS builder
 WORKDIR /go/src/github.com/vmware-tanzu/kubeapps
 COPY --from=source /source/go.mod /source/go.sum ./
-ARG VERSION="devel"
+ARG TARGETOS
 ARG TARGETARCH
+ARG VERSION="devel"
 
 # If true, run golangci-lint to detect issues
 ARG lint
@@ -29,10 +30,12 @@ ARG GRPC_HEALTH_PROBE_VERSION="0.4.34"
 
 # Install lint tools
 RUN if [ ! -z ${lint:-} ]; then \
-    go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$GOLANGCILINT_VERSION; \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$GOLANGCILINT_VERSION; \
     fi
 
-RUN curl -sSL "https://github.com/bufbuild/buf/releases/download/v$BUF_VERSION/buf-Linux-x86_64" -o "/tmp/buf" && chmod +x "/tmp/buf"
+RUN if [ $TARGETARCH = 'amd64' ]; then BUF_ARCH='x86_64'; elif [ $TARGETARCH = 'arm64' ]; then BUF_ARCH='aarch64'; fi && \
+    if [ $TARGETOS = 'linux' ]; then BUF_PLATFORM='Linux'; fi && \
+    curl -sSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-${BUF_PLATFORM}-${BUF_ARCH}" -o "/tmp/buf" && chmod +x "/tmp/buf"
 
 # TODO: Remove and instead use built-in gRPC container probes once we're supporting >= 1.24 only. https://kubernetes.io/blog/2022/05/13/grpc-probes-now-in-beta/
 RUN curl -sSL "https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/v${GRPC_HEALTH_PROBE_VERSION}/grpc_health_probe-linux-${TARGETARCH}" -o "/bin/grpc_health_probe" && chmod +x "/bin/grpc_health_probe"
@@ -41,7 +44,7 @@ RUN curl -sSL "https://github.com/grpc-ecosystem/grpc-health-probe/releases/down
 # https://github.com/golang/go/issues/27719#issuecomment-514747274
 RUN --mount=type=cache,target=/go/pkg/mod  \
     --mount=type=cache,target=/root/.cache/go-build \
-    GOPROXY="https://proxy.golang.org,direct" go mod download
+    GOOS=$TARGETOS GOARCH=$TARGETARCH GOPROXY="https://proxy.golang.org,direct" go mod download
 
 # We don't copy the pkg and cmd directories until here so the above layers can
 # be reused.
@@ -60,7 +63,7 @@ RUN /tmp/buf lint ./cmd/kubeapps-apis
 # Build the main grpc server
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
-    GOPROXY="https://proxy.golang.org,direct" \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH GOPROXY="https://proxy.golang.org,direct" \
     go build \
     -ldflags "-X github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/cmd.version=$VERSION" \
     ./cmd/kubeapps-apis
@@ -68,7 +71,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 ## Build 'fluxv2' plugin, version 'v1alpha1'
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
-    GOPROXY="https://proxy.golang.org,direct" \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH GOPROXY="https://proxy.golang.org,direct" \
     go build \
     -ldflags "-X github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/cmd.version=$VERSION" \
     -o /fluxv2-packages-v1alpha1-plugin.so -buildmode=plugin \
@@ -77,7 +80,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 ## Build 'helm' plugin, version 'v1alpha1'
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
-    GOPROXY="https://proxy.golang.org,direct" \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH GOPROXY="https://proxy.golang.org,direct" \
     go build \
     -ldflags "-X github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/cmd.version=$VERSION" \
     -o /helm-packages-v1alpha1-plugin.so -buildmode=plugin \
@@ -86,7 +89,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 ## Build 'resources' plugin, version 'v1alpha1'
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
-    GOPROXY="https://proxy.golang.org,direct" \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH GOPROXY="https://proxy.golang.org,direct" \
     go build \
     -ldflags "-X github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/cmd.version=$VERSION" \
     -o /resources-v1alpha1-plugin.so -buildmode=plugin \

packages/system/dashboard/templates/dashboard-ingress.yaml

@@ -1,19 +1,10 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- $exposeServices := splitList "," ((index $cozyConfig.data "expose-services") | default "") }}
+{{- $exposeIngress := index $cozyConfig.data "expose-ingress" | default "tenant-root" }}
 
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
-
-{{- $tenantRoot := dict }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "tenant-root" "tenant-root" }}
-{{- end }}
-{{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
-{{- $host = $tenantRoot.spec.values.host }}
-{{- else }}
-{{- end }}
-
-{{- if .Values.dashboard }}
+{{- if and (has "dashboard" $exposeServices) }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -21,16 +12,16 @@ metadata:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     {{- if eq $issuerType "cloudflare" }}
     {{- else }}
-    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
+    acme.cert-manager.io/http01-ingress-class: {{ $exposeIngress }}
+    {{- end }}
     nginx.ingress.kubernetes.io/proxy-body-size: 100m
     nginx.ingress.kubernetes.io/proxy-buffer-size: 100m
     nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
     nginx.ingress.kubernetes.io/client-max-body-size: 100m
-    {{- end }}
-  name: dashboard-{{ .Release.Namespace }}
+  name: dashboard
   namespace: cozy-dashboard
 spec:
-  ingressClassName: {{ .Release.Namespace }}
+  ingressClassName: {{ $exposeIngress }}
   rules:
   - host: dashboard.{{ $host }}
     http:
@@ -45,5 +36,5 @@ spec:
   tls:
   - hosts:
     - dashboard.{{ $host }}
-    secretName: dashboard-{{ .Release.Namespace }}-tls
+    secretName: dashboard-tls
 {{- end }}

packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml

@@ -8,7 +8,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.19.0
+appVersion: v0.20.0
 description: 'A Helm chart for deploying the Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.19.0
+version: 0.20.0

packages/system/fluxcd-operator/charts/flux-operator/README.md

@@ -1,6 +1,6 @@
 # flux-operator
 
-![Version: 0.19.0](https://img.shields.io/badge/Version-0.19.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.19.0](https://img.shields.io/badge/AppVersion-v0.19.0-informational?style=flat-square)
+![Version: 0.20.0](https://img.shields.io/badge/Version-0.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.20.0](https://img.shields.io/badge/AppVersion-v0.20.0-informational?style=flat-square)
 
