[kubernetes] Fixed k8s<1.32 creation (#2209)

<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does

This PR adds version specific ubuntu base images to fix errors when base
image has new deb packages of kubeadm and kubelet installed, but at
runtime it was downgraded by replacing just binaries. Now update by
replacing binaries works as intended - latest patch version of minor
version used.

Core issue was in kubeadm<1.32 expecting conntrack binary in its
preflight checks but it was not found. It happened because kubelet deb
package dropped conntrack dependency since 1.32 (actually it absent in
1.31.14 too).
So now status of supported tenant k8s versions is:
- 1.30 - works because kubelet package provided conntrack, also
conntrack preflight check ignored (see 1.31).
- 1.31 - works because conntrack preflight check ignored (for some
reason kubelet 1.31.14 did't provide conntrack dependency, unlike
1.31.13 did).
- \>=1.32 - works because conntrack preflight check removed from
`kubeadm init` entirely.

Conntrack preflight check ignoring is legit for tenant kubernetes
clusters because until 1.32 it was used in kube-proxy but cozystack k8s
approach doesn't use kube-proxy (replaced with cilium).

Issue with conntrack may be mitigated with only `ignorePreflightErrors`,
but I think proper base image build will help to avoid similar bugs in
future.

### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[kubernetes] Fixed tenant k8s older than 1.32 creation by adding version specific ubuntu base images
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **New Features**
* Added multi-version Kubernetes support with version-specific container
images.
* Enhanced compatibility with newer Kubernetes releases, including
version 1.31.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

packages/apps/harbor/templates/httproute.yaml

@@ -1,75 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
-{{- $gateway := .Values._namespace.gateway | default "" }}
-{{- $host := .Values._namespace.host }}
-{{- $harborHost := .Values.host | default (printf "%s.%s" .Release.Name $host) }}
-
-{{- if and (eq $gatewayAPI "true") (ne $gateway "") }}
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: {{ .Release.Name }}-harbor
-  annotations:
-    cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
-spec:
-  gatewayClassName: cilium
-  infrastructure:
-    labels:
-      cozystack.io/gateway: {{ $gateway }}
-  listeners:
-  - name: http
-    protocol: HTTP
-    port: 80
-    hostname: {{ $harborHost | quote }}
-    allowedRoutes:
-      namespaces:
-        from: Same
-  - name: https
-    protocol: HTTPS
-    port: 443
-    hostname: {{ $harborHost | quote }}
-    tls:
-      mode: Terminate
-      certificateRefs:
-      - name: {{ .Release.Name }}-harbor-gateway-tls
-    allowedRoutes:
-      namespaces:
-        from: Same
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: {{ .Release.Name }}-harbor-redirect-to-https
-spec:
-  parentRefs:
-  - name: {{ .Release.Name }}-harbor
-    sectionName: http
-  hostnames:
-  - {{ $harborHost | quote }}
-  rules:
-  - filters:
-    - type: RequestRedirect
-      requestRedirect:
-        scheme: https
-        statusCode: 301
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: {{ .Release.Name }}-harbor
-spec:
-  parentRefs:
-  - name: {{ .Release.Name }}-harbor
-    sectionName: https
-  hostnames:
-  - {{ $harborHost | quote }}
-  rules:
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /
-    backendRefs:
-    - name: {{ .Release.Name }}
-      port: 80
-{{- end }}

packages/apps/kubernetes/Makefile

@@ -1,4 +1,4 @@
-KUBERNETES_VERSION = v1.35
+KUBERNETES_VERSIONS = $(shell awk -F'"' '{print $$2}' files/versions.yaml)
 KUBERNETES_PKG_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
 
 include ../../../hack/common-envs.mk
@@ -15,17 +15,19 @@ update:
 image: image-ubuntu-container-disk image-kubevirt-cloud-provider image-kubevirt-csi-driver image-cluster-autoscaler
 
 image-ubuntu-container-disk:
-	docker buildx build images/ubuntu-container-disk \
-		--build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \
-		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(KUBERNETES_VERSION)) \
-		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(KUBERNETES_VERSION)-$(TAG)) \
-		--cache-from type=registry,ref=$(REGISTRY)/ubuntu-container-disk:latest \
-		--cache-to type=inline \
-		--metadata-file images/ubuntu-container-disk.json \
-		$(BUILDX_ARGS)
-	echo "$(REGISTRY)/ubuntu-container-disk:$(call settag,$(KUBERNETES_VERSION))@$$(yq e '."containerimage.digest"' images/ubuntu-container-disk.json -o json -r)" \
-		> images/ubuntu-container-disk.tag
-	rm -f images/ubuntu-container-disk.json
+	$(foreach ver,$(KUBERNETES_VERSIONS), \
+		docker buildx build images/ubuntu-container-disk \
+			--build-arg KUBERNETES_VERSION=$(ver) \
+			--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(ver)) \
+			--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(ver)-$(TAG)) \
+			--cache-from type=registry,ref=$(REGISTRY)/ubuntu-container-disk:$(call settag,$(ver)) \
+			--cache-to type=inline \
+			--metadata-file images/ubuntu-container-disk-$(ver).json \
+			$(BUILDX_ARGS) && \
+		echo "$(REGISTRY)/ubuntu-container-disk:$(call settag,$(ver))@$$(yq e '."containerimage.digest"' images/ubuntu-container-disk-$(ver).json -o json -r)" \
+			> images/ubuntu-container-disk-$(ver).tag && \
+		rm -f images/ubuntu-container-disk-$(ver).json; \
+	)
 
 image-kubevirt-cloud-provider:
 	docker buildx build images/kubevirt-cloud-provider \

packages/apps/kubernetes/images/ubuntu-container-disk-v1.30.tag

@@ -0,0 +1 @@
+ttl.sh/rjfkdsjflsk/ubuntu-container-disk:v1.30@sha256:8c2276f68beb67edf5bf76d6c97b271dd9303b336e1d5850ae2b91a590c9bb57

packages/apps/kubernetes/images/ubuntu-container-disk-v1.31.tag

@@ -0,0 +1 @@
+ttl.sh/rjfkdsjflsk/ubuntu-container-disk:v1.31@sha256:2b631cd227bc9b1bae16de033830e756cd6590b512dc0d2b13367ee626f3e4ca

packages/apps/kubernetes/images/ubuntu-container-disk-v1.32.tag

@@ -0,0 +1 @@
+ttl.sh/rjfkdsjflsk/ubuntu-container-disk:v1.32@sha256:600d6ce7df4eaa8cc79c7d6d1b01ecac43e7696beb84eafce752d9210a16455f

packages/apps/kubernetes/images/ubuntu-container-disk-v1.33.tag

@@ -0,0 +1 @@
+ttl.sh/rjfkdsjflsk/ubuntu-container-disk:v1.33@sha256:243e55d6f2887a4f6ce8526de52fd083b7b88194d5c7f3eaa51b87efb557ac88

packages/apps/kubernetes/images/ubuntu-container-disk-v1.34.tag

@@ -0,0 +1 @@
+ttl.sh/rjfkdsjflsk/ubuntu-container-disk:v1.34@sha256:ad8377d5644ba51729dc69dff4c9f6b4a48957075d054a58c61a45d0bb41f6af

packages/apps/kubernetes/images/ubuntu-container-disk-v1.35.tag

@@ -0,0 +1 @@
+ttl.sh/rjfkdsjflsk/ubuntu-container-disk:v1.35@sha256:1c2f2430383a9b9882358c60c194465c1b6092b4aa77536a0343cf74155c0067

