mirror of
https://github.com/cozystack/cozystack.git
synced 2026-03-04 22:18:54 +00:00
Compare commits
1 Commits
release-1.
...
feat/node-
| Author | SHA1 | Date | |
|---|---|---|---|
|
ba823b0c06 |
2
.github/CODEOWNERS
vendored
2
.github/CODEOWNERS
vendored
@@ -1 +1 @@
|
||||
* @kvaps @lllamnyp @lexfrei @androndo @IvanHunters @sircthulhu
|
||||
* @kvaps @lllamnyp @lexfrei @androndo @IvanHunters
|
||||
|
||||
19
Makefile
19
Makefile
@@ -1,4 +1,4 @@
|
||||
.PHONY: manifests assets unit-tests helm-unit-tests
|
||||
.PHONY: manifests assets unit-tests helm-unit-tests verify-crds
|
||||
|
||||
include hack/common-envs.mk
|
||||
|
||||
@@ -38,21 +38,24 @@ build: build-deps
|
||||
|
||||
manifests:
|
||||
mkdir -p _out/assets
|
||||
cat internal/crdinstall/manifests/*.yaml > _out/assets/cozystack-crds.yaml
|
||||
cat packages/core/installer/crds/*.yaml > _out/assets/cozystack-crds.yaml
|
||||
# Talos variant (default)
|
||||
helm template installer packages/core/installer -n cozy-system \
|
||||
--show-only templates/cozystack-operator.yaml \
|
||||
-s templates/cozystack-operator.yaml \
|
||||
-s templates/packagesource.yaml \
|
||||
> _out/assets/cozystack-operator-talos.yaml
|
||||
# Generic Kubernetes variant (k3s, kubeadm, RKE2)
|
||||
helm template installer packages/core/installer -n cozy-system \
|
||||
--set cozystackOperator.variant=generic \
|
||||
--set cozystack.apiServerHost=REPLACE_ME \
|
||||
--show-only templates/cozystack-operator.yaml \
|
||||
-s templates/cozystack-operator.yaml \
|
||||
-s templates/packagesource.yaml \
|
||||
> _out/assets/cozystack-operator-generic.yaml
|
||||
# Hosted variant (managed Kubernetes)
|
||||
helm template installer packages/core/installer -n cozy-system \
|
||||
--set cozystackOperator.variant=hosted \
|
||||
--show-only templates/cozystack-operator.yaml \
|
||||
-s templates/cozystack-operator.yaml \
|
||||
-s templates/packagesource.yaml \
|
||||
> _out/assets/cozystack-operator-hosted.yaml
|
||||
|
||||
cozypkg:
|
||||
@@ -77,7 +80,11 @@ test:
|
||||
make -C packages/core/testing apply
|
||||
make -C packages/core/testing test
|
||||
|
||||
unit-tests: helm-unit-tests
|
||||
verify-crds:
|
||||
@diff --recursive packages/core/installer/crds/ internal/crdinstall/manifests/ --exclude='.*' \
|
||||
|| (echo "ERROR: CRD manifests out of sync. Run 'make generate' to fix." && exit 1)
|
||||
|
||||
unit-tests: helm-unit-tests verify-crds
|
||||
|
||||
helm-unit-tests:
|
||||
hack/helm-unit-tests.sh
|
||||
|
||||
@@ -108,7 +108,7 @@ func main() {
|
||||
flag.StringVar(&telemetryInterval, "telemetry-interval", "15m",
|
||||
"Interval between telemetry data collection (e.g. 15m, 1h)")
|
||||
flag.StringVar(&platformSourceURL, "platform-source-url", "", "Platform source URL (oci:// or https://). If specified, generates OCIRepository or GitRepository resource.")
|
||||
flag.StringVar(&platformSourceName, "platform-source-name", "cozystack-platform", "Name for the generated platform source resource and PackageSource")
|
||||
flag.StringVar(&platformSourceName, "platform-source-name", "cozystack-packages", "Name for the generated platform source resource (default: cozystack-packages)")
|
||||
flag.StringVar(&platformSourceRef, "platform-source-ref", "", "Reference specification as key=value pairs (e.g., 'branch=main' or 'digest=sha256:...,tag=v1.0'). For OCI: digest, semver, semverFilter, tag. For Git: branch, tag, semver, name, commit.")
|
||||
flag.StringVar(&cozyValuesSecretName, "cozy-values-secret-name", "cozystack-values", "The name of the secret containing cluster-wide configuration values.")
|
||||
flag.StringVar(&cozyValuesSecretNamespace, "cozy-values-secret-namespace", "cozy-system", "The namespace of the secret containing cluster-wide configuration values.")
|
||||
@@ -224,29 +224,6 @@ func main() {
|
||||
}
|
||||
}
|
||||
|
||||
// Create platform PackageSource when CRDs are managed by the operator and
|
||||
// a platform source URL is configured. Without a URL there is no Flux source
|
||||
// resource to reference, so creating a PackageSource would leave a dangling SourceRef.
|
||||
if installCRDs && platformSourceURL != "" {
|
||||
sourceRefKind := "OCIRepository"
|
||||
sourceType, _, err := parsePlatformSourceURL(platformSourceURL)
|
||||
if err != nil {
|
||||
setupLog.Error(err, "failed to parse platform source URL for PackageSource")
|
||||
os.Exit(1)
|
||||
}
|
||||
if sourceType == "git" {
|
||||
sourceRefKind = "GitRepository"
|
||||
}
|
||||
setupLog.Info("Creating platform PackageSource", "platformSourceName", platformSourceName)
|
||||
psCtx, psCancel := context.WithTimeout(mgrCtx, 2*time.Minute)
|
||||
defer psCancel()
|
||||
if err := installPlatformPackageSource(psCtx, directClient, platformSourceName, sourceRefKind); err != nil {
|
||||
setupLog.Error(err, "failed to create platform PackageSource")
|
||||
os.Exit(1)
|
||||
}
|
||||
setupLog.Info("Platform PackageSource creation completed successfully")
|
||||
}
|
||||
|
||||
// Setup PackageSource reconciler
|
||||
if err := (&operator.PackageSourceReconciler{
|
||||
Client: mgr.GetClient(),
|
||||
@@ -575,79 +552,3 @@ func generateGitRepository(name, repoURL string, refMap map[string]string) (*sou
|
||||
|
||||
return obj, nil
|
||||
}
|
||||
|
||||
// installPlatformPackageSource creates the platform PackageSource resource
|
||||
// that references the Flux source resource (OCIRepository or GitRepository).
|
||||
//
|
||||
// The variant list is intentionally hardcoded here. These are platform-defined
|
||||
// deployment profiles (not user-extensible), matching what was previously in
|
||||
// the Helm template. Changes require a new operator build and release.
|
||||
func installPlatformPackageSource(ctx context.Context, k8sClient client.Client, platformSourceName, sourceRefKind string) error {
|
||||
logger := log.FromContext(ctx)
|
||||
|
||||
packageSourceName := "cozystack." + platformSourceName
|
||||
|
||||
ps := &cozyv1alpha1.PackageSource{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
APIVersion: cozyv1alpha1.GroupVersion.String(),
|
||||
Kind: "PackageSource",
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: packageSourceName,
|
||||
Annotations: map[string]string{
|
||||
"operator.cozystack.io/skip-cozystack-values": "true",
|
||||
},
|
||||
},
|
||||
Spec: cozyv1alpha1.PackageSourceSpec{
|
||||
SourceRef: &cozyv1alpha1.PackageSourceRef{
|
||||
Kind: sourceRefKind,
|
||||
Name: platformSourceName,
|
||||
Namespace: "cozy-system",
|
||||
Path: "/",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
variantData := []struct {
|
||||
name string
|
||||
valuesFiles []string
|
||||
}{
|
||||
{"default", []string{"values.yaml"}},
|
||||
{"isp-full", []string{"values.yaml", "values-isp-full.yaml"}},
|
||||
{"isp-hosted", []string{"values.yaml", "values-isp-hosted.yaml"}},
|
||||
{"isp-full-generic", []string{"values.yaml", "values-isp-full-generic.yaml"}},
|
||||
}
|
||||
|
||||
variants := make([]cozyv1alpha1.Variant, len(variantData))
|
||||
for i, v := range variantData {
|
||||
variants[i] = cozyv1alpha1.Variant{
|
||||
Name: v.name,
|
||||
Components: []cozyv1alpha1.Component{
|
||||
{
|
||||
Name: "platform",
|
||||
Path: "core/platform",
|
||||
Install: &cozyv1alpha1.ComponentInstall{
|
||||
Namespace: "cozy-system",
|
||||
ReleaseName: "cozystack-platform",
|
||||
},
|
||||
ValuesFiles: v.valuesFiles,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
ps.Spec.Variants = variants
|
||||
|
||||
logger.Info("Applying platform PackageSource", "name", packageSourceName)
|
||||
|
||||
patchOptions := &client.PatchOptions{
|
||||
FieldManager: "cozystack-operator",
|
||||
Force: func() *bool { b := true; return &b }(),
|
||||
}
|
||||
|
||||
if err := k8sClient.Patch(ctx, ps, client.Apply, patchOptions); err != nil {
|
||||
return fmt.Errorf("failed to apply PackageSource %s: %w", packageSourceName, err)
|
||||
}
|
||||
|
||||
logger.Info("Applied platform PackageSource", "name", packageSourceName)
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -1,574 +0,0 @@
|
||||
/*
|
||||
Copyright 2025 The Cozystack Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"testing"
|
||||
|
||||
cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
||||
"sigs.k8s.io/controller-runtime/pkg/client/fake"
|
||||
)
|
||||
|
||||
func newTestScheme() *runtime.Scheme {
|
||||
s := runtime.NewScheme()
|
||||
_ = cozyv1alpha1.AddToScheme(s)
|
||||
return s
|
||||
}
|
||||
|
||||
func TestInstallPlatformPackageSource_Creates(t *testing.T) {
|
||||
s := newTestScheme()
|
||||
k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
|
||||
|
||||
err := installPlatformPackageSource(context.Background(), k8sClient, "cozystack-platform", "OCIRepository")
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
ps := &cozyv1alpha1.PackageSource{}
|
||||
if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.cozystack-platform"}, ps); err != nil {
|
||||
t.Fatalf("PackageSource not found: %v", err)
|
||||
}
|
||||
|
||||
// Verify name
|
||||
if ps.Name != "cozystack.cozystack-platform" {
|
||||
t.Errorf("expected name %q, got %q", "cozystack.cozystack-platform", ps.Name)
|
||||
}
|
||||
|
||||
// Verify annotation
|
||||
if ps.Annotations["operator.cozystack.io/skip-cozystack-values"] != "true" {
|
||||
t.Errorf("expected skip-cozystack-values annotation to be 'true', got %q", ps.Annotations["operator.cozystack.io/skip-cozystack-values"])
|
||||
}
|
||||
|
||||
// Verify sourceRef
|
||||
if ps.Spec.SourceRef == nil {
|
||||
t.Fatal("expected SourceRef to be set")
|
||||
}
|
||||
if ps.Spec.SourceRef.Kind != "OCIRepository" {
|
||||
t.Errorf("expected sourceRef.kind %q, got %q", "OCIRepository", ps.Spec.SourceRef.Kind)
|
||||
}
|
||||
if ps.Spec.SourceRef.Name != "cozystack-platform" {
|
||||
t.Errorf("expected sourceRef.name %q, got %q", "cozystack-platform", ps.Spec.SourceRef.Name)
|
||||
}
|
||||
if ps.Spec.SourceRef.Namespace != "cozy-system" {
|
||||
t.Errorf("expected sourceRef.namespace %q, got %q", "cozy-system", ps.Spec.SourceRef.Namespace)
|
||||
}
|
||||
if ps.Spec.SourceRef.Path != "/" {
|
||||
t.Errorf("expected sourceRef.path %q, got %q", "/", ps.Spec.SourceRef.Path)
|
||||
}
|
||||
|
||||
// Verify variants
|
||||
expectedVariants := []string{"default", "isp-full", "isp-hosted", "isp-full-generic"}
|
||||
if len(ps.Spec.Variants) != len(expectedVariants) {
|
||||
t.Fatalf("expected %d variants, got %d", len(expectedVariants), len(ps.Spec.Variants))
|
||||
}
|
||||
for i, name := range expectedVariants {
|
||||
if ps.Spec.Variants[i].Name != name {
|
||||
t.Errorf("expected variant[%d].name %q, got %q", i, name, ps.Spec.Variants[i].Name)
|
||||
}
|
||||
if len(ps.Spec.Variants[i].Components) != 1 {
|
||||
t.Errorf("expected variant[%d] to have 1 component, got %d", i, len(ps.Spec.Variants[i].Components))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestInstallPlatformPackageSource_Updates(t *testing.T) {
|
||||
s := newTestScheme()
|
||||
|
||||
existing := &cozyv1alpha1.PackageSource{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "cozystack.cozystack-platform",
|
||||
ResourceVersion: "1",
|
||||
Labels: map[string]string{
|
||||
"custom-label": "should-be-preserved",
|
||||
},
|
||||
},
|
||||
Spec: cozyv1alpha1.PackageSourceSpec{
|
||||
SourceRef: &cozyv1alpha1.PackageSourceRef{
|
||||
Kind: "OCIRepository",
|
||||
Name: "old-name",
|
||||
Namespace: "cozy-system",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
k8sClient := fake.NewClientBuilder().WithScheme(s).WithObjects(existing).Build()
|
||||
|
||||
err := installPlatformPackageSource(context.Background(), k8sClient, "cozystack-platform", "OCIRepository")
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
ps := &cozyv1alpha1.PackageSource{}
|
||||
if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.cozystack-platform"}, ps); err != nil {
|
||||
t.Fatalf("PackageSource not found: %v", err)
|
||||
}
|
||||
|
||||
// Verify sourceRef was updated
|
||||
if ps.Spec.SourceRef.Name != "cozystack-platform" {
|
||||
t.Errorf("expected updated sourceRef.name %q, got %q", "cozystack-platform", ps.Spec.SourceRef.Name)
|
||||
}
|
||||
|
||||
// Verify all 4 variants are present after update
|
||||
if len(ps.Spec.Variants) != 4 {
|
||||
t.Errorf("expected 4 variants after update, got %d", len(ps.Spec.Variants))
|
||||
}
|
||||
|
||||
// Verify that labels set by other controllers are preserved (SSA does not overwrite unmanaged fields)
|
||||
if ps.Labels["custom-label"] != "should-be-preserved" {
|
||||
t.Errorf("expected custom-label to be preserved, got %q", ps.Labels["custom-label"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestParsePlatformSourceURL(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
url string
|
||||
wantType string
|
||||
wantURL string
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "OCI URL",
|
||||
url: "oci://ghcr.io/cozystack/cozystack/cozystack-packages",
|
||||
wantType: "oci",
|
||||
wantURL: "oci://ghcr.io/cozystack/cozystack/cozystack-packages",
|
||||
},
|
||||
{
|
||||