 The [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator) provides a
 declarative API for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the

packages/system/fluxcd/charts/flux-instance/Chart.yaml

@@ -8,7 +8,7 @@ annotations:
     - name: Upstream Project
       url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.19.0
+appVersion: v0.20.0
 description: 'A Helm chart for deploying a Flux instance managed by Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.19.0
+version: 0.20.0

packages/system/fluxcd/charts/flux-instance/README.md

@@ -1,6 +1,6 @@
 # flux-instance
 
-![Version: 0.19.0](https://img.shields.io/badge/Version-0.19.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.19.0](https://img.shields.io/badge/AppVersion-v0.19.0-informational?style=flat-square)
+![Version: 0.20.0](https://img.shields.io/badge/Version-0.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.20.0](https://img.shields.io/badge/AppVersion-v0.20.0-informational?style=flat-square)
 
 This chart is a thin wrapper around the `FluxInstance` custom resource, which is
 used by the [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator)

packages/system/fluxcd/values.yaml

@@ -4,6 +4,7 @@ flux-instance:
       networkPolicy: true
       domain: cozy.local # -- default value is overriden in patches
     distribution:
+      artifact: ""
       version: 2.5.x
       registry: ghcr.io/fluxcd
     components:

packages/system/ingress-nginx/values.yaml

@@ -10,8 +10,9 @@ ingress-nginx:
     allowSnippetAnnotations: true
     replicaCount: 2
     admissionWebhooks:
+      enabled: true
       certManager:
-        enabled: true
+        enabled: false
     metrics:
       enabled: true
     extraContainers:

packages/system/kamaji/Makefile

@@ -14,6 +14,8 @@ update:
 image:
 	docker buildx build images/kamaji \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/kamaji:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/kamaji:latest \
 		--cache-to type=inline \

packages/system/kamaji/charts/kamaji/crds/kamaji.clastix.io_datastores.yaml

@@ -120,6 +120,9 @@ spec:
                     - PostgreSQL
                     - NATS
                   type: string
+                  x-kubernetes-validations:
+                    - message: Datastore driver is immutable
+                      rule: self == oldSelf
                 endpoints:
                   description: |-
                     List of the endpoints to connect to the shared datastore.
@@ -263,6 +266,21 @@ spec:
                 - driver
                 - endpoints
               type: object
+              x-kubernetes-validations:
+                - message: certificateAuthority privateKey must have secretReference or content when driver is etcd
+                  rule: '(self.driver == "etcd") ? (self.tlsConfig != null && (has(self.tlsConfig.certificateAuthority.privateKey.secretReference) || has(self.tlsConfig.certificateAuthority.privateKey.content))) : true'
+                - message: clientCertificate must have secretReference or content when driver is etcd
+                  rule: '(self.driver == "etcd") ? (self.tlsConfig != null && (has(self.tlsConfig.clientCertificate.certificate.secretReference) || has(self.tlsConfig.clientCertificate.certificate.content))) : true'
+                - message: clientCertificate privateKey must have secretReference or content when driver is etcd
+                  rule: '(self.driver == "etcd") ? (self.tlsConfig != null && (has(self.tlsConfig.clientCertificate.privateKey.secretReference) || has(self.tlsConfig.clientCertificate.privateKey.content))) : true'
+                - message: When driver is not etcd and tlsConfig exists, clientCertificate must be null or contain valid content
+                  rule: '(self.driver != "etcd" && has(self.tlsConfig) && has(self.tlsConfig.clientCertificate)) ? (((has(self.tlsConfig.clientCertificate.certificate.secretReference) || has(self.tlsConfig.clientCertificate.certificate.content)))) : true'
+                - message: When driver is not etcd and basicAuth exists, username must have secretReference or content
+                  rule: '(self.driver != "etcd" && has(self.basicAuth)) ? ((has(self.basicAuth.username.secretReference) || has(self.basicAuth.username.content))) : true'
+                - message: When driver is not etcd and basicAuth exists, password must have secretReference or content
+                  rule: '(self.driver != "etcd" && has(self.basicAuth)) ? ((has(self.basicAuth.password.secretReference) || has(self.basicAuth.password.content))) : true'
+                - message: When driver is not etcd, either tlsConfig or basicAuth must be provided
+                  rule: '(self.driver != "etcd") ? (has(self.tlsConfig) || has(self.basicAuth)) : true'
             status:
               description: DataStoreStatus defines the observed state of DataStore.
               properties:

packages/system/kamaji/charts/kamaji/crds/kamaji.clastix.io_tenantcontrolplanes.yaml

@@ -427,7 +427,7 @@ spec:
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -447,7 +447,7 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -696,6 +696,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: |-
@@ -1792,7 +1798,7 @@ spec:
                                   Values defined by an Env with a duplicate key will take precedence.
                                   Cannot be updated.
                                 items:
-                                  description: EnvFromSource represents the source of a set of ConfigMaps
+                                  description: EnvFromSource represents the source of a set of ConfigMaps or Secrets
                                   properties:
                                     configMapRef:
                                       description: The ConfigMap to select from
@@ -1812,7 +1818,7 @@ spec:
                                       type: object
                                       x-kubernetes-map-type: atomic
                                     prefix:
-                                      description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+                                      description: Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER.
                                       type: string
                                     secretRef:
                                       description: The Secret to select from
@@ -2061,6 +2067,12 @@ spec:
                                           - port
                                         type: object
                                     type: object
+                                  stopSignal:
+                                    description: |-
+                                      StopSignal defines which signal will be sent to a container when it is being stopped.
+                                      If not specified, the default is defined by the container runtime in use.
+                                      StopSignal can only be set for Pods with a non-empty .spec.os.name
+                                    type: string
                                 type: object
                               livenessProbe:
                                 description: |-
@@ -4087,7 +4099,7 @@ spec:
                                   The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
                                   The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
                                   The volume will be mounted read-only (ro) and non-executable files (noexec).
-                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+                                  Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
                                   The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
                                 properties:
                                   pullPolicy:
@@ -5173,7 +5185,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                               Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -5188,7 +5199,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                               Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -5349,7 +5359,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -5364,7 +5373,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -5518,7 +5526,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                               Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -5533,7 +5540,6 @@ spec:
                                               pod labels will be ignored. The default value is empty.
                                               The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                               Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                              This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                             items:
                                               type: string
                                             type: array
@@ -5694,7 +5700,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                           Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -5709,7 +5714,6 @@ spec:
                                           pod labels will be ignored. The default value is empty.
                                           The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                           Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                          This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                         items:
                                           type: string
                                         type: array
@@ -6339,7 +6343,6 @@ spec:
                                   - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
 