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +0,0 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.35@sha256:39f626c802dd84f95720ffb54fcd80dfb8a58ac280498870d0a1aa30d4252f94

packages/apps/kubernetes/templates/cluster.yaml

@@ -74,7 +74,7 @@ spec:
           volumes:
           - name: system
             containerDisk:
-              image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}"
+              image: "{{ $.Files.Get (printf "images/ubuntu-container-disk-%s.tag" $.Values.version) | trim }}"
           - name: ephemeral
             emptyDisk:
               capacity: {{ .group.ephemeralStorage | default "20Gi" }}
@@ -249,6 +249,9 @@ spec:
       joinConfiguration:
         nodeRegistration:
           kubeletExtraArgs: {}
+          # Ignore this for 1.31
+          ignorePreflightErrors:
+          - FileExisting-conntrack
         discovery:
           bootstrapToken:
             apiServerEndpoint: {{ $.Release.Name }}.{{ $.Release.Namespace }}.svc:6443

packages/apps/tenant/README.md

@@ -80,7 +80,6 @@ tenant-u1
 | `etcd`           | Deploy own Etcd cluster.                                                                                                   | `bool`                | `false` |
 | `monitoring`     | Deploy own Monitoring Stack.                                                                                               | `bool`                | `false` |
 | `ingress`        | Deploy own Ingress Controller.                                                                                             | `bool`                | `false` |
-| `gateway`        | Deploy own Gateway API gateway (separate LB for this tenant).                                                              | `bool`                | `false` |
 | `seaweedfs`      | Deploy own SeaweedFS.                                                                                                      | `bool`                | `false` |
 | `resourceQuotas` | Define resource quotas for the tenant.                                                                                     | `map[string]quantity` | `{}`    |
 

packages/apps/tenant/templates/namespace.yaml

@@ -29,11 +29,6 @@
 {{- $ingress = $tenantName }}
 {{- end }}
 
-{{- $gateway := $parentNamespace.gateway | default "" }}
-{{- if .Values.gateway }}
-{{- $gateway = $tenantName }}
-{{- end }}
-
 {{- $monitoring := $parentNamespace.monitoring | default "" }}
 {{- if .Values.monitoring }}
 {{- $monitoring = $tenantName }}
@@ -60,7 +55,6 @@ metadata:
     {{/* Labels for network policies */}}
     namespace.cozystack.io/etcd: {{ $etcd | quote }}
     namespace.cozystack.io/ingress: {{ $ingress | quote }}
-    namespace.cozystack.io/gateway: {{ $gateway | quote }}
     namespace.cozystack.io/monitoring: {{ $monitoring | quote }}
     namespace.cozystack.io/seaweedfs: {{ $seaweedfs | quote }}
     namespace.cozystack.io/host: {{ $computedHost | quote }}
@@ -89,7 +83,6 @@ stringData:
     _namespace:
       etcd: {{ $etcd | quote }}
       ingress: {{ $ingress | quote }}
-      gateway: {{ $gateway | quote }}
       monitoring: {{ $monitoring | quote }}
       seaweedfs: {{ $seaweedfs | quote }}
       host: {{ $computedHost | quote }}

packages/apps/tenant/values.schema.json

@@ -7,11 +7,6 @@
       "type": "boolean",
       "default": false
     },
-    "gateway": {
-      "description": "Deploy own Gateway API gateway (separate LB for this tenant).",
-      "type": "boolean",
-      "default": false
-    },
     "host": {
       "description": "The hostname used to access tenant services (defaults to using the tenant name as a subdomain for its parent tenant host).",
       "type": "string",

packages/apps/tenant/values.yaml

@@ -14,9 +14,6 @@ monitoring: false
 ## @param {bool} ingress - Deploy own Ingress Controller.
 ingress: false
 
-## @param {bool} gateway - Deploy own Gateway API gateway (separate LB for this tenant).
-gateway: false
-
 ## @param {bool} seaweedfs - Deploy own SeaweedFS.
 seaweedfs: false
 

packages/core/platform/sources/cozystack-gateway.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: cozystack.io/v1alpha1
-kind: PackageSource
-metadata:
-  name: cozystack.cozystack-gateway
-spec:
-  sourceRef:
-    kind: OCIRepository
-    name: cozystack-packages
-    namespace: cozy-system
-    path: /
-  variants:
-  - name: default
-    dependsOn:
-    - cozystack.networking
-    - cozystack.cert-manager
-    components:
-    - name: cozystack-gateway
-      path: system/cozystack-gateway
-      install:
-        namespace: cozy-gateway
-        releaseName: cozystack-gateway

packages/core/platform/sources/cozystack-scheduler.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: PackageSource
+metadata:
+  name: cozystack.cozystack-scheduler
+spec:
+  sourceRef:
+    kind: OCIRepository
+    name: cozystack-packages
+    namespace: cozy-system
+    path: /
+  variants:
+  - name: default
+    components:
+    - name: cozystack-scheduler
+      path: system/cozystack-scheduler
+      install:
+        namespace: kube-system
+        releaseName: cozystack-scheduler