name: "HTTPS URL",
|
||||
url: "https://github.com/cozystack/cozystack",
|
||||
wantType: "git",
|
||||
wantURL: "https://github.com/cozystack/cozystack",
|
||||
},
|
||||
{
|
||||
name: "SSH URL",
|
||||
url: "ssh://git@github.com/cozystack/cozystack",
|
||||
wantType: "git",
|
||||
wantURL: "ssh://git@github.com/cozystack/cozystack",
|
||||
},
|
||||
{
|
||||
name: "empty URL",
|
||||
url: "",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "unsupported scheme",
|
||||
url: "ftp://example.com/repo",
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
sourceType, repoURL, err := parsePlatformSourceURL(tt.url)
|
||||
if tt.wantErr {
|
||||
if err == nil {
|
||||
t.Fatalf("expected error for URL %q, got nil", tt.url)
|
||||
}
|
||||
return
|
||||
}
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
if sourceType != tt.wantType {
|
||||
t.Errorf("expected type %q, got %q", tt.wantType, sourceType)
|
||||
}
|
||||
if repoURL != tt.wantURL {
|
||||
t.Errorf("expected URL %q, got %q", tt.wantURL, repoURL)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestInstallPlatformPackageSource_VariantValuesFiles(t *testing.T) {
|
||||
s := newTestScheme()
|
||||
k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
|
||||
|
||||
err := installPlatformPackageSource(context.Background(), k8sClient, "cozystack-platform", "OCIRepository")
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
ps := &cozyv1alpha1.PackageSource{}
|
||||
if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.cozystack-platform"}, ps); err != nil {
|
||||
t.Fatalf("PackageSource not found: %v", err)
|
||||
}
|
||||
|
||||
expectedValuesFiles := map[string][]string{
|
||||
"default": {"values.yaml"},
|
||||
"isp-full": {"values.yaml", "values-isp-full.yaml"},
|
||||
"isp-hosted": {"values.yaml", "values-isp-hosted.yaml"},
|
||||
"isp-full-generic": {"values.yaml", "values-isp-full-generic.yaml"},
|
||||
}
|
||||
|
||||
for _, v := range ps.Spec.Variants {
|
||||
expected, ok := expectedValuesFiles[v.Name]
|
||||
if !ok {
|
||||
t.Errorf("unexpected variant %q", v.Name)
|
||||
continue
|
||||
}
|
||||
|
||||
if len(v.Components) != 1 {
|
||||
t.Errorf("variant %q: expected 1 component, got %d", v.Name, len(v.Components))
|
||||
continue
|
||||
}
|
||||
|
||||
comp := v.Components[0]
|
||||
if comp.Name != "platform" {
|
||||
t.Errorf("variant %q: expected component name %q, got %q", v.Name, "platform", comp.Name)
|
||||
}
|
||||
if comp.Path != "core/platform" {
|
||||
t.Errorf("variant %q: expected component path %q, got %q", v.Name, "core/platform", comp.Path)
|
||||
}
|
||||
if comp.Install == nil {
|
||||
t.Errorf("variant %q: expected Install to be set", v.Name)
|
||||
} else {
|
||||
if comp.Install.Namespace != "cozy-system" {
|
||||
t.Errorf("variant %q: expected install namespace %q, got %q", v.Name, "cozy-system", comp.Install.Namespace)
|
||||
}
|
||||
if comp.Install.ReleaseName != "cozystack-platform" {
|
||||
t.Errorf("variant %q: expected install releaseName %q, got %q", v.Name, "cozystack-platform", comp.Install.ReleaseName)
|
||||
}
|
||||
}
|
||||
|
||||
if len(comp.ValuesFiles) != len(expected) {
|
||||
t.Errorf("variant %q: expected %d valuesFiles, got %d", v.Name, len(expected), len(comp.ValuesFiles))
|
||||
continue
|
||||
}
|
||||
for i, f := range expected {
|
||||
if comp.ValuesFiles[i] != f {
|
||||
t.Errorf("variant %q: expected valuesFiles[%d] %q, got %q", v.Name, i, f, comp.ValuesFiles[i])
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestInstallPlatformPackageSource_CustomName(t *testing.T) {
|
||||
s := newTestScheme()
|
||||
k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
|
||||
|
||||
err := installPlatformPackageSource(context.Background(), k8sClient, "custom-source", "OCIRepository")
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
ps := &cozyv1alpha1.PackageSource{}
|
||||
if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.custom-source"}, ps); err != nil {
|
||||
t.Fatalf("PackageSource not found: %v", err)
|
||||
}
|
||||
|
||||
if ps.Name != "cozystack.custom-source" {
|
||||
t.Errorf("expected name %q, got %q", "cozystack.custom-source", ps.Name)
|
||||
}
|
||||
if ps.Spec.SourceRef.Name != "custom-source" {
|
||||
t.Errorf("expected sourceRef.name %q, got %q", "custom-source", ps.Spec.SourceRef.Name)
|
||||
}
|
||||
}
|
||||
|
||||
func TestInstallPlatformPackageSource_GitRepository(t *testing.T) {
|
||||
s := newTestScheme()
|
||||
k8sClient := fake.NewClientBuilder().WithScheme(s).Build()
|
||||
|
||||
err := installPlatformPackageSource(context.Background(), k8sClient, "my-source", "GitRepository")
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
ps := &cozyv1alpha1.PackageSource{}
|
||||
if err := k8sClient.Get(context.Background(), client.ObjectKey{Name: "cozystack.my-source"}, ps); err != nil {
|
||||
t.Fatalf("PackageSource not found: %v", err)
|
||||
}
|
||||
|
||||
if ps.Spec.SourceRef.Kind != "GitRepository" {
|
||||
t.Errorf("expected sourceRef.kind %q, got %q", "GitRepository", ps.Spec.SourceRef.Kind)
|
||||
}
|
||||
if ps.Spec.SourceRef.Name != "my-source" {
|
||||
t.Errorf("expected sourceRef.name %q, got %q", "my-source", ps.Spec.SourceRef.Name)
|
||||
}
|
||||
}
|
||||
|
||||
func TestParseRefSpec(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
input string
|
||||
want map[string]string
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "empty string",
|
||||
input: "",
|
||||
want: map[string]string{},
|
||||
},
|
||||
{
|
||||
name: "single key-value",
|
||||
input: "tag=v1.0",
|
||||
want: map[string]string{"tag": "v1.0"},
|
||||
},
|
||||
{
|
||||
name: "multiple key-values",
|
||||
input: "digest=sha256:abc123,tag=v1.0",
|
||||
want: map[string]string{"digest": "sha256:abc123", "tag": "v1.0"},
|
||||
},
|
||||
{
|
||||
name: "whitespace around pairs",
|
||||
input: " tag=v1.0 , branch=main ",
|
||||
want: map[string]string{"tag": "v1.0", "branch": "main"},
|
||||
},
|
||||
{
|
||||
name: "equals sign in value",
|
||||
input: "digest=sha256:abc=123",
|
||||
want: map[string]string{"digest": "sha256:abc=123"},
|
||||
},
|
||||
{
|
||||
name: "missing equals sign",
|
||||
input: "tag",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "empty key",
|
||||
input: "=value",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "empty value",
|
||||
input: "tag=",
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "trailing comma",
|
||||
input: "tag=v1.0,",
|
||||
want: map[string]string{"tag": "v1.0"},
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, err := parseRefSpec(tt.input)
|
||||
if tt.wantErr {
|
||||
if err == nil {
|
||||
t.Fatalf("expected error for input %q, got nil", tt.input)
|
||||
}
|
||||
return
|
||||
}
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
if len(got) != len(tt.want) {
|
||||
t.Fatalf("expected %d entries, got %d: %v", len(tt.want), len(got), got)
|
||||
}
|
||||
for k, v := range tt.want {
|
||||
if got[k] != v {
|
||||
t.Errorf("expected %q=%q, got %q=%q", k, v, k, got[k])
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateOCIRef(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
refMap map[string]string
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "valid tag",
|
||||
refMap: map[string]string{"tag": "v1.0"},
|
||||
},
|
||||
{
|
||||
name: "valid digest",
|
||||
refMap: map[string]string{"digest": "sha256:abc123def456"},
|
||||
},
|
||||
{
|
||||
name: "valid semver",
|
||||
refMap: map[string]string{"semver": ">=1.0.0"},
|
||||
},
|
||||
{
|
||||
name: "multiple valid keys",
|
||||
refMap: map[string]string{"tag": "v1.0", "digest": "sha256:abc"},
|
||||
},
|
||||
{
|
||||
name: "empty map",
|
||||
refMap: map[string]string{},
|
||||
},
|
||||
{
|
||||
name: "invalid key",
|
||||
refMap: map[string]string{"branch": "main"},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "invalid digest format",
|
||||
refMap: map[string]string{"digest": "md5:abc"},
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
err := validateOCIRef(tt.refMap)
|
||||
if tt.wantErr && err == nil {
|
||||
t.Fatal("expected error, got nil")
|
||||
}
|
||||
if !tt.wantErr && err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateGitRef(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
refMap map[string]string
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "valid branch",
|
||||
refMap: map[string]string{"branch": "main"},
|
||||
},
|
||||
{
|
||||
name: "valid commit",
|
||||
refMap: map[string]string{"commit": "abc1234"},
|
||||
},
|
||||
{
|
||||
name: "valid tag and branch",
|
||||
refMap: map[string]string{"tag": "v1.0", "branch": "release"},
|
||||
},
|
||||
{
|
||||
name: "empty map",
|
||||
refMap: map[string]string{},
|
||||
},
|
||||
{
|
||||
name: "invalid key",
|
||||
refMap: map[string]string{"digest": "sha256:abc"},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "commit too short",
|
||||
refMap: map[string]string{"commit": "abc"},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "commit not hex",
|
||||
refMap: map[string]string{"commit": "zzzzzzz"},
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
err := validateGitRef(tt.refMap)
|
||||
if tt.wantErr && err == nil {
|
||||
t.Fatal("expected error, got nil")
|
||||
}
|
||||
if !tt.wantErr && err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGenerateOCIRepository(t *testing.T) {
|
||||
refMap := map[string]string{"tag": "v1.0", "digest": "sha256:abc123"}
|
||||
obj, err := generateOCIRepository("my-repo", "oci://registry.example.com/repo", refMap)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
if obj.Name != "my-repo" {
|
||||
t.Errorf("expected name %q, got %q", "my-repo", obj.Name)
|
||||
}
|
||||
if obj.Namespace != "cozy-system" {
|
||||
t.Errorf("expected namespace %q, got %q", "cozy-system", obj.Namespace)
|
||||
}
|
||||
if obj.Spec.URL != "oci://registry.example.com/repo" {
|
||||
t.Errorf("expected URL %q, got %q", "oci://registry.example.com/repo", obj.Spec.URL)
|
||||
}
|
||||
if obj.Spec.Reference == nil {
|
||||
t.Fatal("expected Reference to be set")
|
||||
}
|
||||
if obj.Spec.Reference.Tag != "v1.0" {
|
||||
t.Errorf("expected tag %q, got %q", "v1.0", obj.Spec.Reference.Tag)
|
||||
}
|
||||
if obj.Spec.Reference.Digest != "sha256:abc123" {
|
||||
t.Errorf("expected digest %q, got %q", "sha256:abc123", obj.Spec.Reference.Digest)
|
||||
}
|
||||
}
|
||||
|
||||
func TestGenerateOCIRepository_NoRef(t *testing.T) {
|
||||
obj, err := generateOCIRepository("my-repo", "oci://registry.example.com/repo", map[string]string{})
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
if obj.Spec.Reference != nil {
|
||||
t.Error("expected Reference to be nil for empty refMap")
|
||||
}
|
||||
}
|
||||
|
||||
func TestGenerateOCIRepository_InvalidRef(t *testing.T) {
|
||||
_, err := generateOCIRepository("my-repo", "oci://registry.example.com/repo", map[string]string{"branch": "main"})
|
||||
if err == nil {
|
||||
t.Fatal("expected error for invalid OCI ref key, got nil")
|
||||
}
|
||||
}
|
||||
|
||||
func TestGenerateGitRepository(t *testing.T) {
|
||||
refMap := map[string]string{"branch": "main", "commit": "abc1234def5678"}
|
||||
obj, err := generateGitRepository("my-repo", "https://github.com/user/repo", refMap)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
if obj.Name != "my-repo" {
|
||||
t.Errorf("expected name %q, got %q", "my-repo", obj.Name)
|
||||
}
|
||||
if obj.Namespace != "cozy-system" {
|
||||
t.Errorf("expected namespace %q, got %q", "cozy-system", obj.Namespace)
|
||||
}
|
||||
if obj.Spec.URL != "https://github.com/user/repo" {
|
||||
t.Errorf("expected URL %q, got %q", "https://github.com/user/repo", obj.Spec.URL)
|
||||
}
|
||||
if obj.Spec.Reference == nil {
|
||||
t.Fatal("expected Reference to be set")
|
||||
}
|
||||
if obj.Spec.Reference.Branch != "main" {
|
||||
t.Errorf("expected branch %q, got %q", "main", obj.Spec.Reference.Branch)
|
||||
}
|
||||
if obj.Spec.Reference.Commit != "abc1234def5678" {
|
||||
t.Errorf("expected commit %q, got %q", "abc1234def5678", obj.Spec.Reference.Commit)
|
||||
}
|
||||
}
|
||||
|
||||
func TestGenerateGitRepository_NoRef(t *testing.T) {
|
||||
obj, err := generateGitRepository("my-repo", "https://github.com/user/repo", map[string]string{})
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
if obj.Spec.Reference != nil {
|
||||
t.Error("expected Reference to be nil for empty refMap")
|
||||
}
|
||||
}
|
||||
|
||||
func TestGenerateGitRepository_InvalidRef(t *testing.T) {
|
||||
_, err := generateGitRepository("my-repo", "https://github.com/user/repo", map[string]string{"digest": "sha256:abc"})
|
||||
if err == nil {
|
||||
t.Fatal("expected error for invalid Git ref key, got nil")
|
||||
}
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v0.40.5
|
||||
-->
|
||||
|
||||
## Improvements
|
||||
|
||||
* **[dashboard] Improve dashboard session params**: Improved session parameter handling in the dashboard for better user experience and more reliable session management ([**@lllamnyp**](https://github.com/lllamnyp) in #1913, #1919).