                                   If this value is nil, the behavior is equivalent to the Honor policy.
-                                  This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
                               nodeTaintsPolicy:
                                 description: |-
@@ -6350,7 +6353,6 @@ spec:
                                   - Ignore: node taints are ignored. All nodes are included.
 
                                   If this value is nil, the behavior is equivalent to the Ignore policy.
-                                  This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
                                 type: string
                               topologyKey:
                                 description: |-
@@ -7071,7 +7073,7 @@ spec:
                       description: KubernetesDeploymentStatus defines the status for the Tenant Control Plane Deployment in the management cluster.
                       properties:
                         availableReplicas:
-                          description: Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+                          description: Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.
                           format: int32
                           type: integer
                         collisionCount:
@@ -7129,16 +7131,24 @@ spec:
                           format: int64
                           type: integer
                         readyReplicas:
-                          description: readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
+                          description: Total number of non-terminating pods targeted by this Deployment with a Ready Condition.
                           format: int32
                           type: integer
                         replicas:
-                          description: Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+                          description: Total number of non-terminating pods targeted by this deployment (their labels match the selector).
                           format: int32
                           type: integer
                         selector:
                           description: Selector is the label selector used to group the Tenant Control Plane Pods used by the scale subresource.
                           type: string
+                        terminatingReplicas:
+                          description: |-
+                            Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
+                            .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
+
+                            This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+                          format: int32
+                          type: integer
                         unavailableReplicas:
                           description: |-
                             Total number of unavailable pods targeted by this deployment. This is the total number of
@@ -7147,7 +7157,7 @@ spec:
                           format: int32
                           type: integer
                         updatedReplicas:
-                          description: Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+                          description: Total number of non-terminating pods targeted by this deployment that have the desired template spec.
                           format: int32
                           type: integer
                       required:
@@ -7379,6 +7389,7 @@ spec:
                             - Migrating
                             - Ready
                             - NotReady
+                            - Sleeping
                           type: string
                         version:
                           description: Version is the running Kubernetes version of the Tenant Control Plane.

packages/system/kamaji/charts/kamaji/templates/controller.yaml

@@ -19,10 +19,6 @@ spec:
       labels:
         {{- include "kamaji.selectorLabels" . | nindent 8 }}
     spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ include "kamaji.serviceAccountName" . }}

packages/system/kamaji/charts/kamaji/templates/rbac.yaml

@@ -9,6 +9,10 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   namespace: {{ .Release.Namespace }}
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

packages/system/kamaji/images/kamaji/Dockerfile

@@ -1,8 +1,9 @@
 # Build the manager binary
-FROM golang:1.23 as builder
+FROM golang:1.24 as builder
 
 ARG VERSION=edge-25.3.2
-ARG TARGETOS TARGETARCH
+ARG TARGETOS
+ARG TARGETARCH
 
 WORKDIR /workspace
 
@@ -11,7 +12,7 @@ RUN curl -sSL https://github.com/clastix/kamaji/archive/refs/tags/${VERSION}.tar
 COPY patches /patches
 RUN git apply /patches/*.diff
 
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build \
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build \
     -ldflags "-X github.com/clastix/kamaji/internal.GitRepo=$GIT_REPO -X github.com/clastix/kamaji/internal.GitTag=$GIT_LAST_TAG -X github.com/clastix/kamaji/internal.GitCommit=$GIT_HEAD_COMMIT -X github.com/clastix/kamaji/internal.GitDirty=$GIT_MODIFIED -X github.com/clastix/kamaji/internal.BuildTime=$BUILD_DATE" \
     -a -o kamaji main.go
 
@@ -22,4 +23,4 @@ WORKDIR /
 COPY --from=builder /workspace/kamaji .
 USER 65532:65532
 
-ENTRYPOINT ["/kamaji"]
+ENTRYPOINT ["/kamaji"]

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.31.0-rc.1@sha256:3ae6f1b2e42dcb9dcfbf8213029eb731197ccdbf27fdc30539d975caf32184d4
+    tag: latest@sha256:f6a33408df8d3c4223005392bcd8bae9d8c02fd73e2540bbaa911dedb7880ea8
     repository: ghcr.io/cozystack/cozystack/kamaji
   resources:
     limits:

packages/system/keycloak-configure/templates/configure-kk.yaml

@@ -4,15 +4,6 @@
 {{- $rootSaConfigMap := lookup "v1" "ConfigMap" "kube-system" "kube-root-ca.crt" }}
 {{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc }}
 
-{{- $tenantRoot := dict }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "tenant-root" "tenant-root" }}
-{{- end }}
-{{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
-{{- $host = $tenantRoot.spec.values.host }}
-{{- else }}
-{{- end }}
-
 {{- $existingK8sSecret := lookup "v1" "Secret" .Release.Namespace "k8s-client" }}
 {{- $existingKubeappsSecret := lookup "v1" "Secret" .Release.Namespace "kubeapps-client" }}
 {{- $existingAuthConfig := lookup "v1" "Secret" "cozy-dashboard" "kubeapps-auth-config" }}

packages/system/keycloak/templates/ingress.yaml

@@ -1,18 +1,7 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $host := index $cozyConfig.data "root-host" }}
 {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
-
-{{- $rootns := lookup "v1" "Namespace" "" "tenant-root" }}
-{{- $ingress := index $rootns.metadata.annotations "namespace.cozystack.io/ingress" }}
-
-{{- $tenantRoot := dict }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "tenant-root" "tenant-root" }}
-{{- end }}
-{{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
-{{- $host = $tenantRoot.spec.values.host }}
-{{- else }}
-{{- end }}
+{{- $exposeIngress := index $cozyConfig.data "expose-ingress" | default "tenant-root" }}
 