packages/core/platform/sources/networking.yaml

@@ -15,12 +15,6 @@ spec:
   - name: cilium
     dependsOn: []
     components:
-    - name: gateway-api-crds
-      path: system/gateway-api-crds
-      install:
-        namespace: cozy-gateway-api-crds
-        releaseName: gateway-api-crds
-        dependsOn: []
     - name: cilium
       path: system/cilium
       valuesFiles:
@@ -30,8 +24,7 @@ spec:
         privileged: true
         namespace: cozy-cilium
         releaseName: cilium
-        dependsOn:
-        - gateway-api-crds
+        dependsOn: []
     - name: cilium-networkpolicy
       path: system/cilium-networkpolicy
       install:
@@ -43,12 +36,6 @@ spec:
   - name: cilium-kilo
     dependsOn: []
     components:
-    - name: gateway-api-crds
-      path: system/gateway-api-crds
-      install:
-        namespace: cozy-gateway-api-crds
-        releaseName: gateway-api-crds
-        dependsOn: []
     - name: cilium
       path: system/cilium
       valuesFiles:
@@ -59,8 +46,7 @@ spec:
         privileged: true
         namespace: cozy-cilium
         releaseName: cilium
-        dependsOn:
-        - gateway-api-crds
+        dependsOn: []
     - name: kilo
       path: system/kilo
       valuesFiles:
@@ -76,12 +62,6 @@ spec:
   - name: cilium-generic
     dependsOn: []
     components:
-    - name: gateway-api-crds
-      path: system/gateway-api-crds
-      install:
-        namespace: cozy-gateway-api-crds
-        releaseName: gateway-api-crds
-        dependsOn: []
     - name: cilium
       path: system/cilium
       valuesFiles:
@@ -90,8 +70,7 @@ spec:
         privileged: true
         namespace: cozy-cilium
         releaseName: cilium
-        dependsOn:
-        - gateway-api-crds
+        dependsOn: []
     - name: cilium-networkpolicy
       path: system/cilium-networkpolicy
       install:
@@ -103,12 +82,6 @@ spec:
   - name: kubeovn-cilium
     dependsOn: []
     components:
-    - name: gateway-api-crds
-      path: system/gateway-api-crds
-      install:
-        namespace: cozy-gateway-api-crds
-        releaseName: gateway-api-crds
-        dependsOn: []
     - name: cilium
       path: system/cilium
       valuesFiles:
@@ -119,8 +92,7 @@ spec:
         privileged: true
         namespace: cozy-cilium
         releaseName: cilium
-        dependsOn:
-        - gateway-api-crds
+        dependsOn: []
     - name: cilium-networkpolicy
       path: system/cilium-networkpolicy
       install:
@@ -141,12 +113,6 @@ spec:
   - name: kubeovn-cilium-generic
     dependsOn: []
     components:
-    - name: gateway-api-crds
-      path: system/gateway-api-crds
-      install:
-        namespace: cozy-gateway-api-crds
-        releaseName: gateway-api-crds
-        dependsOn: []
     - name: cilium
       path: system/cilium
       valuesFiles:
@@ -156,8 +122,7 @@ spec:
         privileged: true
         namespace: cozy-cilium
         releaseName: cilium
-        dependsOn:
-        - gateway-api-crds
+        dependsOn: []
     - name: cilium-networkpolicy
       path: system/cilium-networkpolicy
       install:

packages/core/platform/templates/apps.yaml

@@ -39,13 +39,6 @@ stringData:
       scheduling:
         {{- . | toYaml | nindent 8 }}
       {{- end }}
-      gateway-api: {{ .Values.gateway.gatewayAPI | quote }}
-      gateway-name: {{ .Values.gateway.name | quote }}
-      gateway-namespace: {{ .Values.gateway.namespace | quote }}
-      {{- with .Values.publishing.hostnames }}
-      hostnames:
-        {{- . | toYaml | nindent 8 }}
-      {{- end }}
       {{- with $kubeRootCa.data }}
       kube-root-ca: {{ index . "ca.crt" | b64enc | quote }}
       {{- end }}

packages/core/platform/templates/bundles/system.yaml

@@ -16,14 +16,10 @@
 {{- $kubeovnValues := dict "kube-ovn" $kubeovnDict -}}
 {{- $_ := set $networkingComponents "kubeovn" (dict "values" $kubeovnValues) -}}
 {{- /* For Talos (isp-full): use KubePrism endpoint and disable cgroup autoMount */ -}}
-{{- $ciliumDict := dict
+{{- $ciliumValues := dict "cilium" (dict
   "k8sServiceHost" "localhost"
   "k8sServicePort" "7445"
-  "cgroup" (dict "autoMount" (dict "enabled" false)) -}}
-{{- if .Values.gateway.gatewayAPI -}}
-{{- $_ := set $ciliumDict "gatewayAPI" (dict "enabled" true) -}}
-{{- end -}}
-{{- $ciliumValues := dict "cilium" $ciliumDict -}}
+  "cgroup" (dict "autoMount" (dict "enabled" false))) -}}
 {{- $_ := set $networkingComponents "cilium" (dict "values" $ciliumValues) -}}
 {{- end -}}
 {{include "cozystack.platform.package" (list "cozystack.networking" "kubeovn-cilium" $ $networkingComponents) }}
@@ -87,14 +83,10 @@
 {{- $kubeovnValues := dict "kube-ovn" $kubeovnDict -}}
 {{- $_ := set $networkingComponents "kubeovn" (dict "values" $kubeovnValues) -}}
 {{- /* Cilium configuration - for generic k8s, always enable cgroup autoMount */ -}}
-{{- $ciliumDict := dict
+{{- $ciliumValues := dict "cilium" (dict
   "k8sServiceHost" $apiHost
   "k8sServicePort" $apiPort
-  "cgroup" (dict "autoMount" (dict "enabled" true)) -}}
-{{- if .Values.gateway.gatewayAPI -}}
-{{- $_ := set $ciliumDict "gatewayAPI" (dict "enabled" true) -}}
-{{- end -}}
-{{- $ciliumValues := dict "cilium" $ciliumDict -}}
+  "cgroup" (dict "autoMount" (dict "enabled" true))) -}}
 {{- $_ := set $networkingComponents "cilium" (dict "values" $ciliumValues) -}}
 {{- end -}}
 {{- /* Use kubeovn-cilium-generic variant (no values-talos.yaml) */ -}}
@@ -126,15 +118,7 @@
 {{- end }}
 