|
||||
|
||||
## Dependencies
|
||||
|
||||
* **Update cozyhr to v1.6.1**: Updated cozyhr to v1.6.1, which fixes a critical bug causing helm-controller v0.37.0+ to unexpectedly uninstall HelmReleases after cozyhr apply by correcting history snapshot fields for helm-controller compatibility ([**@kvaps**](https://github.com/kvaps) in cozystack/cozyhr#10).
|
||||
|
||||
---
|
||||
|
||||
**Full Changelog**: [v0.40.4...v0.40.5](https://github.com/cozystack/cozystack/compare/v0.40.4...v0.40.5)
|
||||
@@ -1,11 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v0.40.6
|
||||
-->
|
||||
|
||||
## Fixes
|
||||
|
||||
* **[kubernetes] Fix manifests for kubernetes deployment**: Fixed incorrect manifests that prevented proper Kubernetes deployment, restoring correct application behavior ([**@IvanHunters**](https://github.com/IvanHunters) in #1943, #1944).
|
||||
|
||||
---
|
||||
|
||||
**Full Changelog**: [v0.40.5...v0.40.6](https://github.com/cozystack/cozystack/compare/v0.40.5...v0.40.6)
|
||||
@@ -1,11 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v0.40.7
|
||||
-->
|
||||
|
||||
## Security
|
||||
|
||||
* **[dashboard] Verify JWT token**: Added JWT token verification to the dashboard, ensuring that authentication tokens are properly validated before granting access. This prevents unauthorized access through forged or expired tokens ([**@lllamnyp**](https://github.com/lllamnyp) in #1980, #1984).
|
||||
|
||||
---
|
||||
|
||||
**Full Changelog**: [v0.40.6...v0.40.7](https://github.com/cozystack/cozystack/compare/v0.40.6...v0.40.7)
|
||||
@@ -1,11 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v0.41.4
|
||||
-->
|
||||
|
||||
## Dependencies
|
||||
|
||||
* **Update cozyhr to v1.6.1**: Updated cozyhr to v1.6.1, which fixes a critical bug causing helm-controller v0.37.0+ to unexpectedly uninstall HelmReleases after cozyhr apply by correcting history snapshot fields for helm-controller compatibility ([**@kvaps**](https://github.com/kvaps) in cozystack/cozyhr#10).
|
||||
|
||||
---
|
||||
|
||||
**Full Changelog**: [v0.41.3...v0.41.4](https://github.com/cozystack/cozystack/compare/v0.41.3...v0.41.4)
|
||||
@@ -1,21 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v0.41.5
|
||||
-->
|
||||
|
||||
## Features and Improvements
|
||||
|
||||
* **[dashboard] Add "Edit" button to all resources**: Added an "Edit" button across all resource views in the dashboard, allowing users to modify resource configurations directly from the UI ([**@sircthulhu**](https://github.com/sircthulhu) in #1928, #1931).
|
||||
|
||||
* **[dashboard] Add resource quota usage to tenant details page**: Added resource quota usage display to the tenant details page, giving administrators visibility into how much of allocated resources each tenant is consuming ([**@sircthulhu**](https://github.com/sircthulhu) in #1929, #1932).
|
||||
|
||||
* **[branding] Separate values for keycloak**: Separated Keycloak branding values into dedicated configuration, allowing more granular customization of Keycloak appearance without affecting other branding settings ([**@nbykov0**](https://github.com/nbykov0) in #1946).
|
||||
|
||||
* **Add instance profile label to workload monitor**: Added instance profile metadata labels to the workload monitor, enabling better resource tracking and monitoring by instance profile type ([**@matthieu-robin**](https://github.com/matthieu-robin) in #1954, #1957).
|
||||
|
||||
## Fixes
|
||||
|
||||
* **[kubernetes] Fix manifests for kubernetes deployment**: Fixed incorrect manifests that prevented proper Kubernetes deployment, restoring correct application behavior ([**@IvanHunters**](https://github.com/IvanHunters) in #1943, #1945).
|
||||
|
||||
---
|
||||
|
||||
**Full Changelog**: [v0.41.4...v0.41.5](https://github.com/cozystack/cozystack/compare/v0.41.4...v0.41.5)
|
||||
@@ -1,17 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v0.41.6
|
||||
-->
|
||||
|
||||
## Improvements
|
||||
|
||||
* **[vm] Allow changing field external after creation**: Users can now modify the external network field on virtual machines after initial creation, providing more flexibility in VM networking configuration without requiring recreation ([**@sircthulhu**](https://github.com/sircthulhu) in #1956, #1962).
|
||||
|
||||
* **[branding] Separate values for keycloak**: Separated Keycloak branding values into dedicated configuration for more granular customization of Keycloak appearance ([**@nbykov0**](https://github.com/nbykov0) in #1947, #1963).
|
||||
|
||||
## Fixes
|
||||
|
||||
* **[kubernetes] Fix coredns serviceaccount to match kubernetes bootstrap RBAC**: Configured the CoreDNS chart to create a `kube-dns` ServiceAccount matching the Kubernetes bootstrap ClusterRoleBinding, fixing RBAC errors (`Failed to watch`) when CoreDNS pods restart ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1958, #1978).
|
||||
|
||||
---
|
||||
|
||||
**Full Changelog**: [v0.41.5...v0.41.6](https://github.com/cozystack/cozystack/compare/v0.41.5...v0.41.6)
|
||||
@@ -1,15 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v0.41.7
|
||||
-->
|
||||
|
||||
## Security
|
||||
|
||||
* **[dashboard] Verify JWT token**: Added JWT token verification to the dashboard, ensuring that authentication tokens are properly validated before granting access. This prevents unauthorized access through forged or expired tokens ([**@lllamnyp**](https://github.com/lllamnyp) in #1980, #1983).
|
||||
|
||||
## Fixes
|
||||
|
||||
* **[postgres-operator] Correct PromQL syntax in CNPGClusterOffline alert**: Fixed incorrect PromQL syntax in the `CNPGClusterOffline` alert rule for CloudNativePG, ensuring the alert fires correctly when all instances of a PostgreSQL cluster are offline ([**@mattia-eleuteri**](https://github.com/mattia-eleuteri) in #1981, #1989).
|
||||
|
||||
---
|
||||
|
||||
**Full Changelog**: [v0.41.6...v0.41.7](https://github.com/cozystack/cozystack/compare/v0.41.6...v0.41.7)
|
||||
@@ -1,17 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v0.41.8
|
||||
-->
|
||||
|
||||
## Features and Improvements
|
||||
|
||||
* **[kubernetes] Auto-enable Gateway API support in cert-manager**: cert-manager now automatically enables `enableGatewayAPI` when the Gateway API addon is active in the Kubernetes application. Users no longer need to manually configure this setting, and the option can still be overridden via `valuesOverride` ([**@kvaps**](https://github.com/kvaps) in #1997, #2012).
|
||||
|
||||
* **[vm] Allow switching between instancetype and custom resources**: Users can now switch virtual machines between instancetype-based and custom resource configurations after creation. The upgrade hook atomically patches VM resources, providing more flexibility in adjusting VM sizing without recreation ([**@sircthulhu**](https://github.com/sircthulhu) in #2008, #2013).
|
||||
|
||||
## Fixes
|
||||
|
||||
* **[dashboard] Add startupProbe to prevent container restarts on slow hardware**: Added `startupProbe` to both `bff` and `web` containers in the dashboard deployment. On slow hardware, kubelet was killing containers because the `livenessProbe` only allowed ~33 seconds for startup. The `startupProbe` gives containers up to 60 seconds to start before `livenessProbe` kicks in ([**@kvaps**](https://github.com/kvaps) in #1996, #2014).
|
||||
|
||||
---
|
||||
|
||||
**Full Changelog**: [v0.41.7...v0.41.8](https://github.com/cozystack/cozystack/compare/v0.41.7...v0.41.8)
|
||||
@@ -1,15 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v0.41.9
|
||||
-->
|
||||
|
||||
## Fixes
|
||||
|
||||
* **[cozystack-basics] Deny resourcequotas deletion for tenant admin**: Prevented tenant administrators from deleting resource quotas, ensuring that resource limits set by platform administrators cannot be bypassed by tenant-level users ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2076).
|
||||
|
||||
## Dependencies
|
||||
|
||||
* **Update Kube-OVN to v1.15.3**: Updated Kube-OVN CNI to v1.15.3 with latest bug fixes and improvements ([**@kvaps**](https://github.com/kvaps)).
|
||||
|
||||
---
|
||||
|
||||
**Full Changelog**: [v0.41.8...v0.41.9](https://github.com/cozystack/cozystack/compare/v0.41.8...v0.41.9)
|
||||
@@ -1,65 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v1.0.0-rc.1
|
||||
-->
|
||||
|
||||
> **⚠️ Release Candidate Warning**: This is a release candidate intended for final validation before the stable v1.0.0 release. Breaking changes are not expected at this stage, but please test thoroughly before deploying to production.
|
||||
|
||||
## Features and Improvements
|
||||
|
||||
* **[harbor] Add managed Harbor container registry**: Added Harbor v2.14.2 as a managed tenant-level container registry service. The application uses CloudNativePG for PostgreSQL, the Redis operator for caching, and S3 via COSI BucketClaim (from SeaweedFS) for registry image storage. Auto-generated admin credentials are persisted across upgrades, TLS is handled by cert-manager, and Trivy vulnerability scanner is included. Users can now deploy a fully managed, production-ready OCI container registry within their tenant ([**@lexfrei**](https://github.com/lexfrei) in #2058).
|
||||
|
||||
* **[kubernetes] Update supported Kubernetes versions to v1.30–v1.35**: Updated the tenant Kubernetes version matrix to v1.30, v1.31, v1.32, v1.33, v1.34, and v1.35 (now the default). EOL versions v1.28 and v1.29 are removed. Kamaji is updated to edge-26.2.4 with full Kubernetes 1.35 support, and the CAPI Kamaji provider is updated to v0.16.0. A compatibility patch ensures kubelets older than v1.35 are not broken by Kamaji injecting 1.35-specific kubelet fields ([**@lexfrei**](https://github.com/lexfrei) in #2073).
|
||||
|
||||
* **[platform] Make cluster issuer name and ACME solver configurable**: Added `publishing.certificates.solver` (`http01` or `dns01`) and `publishing.certificates.issuerName` (default: `letsencrypt-prod`) parameters to the platform chart. This allows operators to point all ingress TLS annotations at any ClusterIssuer — custom ACME, self-signed, or internal CA — without modifying individual package templates. See the Breaking Changes section for the rename from the previous `issuerType` field ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
|
||||
|
||||
* **[dashboard] VMInstance dropdowns for disks and instanceType**: The VM instance creation form now renders API-backed dropdowns for the `instanceType` field (populated from `VirtualMachineClusterInstancetype` cluster resources) and for disk `name` fields (populated from `VMDisk` resources in the same namespace). Default values are read from the ApplicationDefinition's OpenAPI schema. This eliminates manual lookups and reduces misconfiguration when attaching disks or selecting VM instance types ([**@sircthulhu**](https://github.com/sircthulhu) in #2071).