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -21,13 +10,13 @@ metadata:
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- if ne $issuerType "cloudflare" }}
-    acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
+    acme.cert-manager.io/http01-ingress-class: {{ $exposeIngress }}
     {{- end }}
     cert-manager.io/cluster-issuer: letsencrypt-prod
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  ingressClassName: {{ $ingress }}
+  ingressClassName: {{ $exposeIngress }}
   tls:
   - hosts:
       - keycloak.{{ $host }}

packages/system/keycloak/templates/sts.yaml

@@ -7,15 +7,6 @@
   {{- $password = index $existingPassword.data "password" | b64dec }}
 {{- end }}
 
-{{- $tenantRoot := dict }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "tenant-root" "tenant-root" }}
-{{- end }}
-{{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
-{{- $host = $tenantRoot.spec.values.host }}
-{{- else }}
-{{- end }}
-
 apiVersion: v1
 kind: Secret
 metadata:

packages/system/kubeovn-webhook/Makefile

@@ -7,6 +7,8 @@ include ../../../scripts/package.mk
 image:
 	docker buildx build images/kubeovn-webhook \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/kubeovn-webhook:$(call settag,$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/kubeovn-webhook:latest \
 		--cache-to type=inline \

packages/system/kubeovn-webhook/images/kubeovn-webhook/Dockerfile

@@ -1,11 +1,14 @@
-FROM golang:1.23 as builder
+FROM golang:1.23 AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
 
 WORKDIR /app
 COPY go.mod go.sum ./
-RUN go mod download
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go mod download
 
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux go build -o webhook .
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -o webhook .
 
 FROM alpine:3.21.3
 WORKDIR /app

packages/system/kubeovn/Makefile

@@ -19,6 +19,8 @@ update:
 image:
 	docker buildx build images/kubeovn \
 		--provenance false \
+		--builder=$(BUILDER) \
+		--platform=$(PLATFORM) \
 		--tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)) \
 		--tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/kubeovn:latest \

packages/system/kubevirt-cdi/templates/cdi-uploadproxy-ingress.yaml

@@ -0,0 +1,29 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- $exposeServices := splitList "," ((index $cozyConfig.data "expose-services") | default "") }}
+{{- $exposeIngress := index $cozyConfig.data "expose-ingress" | default "tenant-root" }}
+
+
+{{- if and (has "cdi-uploadproxy" $exposeServices) }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+  name: cdi-uploadproxy
+  namespace: cozy-kubevirt-cdi
+spec:
+  ingressClassName: {{ $exposeIngress }}
+  rules:
+  - host: cdi-uploadproxy.{{ $host }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: cdi-uploadproxy
+            port:
+              number: 443
+        path: /
+        pathType: Prefix
+{{- end }}

packages/system/kubevirt/templates/vm-exportproxy-ingress.yaml

@@ -0,0 +1,28 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- $exposeServices := splitList "," ((index $cozyConfig.data "expose-services") | default "") }}
+{{- $exposeIngress := index $cozyConfig.data "expose-ingress" | default "tenant-root" }}
+
+{{- if and (has "vm-exportproxy" $exposeServices) }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+  name: vm-exportproxy
+  namespace: cozy-kubevirt
+spec:
+  ingressClassName: {{ $exposeIngress }}
+  rules:
+  - host: vm-exportproxy.{{ $host }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: vm-exportproxy
+            port:
+              number: 443
+        path: /
+        pathType: ImplementationSpecific
+{{- end }}

packages/system/metallb/Makefile

@@ -1,6 +1,7 @@
 export NAME=metallb
 export NAMESPACE=cozy-$(NAME)
 
+include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 update:
@@ -9,3 +10,25 @@ update:
 	helm repo update metallb
 	helm pull metallb/metallb --untar --untardir charts
 	rm -rf charts/metallb/charts/frr-k8s
+
+image-controller image-speaker:
+	$(eval TARGET := $(subst image-,,$@))
+	$(eval VERSION := $(shell yq '.appVersion' charts/metallb/Chart.yaml))
+	docker buildx build images/metallb \
+		--provenance false \
+		--target $(TARGET) \
+		--build-arg VERSION=$(VERSION) \
+		--tag $(REGISTRY)/metallb-$(TARGET):$(VERSION) \
+		--cache-from type=registry,ref=$(REGISTRY)/metallb-$(TARGET):latest \
+		--cache-to type=inline \
+		--metadata-file images/$(TARGET).json \
+		--push=$(PUSH) \
+		--label "org.opencontainers.image.source=https://github.com/cozystack/cozystack"
+		--load=1
+	REPOSITORY="$(REGISTRY)/metallb-$(TARGET)" \
+		yq -i '.metallb.$(TARGET).image.repository = strenv(REPOSITORY)' values.yaml
+	TAG=$(VERSION)@$$(yq e '."containerimage.digest"' images/$(TARGET).json -o json -r) \
+		yq -i '.metallb.$(TARGET).image.tag = strenv(TAG)' values.yaml
+	rm -f images/$(TARGET).json
+
+image: image-controller image-speaker

packages/system/metallb/charts/metallb/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: crds
   repository: ""
-  version: 0.14.8
+  version: 0.14.9
 - name: frr-k8s
   repository: https://metallb.github.io/frr-k8s
-  version: 0.0.14
-digest: sha256:8dff488902a5b504a491bbd1a9ab0983a877ff214e163ed74106c73c939a9aa3
-generated: "2024-07-23T15:22:40.589621+03:00"
+  version: 0.0.16
+digest: sha256:20d9a53af12c82d35168e7524ae337341b2c7cb43e2169545185f750a718466e
+generated: "2024-12-17T15:39:32.082324414+01:00"