 # Common Packages
-{{- $certManagerComponents := dict -}}
-{{- if .Values.gateway.gatewayAPI -}}
-{{- $certManagerValues := dict "cert-manager" (dict "config" (dict "enableGatewayAPI" true)) -}}
-{{- $_ := set $certManagerComponents "cert-manager" (dict "values" $certManagerValues) -}}
-{{- end -}}
-{{include "cozystack.platform.package" (list "cozystack.cert-manager" "default" $ $certManagerComponents) }}
-{{- if .Values.gateway.gatewayAPI }}
-{{include "cozystack.platform.package.default" (list "cozystack.cozystack-gateway" $) }}
-{{- end }}
+{{include "cozystack.platform.package.default" (list "cozystack.cert-manager" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.flux-plunger" $) }}
 {{include "cozystack.platform.package.default" (list "cozystack.victoria-metrics-operator" $) }}
 {{- $tenantComponents := dict -}}
@@ -164,16 +148,7 @@
 # Optional System Packages (controlled via bundles.enabledPackages)
 {{include "cozystack.platform.package.optional.default" (list "cozystack.nfs-driver" $) }}
 {{include "cozystack.platform.package.optional.default" (list "cozystack.telepresence" $) }}
-{{- $externalDnsComponents := dict -}}
-{{- if .Values.gateway.gatewayAPI -}}
-{{- $externalDnsValues := dict "external-dns" (dict "sources" (list "service" "ingress" "gateway-httproute")) -}}
-{{- $_ := set $externalDnsComponents "external-dns" (dict "values" $externalDnsValues) -}}
-{{- end -}}
-{{- $disabled := default (list) .Values.bundles.disabledPackages -}}
-{{- $enabled := default (list) .Values.bundles.enabledPackages -}}
-{{- if and (has "cozystack.external-dns" $enabled) (not (has "cozystack.external-dns" $disabled)) -}}
-{{include "cozystack.platform.package" (list "cozystack.external-dns" "default" $ $externalDnsComponents) }}
-{{- end }}
+{{include "cozystack.platform.package.optional.default" (list "cozystack.external-dns" $) }}
 {{include "cozystack.platform.package.optional.default" (list "cozystack.external-dns-application" $) }}
 {{include "cozystack.platform.package.optional.default" (list "cozystack.external-secrets-operator" $) }}
 {{- if has "cozystack.bootbox" (default (list) .Values.bundles.enabledPackages) }}
@@ -181,5 +156,6 @@
 {{include "cozystack.platform.package.default" (list "cozystack.bootbox" $) }}
 {{- end }}
 {{include "cozystack.platform.package.optional.default" (list "cozystack.hetzner-robotlb" $) }}
+{{include "cozystack.platform.package.optional.default" (list "cozystack.cozystack-scheduler" $) }}
 
 {{- end }}

packages/core/platform/values.yaml

@@ -34,16 +34,6 @@ networking:
   # Set this to comma-separated list of master node IPs to override.
   kubeovn:
     MASTER_NODES: ""
-# Gateway configuration
-# ingress and gatewayAPI can be enabled independently;
-# future work will wire gateway.ingress into ingress controller selection
-gateway:
-  ingress: true
-  gatewayAPI: false
-  # Gateway name and namespace for system-level Gateway resource
-  # Components reference this Gateway via parentRefs
-  name: cozystack
-  namespace: cozy-gateway
 # Service publishing and ingress configuration
 publishing:
   host: "example.org"
@@ -53,15 +43,6 @@ publishing:
     - dashboard
     - vm-exportproxy
     - cdi-uploadproxy
-  # Hostname overrides for system services
-  # By default, hostname = {service-name}.{host}
-  # Override individual hostnames when the convention doesn't fit
-  #
-  # Example:
-  # hostnames:
-  #   keycloak: "auth.example.org"
-  #   dashboard: "panel.example.org"
-  hostnames: {}
   apiServerEndpoint: "" # example: "https://api.example.org"
   externalIPs: []
   certificates:

packages/extra/bootbox/templates/matchbox/httproute.yaml

@@ -1,75 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
-{{- $gateway := .Values._namespace.gateway | default "" }}
-{{- $host := .Values._namespace.host }}
-{{- $bootboxHost := printf "bootbox.%s" (.Values.host | default $host) }}
-
-{{- if and (eq $gatewayAPI "true") (ne $gateway "") }}
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: bootbox
-  annotations:
-    cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
-spec:
-  gatewayClassName: cilium
-  infrastructure:
-    labels:
-      cozystack.io/gateway: {{ $gateway }}
-  listeners:
-  - name: http
-    protocol: HTTP
-    port: 80
-    hostname: {{ $bootboxHost | quote }}
-    allowedRoutes:
-      namespaces:
-        from: Same
-  - name: https
-    protocol: HTTPS
-    port: 443
-    hostname: {{ $bootboxHost | quote }}
-    tls:
-      mode: Terminate
-      certificateRefs:
-      - name: bootbox-gateway-tls
-    allowedRoutes:
-      namespaces:
-        from: Same
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: bootbox-redirect-to-https
-spec:
-  parentRefs:
-  - name: bootbox
-    sectionName: http
-  hostnames:
-  - {{ $bootboxHost | quote }}
-  rules:
-  - filters:
-    - type: RequestRedirect
-      requestRedirect:
-        scheme: https
-        statusCode: 301
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: bootbox
-spec:
-  parentRefs:
-  - name: bootbox
-    sectionName: https
-  hostnames:
-  - {{ $bootboxHost | quote }}
-  rules:
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /
-    backendRefs:
-    - name: bootbox
-      port: 8080
-{{- end }}

packages/extra/seaweedfs/templates/tlsroute.yaml

@@ -1,41 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $gateway := .Values._namespace.gateway | default "" }}
-{{- $host := .Values._namespace.host }}
-
-{{- if and (eq $gatewayAPI "true") (ne $gateway "") (not (eq .Values.topology "Client")) (.Values.filer.grpcHost) }}
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: seaweedfs-filer
-spec:
-  gatewayClassName: cilium
-  infrastructure:
-    labels:
-      cozystack.io/gateway: {{ $gateway }}
-  listeners:
-  - name: tls-passthrough
-    protocol: TLS
-    port: 443
-    hostname: {{ .Values.filer.grpcHost | default (printf "filer.%s" $host) | quote }}
-    tls:
-      mode: Passthrough
-    allowedRoutes:
-      namespaces:
-        from: Same
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: TLSRoute
-metadata:
-  name: seaweedfs-filer
-spec:
-  parentRefs:
-  - name: seaweedfs-filer
-    sectionName: tls-passthrough
-  hostnames:
-  - {{ .Values.filer.grpcHost | default (printf "filer.%s" $host) | quote }}
-  rules:
-  - backendRefs:
-    - name: {{ $.Release.Name }}-filer-external
-      port: 18888
-{{- end }}