|
||||
|
||||
* **[installer] Remove CRDs from Helm chart, delegate lifecycle to operator**: The `cozy-installer` Helm chart no longer ships CRDs in its `crds/` directory. CRD lifecycle is now fully managed by the Cozystack operator via the `--install-crds` flag, which applies embedded CRD manifests on every startup using server-side apply. The platform PackageSource is also created by the operator instead of a Helm template. This ensures CRDs and the PackageSource are always up to date after each operator restart, eliminating stale CRDs from Helm's install-only behavior ([**@lexfrei**](https://github.com/lexfrei) in #2074).
|
||||
|
||||
## Fixes
|
||||
|
||||
* **[kubevirt] Update KubeVirt to v1.6.4 and CDI to v1.64.0, fix VM pod initialization**: Updated KubeVirt operator to v1.6.4 and CDI operator to v1.64.0, including live migration of existing VMs during the upgrade. Additionally, disabled serial console logging globally via the KubeVirt CR to prevent a known v1.6.x issue ([upstream #15989](https://github.com/kubevirt/kubevirt/issues/15989)) where the `guest-console-log` init container blocked virt-launcher pods from starting, causing all VMs to get stuck in `PodInitializing` state ([**@nbykov0**](https://github.com/nbykov0) in #1833; [**@kvaps**](https://github.com/kvaps) in 7dfb819).
|
||||
|
||||
* **[linstor] Fix DRBD+LUKS+STORAGE resource creation failure**: All newly created encrypted volumes were failing because the DRBD `.res` file was never written due to a missing `setExists(true)` call in the `LuksLayer`. Applied the upstream `skip-adjust-when-device-inaccessible` patch ([LINBIT/linstor-server#477](https://github.com/LINBIT/linstor-server/pull/477)) which fixes the root cause and also prevents unnecessary lsblk calls when devices are not yet physically present ([**@kvaps**](https://github.com/kvaps) in #2072).
|
||||
|
||||
* **[system] Fix monitoring-agents FQDN resolution for tenant workload clusters**: Monitoring agents (`vmagent`, `fluent-bit`) in tenant workload clusters were failing to deliver metrics and logs because service addresses used short DNS names without the cluster domain suffix. Fixed by appending the configured cluster domain from `_cluster.cluster-domain` (with fallback to `cluster.local`) to all vmagent remoteWrite URLs and fluent-bit output hosts ([**@IvanHunters**](https://github.com/IvanHunters) in #2075).
|
||||
|
||||
* **[cozystack-basics] Preserve existing HelmRelease values during reconciliations**: Fixed a data-loss bug where changes made to the `tenant-root` HelmRelease were silently dropped on the next forced or upgrade reconciliation of the `cozystack-basics` HelmRelease. The reconciler now merges new configuration with existing values instead of overwriting them ([**@sircthulhu**](https://github.com/sircthulhu) in #2068).
|
||||
|
||||
* **[cozystack-basics] Deny resourcequotas deletion for tenant admin**: Fixed the `cozy:tenant:admin:base` ClusterRole to explicitly deny deletion of `ResourceQuota` objects for tenant admins and superadmins, preventing accidental removal of tenant resource limits ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2076).
|
||||
|
||||
## Breaking Changes & Upgrade Notes
|
||||
|
||||
* **[platform] Certificate issuer configuration parameters renamed**: The `publishing.certificates.issuerType` field is renamed to `publishing.certificates.solver`, and the value `cloudflare` is renamed to `dns01` to align with standard ACME terminology. A new `publishing.certificates.issuerName` field (default: `letsencrypt-prod`) is introduced to allow pointing all ingresses at a custom ClusterIssuer. Migration 32 is included and automatically converts existing configurations during upgrade — no manual action is required ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in #2077).
|
||||
|
||||
## Documentation
|
||||
|
||||
* **[website] Migrate ConfigMap references to Platform Package in v1 documentation**: Updated the entire v1 documentation tree to replace legacy ConfigMap-based configuration references with the new Platform Package API, ensuring guides are consistent with the v1 configuration model ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#426).
|
||||
|
||||
* **[website] Add generic Kubernetes deployment guide for v1**: Added a new installation guide covering Cozystack deployment on any generic Kubernetes cluster, expanding the set of supported deployment targets beyond provider-specific guides ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#408).
|
||||
|
||||
* **[website] Refactor resource planning documentation**: Improved the resource planning guide with a clearer structure and more comprehensive coverage of planning considerations for Cozystack deployments ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#423).
|
||||
|
||||
* **[website] Add ServiceAccount API access documentation and update FAQ**: Added a new article documenting ServiceAccount API access token configuration and updated the FAQ to include related troubleshooting guidance ([**@IvanStukov**](https://github.com/IvanStukov) in cozystack/website#421).
|
||||
|
||||
* **[website] Update networking-mesh allowed-location-ips example**: Replaced provider-specific CLI usage with standard `kubectl` commands in the multi-location networking guide's `allowed-location-ips` example, making the documentation more universally applicable ([**@kvaps**](https://github.com/kvaps) in cozystack/website#425).
|
||||
|
||||
## Contributors
|
||||
|
||||
We'd like to thank all contributors who made this release possible:
|
||||
|
||||
* [**@IvanHunters**](https://github.com/IvanHunters)
|
||||
* [**@IvanStukov**](https://github.com/IvanStukov)
|
||||
* [**@kvaps**](https://github.com/kvaps)
|
||||
* [**@lexfrei**](https://github.com/lexfrei)
|
||||
* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
|
||||
* [**@nbykov0**](https://github.com/nbykov0)
|
||||
* [**@sircthulhu**](https://github.com/sircthulhu)
|
||||
|
||||
### New Contributors
|
||||
|
||||
We're excited to welcome our first-time contributors:
|
||||
|
||||
* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil) - First contribution!
|
||||
|
||||
**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0-beta.6...v1.0.0-rc.1
|
||||
@@ -1,57 +0,0 @@
|
||||
<!--
|
||||
https://github.com/cozystack/cozystack/releases/tag/v1.0.0-rc.2
|
||||
-->
|
||||
|
||||
> **⚠️ Release Candidate Warning**: This is a release candidate intended for final validation before the stable v1.0.0 release. Breaking changes are not expected at this stage, but please test thoroughly before deploying to production.
|
||||
|
||||
## Features and Improvements
|
||||
|
||||
* **[keycloak] Allow custom Ingress hostname via values**: Added an `ingress.host` field to the cozy-keycloak chart values, allowing operators to override the default `keycloak.<root-host>` Ingress hostname. The custom hostname is applied to both the Ingress resource and the `KC_HOSTNAME` environment variable in the StatefulSet. When left empty, the original behavior is preserved (fully backward compatible) ([**@sircthulhu**](https://github.com/sircthulhu) in #2101).
|
||||
|
||||
## Fixes
|
||||
|
||||
* **[platform] Fix upgrade issues in migrations, etcd timeout, and migration script**: Fixed multiple upgrade failures discovered during v0.41.1 → v1.0 upgrade testing. Migration 26 now uses the `cozystack.io/ui=true` label (always present on v0.41.1) instead of the new label that depends on migration 22 having run, and adds robust Helm secret deletion with fallback and verification. Migrations 28 and 29 wrap `grep` calls to prevent `pipefail` exits and fix the reconcile annotation to use RFC3339 format. Migration 27 now skips missing CRDs and adds a name-pattern fallback for Helm secret deletion. The etcd HelmRelease timeout is increased from 10m to 30m to accommodate TLS cert rotation hooks. The `migrate-to-version-1.0.sh` script gains the missing `bundle-disable`, `bundle-enable`, `expose-ingress`, and `expose-services` field mappings ([**@kvaps**](https://github.com/kvaps) in #2096).
|
||||
|
||||
* **[platform] Fix orphaned -rd HelmReleases after application renames**: After the `ferretdb→mongodb`, `mysql→mariadb`, and `virtual-machine→vm-disk+vm-instance` renames, the system-level `-rd` HelmReleases in `cozy-system` (`ferretdb-rd`, `mysql-rd`, `virtual-machine-rd`) were left orphaned, referencing ExternalArtifacts that no longer exist and causing persistent reconciliation failures. Migrations 28 and 29 are updated to remove these resources, and migration 33 is added as a safety net for clusters that already passed those migrations ([**@kvaps**](https://github.com/kvaps) in #2102).
|
||||
|
||||
* **[monitoring-agents] Fix FQDN resolution regression in tenant workload clusters**: The fix introduced in #2075 used `_cluster.cluster-domain` references in `values.yaml`, but `_cluster` values are not accessible from Helm subchart contexts — meaning fluent-bit received empty hostnames and failed to forward logs. This PR replaces the `_cluster` references with a new `global.clusterDomain` variable (empty by default for management clusters, set to the cluster domain for tenant clusters), which is correctly shared with all subcharts ([**@kvaps**](https://github.com/kvaps) in #2086).
|
||||
|
||||
* **[dashboard] Fix legacy templating and cluster identifier in sidebar links**: Standardized the cluster identifier used across dashboard menu links, administration links, and API request paths, resolving incorrect or broken link targets for the Backups and External IPs sidebar sections ([**@androndo**](https://github.com/androndo) in #2093).
|
||||
|
||||
* **[dashboard] Fix backupjobs creation form and sidebar backup category identifier**: Fixed the backup job creation form configuration, adding the required Name, Namespace, Plan Name, Application, and Backup Class fields. Fixed the sidebar backup category identifier that was causing incorrect navigation ([**@androndo**](https://github.com/androndo) in #2103).
|
||||
|
||||
## Documentation
|
||||
|
||||
* **[website] Add Helm chart development principles guide**: Added a new developer guide section documenting Cozystack's four core Helm chart principles: easy upstream updates, local-first artifacts, local dev/test workflow, and no external dependencies ([**@kvaps**](https://github.com/kvaps) in cozystack/website#418).
|
||||
|
||||
* **[website] Add network architecture overview**: Added comprehensive network architecture documentation covering the multi-layered networking stack — MetalLB (L2/BGP), Cilium eBPF (kube-proxy replacement), Kube-OVN (centralized IPAM), and tenant isolation with identity-based eBPF policies — with Mermaid diagrams for all major traffic flows ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#422).
|
||||
|
||||
* **[website] Update documentation to use jsonpatch for service exposure**: Improved `kubectl patch` commands throughout installation and configuration guides to use JSON Patch `add` operations for extending arrays instead of replacing them wholesale, making the documented commands safer and more precise ([**@sircthulhu**](https://github.com/sircthulhu) in cozystack/website#427).
|
||||
|
||||
* **[website] Update certificates section in Platform Package documentation**: Updated the certificate configuration documentation to reflect the new `solver` and `issuerName` fields introduced in v1.0.0-rc.1, replacing the legacy `issuerType` references ([**@myasnikovdaniil**](https://github.com/myasnikovdaniil) in cozystack/website#429).
|
||||
|
||||
* **[website] Add tenant Kubernetes cluster log querying guide**: Added documentation for querying logs from tenant Kubernetes clusters in Grafana using VictoriaLogs labels (`tenant`, `kubernetes_namespace_name`, `kubernetes_pod_name`), including the `monitoringAgents` addon prerequisite and step-by-step filtering examples ([**@IvanHunters**](https://github.com/IvanHunters) in cozystack/website#430).
|
||||
|
||||
* **[website] Replace non-idempotent commands with idempotent alternatives**: Updated `helm install` to `helm upgrade --install`, `kubectl create -f` to `kubectl apply -f`, and `kubectl create ns` to the dry-run+apply pattern across all installation and deployment guides so commands can be safely re-run ([**@lexfrei**](https://github.com/lexfrei) in cozystack/website#431).
|
||||
|
||||
* **[website] Fix broken documentation links with `.md` suffix**: Fixed incorrect internal links with `.md` suffix across virtualization guides for both v0 and v1 documentation, standardizing link text to "Developer Guide" ([**@cheese**](https://github.com/cheese) in cozystack/website#432).
|
||||
|
||||
## Contributors
|
||||
|
||||
We'd like to thank all contributors who made this release possible:
|
||||
|
||||
* [**@androndo**](https://github.com/androndo)
|
||||
* [**@cheese**](https://github.com/cheese)
|
||||
* [**@IvanHunters**](https://github.com/IvanHunters)
|
||||
* [**@kvaps**](https://github.com/kvaps)
|
||||
* [**@lexfrei**](https://github.com/lexfrei)
|
||||
* [**@myasnikovdaniil**](https://github.com/myasnikovdaniil)
|
||||
* [**@sircthulhu**](https://github.com/sircthulhu)
|
||||
|
||||
### New Contributors
|
||||
|
||||
We're excited to welcome our first-time contributors:
|
||||
|
||||
* [**@cheese**](https://github.com/cheese) - First contribution!
|
||||
|
||||
**Full Changelog**: https://github.com/cozystack/cozystack/compare/v1.0.0-rc.1...v1.0.0-rc.2
|
||||
356
docs/proposals/affinity-class.md
Normal file
356
docs/proposals/affinity-class.md
Normal file
@@ -0,0 +1,356 @@
|
||||
# AffinityClass: Named Placement Classes for CozyStack Applications (Draft)
|
||||
|
||||
## Concept
|
||||
|
||||
Similar to StorageClass in Kubernetes, a new resource **AffinityClass** is introduced — a named abstraction over scheduling constraints. When creating an Application, the user selects an AffinityClass by name without knowing the details of the cluster topology.