packages/system/metallb/charts/metallb/Chart.yaml

@@ -1,14 +1,14 @@
 apiVersion: v2
-appVersion: v0.14.8
+appVersion: v0.14.9
 dependencies:
 - condition: crds.enabled
   name: crds
   repository: ""
-  version: 0.14.8
+  version: 0.14.9
 - condition: frrk8s.enabled
   name: frr-k8s
   repository: https://metallb.github.io/frr-k8s
-  version: 0.0.14
+  version: 0.0.16
 description: A network load-balancer implementation for Kubernetes using standard
   routing protocols
 home: https://metallb.universe.tf
@@ -18,4 +18,4 @@ name: metallb
 sources:
 - https://github.com/metallb/metallb
 type: application
-version: 0.14.8
+version: 0.14.9

packages/system/metallb/charts/metallb/README.md

@@ -17,7 +17,7 @@ Kubernetes: `>= 1.19.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
 |  | crds | 0.0.0 |
-| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.14 |
+| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.16 |
 
 ## Values
 
@@ -79,17 +79,17 @@ Kubernetes: `>= 1.19.0-0`
 | prometheus.podMonitor.relabelings | list | `[]` |  |
 | prometheus.prometheusRule.additionalLabels | object | `{}` |  |
 | prometheus.prometheusRule.addressPoolExhausted.enabled | bool | `true` |  |
-| prometheus.prometheusRule.addressPoolExhausted.labels.severity | string | `"alert"` |  |
+| prometheus.prometheusRule.addressPoolExhausted.labels.severity | string | `"critical"` |  |
 | prometheus.prometheusRule.addressPoolUsage.enabled | bool | `true` |  |
 | prometheus.prometheusRule.addressPoolUsage.thresholds[0].labels.severity | string | `"warning"` |  |
 | prometheus.prometheusRule.addressPoolUsage.thresholds[0].percent | int | `75` |  |
 | prometheus.prometheusRule.addressPoolUsage.thresholds[1].labels.severity | string | `"warning"` |  |
 | prometheus.prometheusRule.addressPoolUsage.thresholds[1].percent | int | `85` |  |
-| prometheus.prometheusRule.addressPoolUsage.thresholds[2].labels.severity | string | `"alert"` |  |
+| prometheus.prometheusRule.addressPoolUsage.thresholds[2].labels.severity | string | `"critical"` |  |
 | prometheus.prometheusRule.addressPoolUsage.thresholds[2].percent | int | `95` |  |
 | prometheus.prometheusRule.annotations | object | `{}` |  |
 | prometheus.prometheusRule.bgpSessionDown.enabled | bool | `true` |  |
-| prometheus.prometheusRule.bgpSessionDown.labels.severity | string | `"alert"` |  |
+| prometheus.prometheusRule.bgpSessionDown.labels.severity | string | `"critical"` |  |
 | prometheus.prometheusRule.configNotLoaded.enabled | bool | `true` |  |
 | prometheus.prometheusRule.configNotLoaded.labels.severity | string | `"warning"` |  |
 | prometheus.prometheusRule.enabled | bool | `false` |  |

packages/system/metallb/charts/metallb/charts/crds/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.14.8
+appVersion: v0.14.9
 description: MetalLB CRDs
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -7,4 +7,4 @@ name: crds
 sources:
 - https://github.com/metallb/metallb
 type: application
-version: 0.14.8
+version: 0.14.9

packages/system/metallb/charts/metallb/charts/crds/templates/crds.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.3
   name: bfdprofiles.metallb.io
 spec:
   group: metallb.io
@@ -123,7 +123,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.3
   name: bgpadvertisements.metallb.io
 spec:
   group: metallb.io
@@ -329,7 +329,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.3
   name: bgppeers.metallb.io
 spec:
   conversion:
@@ -365,6 +365,8 @@ spec:
         - jsonPath: .spec.ebgpMultiHop
           name: Multi Hops
           type: string
+      deprecated: true
+      deprecationWarning: v1beta1 is deprecated, please use v1beta2
       name: v1beta1
       schema:
         openAPIV3Schema:
@@ -526,15 +528,26 @@ spec:
                   default: false
                   description: To set if we want to disable MP BGP that will separate IPv4 and IPv6 route exchanges into distinct BGP sessions.
                   type: boolean
+                dynamicASN:
+                  description: |-
+                    DynamicASN detects the AS number to use for the remote end of the session
+                    without explicitly setting it via the ASN field. Limited to:
+                    internal - if the neighbor's ASN is different than MyASN connection is denied.
+                    external - if the neighbor's ASN is the same as MyASN the connection is denied.
+                    ASN and DynamicASN are mutually exclusive and one of them must be specified.
+                  enum:
+                    - internal
+                    - external
+                  type: string
                 ebgpMultiHop:
                   description: To set if the BGPPeer is multi-hops away. Needed for FRR mode only.
                   type: boolean
                 enableGracefulRestart:
                   description: |-
-                    EnableGracefulRestart allows BGP peer to continue to forward data packets along
-                    known routes while the routing protocol information is being restored.
-                    This field is immutable because it requires restart of the BGP session
-                    Supported for FRR mode only.
+                    EnableGracefulRestart allows BGP peer to continue to forward data packets
+                    along known routes while the routing protocol information is being
+                    restored. This field is immutable because it requires restart of the BGP
+                    session. Supported for FRR mode only.
                   type: boolean
                   x-kubernetes-validations:
                     - message: EnableGracefulRestart cannot be changed after creation
@@ -622,7 +635,9 @@ spec:
                   type: object
                   x-kubernetes-map-type: atomic
                 peerASN:
-                  description: AS number to expect from the remote end of the session.
+                  description: |-
+                    AS number to expect from the remote end of the session.
+                    ASN and DynamicASN are mutually exclusive and one of them must be specified.
                   format: int32
                   maximum: 4294967295
                   minimum: 0
@@ -649,7 +664,6 @@ spec:
                   type: string
               required:
                 - myASN
-                - peerASN
                 - peerAddress
               type: object
             status:
@@ -665,7 +679,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.3
   name: communities.metallb.io
 spec:
   group: metallb.io
@@ -730,7 +744,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.3
   name: ipaddresspools.metallb.io
 spec:
   group: metallb.io
@@ -940,7 +954,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.3
   name: l2advertisements.metallb.io
 spec:
   group: metallb.io
@@ -1120,7 +1134,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.3
   name: servicel2statuses.metallb.io
 spec:
   group: metallb.io