packages/system/bucket/templates/httproute.yaml

@@ -1,75 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
-{{- $gateway := .Values._namespace.gateway | default "" }}
-{{- $host := .Values._namespace.host }}
-{{- $bucketHost := printf "%s.%s" .Values.bucketName $host }}
-
-{{- if and (eq $gatewayAPI "true") (ne $gateway "") }}
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: {{ .Values.bucketName }}-ui
-  annotations:
-    cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
-spec:
-  gatewayClassName: cilium
-  infrastructure:
-    labels:
-      cozystack.io/gateway: {{ $gateway }}
-  listeners:
-  - name: http
-    protocol: HTTP
-    port: 80
-    hostname: {{ $bucketHost | quote }}
-    allowedRoutes:
-      namespaces:
-        from: Same
-  - name: https
-    protocol: HTTPS
-    port: 443
-    hostname: {{ $bucketHost | quote }}
-    tls:
-      mode: Terminate
-      certificateRefs:
-      - name: {{ .Values.bucketName }}-ui-gateway-tls
-    allowedRoutes:
-      namespaces:
-        from: Same
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: {{ .Values.bucketName }}-ui-redirect-to-https
-spec:
-  parentRefs:
-  - name: {{ .Values.bucketName }}-ui
-    sectionName: http
-  hostnames:
-  - {{ $bucketHost | quote }}
-  rules:
-  - filters:
-    - type: RequestRedirect
-      requestRedirect:
-        scheme: https
-        statusCode: 301
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: {{ .Values.bucketName }}-ui
-spec:
-  parentRefs:
-  - name: {{ .Values.bucketName }}-ui
-    sectionName: https
-  hostnames:
-  - {{ $bucketHost | quote }}
-  rules:
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /
-    backendRefs:
-    - name: {{ .Values.bucketName }}-ui
-      port: 8080
-{{- end }}

packages/system/cert-manager/values.yaml

@@ -1 +0,0 @@
-cert-manager: {}

packages/system/cozystack-api/templates/api-tlsroute.yaml

@@ -1,25 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $host := index .Values._cluster "root-host" }}
-{{- $hostnames := .Values._cluster.hostnames | default dict }}
-{{- $exposeServices := splitList "," ((index .Values._cluster "expose-services") | default "") }}
-{{- $gatewayName := (index .Values._cluster "gateway-name") | default "cozystack" }}
-{{- $gatewayNamespace := (index .Values._cluster "gateway-namespace") | default "cozy-gateway" }}
-
-{{- if and (eq $gatewayAPI "true") (has "api" $exposeServices) }}
-apiVersion: gateway.networking.k8s.io/v1
-kind: TLSRoute
-metadata:
-  name: kubernetes-api
-  namespace: default
-spec:
-  parentRefs:
-  - name: {{ $gatewayName }}
-    namespace: {{ $gatewayNamespace }}
-    sectionName: tls-passthrough-api
-  hostnames:
-  - {{ index $hostnames "api" | default (printf "api.%s" $host) | quote }}
-  rules:
-  - backendRefs:
-    - name: kubernetes
-      port: 443
-{{- end }}

packages/system/cozystack-basics/templates/cozystack-values-secret.yaml

@@ -16,6 +16,5 @@ stringData:
       host: {{ index .Values._cluster "root-host" | quote }}
       etcd: tenant-root
       ingress: tenant-root
-      gateway: tenant-root
       monitoring: tenant-root
       seaweedfs: tenant-root

packages/system/cozystack-gateway/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-name: cozy-cozystack-gateway
-version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/cozystack-gateway/templates/gateway.yaml

@@ -1,99 +0,0 @@
-{{- $rootHost := index .Values._cluster "root-host" }}
-{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
-{{- $exposeServices := splitList "," ((index .Values._cluster "expose-services") | default "") }}
-{{- $oidcEnabled := (index .Values._cluster "oidc-enabled") | default "false" }}
-{{- $hostnames := .Values._cluster.hostnames | default dict }}
-{{- $gatewayName := (index .Values._cluster "gateway-name") | default "cozystack" }}
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: {{ $gatewayName }}
-  annotations:
-    cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
-spec:
-  gatewayClassName: cilium
-  infrastructure:
-    labels:
-      cozystack.io/gateway: tenant-root
-  listeners:
-  - name: http
-    protocol: HTTP
-    port: 80
-    allowedRoutes:
-      namespaces:
-        from: All
-  {{- if has "dashboard" $exposeServices }}
-  - name: https-dashboard
-    protocol: HTTPS
-    port: 443
-    hostname: {{ index $hostnames "dashboard" | default (printf "dashboard.%s" $rootHost) | quote }}
-    tls:
-      mode: Terminate
-      certificateRefs:
-      - name: gateway-dashboard-tls
-    allowedRoutes:
-      namespaces:
-        from: All
-  {{- end }}
-  {{- if eq $oidcEnabled "true" }}
-  - name: https-keycloak
-    protocol: HTTPS
-    port: 443
-    hostname: {{ index $hostnames "keycloak" | default (printf "keycloak.%s" $rootHost) | quote }}
-    tls:
-      mode: Terminate
-      certificateRefs:
-      - name: gateway-keycloak-tls
-    allowedRoutes:
-      namespaces:
-        from: All
-  {{- end }}
-  {{- if has "api" $exposeServices }}
-  - name: tls-passthrough-api
-    protocol: TLS
-    port: 443
-    hostname: {{ index $hostnames "api" | default (printf "api.%s" $rootHost) | quote }}
-    tls:
-      mode: Passthrough
-    allowedRoutes:
-      namespaces:
-        from: All
-  {{- end }}
-  {{- if has "vm-exportproxy" $exposeServices }}
-  - name: tls-passthrough-vm-exportproxy
-    protocol: TLS
-    port: 443
-    hostname: {{ index $hostnames "vm-exportproxy" | default (printf "vm-exportproxy.%s" $rootHost) | quote }}
-    tls:
-      mode: Passthrough
-    allowedRoutes:
-      namespaces:
-        from: All
-  {{- end }}
-  {{- if has "cdi-uploadproxy" $exposeServices }}
-  - name: tls-passthrough-cdi-uploadproxy
-    protocol: TLS
-    port: 443
-    hostname: {{ index $hostnames "cdi-uploadproxy" | default (printf "cdi-uploadproxy.%s" $rootHost) | quote }}
-    tls:
-      mode: Passthrough
-    allowedRoutes:
-      namespaces:
-        from: All
-  {{- end }}
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: {{ $gatewayName }}-redirect-to-https
-spec:
-  parentRefs:
-  - name: {{ $gatewayName }}
-    sectionName: http
-  rules:
-  - filters:
-    - type: RequestRedirect
-      requestRedirect:
-        scheme: https
-        statusCode: 301

packages/system/cozystack-gateway/values.yaml

@@ -1 +0,0 @@
-_cluster: {}

packages/system/cozystack-scheduler/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-cozystack-scheduler
+version: 0.1.0