|
||||
|
||||
```
|
||||
StorageClass → "which disk" → PV provisioning
|
||||
AffinityClass → "where to place" → Pod scheduling
|
||||
```
|
||||
|
||||
## Design
|
||||
|
||||
### 1. AffinityClass CRD
|
||||
|
||||
A cluster-scoped resource created by the platform administrator:
|
||||
|
||||
```yaml
|
||||
apiVersion: cozystack.io/v1alpha1
|
||||
kind: AffinityClass
|
||||
metadata:
|
||||
name: dc1
|
||||
spec:
|
||||
# nodeSelector that MUST be present on every pod of the application.
|
||||
# Used for validation by the lineage webhook.
|
||||
nodeSelector:
|
||||
topology.kubernetes.io/zone: dc1
|
||||
```
|
||||
|
||||
```yaml
|
||||
apiVersion: cozystack.io/v1alpha1
|
||||
kind: AffinityClass
|
||||
metadata:
|
||||
name: dc2
|
||||
spec:
|
||||
nodeSelector:
|
||||
topology.kubernetes.io/zone: dc2
|
||||
```
|
||||
|
||||
```yaml
|
||||
apiVersion: cozystack.io/v1alpha1
|
||||
kind: AffinityClass
|
||||
metadata:
|
||||
name: gpu
|
||||
spec:
|
||||
nodeSelector:
|
||||
node.kubernetes.io/gpu: "true"
|
||||
```
|
||||
|
||||
An AffinityClass contains a `nodeSelector` — a set of key=value pairs that must be present in `pod.spec.nodeSelector` on every pod of the application. This is a contract: the chart is responsible for setting these selectors, the webhook is responsible for verifying them.
|
||||
|
||||
### 2. Tenant: Restricting Available Classes
|
||||
|
||||
Tenant gets `allowedAffinityClasses` and `defaultAffinityClass` fields:
|
||||
|
||||
```yaml
|
||||
apiVersion: apps.cozystack.io/v1alpha1
|
||||
kind: Tenant
|
||||
metadata:
|
||||
name: acme
|
||||
namespace: tenant-root
|
||||
spec:
|
||||
defaultAffinityClass: dc1 # default class for applications
|
||||
allowedAffinityClasses: # which classes are allowed
|
||||
- dc1
|
||||
- dc2
|
||||
etcd: false
|
||||
ingress: true
|
||||
monitoring: false
|
||||
```
|
||||
|
||||
These values are propagated to the `cozystack-values` Secret in the child namespace:
|
||||
|
||||
```yaml
|
||||
# Secret cozystack-values in namespace tenant-acme
|
||||
stringData:
|
||||
values.yaml: |
|
||||
_cluster:
|
||||
# ... existing cluster config
|
||||
_namespace:
|
||||
# ... existing namespace config
|
||||
defaultAffinityClass: dc1
|
||||
allowedAffinityClasses:
|
||||
- dc1
|
||||
- dc2
|
||||
```
|
||||
|
||||
### 3. Application: Selecting a Class
|
||||
|
||||
Each application can specify an `affinityClass`. If not specified, the `defaultAffinityClass` from the tenant is used:
|
||||
|
||||
```yaml
|
||||
apiVersion: apps.cozystack.io/v1alpha1
|
||||
kind: Postgres
|
||||
metadata:
|
||||
name: main-db
|
||||
namespace: tenant-acme
|
||||
spec:
|
||||
affinityClass: dc1 # explicit selection
|
||||
replicas: 3
|
||||
```
|
||||
|
||||
```yaml
|
||||
apiVersion: apps.cozystack.io/v1alpha1
|
||||
kind: Redis
|
||||
metadata:
|
||||
name: cache
|
||||
namespace: tenant-acme
|
||||
spec:
|
||||
# affinityClass not specified → uses tenant's defaultAffinityClass (dc1)
|
||||
replicas: 2
|
||||
```
|
||||
|
||||
### 4. How affinityClass Reaches the HelmRelease
|
||||
|
||||
When creating an Application, the API server (`pkg/registry/apps/application/rest.go`):
|
||||
|
||||
1. Extracts `affinityClass` from `spec` (or uses the default from `cozystack-values`)
|
||||
2. Records `affinityClass` as a **label on the HelmRelease**:
|
||||
```
|
||||
apps.cozystack.io/affinity-class: dc1
|
||||
```
|
||||
3. Resolves AffinityClass to `nodeSelector` and passes it into HelmRelease values as `_scheduling`:
|
||||
```yaml
|
||||
_scheduling:
|
||||
affinityClass: dc1
|
||||
nodeSelector:
|
||||
topology.kubernetes.io/zone: dc1
|
||||
```
|
||||
|
||||
### 5. How Charts Apply Scheduling
|
||||
|
||||
A helper is added to `cozy-lib`:
|
||||
|
||||
```yaml
|
||||
{{- define "cozy-lib.scheduling.nodeSelector" -}}
|
||||
{{- if .Values._scheduling }}
|
||||
{{- if .Values._scheduling.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- .Values._scheduling.nodeSelector | toYaml | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
```
|
||||
|
||||
Each app chart uses the helper when rendering Pod/StatefulSet/Deployment specs:
|
||||
|
||||
```yaml
|
||||
# packages/apps/postgres/templates/db.yaml
|
||||
spec:
|
||||
instances: {{ .Values.replicas }}
|
||||
{{- include "cozy-lib.scheduling.nodeSelector" . | nindent 2 }}
|
||||
```
|
||||
|
||||
```yaml
|
||||
# packages/apps/redis/templates/redis.yaml
|
||||
spec:
|
||||
replicas: {{ .Values.replicas }}
|
||||
template:
|
||||
spec:
|
||||
{{- include "cozy-lib.scheduling.nodeSelector" . | nindent 6 }}
|
||||
```
|
||||
|
||||
Charts **must** apply `_scheduling.nodeSelector`. If they don't, pods will be rejected by the webhook.
|
||||
|
||||
---
|
||||
|
||||
## Validation via Lineage Webhook
|
||||
|
||||
### Why Validation, Not Mutation
|
||||
|
||||
Mutation (injecting nodeSelector into a pod) creates problems:
|
||||
- Requires merging with existing pod nodeSelector/affinity — complex logic with edge cases
|
||||
- Operators (CNPG, Strimzi) may overwrite nodeSelector on pod restart
|
||||
- Hidden behavior: pod is created with one spec but actually runs with another
|
||||
|
||||
Validation is simpler and more reliable:
|
||||
- Webhook checks: "does this pod **have** the required nodeSelector?"
|
||||
- If not, the pod is **rejected** with a clear error message
|
||||
- The chart and operator are responsible for setting the correct spec
|
||||
|
||||
### What Already Exists in the Lineage Webhook
|
||||
|
||||
The lineage webhook (`internal/lineagecontrollerwebhook/webhook.go`) on every Pod creation:
|
||||
|
||||
1. Decodes the Pod
|
||||
2. Walks the ownership graph (`lineage.WalkOwnershipGraph`) — finds the **owning HelmRelease**
|
||||
3. Extracts labels from the HelmRelease: `apps.cozystack.io/application.kind`, `.group`, `.name`
|
||||
4. Applies these labels to the Pod
|
||||
|
||||
**Key point:** the webhook already knows which HelmRelease owns each Pod.
|
||||
|
||||
### What Is Added
|
||||
|
||||
After computing lineage labels, a validation step is added:
|
||||
|
||||
```
|
||||
Handle(pod):
|
||||
1. [existing] computeLabels(pod) → finds owning HelmRelease
|
||||
2. [existing] applyLabels(pod, labels) → mutates labels
|
||||
3. [NEW] validateAffinity(pod, hr) → checks nodeSelector
|
||||
4. Return patch or Denied
|
||||
```
|
||||
|
||||
The `validateAffinity` logic:
|
||||
|
||||
```go
|
||||
func (h *LineageControllerWebhook) validateAffinity(
|
||||
ctx context.Context,
|
||||
pod *unstructured.Unstructured,
|
||||
hr *helmv2.HelmRelease,
|
||||
) *admission.Response {
|
||||
// 1. Extract affinityClass from HelmRelease label
|
||||
affinityClassName, ok := hr.Labels["apps.cozystack.io/affinity-class"]
|
||||
if !ok {
|
||||
return nil // no affinityClass — no validation needed
|
||||
}
|
||||
|
||||
// 2. Look up AffinityClass from cache
|
||||
affinityClass, ok := h.affinityClassMap[affinityClassName]
|
||||
if !ok {
|
||||
resp := admission.Denied(fmt.Sprintf(
|
||||
"AffinityClass %q not found", affinityClassName))
|
||||
return &resp
|
||||
}
|
||||
|
||||
// 3. Check pod's nodeSelector
|
||||
podNodeSelector := extractNodeSelector(pod) // from pod.spec.nodeSelector
|
||||
for key, expected := range affinityClass.Spec.NodeSelector {
|
||||
actual, exists := podNodeSelector[key]
|
||||
if !exists || actual != expected {
|
||||
resp := admission.Denied(fmt.Sprintf(
|
||||
"pod %s/%s belongs to application with AffinityClass %q "+
|
||||
"but missing required nodeSelector %s=%s",
|
||||
pod.GetNamespace(), pod.GetName(),
|
||||
affinityClassName, key, expected))
|
||||
return &resp
|
||||
}
|
||||
}
|
||||
|
||||
return nil // validation passed
|
||||
}
|
||||
```
|
||||
|
||||
### AffinityClass Caching
|
||||
|
||||
The lineage webhook controller already caches ApplicationDefinitions (`runtimeConfig.appCRDMap`). An AffinityClass cache is added in the same way:
|
||||
|
||||
```go
|
||||
type runtimeConfig struct {
|
||||
appCRDMap map[appRef]*cozyv1alpha1.ApplicationDefinition
|
||||
affinityClassMap map[string]*cozyv1alpha1.AffinityClass // NEW
|
||||
}
|
||||
```
|
||||
|
||||
The controller adds a watch on AffinityClass:
|
||||
|
||||
```go
|
||||
func (c *LineageControllerWebhook) SetupWithManagerAsController(mgr ctrl.Manager) error {
|
||||
return ctrl.NewControllerManagedBy(mgr).
|
||||
For(&cozyv1alpha1.ApplicationDefinition{}).
|
||||
Watches(&cozyv1alpha1.AffinityClass{}, &handler.EnqueueRequestForObject{}).
|
||||
Complete(c)
|
||||
}
|
||||
```
|
||||
|
||||
When an AffinityClass changes, the cache is rebuilt.
|
||||
|
||||
---
|
||||
|
||||
## End-to-End Flow
|
||||
|
||||
```
|
||||
1. Admin creates AffinityClass "dc1" (nodeSelector: zone=dc1)
|
||||
|
||||
2. Admin creates Tenant "acme" (defaultAffinityClass: dc1, allowed: [dc1, dc2])
|
||||
→ namespace tenant-acme
|
||||
→ cozystack-values Secret with defaultAffinityClass
|
||||
|
||||
3. User creates Postgres "main-db" (affinityClass: dc1)
|
||||
→ API server checks: dc1 ∈ allowedAffinityClasses? ✓
|
||||
→ API server resolves AffinityClass → nodeSelector
|
||||
→ HelmRelease is created with:
|
||||
- label: apps.cozystack.io/affinity-class=dc1
|
||||
- values: _scheduling.nodeSelector.topology.kubernetes.io/zone=dc1
|
||||
|
||||
4. FluxCD deploys HelmRelease → Helm renders the chart
|
||||
→ Chart uses cozy-lib helper
|
||||
→ CNPG Cluster is created with nodeSelector: {zone: dc1}
|
||||
|
||||
5. CNPG operator creates Pod
|
||||
→ Pod has nodeSelector: {zone: dc1}
|
||||
|
||||
6. Lineage webhook intercepts the Pod:
|
||||
a. WalkOwnershipGraph → finds HelmRelease "main-db"
|
||||
b. HelmRelease label → affinityClass=dc1
|
||||
c. AffinityClass "dc1" → nodeSelector: {zone: dc1}
|
||||
d. Checks: pod.spec.nodeSelector contains zone=dc1? ✓
|
||||
e. Admits Pod (+ standard lineage labels)
|
||||
|
||||
7. Scheduler places the Pod on a node in dc1
|
||||
```
|
||||
|
||||
### Error Scenario (chart forgot to apply nodeSelector):
|
||||
|
||||
```
|
||||
5. CNPG operator creates Pod WITHOUT nodeSelector
|
||||
|
||||
6. Lineage webhook:
|
||||
d. Checks: pod.spec.nodeSelector contains zone=dc1? ✗
|
||||
e. REJECTS Pod:
|
||||
"pod main-db-1 belongs to application with AffinityClass dc1
|
||||
but missing required nodeSelector topology.kubernetes.io/zone=dc1"
|
||||
|
||||
7. Pod is not created. CNPG operator sees the error and retries.
|
||||
→ Chart developer gets a signal that the chart does not support scheduling.