packages/system/metallb/charts/metallb/templates/controller.yaml

@@ -84,7 +84,7 @@ spec:
         - name: METALLB_DEPLOYMENT
           value: {{ template "metallb.fullname" . }}-controller
         {{- end }}
-        {{- if .Values.speaker.frr.enabled }}
+        {{- if and .Values.speaker.enabled .Values.speaker.frr.enabled }}
         - name: METALLB_BGP_TYPE
           value: frr
         {{- end }}

packages/system/metallb/charts/metallb/templates/podmonitor.yaml

@@ -36,6 +36,7 @@ spec:
     relabelings:
 {{- toYaml .Values.prometheus.podMonitor.relabelings | nindent 4 }}
 {{- end }}
+{{- if .Values.speaker.enabled }}
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
@@ -74,6 +75,7 @@ spec:
     relabelings:
 {{- toYaml .Values.prometheus.podMonitor.relabelings | nindent 4 }}
 {{- end }}
+{{- end }}
 ---
 {{- if .Values.prometheus.rbacPrometheus }}
 apiVersion: rbac.authorization.k8s.io/v1

packages/system/metallb/charts/metallb/templates/prometheusrules.yaml

@@ -19,8 +19,8 @@ spec:
     {{- if .Values.prometheus.prometheusRule.staleConfig.enabled }}
     - alert: MetalLBStaleConfig
       annotations:
-        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
-          }} has a stale config for > 1 minute'`}}
+        summary: {{`'Stale config on {{ $labels.pod }}'`}}
+        description: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod }} has a stale config for > 1 minute'`}}
       expr: metallb_k8s_client_config_stale_bool{job=~"{{ template "metallb.fullname" . }}.*"} == 1
       for: 1m
       {{- with .Values.prometheus.prometheusRule.staleConfig.labels }}
@@ -31,8 +31,8 @@ spec:
     {{- if .Values.prometheus.prometheusRule.configNotLoaded.enabled }}
     - alert: MetalLBConfigNotLoaded
       annotations:
-        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
-          }} has not loaded for > 1 minute'`}}
+        summary: {{`'Config on {{ $labels.pod }} has not been loaded'`}}
+        description: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod }} has not loaded for > 1 minute'`}}
       expr: metallb_k8s_client_config_loaded_bool{job=~"{{ template "metallb.fullname" . }}.*"} == 0
       for: 1m
       {{- with .Values.prometheus.prometheusRule.configNotLoaded.labels }}
@@ -43,8 +43,8 @@ spec:
     {{- if .Values.prometheus.prometheusRule.addressPoolExhausted.enabled }}
     - alert: MetalLBAddressPoolExhausted
       annotations:
-        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
-          }} has exhausted address pool {{ $labels.pool }} for > 1 minute'`}}
+        summary: {{`'Exhausted address pool on {{ $labels.pod }}'`}}
+        description: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod }} has exhausted address pool {{ $labels.pool }} for > 1 minute'`}}
       expr: metallb_allocator_addresses_in_use_total >= on(pool) metallb_allocator_addresses_total
       for: 1m
       {{- with .Values.prometheus.prometheusRule.addressPoolExhausted.labels }}
@@ -57,8 +57,8 @@ spec:
     {{- range .Values.prometheus.prometheusRule.addressPoolUsage.thresholds }}
     - alert: MetalLBAddressPoolUsage{{ .percent }}Percent
       annotations:
-        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
-          }} has address pool {{ $labels.pool }} past `}}{{ .percent }}{{`% usage for > 1 minute'`}}
+        summary: {{`'Exhausted address pool on {{ $labels.pod }}'`}}
+        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod }} has address pool {{ $labels.pool }} past `}}{{ .percent }}{{`% usage for > 1 minute'`}}
       expr: ( metallb_allocator_addresses_in_use_total / on(pool) metallb_allocator_addresses_total ) * 100 > {{ .percent }}
       {{- with .labels }}
       labels:
@@ -69,8 +69,8 @@ spec:
     {{- if .Values.prometheus.prometheusRule.bgpSessionDown.enabled }}
     - alert: MetalLBBGPSessionDown
       annotations:
-        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
-          }} has BGP session {{ $labels.peer }} down for > 1 minute'`}}
+        summary:  {{`'BGP session down on {{ $labels.pod }}'`}}
+        message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod }} has BGP session {{ $labels.peer }} down for > 1 minute'`}}
       expr: metallb_bgp_session_up{job=~"{{ template "metallb.fullname" . }}.*"} == 0
       for: 1m
       {{- with .Values.prometheus.prometheusRule.bgpSessionDown.labels }}