packages/system/cozystack-scheduler/Makefile

@@ -0,0 +1,10 @@
+export NAME=cozystack-scheduler
+export NAMESPACE=kube-system
+
+include ../../../hack/package.mk
+
+update:
+	rm -rf crds templates values.yaml Chart.yaml
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/cozystack/cozystack-scheduler | awk -F'[/^]' 'END{print $$3}') && \
+	curl -sSL https://github.com/cozystack/cozystack-scheduler/archive/refs/tags/$${tag}.tar.gz | \
+	tar xzvf - --strip 2 cozystack-scheduler-$${tag#*v}/chart

packages/system/cozystack-scheduler/templates/clusterrole.yaml

@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cozystack-scheduler
+rules:
+  - apiGroups: ["cozystack.io"]
+    resources:
+      - schedulingclasses
+    verbs: ["get", "list", "watch"]

packages/system/cozystack-scheduler/templates/clusterrolebinding.yaml

@@ -0,0 +1,38 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cozystack-scheduler:kube-scheduler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-scheduler
+subjects:
+  - kind: ServiceAccount
+    name: cozystack-scheduler
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cozystack-scheduler:volume-scheduler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:volume-scheduler
+subjects:
+  - kind: ServiceAccount
+    name: cozystack-scheduler
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cozystack-scheduler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cozystack-scheduler
+subjects:
+  - kind: ServiceAccount
+    name: cozystack-scheduler
+    namespace: {{ .Release.Namespace }}

packages/system/cozystack-scheduler/templates/configmap.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cozystack-scheduler-config
+  namespace: {{ .Release.Namespace }}
+data:
+  scheduler-config.yaml: |
+    apiVersion: kubescheduler.config.k8s.io/v1
+    kind: KubeSchedulerConfiguration
+    leaderElection:
+      leaderElect: true
+      resourceNamespace: {{ .Release.Namespace }}
+      resourceName: cozystack-scheduler
+    profiles:
+      - schedulerName: cozystack-scheduler
+        plugins:
+          preFilter:
+            disabled:
+              - name: InterPodAffinity
+              - name: NodeAffinity
+              - name: PodTopologySpread
+            enabled:
+              - name: CozystackInterPodAffinity
+              - name: CozystackNodeAffinity
+              - name: CozystackPodTopologySpread
+              - name: CozystackSchedulingClass
+          filter:
+            disabled:
+              - name: InterPodAffinity
+              - name: NodeAffinity
+              - name: PodTopologySpread
+            enabled:
+              - name: CozystackInterPodAffinity
+              - name: CozystackNodeAffinity
+              - name: CozystackPodTopologySpread
+              - name: CozystackSchedulingClass
+          preScore:
+            disabled:
+              - name: InterPodAffinity
+              - name: NodeAffinity
+              - name: PodTopologySpread
+            enabled:
+              - name: CozystackInterPodAffinity
+              - name: CozystackNodeAffinity
+              - name: CozystackPodTopologySpread
+          score:
+            disabled:
+              - name: InterPodAffinity
+              - name: NodeAffinity
+              - name: PodTopologySpread
+            enabled:
+              - name: CozystackInterPodAffinity
+              - name: CozystackNodeAffinity
+              - name: CozystackPodTopologySpread

packages/system/cozystack-scheduler/templates/deployment.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cozystack-scheduler
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: cozystack-scheduler
+  template:
+    metadata:
+      labels:
+        app: cozystack-scheduler
+    spec:
+      serviceAccountName: cozystack-scheduler
+      containers:
+        - name: cozystack-scheduler
+          image: {{ .Values.image }}
+          command:
+            - /cozystack-scheduler
+            - --config=/etc/kubernetes/scheduler-config.yaml
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 10259
+              scheme: HTTPS
+            initialDelaySeconds: 15
+          volumeMounts:
+            - name: config
+              mountPath: /etc/kubernetes/scheduler-config.yaml
+              subPath: scheduler-config.yaml
+              readOnly: true
+      volumes:
+        - name: config
+          configMap:
+            name: cozystack-scheduler-config

packages/system/cozystack-scheduler/templates/rolebinding.yaml

@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cozystack-scheduler:extension-apiserver-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - kind: ServiceAccount
+    name: cozystack-scheduler
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cozystack-scheduler:leader-election
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create", "get", "list", "update", "watch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leasecandidates"]
+    verbs: ["create", "get", "list", "update", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cozystack-scheduler:leader-election
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cozystack-scheduler:leader-election
+subjects:
+  - kind: ServiceAccount
+    name: cozystack-scheduler
+    namespace: {{ .Release.Namespace }}

packages/system/cozystack-scheduler/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cozystack-scheduler
+  namespace: {{ .Release.Namespace }}

packages/system/cozystack-scheduler/values.yaml

@@ -0,0 +1,2 @@
+image: ghcr.io/cozystack/cozystack/cozystack-scheduler:v0.1.0@sha256:5f7150c82177478467ff80628acb5a400291aff503364aa9e26fc346d79a73cf
+replicas: 1

packages/system/dashboard/templates/httproute.yaml

@@ -1,28 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $host := index .Values._cluster "root-host" }}
-{{- $hostnames := .Values._cluster.hostnames | default dict }}
-{{- $exposeServices := splitList "," ((index .Values._cluster "expose-services") | default "") }}
-{{- $gatewayName := (index .Values._cluster "gateway-name") | default "cozystack" }}
-{{- $gatewayNamespace := (index .Values._cluster "gateway-namespace") | default "cozy-gateway" }}
-
-{{- if and (eq $gatewayAPI "true") (has "dashboard" $exposeServices) }}
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: dashboard-web
-spec:
-  parentRefs:
-  - name: {{ $gatewayName }}
-    namespace: {{ $gatewayNamespace }}
-    sectionName: https-dashboard
-  hostnames:
-  - {{ index $hostnames "dashboard" | default (printf "dashboard.%s" $host) | quote }}
-  rules:
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /
-    backendRefs:
-    - name: incloud-web-gatekeeper
-      port: 8000
-{{- end }}

packages/system/gateway-api-crds/Makefile

@@ -6,4 +6,4 @@ include ../../../hack/package.mk
 update:
 	rm -rf templates
 	mkdir templates
-	kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.5.0" > templates/crds-experimental.yaml
+	kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.2.0" > templates/crds-experimental.yaml