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Code Changes
|
||||
|
||||
### New Files
|
||||
|
||||
| File | Description |
|
||||
|------------------------------------------------------|-------------------------|
|
||||
| `api/v1alpha1/affinityclass_types.go` | AffinityClass CRD types |
|
||||
| `config/crd/bases/cozystack.io_affinityclasses.yaml` | CRD manifest |
|
||||
|
||||
### Modified Files
|
||||
|
||||
| File | Change |
|
||||
|-------------------------------------------------------|-------------------------------------------------------------------|
|
||||
| `internal/lineagecontrollerwebhook/webhook.go` | Add `validateAffinity()` to `Handle()` |
|
||||
| `internal/lineagecontrollerwebhook/config.go` | Add `affinityClassMap` to `runtimeConfig` |
|
||||
| `internal/lineagecontrollerwebhook/controller.go` | Add watch on AffinityClass |
|
||||
| `pkg/registry/apps/application/rest.go` | On Create/Update: resolve affinityClass, pass to values and label |
|
||||
| `packages/apps/tenant/values.yaml` | Add `defaultAffinityClass`, `allowedAffinityClasses` |
|
||||
| `packages/apps/tenant/templates/namespace.yaml` | Propagate to cozystack-values |
|
||||
| `packages/system/tenant-rd/cozyrds/tenant.yaml` | Extend OpenAPI schema |
|
||||
| `packages/library/cozy-lib/templates/_cozyconfig.tpl` | Add `cozy-lib.scheduling.nodeSelector` helper |
|
||||
| `packages/apps/*/templates/*.yaml` | Each app chart: add helper usage |
|
||||
|
||||
---
|
||||
|
||||
## Open Questions
|
||||
|
||||
1. **AffinityClass outside Tenants**: Should AffinityClass work for applications outside tenant namespaces (system namespace)? Or only for tenant workloads?
|
||||
|
||||
2. **affinityClass validation on Application creation**: The API server should verify that the specified affinityClass exists and is included in the tenant's `allowedAffinityClasses`. Where should this be done — in the REST handler (`rest.go`) or in a separate validating webhook?
|
||||
|
||||
3. **Soft mode (warn vs deny)**: Is a mode needed where the webhook issues a warning instead of rejecting? This would simplify gradual adoption while not all charts support `_scheduling`.
|
||||
|
||||
4. **affinityClass inheritance**: If a child Tenant does not specify `defaultAffinityClass`, should it be inherited from the parent? The current `cozystack-values` architecture supports this inheritance natively.
|
||||
|
||||
5. **Multiple nodeSelectors**: Is OR-logic support needed (pod can be in dc1 OR dc2)? With `nodeSelector` this is impossible — AffinityClass would need to be extended to `nodeAffinity`. However, validation becomes significantly more complex.
|
||||
@@ -86,18 +86,14 @@ EOF
|
||||
yq -i ".clusters[0].cluster.server = \"https://localhost:${port}\"" "tenantkubeconfig-${test_name}"
|
||||
|
||||
|
||||
# Kill any stale port-forward on this port from a previous retry
|
||||
pkill -f "port-forward.*${port}:" 2>/dev/null || true
|
||||
sleep 1
|
||||
|
||||
# Set up port forwarding to the Kubernetes API server
|
||||
# Set up port forwarding to the Kubernetes API server for a 200 second timeout
|
||||
bash -c 'timeout 500s kubectl port-forward service/kubernetes-'"${test_name}"' -n tenant-test '"${port}"':6443 > /dev/null 2>&1 &'
|
||||
# Verify the Kubernetes version matches what we expect (retry for up to 20 seconds)
|
||||
timeout 20 sh -ec 'until kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' version 2>/dev/null | grep -Fq "Server Version: ${k8s_version}"; do sleep 5; done'
|
||||
|
||||
# Wait for at least 2 nodes to join (timeout after 8 minutes)
|
||||
timeout 8m bash -c '
|
||||
until [ "$(kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -ge 2 ]; do
|
||||
# Wait for the nodes to be ready (timeout after 2 minutes)
|
||||
timeout 3m bash -c '
|
||||
until [ "$(kubectl --kubeconfig tenantkubeconfig-'"${test_name}"' get nodes -o jsonpath="{.items[*].metadata.name}" | wc -w)" -eq 2 ]; do
|
||||
sleep 2
|
||||
done
|
||||
'
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
}
|
||||
|
||||
@test "Install Cozystack" {
|
||||
# Install cozy-installer chart (operator installs CRDs on startup via --install-crds)
|
||||
# Install cozy-installer chart (CRDs from crds/ are applied automatically)
|
||||
helm upgrade installer packages/core/installer \
|
||||
--install \
|
||||
--namespace cozy-system \
|
||||
@@ -19,14 +19,6 @@
|
||||
# Verify the operator deployment is available
|
||||
kubectl wait deployment/cozystack-operator -n cozy-system --timeout=1m --for=condition=Available
|
||||
|
||||
# Wait for operator to install CRDs (happens at startup before reconcile loop).
|
||||
# kubectl wait fails immediately if the CRD does not exist yet, so poll until it appears first.
|
||||
timeout 120 sh -ec 'until kubectl wait crd/packages.cozystack.io --for=condition=Established --timeout=10s 2>/dev/null; do sleep 2; done'
|
||||
timeout 120 sh -ec 'until kubectl wait crd/packagesources.cozystack.io --for=condition=Established --timeout=10s 2>/dev/null; do sleep 2; done'
|
||||
|
||||
# Wait for operator to create the platform PackageSource
|
||||
timeout 120 sh -ec 'until kubectl get packagesource cozystack.cozystack-platform >/dev/null 2>&1; do sleep 2; done'
|
||||
|
||||
# Create platform Package with isp-full variant
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: cozystack.io/v1alpha1
|
||||
|
||||
@@ -32,54 +32,6 @@ if ! kubectl get namespace "$NAMESPACE" &> /dev/null; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Step 0: Annotate critical resources to prevent Helm from deleting them
|
||||
echo "Step 0: Protect critical resources from Helm deletion"
|
||||
echo ""
|
||||
echo "The following resources will be annotated with helm.sh/resource-policy=keep"
|
||||
echo "to prevent Helm from deleting them when the installer release is removed:"
|
||||
echo " - Namespace: $NAMESPACE"
|
||||
echo " - ConfigMap: $NAMESPACE/cozystack-version"
|
||||
echo ""
|
||||
read -p "Do you want to annotate these resources? (y/N) " -n 1 -r
|
||||
echo ""
|
||||
|
||||
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
||||
echo "Annotating namespace $NAMESPACE..."
|
||||
kubectl annotate namespace "$NAMESPACE" helm.sh/resource-policy=keep --overwrite
|
||||
echo "Annotating ConfigMap cozystack-version..."
|
||||
kubectl annotate configmap -n "$NAMESPACE" cozystack-version helm.sh/resource-policy=keep --overwrite 2>/dev/null || echo " ConfigMap cozystack-version not found, skipping."
|
||||
echo ""
|
||||
echo "Resources annotated successfully."
|
||||
else
|
||||
echo "WARNING: Skipping annotation. If you remove the Helm installer release,"
|
||||
echo "the namespace and its contents may be deleted!"
|
||||
fi
|
||||
echo ""
|
||||
|
||||
# Step 1: Check for cozy-proxy HelmRelease with conflicting releaseName
|
||||
# In v0.41.x, cozy-proxy was incorrectly configured with releaseName "cozystack",
|
||||
# which conflicts with the installer helm release name. If not suspended, cozy-proxy
|
||||
# HelmRelease will overwrite the installer release and delete cozystack-operator.
|
||||
COZY_PROXY_RELEASE_NAME=$(kubectl get hr -n "$NAMESPACE" cozy-proxy -o jsonpath='{.spec.releaseName}' 2>/dev/null || true)
|
||||
if [ "$COZY_PROXY_RELEASE_NAME" = "cozystack" ]; then
|
||||
echo "WARNING: HelmRelease cozy-proxy has releaseName 'cozystack', which conflicts"
|
||||
echo "with the installer release. It must be suspended before proceeding, otherwise"
|
||||
echo "it will overwrite the installer and delete cozystack-operator."
|
||||
echo ""
|
||||
read -p "Suspend HelmRelease cozy-proxy? (y/N) " -n 1 -r
|
||||
echo ""
|
||||
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
||||
kubectl -n "$NAMESPACE" patch hr cozy-proxy --type=merge --field-manager=flux-client-side-apply -p '{"spec":{"suspend":true}}'
|
||||
echo "HelmRelease cozy-proxy suspended."
|
||||
else
|
||||
echo "ERROR: Cannot proceed with conflicting cozy-proxy HelmRelease active."
|
||||
echo "Please suspend it manually:"
|
||||
echo " kubectl -n $NAMESPACE patch hr cozy-proxy --type=merge -p '{\"spec\":{\"suspend\":true}}'"
|
||||
exit 1
|
||||
fi
|
||||
echo ""
|
||||
fi
|
||||
|
||||
# Read ConfigMap cozystack
|
||||
echo "Reading ConfigMap cozystack..."
|
||||
COZYSTACK_CM=$(kubectl get configmap -n "$NAMESPACE" cozystack -o json 2>/dev/null || echo "{}")
|
||||
@@ -100,43 +52,6 @@ OIDC_ENABLED=$(echo "$COZYSTACK_CM" | jq -r '.data["oidc-enabled"] // "false"')
|
||||
KEYCLOAK_REDIRECTS=$(echo "$COZYSTACK_CM" | jq -r '.data["extra-keycloak-redirect-uri-for-dashboard"] // ""' )
|
||||
TELEMETRY_ENABLED=$(echo "$COZYSTACK_CM" | jq -r '.data["telemetry-enabled"] // "true"')
|
||||
BUNDLE_NAME=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-name"] // "paas-full"')
|
||||
BUNDLE_DISABLE=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-disable"] // ""')
|
||||
BUNDLE_ENABLE=$(echo "$COZYSTACK_CM" | jq -r '.data["bundle-enable"] // ""')
|
||||
EXPOSE_INGRESS=$(echo "$COZYSTACK_CM" | jq -r '.data["expose-ingress"] // "tenant-root"')
|
||||
EXPOSE_SERVICES=$(echo "$COZYSTACK_CM" | jq -r '.data["expose-services"] // ""')
|
||||
|
||||
# Certificate issuer configuration (old undocumented field: clusterissuer)
|
||||
OLD_CLUSTER_ISSUER=$(echo "$COZYSTACK_CM" | jq -r '.data["clusterissuer"] // ""')
|
||||
|
||||
# Convert old clusterissuer value to new solver/issuerName fields
|
||||
SOLVER=""
|
||||
ISSUER_NAME=""
|
||||
case "$OLD_CLUSTER_ISSUER" in
|
||||
cloudflare)
|
||||
SOLVER="dns01"
|
||||
ISSUER_NAME="letsencrypt-prod"
|
||||
;;
|
||||
http01)
|
||||
SOLVER="http01"
|
||||