packages/system/metallb/charts/metallb/templates/rbac.yaml

@@ -19,11 +19,11 @@ rules:
   resources: ["events"]
   verbs: ["create", "patch"]
 - apiGroups: ["admissionregistration.k8s.io"]
-  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+  resources: ["validatingwebhookconfigurations"]
   resourceNames: ["metallb-webhook-configuration"]
   verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 - apiGroups: ["admissionregistration.k8s.io"]
-  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+  resources: ["validatingwebhookconfigurations"]
   verbs: ["list", "watch"]
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
@@ -41,6 +41,7 @@ rules:
   resources: ["subjectaccessreviews"]
   verbs: ["create"]
 {{- end }}
+{{- if .Values.speaker.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -72,7 +73,7 @@ rules:
 {{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
 - apiGroups: ["frrk8s.metallb.io"]
   resources: ["frrconfigurations"]
-  verbs: ["get", "list", "watch","create","update"]
+  verbs: ["get", "list", "watch","create","update","delete"]
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -109,6 +110,7 @@ rules:
 - apiGroups: ["metallb.io"]
   resources: ["communities"]
   verbs: ["get", "list", "watch"]
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -117,7 +119,7 @@ metadata:
   namespace: {{ .Release.Namespace | quote }}
   labels: {{- include "metallb.labels" . | nindent 4 }}
 rules:
-{{- if .Values.speaker.memberlist.enabled }}
+{{- if and .Values.speaker.enabled .Values.speaker.memberlist.enabled }}
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["create", "get", "list", "watch"]
@@ -166,6 +168,7 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: {{ template "metallb.fullname" . }}:controller
+{{- if .Values.speaker.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -195,6 +198,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "metallb.speaker.serviceAccountName" . }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

packages/system/metallb/charts/metallb/templates/service-accounts.yaml

@@ -13,7 +13,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
-{{- if .Values.speaker.serviceAccount.create }}
+{{- if and .Values.speaker.enabled .Values.speaker.serviceAccount.create }}
 ---
 apiVersion: v1
 kind: ServiceAccount

packages/system/metallb/charts/metallb/templates/servicemonitor.yaml

@@ -1,4 +1,9 @@
+{{- if and .Values.prometheus.serviceMonitor.enabled .Values.prometheus.podMonitor.enabled }}
+{{- fail "prometheus.serviceMonitor.enabled and prometheus.podMonitor.enabled cannot both be set" }}
+{{- end }}
+
 {{- if .Values.prometheus.serviceMonitor.enabled }}
+{{- if .Values.speaker.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -89,6 +94,7 @@ spec:
 {{- end }}
   sessionAffinity: None
   type: ClusterIP
+{{- end }}
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
@@ -97,7 +103,6 @@ metadata:
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "metallb.labels" . | nindent 4 }}
-    app.kubernetes.io/component: speaker
     {{- if .Values.prometheus.serviceMonitor.controller.additionalLabels }}
 {{ toYaml .Values.prometheus.serviceMonitor.controller.additionalLabels | indent 4 }}
     {{- end }}

packages/system/metallb/charts/metallb/values.yaml

@@ -42,7 +42,7 @@ prometheus:
   # certificate to be used.
   controllerMetricsTLSSecret: ""
 
-  # prometheus doens't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
+  # prometheus doesn't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
   rbacPrometheus: true
 
   # the service account used by prometheus
@@ -64,7 +64,7 @@ prometheus:
     # enable support for Prometheus Operator
     enabled: false
 
-    # optional additionnal labels for podMonitors
+    # optional additional labels for podMonitors
     additionalLabels: {}
 
     # optional annotations for podMonitors
@@ -143,7 +143,7 @@ prometheus:
     # enable alertmanager alerts
     enabled: false
 
-    # optional additionnal labels for prometheusRules
+    # optional additional labels for prometheusRules
     additionalLabels: {}
 
     # optional annotations for prometheusRules
@@ -165,7 +165,7 @@ prometheus:
     addressPoolExhausted:
       enabled: true
       labels:
-        severity: alert
+        severity: critical
 
     addressPoolUsage:
       enabled: true
@@ -178,13 +178,13 @@ prometheus:
             severity: warning
         - percent: 95
           labels:
-            severity: alert
+            severity: critical
 
     # MetalLBBGPSessionDown
     bgpSessionDown:
       enabled: true
       labels:
-        severity: alert
+        severity: critical
 
     extraAlerts: []
 

packages/system/metallb/images/metallb/Dockerfile

@@ -0,0 +1,87 @@
+# syntax=docker/dockerfile:1.2
+
+FROM --platform=$BUILDPLATFORM docker.io/golang:1.22.7 AS builder
+
+ARG VERSION
+ARG GIT_COMMIT=dev
+ARG GIT_BRANCH=dev
+ARG TARGETARCH
+ARG TARGETOS
+ARG TARGETPLATFORM
+
+WORKDIR /go/go.universe.tf/metallb
+
+RUN --mount=type=cache,target=/go/pkg/mod \
+    curl -sSL https://github.com/metallb/metallb/archive/refs/tags/${VERSION}.tar.gz \
+    | tar -xzvf- --strip=1 
+
+RUN curl -sSLO https://github.com/metallb/metallb/pull/2726.diff && \
+    git apply 2726.diff
+
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go mod download -x
+
+RUN case ${TARGETPLATFORM} in \
+    "linux/arm/v6") export VARIANT="6" ;; \
+    "linux/arm/v7") export VARIANT="7" ;; \
+    *) export VARIANT="" ;; \
+    esac && \
+    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH GOARM=$VARIANT \
+    go build -v -o /build/controller \
+    -ldflags "-X 'go.universe.tf/metallb/internal/version.gitCommit=${GIT_COMMIT}' \
+      -X 'go.universe.tf/metallb/internal/version.gitBranch=${GIT_BRANCH}'" \
+    ./controller \
+    && \
+    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH GOARM=$VARIANT \
+    go build -v -o /build/frr-metrics \
+    -ldflags "-X 'go.universe.tf/metallb/internal/version.gitCommit=${GIT_COMMIT}' \
+      -X 'go.universe.tf/metallb/internal/version.gitBranch=${GIT_BRANCH}'" \
+    frr-tools/metrics/exporter.go \
+    && \
+    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH GOARM=$VARIANT \
+    go build -v -o /build/cp-tool \
+    -ldflags "-X 'go.universe.tf/metallb/internal/version.gitCommit=${GIT_COMMIT}' \
+      -X 'go.universe.tf/metallb/internal/version.gitBranch=${GIT_BRANCH}'" \
+    frr-tools/cp-tool/cp-tool.go \
+    && \
+    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH GOARM=$VARIANT \
+    go build -v -o /build/speaker \
+    -ldflags "-X 'go.universe.tf/metallb/internal/version.gitCommit=${GIT_COMMIT}' \
+      -X 'go.universe.tf/metallb/internal/version.gitBranch=${GIT_BRANCH}'" \
+    ./speaker
+
+FROM gcr.io/distroless/static:latest as controller
+
+COPY --from=builder /build/controller /controller
+
+LABEL org.opencontainers.image.authors="metallb" \
+    org.opencontainers.image.url="https://github.com/metallb/metallb" \
+    org.opencontainers.image.documentation="https://metallb.universe.tf" \
+    org.opencontainers.image.source="https://github.com/cozystack/cozystack" \
+    org.opencontainers.image.vendor="metallb" \
+    org.opencontainers.image.licenses="Apache-2.0" \
+    org.opencontainers.image.description="Metallb Controller" \
+    org.opencontainers.image.title="controller" \
+    org.opencontainers.image.base.name="gcr.io/distroless/static:latest"
+
+ENTRYPOINT ["/controller"]
+
+FROM gcr.io/distroless/static:latest as speaker
+
+COPY --from=builder /build/cp-tool /cp-tool
+COPY --from=builder /build/speaker /speaker
+COPY --from=builder /build/frr-metrics /frr-metrics
+COPY --from=builder /go/go.universe.tf/metallb/frr-tools/reloader/frr-reloader.sh /frr-reloader.sh
+
+LABEL org.opencontainers.image.authors="metallb" \
+  org.opencontainers.image.url="https://github.com/metallb/metallb" \
+  org.opencontainers.image.documentation="https://metallb.universe.tf" \
+  org.opencontainers.image.source="https://github.com/cozystack/cozystack" \
+  org.opencontainers.image.vendor="metallb" \
+  org.opencontainers.image.licenses="Apache-2.0" \
+  org.opencontainers.image.description="Metallb speaker" \
+  org.opencontainers.image.title="speaker" \
+  org.opencontainers.image.base.name="gcr.io/distroless/static:latest"
+
+ENTRYPOINT ["/speaker"]