packages/system/keycloak/templates/httproute.yaml

@@ -1,30 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $host := index .Values._cluster "root-host" }}
-{{- $hostnames := .Values._cluster.hostnames | default dict }}
-{{- $gatewayName := (index .Values._cluster "gateway-name") | default "cozystack" }}
-{{- $gatewayNamespace := (index .Values._cluster "gateway-namespace") | default "cozy-gateway" }}
-{{- $keycloakHost := .Values.ingress.host | default (index $hostnames "keycloak") | default (printf "keycloak.%s" $host) }}
-
-{{- $oidcEnabled := (index .Values._cluster "oidc-enabled") | default "false" }}
-
-{{- if and (eq $gatewayAPI "true") (eq $oidcEnabled "true") }}
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: keycloak
-spec:
-  parentRefs:
-  - name: {{ $gatewayName }}
-    namespace: {{ $gatewayNamespace }}
-    sectionName: https-keycloak
-  hostnames:
-  - {{ $keycloakHost | quote }}
-  rules:
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /
-    backendRefs:
-    - name: keycloak-http
-      port: 80
-{{- end }}

packages/system/kubevirt-cdi/templates/cdi-uploadproxy-tlsroute.yaml

@@ -1,24 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $host := index .Values._cluster "root-host" }}
-{{- $hostnames := .Values._cluster.hostnames | default dict }}
-{{- $exposeServices := splitList "," ((index .Values._cluster "expose-services") | default "") }}
-{{- $gatewayName := (index .Values._cluster "gateway-name") | default "cozystack" }}
-{{- $gatewayNamespace := (index .Values._cluster "gateway-namespace") | default "cozy-gateway" }}
-
-{{- if and (eq $gatewayAPI "true") (has "cdi-uploadproxy" $exposeServices) }}
-apiVersion: gateway.networking.k8s.io/v1
-kind: TLSRoute
-metadata:
-  name: cdi-uploadproxy
-spec:
-  parentRefs:
-  - name: {{ $gatewayName }}
-    namespace: {{ $gatewayNamespace }}
-    sectionName: tls-passthrough-cdi-uploadproxy
-  hostnames:
-  - {{ index $hostnames "cdi-uploadproxy" | default (printf "cdi-uploadproxy.%s" $host) | quote }}
-  rules:
-  - backendRefs:
-    - name: cdi-uploadproxy
-      port: 443
-{{- end }}

packages/system/kubevirt/templates/vm-exportproxy-tlsroute.yaml

@@ -1,24 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $host := index .Values._cluster "root-host" }}
-{{- $hostnames := .Values._cluster.hostnames | default dict }}
-{{- $exposeServices := splitList "," ((index .Values._cluster "expose-services") | default "") }}
-{{- $gatewayName := (index .Values._cluster "gateway-name") | default "cozystack" }}
-{{- $gatewayNamespace := (index .Values._cluster "gateway-namespace") | default "cozy-gateway" }}
-
-{{- if and (eq $gatewayAPI "true") (has "vm-exportproxy" $exposeServices) }}
-apiVersion: gateway.networking.k8s.io/v1
-kind: TLSRoute
-metadata:
-  name: vm-exportproxy
-spec:
-  parentRefs:
-  - name: {{ $gatewayName }}
-    namespace: {{ $gatewayNamespace }}
-    sectionName: tls-passthrough-vm-exportproxy
-  hostnames:
-  - {{ index $hostnames "vm-exportproxy" | default (printf "vm-exportproxy.%s" $host) | quote }}
-  rules:
-  - backendRefs:
-    - name: vm-exportproxy
-      port: 443
-{{- end }}

packages/system/monitoring/templates/alerta/httproute.yaml

@@ -1,75 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
-{{- $gateway := .Values._namespace.gateway | default "" }}
-{{- $host := .Values._namespace.host }}
-{{- $alertaHost := printf "alerta.%s" (.Values.host | default $host) }}
-
-{{- if and (eq $gatewayAPI "true") (ne $gateway "") }}
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: alerta
-  annotations:
-    cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
-spec:
-  gatewayClassName: cilium
-  infrastructure:
-    labels:
-      cozystack.io/gateway: {{ $gateway }}
-  listeners:
-  - name: http
-    protocol: HTTP
-    port: 80
-    hostname: {{ $alertaHost | quote }}
-    allowedRoutes:
-      namespaces:
-        from: Same
-  - name: https
-    protocol: HTTPS
-    port: 443
-    hostname: {{ $alertaHost | quote }}
-    tls:
-      mode: Terminate
-      certificateRefs:
-      - name: alerta-gateway-tls
-    allowedRoutes:
-      namespaces:
-        from: Same
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: alerta-redirect-to-https
-spec:
-  parentRefs:
-  - name: alerta
-    sectionName: http
-  hostnames:
-  - {{ $alertaHost | quote }}
-  rules:
-  - filters:
-    - type: RequestRedirect
-      requestRedirect:
-        scheme: https
-        statusCode: 301
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: alerta
-spec:
-  parentRefs:
-  - name: alerta
-    sectionName: https
-  hostnames:
-  - {{ $alertaHost | quote }}
-  rules:
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /
-    backendRefs:
-    - name: alerta
-      port: 80
-{{- end }}

packages/system/monitoring/templates/grafana/httproute.yaml

@@ -1,75 +0,0 @@
-{{- $gatewayAPI := (index .Values._cluster "gateway-api") | default "false" }}
-{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
-{{- $gateway := .Values._namespace.gateway | default "" }}
-{{- $host := .Values._namespace.host }}
-{{- $grafanaHost := printf "grafana.%s" (.Values.host | default $host) }}
-
-{{- if and (eq $gatewayAPI "true") (ne $gateway "") }}
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: grafana
-  annotations:
-    cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
-spec:
-  gatewayClassName: cilium
-  infrastructure:
-    labels:
-      cozystack.io/gateway: {{ $gateway }}
-  listeners:
-  - name: http
-    protocol: HTTP
-    port: 80
-    hostname: {{ $grafanaHost | quote }}
-    allowedRoutes:
-      namespaces:
-        from: Same
-  - name: https
-    protocol: HTTPS
-    port: 443
-    hostname: {{ $grafanaHost | quote }}
-    tls:
-      mode: Terminate
-      certificateRefs:
-      - name: grafana-gateway-tls
-    allowedRoutes:
-      namespaces:
-        from: Same
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: grafana-redirect-to-https
-spec:
-  parentRefs:
-  - name: grafana
-    sectionName: http
-  hostnames:
-  - {{ $grafanaHost | quote }}
-  rules:
-  - filters:
-    - type: RequestRedirect
-      requestRedirect:
-        scheme: https
-        statusCode: 301
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: grafana
-spec:
-  parentRefs:
-  - name: grafana
-    sectionName: https
-  hostnames:
-  - {{ $grafanaHost | quote }}
-  rules:
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /
-    backendRefs:
-    - name: grafana-service
-      port: 3000
-{{- end }}