ISSUER_NAME="letsencrypt-prod"
|
||||
;;
|
||||
"")
|
||||
# Field not set; omit from Package so chart defaults apply
|
||||
;;
|
||||
*)
|
||||
# Unrecognised value — treat as custom ClusterIssuer name with no solver override
|
||||
ISSUER_NAME="$OLD_CLUSTER_ISSUER"
|
||||
;;
|
||||
esac
|
||||
|
||||
# Build certificates YAML block (empty string when no override needed)
|
||||
if [ -n "$SOLVER" ] || [ -n "$ISSUER_NAME" ]; then
|
||||
CERTIFICATES_SECTION=" certificates:
|
||||
solver: \"${SOLVER}\"
|
||||
issuerName: \"${ISSUER_NAME}\""
|
||||
else
|
||||
CERTIFICATES_SECTION=""
|
||||
fi
|
||||
|
||||
# Network configuration
|
||||
POD_CIDR=$(echo "$COZYSTACK_CM" | jq -r '.data["ipv4-pod-cidr"] // "10.244.0.0/16"')
|
||||
@@ -151,24 +66,21 @@ else
|
||||
EXTERNAL_IPS=$(echo "$EXTERNAL_IPS" | sed 's/,/\n/g' | awk 'BEGIN{print}{print " - "$0}')
|
||||
fi
|
||||
|
||||
# Convert comma-separated lists to YAML arrays
|
||||
if [ -z "$BUNDLE_DISABLE" ]; then
|
||||
DISABLED_PACKAGES="[]"
|
||||
else
|
||||
DISABLED_PACKAGES=$(echo "$BUNDLE_DISABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print " - "$0}')
|
||||
fi
|
||||
|
||||
if [ -z "$BUNDLE_ENABLE" ]; then
|
||||
ENABLED_PACKAGES="[]"
|
||||
else
|
||||
ENABLED_PACKAGES=$(echo "$BUNDLE_ENABLE" | sed 's/,/\n/g' | awk 'BEGIN{print}{print " - "$0}')
|
||||
fi
|
||||
|
||||
if [ -z "$EXPOSE_SERVICES" ]; then
|
||||
EXPOSED_SERVICES_YAML="[]"
|
||||
else
|
||||
EXPOSED_SERVICES_YAML=$(echo "$EXPOSE_SERVICES" | sed 's/,/\n/g' | awk 'BEGIN{print}{print " - "$0}')
|
||||
fi
|
||||
# Determine bundle type
|
||||
case "$BUNDLE_NAME" in
|
||||
paas-full|distro-full)
|
||||
SYSTEM_ENABLED="true"
|
||||
SYSTEM_TYPE="full"
|
||||
;;
|
||||
paas-hosted|distro-hosted)
|
||||
SYSTEM_ENABLED="false"
|
||||
SYSTEM_TYPE="hosted"
|
||||
;;
|
||||
*)
|
||||
SYSTEM_ENABLED="false"
|
||||
SYSTEM_TYPE="hosted"
|
||||
;;
|
||||
esac
|
||||
|
||||
# Update bundle naming
|
||||
BUNDLE_NAME=$(echo "$BUNDLE_NAME" | sed 's/paas/isp/')
|
||||
@@ -196,8 +108,8 @@ echo " Root Host: $ROOT_HOST"
|
||||
echo " API Server Endpoint: $API_SERVER_ENDPOINT"
|
||||
echo " OIDC Enabled: $OIDC_ENABLED"
|
||||
echo " Bundle Name: $BUNDLE_NAME"
|
||||
echo " Certificate Solver: ${SOLVER:-http01 (default)}"
|
||||
echo " Issuer Name: ${ISSUER_NAME:-letsencrypt-prod (default)}"
|
||||
echo " System Enabled: $SYSTEM_ENABLED"
|
||||
echo " System Type: $SYSTEM_TYPE"
|
||||
echo ""
|
||||
|
||||
# Generate Package YAML
|
||||
@@ -213,8 +125,15 @@ spec:
|
||||
platform:
|
||||
values:
|
||||
bundles:
|
||||
disabledPackages: $DISABLED_PACKAGES
|
||||
enabledPackages: $ENABLED_PACKAGES
|
||||
system:
|
||||
enabled: $SYSTEM_ENABLED
|
||||
type: "$SYSTEM_TYPE"
|
||||
iaas:
|
||||
enabled: true
|
||||
paas:
|
||||
enabled: true
|
||||
naas:
|
||||
enabled: true
|
||||
networking:
|
||||
clusterDomain: "$CLUSTER_DOMAIN"
|
||||
podCIDR: "$POD_CIDR"
|
||||
@@ -223,11 +142,8 @@ spec:
|
||||
joinCIDR: "$JOIN_CIDR"
|
||||
publishing:
|
||||
host: "$ROOT_HOST"
|
||||
ingressName: "$EXPOSE_INGRESS"
|
||||
exposedServices: $EXPOSED_SERVICES_YAML
|
||||
apiServerEndpoint: "$API_SERVER_ENDPOINT"
|
||||
externalIPs: $EXTERNAL_IPS
|
||||
${CERTIFICATES_SECTION}
|
||||
authentication:
|
||||
oidc:
|
||||
enabled: $OIDC_ENABLED
|
||||
|
||||
@@ -24,7 +24,8 @@ API_KNOWN_VIOLATIONS_DIR="${API_KNOWN_VIOLATIONS_DIR:-"${SCRIPT_ROOT}/api/api-ru
|
||||
UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS:-true}"
|
||||
CONTROLLER_GEN="go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.4"
|
||||
TMPDIR=$(mktemp -d)
|
||||
OPERATOR_CRDDIR=internal/crdinstall/manifests
|
||||
OPERATOR_CRDDIR=packages/core/installer/crds
|
||||
OPERATOR_EMBEDDIR=internal/crdinstall/manifests
|
||||
COZY_CONTROLLER_CRDDIR=packages/system/cozystack-controller/definitions
|
||||
COZY_RD_CRDDIR=packages/system/application-definition-crd/definition
|
||||
BACKUPS_CORE_CRDDIR=packages/system/backup-controller/definitions
|
||||
@@ -73,6 +74,9 @@ $CONTROLLER_GEN rbac:roleName=manager-role crd paths="./api/..." output:crd:arti
|
||||
mv ${TMPDIR}/cozystack.io_packages.yaml ${OPERATOR_CRDDIR}/cozystack.io_packages.yaml
|
||||
mv ${TMPDIR}/cozystack.io_packagesources.yaml ${OPERATOR_CRDDIR}/cozystack.io_packagesources.yaml
|
||||
|
||||
cp ${OPERATOR_CRDDIR}/cozystack.io_packages.yaml ${OPERATOR_EMBEDDIR}/cozystack.io_packages.yaml
|
||||
cp ${OPERATOR_CRDDIR}/cozystack.io_packagesources.yaml ${OPERATOR_EMBEDDIR}/cozystack.io_packagesources.yaml
|
||||
|
||||
mv ${TMPDIR}/cozystack.io_applicationdefinitions.yaml \
|
||||
${COZY_RD_CRDDIR}/cozystack.io_applicationdefinitions.yaml
|
||||
|
||||
|
||||
@@ -156,7 +156,7 @@ menuItems = append(menuItems, map[string]any{
|
||||
map[string]any{
|
||||
"key": "{plural}",
|
||||
"label": "{ResourceLabel}",
|
||||
"link": "/openapi-ui/{cluster}/{namespace}/api-table/{group}/{version}/{plural}",
|
||||
"link": "/openapi-ui/{clusterName}/{namespace}/api-table/{group}/{version}/{plural}",
|
||||
},
|
||||
},
|
||||
}),
|
||||
@@ -174,7 +174,7 @@ menuItems = append(menuItems, map[string]any{
|
||||
|
||||
**Important Notes**:
|
||||
- The sidebar tag (`{lowercase-kind}-sidebar`) must match what the Factory uses
|
||||
- The link format: `/openapi-ui/{cluster}/{namespace}/api-table/{group}/{version}/{plural}`
|
||||
- The link format: `/openapi-ui/{clusterName}/{namespace}/api-table/{group}/{version}/{plural}`
|
||||
- All sidebars share the same `keysAndTags` and `menuItems`, so changes affect all sidebar instances
|
||||
|
||||
### Step 4: Verify Integration
|
||||
|
||||
@@ -46,11 +46,8 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
|
||||
}
|
||||
}
|
||||
|
||||
// Parse OpenAPI schema once for reuse
|
||||
l := log.FromContext(ctx)
|
||||
openAPIProps := parseOpenAPIProperties(crd.Spec.Application.OpenAPISchema)
|
||||
|
||||
// Build schema with multilineString for string fields without enum
|
||||
l := log.FromContext(ctx)
|
||||
schema, err := buildMultilineStringSchema(crd.Spec.Application.OpenAPISchema)
|
||||
if err != nil {
|
||||
// If schema parsing fails, log the error and use an empty schema
|
||||
@@ -58,9 +55,6 @@ func (m *Manager) ensureCustomFormsOverride(ctx context.Context, crd *cozyv1alph
|
||||
schema = map[string]any{}
|
||||
}
|
||||
|
||||
// Override specific fields with API-backed dropdowns (listInput type)
|
||||
applyListInputOverrides(schema, kind, openAPIProps)
|
||||
|
||||
spec := map[string]any{
|
||||
"customizationId": customizationID,
|
||||
"hidden": hidden,
|
||||
@@ -182,102 +176,6 @@ func buildMultilineStringSchema(openAPISchema string) (map[string]any, error) {
|
||||
return schema, nil
|
||||
}
|
||||
|
||||
// applyListInputOverrides injects listInput type overrides into the schema
|
||||
// for fields that should be rendered as API-backed dropdowns in the dashboard.
|
||||
// openAPIProps are the parsed top-level properties from the OpenAPI schema.
|
||||
func applyListInputOverrides(schema map[string]any, kind string, openAPIProps map[string]any) {
|
||||
switch kind {
|
||||
case "VMInstance":
|
||||
specProps := ensureSchemaPath(schema, "spec")
|
||||
field := map[string]any{
|
||||
"type": "listInput",
|
||||
"customProps": map[string]any{
|
||||
"valueUri": "/api/clusters/{cluster}/k8s/apis/instancetype.kubevirt.io/v1beta1/virtualmachineclusterinstancetypes",
|
||||
"keysToValue": []any{"metadata", "name"},
|
||||
"keysToLabel": []any{"metadata", "name"},
|
||||
"allowEmpty": true,
|
||||
},
|
||||
}
|
||||
if prop, _ := openAPIProps["instanceType"].(map[string]any); prop != nil {
|
||||
if def := prop["default"]; def != nil {
|
||||
field["default"] = def
|
||||
}
|
||||
}
|
||||
specProps["instanceType"] = field
|
||||
|
||||
// Override disks[].name to be an API-backed dropdown listing VMDisk resources
|
||||
disksItemProps := ensureArrayItemProps(specProps, "disks")
|
||||
disksItemProps["name"] = map[string]any{
|
||||
"type": "listInput",
|
||||
"customProps": map[string]any{
|
||||
"valueUri": "/api/clusters/{cluster}/k8s/apis/apps.cozystack.io/v1alpha1/namespaces/{namespace}/vmdisks",
|
||||
"keysToValue": []any{"metadata", "name"},
|
||||
"keysToLabel": []any{"metadata", "name"},
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// ensureArrayItemProps ensures that parentProps[fieldName].items.properties exists
|
||||
// and returns the items properties map. Used for overriding fields inside array items.
|
||||
func ensureArrayItemProps(parentProps map[string]any, fieldName string) map[string]any {
|
||||
field, ok := parentProps[fieldName].(map[string]any)
|
||||
if !ok {
|
||||
field = map[string]any{}
|
||||
parentProps[fieldName] = field
|
||||
}
|
||||
items, ok := field["items"].(map[string]any)
|
||||
if !ok {
|
||||
items = map[string]any{}
|
||||
field["items"] = items
|
||||
}
|
||||
props, ok := items["properties"].(map[string]any)
|
||||
if !ok {
|
||||
props = map[string]any{}
|
||||
items["properties"] = props
|
||||
}
|
||||
return props
|
||||
}
|
||||
|
||||
// parseOpenAPIProperties parses the top-level properties from an OpenAPI schema JSON string.
|
||||
func parseOpenAPIProperties(openAPISchema string) map[string]any {
|
||||
if openAPISchema == "" {
|
||||
return nil
|
||||
}
|
||||
var root map[string]any
|
||||
if err := json.Unmarshal([]byte(openAPISchema), &root); err != nil {
|
||||
return nil
|
||||
}
|
||||
props, _ := root["properties"].(map[string]any)
|
||||
return props
|
||||
}
|
||||
|
||||
// ensureSchemaPath ensures the nested properties structure exists in a schema
|
||||
// and returns the innermost properties map.