packages/system/metallb/values.yaml

@@ -2,5 +2,12 @@ metallb:
   crds:
     enabled: true
 
-  #speaker:
-  #  tolerateMaster: false
+  controller:
+    image:
+      repository: ghcr.io/cozystack/cozystack/metallb/controller
+      tag: v0.14.9@sha256:c86418d1072d6037341d731917d11a2f281fb17559d5bb650962512f9894fd50
+
+  speaker:
+    image:
+      repository: ghcr.io/cozystack/cozystack/metallb/speaker
+      tag: v0.14.9@sha256:60fddc8fd6c125180186db31990993b4ebea5023ad410bf08ca9537a956e8279

scripts/migrations/12

@@ -0,0 +1,35 @@
+#!/bin/sh
+# Migration 12 --> 13
+
+# Copy configuration from ingress to cozystack configmap
+if kubectl get hr -n tenant-root tenant-root > /dev/null; then
+  expose_services=$(
+    kubectl get hr -n tenant-root ingress -o go-template='{{ with .spec }}{{ with .values }}{{ if .dashboard  }}dashboard,{{ end }}{{ if .cdiUploadProxy }}cdi-uploadproxy,{{ end }}{{ if .virtExportProxy }}vm-exportproxy,{{ end }}{{ end }}{{ end }}'
+  )
+  expose_services=$(echo "$expose_services" | awk '{sub(/,$/,""); print}')
+  
+  expose_external_ips=$(
+    kubectl get hr -n tenant-root ingress -o go-template='{{ with .spec }}{{ with .values }}{{ if .externalIPs  }}{{ range .externalIPs }}{{ . }},{{ end }}{{ end }}{{ end }}{{ end }}'
+  )
+  expose_external_ips=$(echo "$expose_external_ips" | awk '{sub(/,$/,""); print}')
+
+  existing_expose_external_ips=$(kubectl get cm -n cozy-system cozystack -o go-template='{{ index .data "expose-external-ips" }}')
+  existing_expose_services=$(kubectl get cm -n cozy-system cozystack -o go-template='{{ index .data "expose-services" }}')
+
+  if [ "$existing_expose_external_ips" == "<no value>" ]; then
+    kubectl patch cm -n cozy-system cozystack --type merge -p="{\"data\":{\"expose-external-ips\":\"$expose_external_ips\"}}"
+  fi
+
+  if [ "$existing_expose_services" == "<no value>" ]; then
+    kubectl patch cm -n cozy-system cozystack --type merge -p="{\"data\":{\"expose-services\":\"$expose_services\"}}"
+  fi
+
+  kubectl patch hr -n tenant-root ingress --type json -p='[{"op": "remove", "path": "/spec/values/dashboard"}]' || true
+  kubectl patch hr -n tenant-root ingress --type json -p='[{"op": "remove", "path": "/spec/values/cdiUploadProxy"}]' || true
+  kubectl patch hr -n tenant-root ingress --type json -p='[{"op": "remove", "path": "/spec/values/virtExportProxy"}]' || true
+  kubectl patch hr -n tenant-root ingress --type json -p='[{"op": "remove", "path": "/spec/values/externalIPs"}]' || true
+  kubectl patch hr -n tenant-root ingress --type merge -p='{"spec":{"chart":{"spec":{"version":"1.6.0"}}}}'
+fi
+
+# Write version to cozystack-version config
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=13 --dry-run=client -o yaml | kubectl apply -f-

scripts/package.mk

@@ -29,3 +29,11 @@ delete: check suspend ## Delete Helm release from a Kubernetes cluster
 check:
 	@if [ -z "$(NAME)" ]; then echo "env NAME is not set!" >&2; exit 1; fi
 	@if [ -z "$(NAMESPACE)" ]; then echo "env NAMESPACE is not set!" >&2; exit 1; fi
+
+clean:
+	rm -rf charts/
+
+%-update:
+	helm repo add $(REPO_NAME) $(REPO_URL)
+	helm repo update $(REPO_NAME)
+	helm pull $(REPO_NAME)/$(CHART_NAME) --untar --untardir charts --version "$(CHART_VERSION)"