packages/system/tenant-rd/cozyrds/tenant.yaml

@@ -8,7 +8,7 @@ spec:
     singular: tenant
     plural: tenants
     openAPISchema: |-
-      {"title":"Chart Values","type":"object","properties":{"etcd":{"description":"Deploy own Etcd cluster.","type":"boolean","default":false},"gateway":{"description":"Deploy own Gateway API gateway (separate LB for this tenant).","type":"boolean","default":false},"host":{"description":"The hostname used to access tenant services (defaults to using the tenant name as a subdomain for its parent tenant host).","type":"string","default":""},"ingress":{"description":"Deploy own Ingress Controller.","type":"boolean","default":false},"monitoring":{"description":"Deploy own Monitoring Stack.","type":"boolean","default":false},"resourceQuotas":{"description":"Define resource quotas for the tenant.","type":"object","default":{},"additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true}},"seaweedfs":{"description":"Deploy own SeaweedFS.","type":"boolean","default":false}}}
+      {"title":"Chart Values","type":"object","properties":{"etcd":{"description":"Deploy own Etcd cluster.","type":"boolean","default":false},"host":{"description":"The hostname used to access tenant services (defaults to using the tenant name as a subdomain for its parent tenant host).","type":"string","default":""},"ingress":{"description":"Deploy own Ingress Controller.","type":"boolean","default":false},"monitoring":{"description":"Deploy own Monitoring Stack.","type":"boolean","default":false},"resourceQuotas":{"description":"Define resource quotas for the tenant.","type":"object","default":{},"additionalProperties":{"pattern":"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$","anyOf":[{"type":"integer"},{"type":"string"}],"x-kubernetes-int-or-string":true}},"seaweedfs":{"description":"Deploy own SeaweedFS.","type":"boolean","default":false}}}
   release:
     prefix: tenant-
     labels:
@@ -23,7 +23,7 @@ spec:
     plural: Tenants
     description: Separated tenant namespace
     icon: PHN2ZyB3aWR0aD0iMTQ0IiBoZWlnaHQ9IjE0NCIgdmlld0JveD0iMCAwIDE0NCAxNDQiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CjxyZWN0IHdpZHRoPSIxNDQiIGhlaWdodD0iMTQ0IiByeD0iMjQiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl82ODdfMzQwMykiLz4KPGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzY4N18zNDAzKSI+CjxwYXRoIGQ9Ik03MiAyOUM2Ni4zOTI2IDI5IDYxLjAxNDggMzEuMjM4OCA1Ny4wNDk3IDM1LjIyNEM1My4wODQ3IDM5LjIwOTEgNTAuODU3MSA0NC42MTQxIDUwLjg1NzEgNTAuMjVDNTAuODU3MSA1NS44ODU5IDUzLjA4NDcgNjEuMjkwOSA1Ny4wNDk3IDY1LjI3NkM2MS4wMTQ4IDY5LjI2MTIgNjYuMzkyNiA3MS41IDcyIDcxLjVDNzcuNjA3NCA3MS41IDgyLjk4NTIgNjkuMjYxMiA4Ni45NTAzIDY1LjI3NkM5MC45MTUzIDYxLjI5MDkgOTMuMTQyOSA1NS44ODU5IDkzLjE0MjkgNTAuMjVDOTMuMTQyOSA0NC42MTQxIDkwLjkxNTMgMzkuMjA5MSA4Ni45NTAzIDM1LjIyNEM4Mi45ODUyIDMxLjIzODggNzcuNjA3NCAyOSA3MiAyOVpNNjAuOTgyNiA4My4zMDM3QzYwLjQ1NCA4Mi41ODk4IDU5LjU5NTEgODIuMTkxNCA1OC43MTk2IDgyLjI3NDRDNDUuMzg5NyA4My43MzU0IDM1IDk1LjEwNzQgMzUgMTA4LjkwM0MzNSAxMTEuNzI2IDM3LjI3OTUgMTE0IDQwLjA3MSAxMTRIMTAzLjkyOUMxMDYuNzM3IDExNCAxMDkgMTExLjcwOSAxMDkgMTA4LjkwM0MxMDkgOTUuMTA3NCA5OC42MTAzIDgzLjc1MiA4NS4yNjM4IDgyLjI5MUM4NC4zODg0IDgyLjE5MTQgODMuNTI5NSA4Mi42MDY0IDgzLjAwMDkgODMuMzIwM0w3NC4wOTc4IDk1LjI0MDJDNzMuMDQwNiA5Ni42NTE0IDcwLjkyNjMgOTYuNjUxNCA2OS44NjkyIDk1LjI0MDJMNjAuOTY2MSA4My4zMjAzTDYwLjk4MjYgODMuMzAzN1oiIGZpbGw9ImJsYWNrIi8+CjwvZz4KPGRlZnM+CjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl82ODdfMzQwMyIgeDE9IjcyIiB5MT0iMTQ0IiB4Mj0iLTEuMjgxN2UtMDUiIHkyPSI0IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+CjxzdG9wIHN0b3AtY29sb3I9IiNDMEQ2RkYiLz4KPHN0b3Agb2Zmc2V0PSIwLjMiIHN0b3AtY29sb3I9IiNDNERBRkYiLz4KPHN0b3Agb2Zmc2V0PSIwLjY1IiBzdG9wLWNvbG9yPSIjRDNFOUZGIi8+CjxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iI0U5RkZGRiIvPgo8L2xpbmVhckdyYWRpZW50Pgo8Y2xpcFBhdGggaWQ9ImNsaXAwXzY4N18zNDAzIj4KPHJlY3Qgd2lkdGg9Ijc0IiBoZWlnaHQ9Ijg1IiBmaWxsPSJ3aGl0ZSIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMzUgMjkpIi8+CjwvY2xpcFBhdGg+CjwvZGVmcz4KPC9zdmc+Cg==
-    keysOrder: [["apiVersion"], ["appVersion"], ["kind"], ["metadata"], ["metadata", "name"], ["spec", "host"], ["spec", "etcd"], ["spec", "monitoring"], ["spec", "ingress"], ["spec", "gateway"], ["spec", "seaweedfs"], ["spec", "resourceQuotas"]]
+    keysOrder: [["apiVersion"], ["appVersion"], ["kind"], ["metadata"], ["metadata", "name"], ["spec", "host"], ["spec", "etcd"], ["spec", "monitoring"], ["spec", "ingress"], ["spec", "seaweedfs"], ["spec", "resourceQuotas"]]
   secrets:
     exclude: []
     include: []