|
||||
// e.g. ensureSchemaPath(schema, "spec") returns schema["properties"]["spec"]["properties"]
|
||||
func ensureSchemaPath(schema map[string]any, segments ...string) map[string]any {
|
||||
current := schema
|
||||
for _, seg := range segments {
|
||||
props, ok := current["properties"].(map[string]any)
|
||||
if !ok {
|
||||
props = map[string]any{}
|
||||
current["properties"] = props
|
||||
}
|
||||
child, ok := props[seg].(map[string]any)
|
||||
if !ok {
|
||||
child = map[string]any{}
|
||||
props[seg] = child
|
||||
}
|
||||
current = child
|
||||
}
|
||||
props, ok := current["properties"].(map[string]any)
|
||||
if !ok {
|
||||
props = map[string]any{}
|
||||
current["properties"] = props
|
||||
}
|
||||
return props
|
||||
}
|
||||
|
||||
// processSpecProperties recursively processes spec properties and adds multilineString type
|
||||
// for string fields without enum
|
||||
func processSpecProperties(props map[string]any, schemaProps map[string]any) {
|
||||
|
||||
@@ -169,235 +169,3 @@ func TestBuildMultilineStringSchemaInvalidJSON(t *testing.T) {
|
||||
t.Errorf("Expected nil schema for invalid JSON, got %v", schema)
|
||||
}
|
||||
}
|
||||
|
||||
func TestApplyListInputOverrides_VMInstance(t *testing.T) {
|
||||
openAPIProps := map[string]any{
|
||||
"instanceType": map[string]any{"type": "string", "default": "u1.medium"},
|
||||
}
|
||||
|
||||
schema := map[string]any{}
|
||||
applyListInputOverrides(schema, "VMInstance", openAPIProps)
|
||||
|
||||
specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
|
||||
instanceType, ok := specProps["instanceType"].(map[string]any)
|
||||
if !ok {
|
||||
t.Fatal("instanceType not found in schema.properties.spec.properties")
|
||||
}
|
||||
|
||||
if instanceType["type"] != "listInput" {
|
||||
t.Errorf("expected type listInput, got %v", instanceType["type"])
|
||||
}
|
||||
|
||||
if instanceType["default"] != "u1.medium" {
|
||||
t.Errorf("expected default u1.medium, got %v", instanceType["default"])
|
||||
}
|
||||
|
||||
customProps, ok := instanceType["customProps"].(map[string]any)
|
||||
if !ok {
|
||||
t.Fatal("customProps not found")
|
||||
}
|
||||
|
||||
expectedURI := "/api/clusters/{cluster}/k8s/apis/instancetype.kubevirt.io/v1beta1/virtualmachineclusterinstancetypes"
|
||||
if customProps["valueUri"] != expectedURI {
|
||||
t.Errorf("expected valueUri %s, got %v", expectedURI, customProps["valueUri"])
|
||||
}
|
||||
|
||||
if customProps["allowEmpty"] != true {
|
||||
t.Errorf("expected allowEmpty true, got %v", customProps["allowEmpty"])
|
||||
}
|
||||
|
||||
// Check disks[].name is a listInput
|
||||
disks, ok := specProps["disks"].(map[string]any)
|
||||
if !ok {
|
||||
t.Fatal("disks not found in schema.properties.spec.properties")
|
||||
}
|
||||
items, ok := disks["items"].(map[string]any)
|
||||
if !ok {
|
||||
t.Fatal("disks.items not found")
|
||||
}
|
||||
itemProps, ok := items["properties"].(map[string]any)
|
||||
if !ok {
|
||||
t.Fatal("disks.items.properties not found")
|
||||
}
|
||||
diskName, ok := itemProps["name"].(map[string]any)
|
||||
if !ok {
|
||||
t.Fatal("disks.items.properties.name not found")
|
||||
}
|
||||
if diskName["type"] != "listInput" {
|
||||
t.Errorf("expected disks name type listInput, got %v", diskName["type"])
|
||||
}
|
||||
diskCustomProps, ok := diskName["customProps"].(map[string]any)
|
||||
if !ok {
|
||||
t.Fatal("disks name customProps not found")
|
||||
}
|
||||
expectedDiskURI := "/api/clusters/{cluster}/k8s/apis/apps.cozystack.io/v1alpha1/namespaces/{namespace}/vmdisks"
|
||||
if diskCustomProps["valueUri"] != expectedDiskURI {
|
||||
t.Errorf("expected disks valueUri %s, got %v", expectedDiskURI, diskCustomProps["valueUri"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestApplyListInputOverrides_UnknownKind(t *testing.T) {
|
||||
schema := map[string]any{}
|
||||
applyListInputOverrides(schema, "SomeOtherKind", map[string]any{})
|
||||
|
||||
if len(schema) != 0 {
|
||||
t.Errorf("expected empty schema for unknown kind, got %v", schema)
|
||||
}
|
||||
}
|
||||
|
||||
func TestApplyListInputOverrides_NoDefault(t *testing.T) {
|
||||
openAPIProps := map[string]any{
|
||||
"instanceType": map[string]any{"type": "string"},
|
||||
}
|
||||
|
||||
schema := map[string]any{}
|
||||
applyListInputOverrides(schema, "VMInstance", openAPIProps)
|
||||
|
||||
specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
|
||||
instanceType := specProps["instanceType"].(map[string]any)
|
||||
|
||||
if _, exists := instanceType["default"]; exists {
|
||||
t.Errorf("expected no default key, got %v", instanceType["default"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestApplyListInputOverrides_MergesWithExistingSchema(t *testing.T) {
|
||||
openAPIProps := map[string]any{
|
||||
"instanceType": map[string]any{"type": "string", "default": "u1.medium"},
|
||||
}
|
||||
|
||||
// Simulate schema that already has spec.properties from buildMultilineStringSchema
|
||||
schema := map[string]any{
|
||||
"properties": map[string]any{
|
||||
"spec": map[string]any{
|
||||
"properties": map[string]any{
|
||||
"otherField": map[string]any{"type": "multilineString"},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
applyListInputOverrides(schema, "VMInstance", openAPIProps)
|
||||
|
||||
specProps := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)
|
||||
|
||||
// instanceType should be added
|
||||
if _, ok := specProps["instanceType"].(map[string]any); !ok {
|
||||
t.Fatal("instanceType not found after override")
|
||||
}
|
||||
|
||||
// otherField should be preserved
|
||||
otherField, ok := specProps["otherField"].(map[string]any)
|
||||
if !ok {
|
||||
t.Fatal("otherField was lost after override")
|
||||
}
|
||||
if otherField["type"] != "multilineString" {
|
||||
t.Errorf("otherField type changed, got %v", otherField["type"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestParseOpenAPIProperties(t *testing.T) {
|
||||
t.Run("extracts properties", func(t *testing.T) {
|
||||
props := parseOpenAPIProperties(`{"type":"object","properties":{"instanceType":{"type":"string","default":"u1.medium"}}}`)
|
||||
field, _ := props["instanceType"].(map[string]any)
|
||||
if field["default"] != "u1.medium" {
|
||||
t.Errorf("expected default u1.medium, got %v", field["default"])
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("empty string", func(t *testing.T) {
|
||||
if props := parseOpenAPIProperties(""); props != nil {
|
||||
t.Errorf("expected nil, got %v", props)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("invalid JSON", func(t *testing.T) {
|
||||
if props := parseOpenAPIProperties("{bad"); props != nil {
|
||||
t.Errorf("expected nil, got %v", props)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("no properties key", func(t *testing.T) {
|
||||
if props := parseOpenAPIProperties(`{"type":"object"}`); props != nil {
|
||||
t.Errorf("expected nil, got %v", props)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func TestEnsureSchemaPath(t *testing.T) {
|
||||
t.Run("creates path from empty schema", func(t *testing.T) {
|
||||
schema := map[string]any{}
|
||||
props := ensureSchemaPath(schema, "spec")
|
||||
|
||||
props["field"] = "value"
|
||||
|
||||
// Verify structure: schema.properties.spec.properties.field
|
||||
got := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)["field"]
|
||||
if got != "value" {
|
||||
t.Errorf("expected value, got %v", got)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("preserves existing nested properties", func(t *testing.T) {
|
||||
schema := map[string]any{
|
||||
"properties": map[string]any{
|
||||
"spec": map[string]any{
|
||||
"properties": map[string]any{
|
||||
"existing": "keep",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
props := ensureSchemaPath(schema, "spec")
|
||||
|
||||
if props["existing"] != "keep" {
|
||||
t.Errorf("existing property lost, got %v", props["existing"])
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("multi-level path", func(t *testing.T) {
|
||||
schema := map[string]any{}
|
||||
props := ensureSchemaPath(schema, "spec", "nested")
|
||||
|
||||
props["deep"] = true
|
||||
|
||||
got := schema["properties"].(map[string]any)["spec"].(map[string]any)["properties"].(map[string]any)["nested"].(map[string]any)["properties"].(map[string]any)["deep"]
|
||||
if got != true {
|
||||
t.Errorf("expected true, got %v", got)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func TestEnsureArrayItemProps(t *testing.T) {
|
||||
t.Run("creates from empty parent", func(t *testing.T) {
|
||||
parent := map[string]any{}
|
||||
props := ensureArrayItemProps(parent, "disks")
|
||||
|
||||
props["name"] = map[string]any{"type": "listInput"}
|
||||
|
||||
got := parent["disks"].(map[string]any)["items"].(map[string]any)["properties"].(map[string]any)["name"].(map[string]any)["type"]
|
||||
if got != "listInput" {
|
||||
t.Errorf("expected listInput, got %v", got)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("preserves existing item properties", func(t *testing.T) {
|
||||
parent := map[string]any{
|
||||
"disks": map[string]any{
|
||||
"items": map[string]any{
|
||||
"properties": map[string]any{
|
||||
"bus": map[string]any{"type": "string"},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
props := ensureArrayItemProps(parent, "disks")
|
||||
props["name"] = map[string]any{"type": "listInput"}
|
||||
|
||||
if props["bus"].(map[string]any)["type"] != "string" {
|
||||
t.Error("existing bus property was lost")
|
||||
}
|
||||
if props["name"].(map[string]any)["type"] != "listInput" {
|
||||
t.Error("name property was not added")
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
@@ -582,14 +582,15 @@ type factoryFlags struct {
|
||||
Secrets bool
|
||||
}
|
||||
|
||||
// factoryFeatureFlags determines which tabs to show based on whether the
|
||||
// ApplicationDefinition has non-empty Include resource selectors.
|
||||
// Workloads tab is always shown.
|
||||
// factoryFeatureFlags tries several conventional locations so you can evolve the API
|
||||
// without breaking the controller. Defaults are false (hidden).
|
||||
func factoryFeatureFlags(crd *cozyv1alpha1.ApplicationDefinition) factoryFlags {
|
||||
return factoryFlags{
|
||||
Workloads: true,
|
||||
Ingresses: len(crd.Spec.Ingresses.Include) > 0,
|
||||
Services: len(crd.Spec.Services.Include) > 0,
|
||||
Secrets: len(crd.Spec.Secrets.Include) > 0,
|
||||
}
|
||||
var f factoryFlags
|
||||
|
||||
f.Workloads = true
|
||||
f.Ingresses = true
|
||||
f.Services = true
|
||||
f.Secrets = true
|
||||
|
||||
return f
|
||||
}
|
||||
|
||||
@@ -299,6 +299,10 @@ func (m *Manager) buildExpectedResourceSet(crds []cozyv1alpha1.ApplicationDefini
|
||||
|
||||
// Add other stock sidebars that are created for each CRD
|
||||
stockSidebars := []string{
|
||||
"stock-instance-api-form",
|
||||
"stock-instance-api-table",
|
||||
"stock-instance-builtin-form",
|
||||
"stock-instance-builtin-table",
|
||||
"stock-project-factory-marketplace",
|
||||
"stock-project-factory-workloadmonitor-details",
|
||||
"stock-project-api-form",
|
||||
@@ -307,10 +311,6 @@ func (m *Manager) buildExpectedResourceSet(crds []cozyv1alpha1.ApplicationDefini
|
||||
"stock-project-builtin-table",
|
||||
"stock-project-crd-form",
|
||||
"stock-project-crd-table",
|
||||
"stock-instance-api-form",
|
||||
"stock-instance-api-table",
|
||||
"stock-instance-builtin-form",
|
||||
"stock-instance-builtin-table",
|
||||
}
|
||||
for _, sidebarID := range stockSidebars {
|
||||
expected["Sidebar"][sidebarID] = true
|
||||
|
||||
@@ -17,7 +17,8 @@ import (
|
||||
|
||||
// ensureSidebar creates/updates multiple Sidebar resources that share the same menu:
|
||||
// - The "details" sidebar tied to the current kind (stock-project-factory-<kind>-details)
|
||||
// - The stock-project sidebars: api-form, api-table, builtin-form, builtin-table, crd-form, crd-table
|
||||
// - The stock-instance sidebars: api-form, api-table, builtin-form, builtin-table
|
||||
// - The stock-project sidebars: api-form, api-table, builtin-form, builtin-table, crd-form, crd-table
|
||||
//
|
||||
// Menu rules:
|
||||
// - The first section is "Marketplace" with two hardcoded entries:
|
||||
@@ -175,23 +176,23 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
|
||||
|
||||
// Add hardcoded Backups section
|
||||
menuItems = append(menuItems, map[string]any{
|
||||
"key": "backups-category",
|
||||
"key": "backups",
|
||||
"label": "Backups",
|
||||
"children": []any{
|
||||
map[string]any{
|
||||
"key": "plans",
|
||||
"label": "Plans",
|
||||
"link": "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/plans",
|
||||
"link": "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/plans",
|
||||
},
|
||||
map[string]any{
|
||||
"key": "backupjobs",
|
||||
"label": "BackupJobs",
|
||||
"link": "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backupjobs",
|
||||
"link": "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backupjobs",
|
||||
},
|
||||
map[string]any{
|
||||
"key": "backups",
|
||||
"label": "Backups",
|
||||
"link": "/openapi-ui/{cluster}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backups",
|
||||
"link": "/openapi-ui/{clusterName}/{namespace}/api-table/backups.cozystack.io/v1alpha1/backups",
|
||||
},
|
||||
},
|
||||
})
|
||||
@@ -214,7 +215,7 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
|
||||
map[string]any{
|
||||
"key": "loadbalancer-services",
|
||||
"label": "External IPs",
|
||||
"link": "/openapi-ui/{cluster}/{namespace}/factory/external-ips",
|
||||
"link": "/openapi-ui/{clusterName}/{namespace}/factory/external-ips",
|
||||
},
|
||||
map[string]any{
|
||||
"key": "tenants",
|
||||
@@ -227,7 +228,13 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
|
||||
// 6) Prepare the list of Sidebar IDs to upsert with the SAME content
|
||||
// Create sidebars for ALL CRDs with dashboard config
|
||||
targetIDs := []string{
|
||||
// stock-project sidebars (namespace-level, full menu)
|
||||
// stock-instance sidebars
|
||||
"stock-instance-api-form",
|
||||
"stock-instance-api-table",
|
||||
"stock-instance-builtin-form",
|
||||
"stock-instance-builtin-table",
|
||||
|
||||
// stock-project sidebars
|
||||
"stock-project-factory-marketplace",
|
||||
"stock-project-factory-workloadmonitor-details",
|
||||
"stock-project-factory-kube-service-details",
|
||||
@@ -243,11 +250,6 @@ func (m *Manager) ensureSidebar(ctx context.Context, crd *cozyv1alpha1.Applicati
|
||||
"stock-project-builtin-table",
|
||||
"stock-project-crd-form",
|
||||
"stock-project-crd-table",
|
||||
// stock-instance sidebars (namespace-level pages after namespace is selected)
|
||||
"stock-instance-api-form",
|
||||
"stock-instance-api-table",
|
||||
"stock-instance-builtin-form",
|
||||
"stock-instance-builtin-table",
|
||||
}
|
||||
|
||||
// Add details sidebars for all CRDs with dashboard config
|
||||
|
||||
@@ -505,7 +505,7 @@ func CreateAllCustomFormsOverrides() []*dashboardv1alpha1.CustomFormsOverride {
|
||||
createFormItem("spec.applicationRef.name", "Application Name", "text"),
|
||||
createFormItemWithAPI("spec.backupClassName", "Backup Class", "select", map[string]any{
|
||||
"api": map[string]any{
|
||||
"fetchUrl": "/api/clusters/{cluster}/k8s/apis/backups.cozystack.io/v1alpha1/backupclasses",
|
||||
"fetchUrl": "/api/clusters/{clusterName}/k8s/apis/backups.cozystack.io/v1alpha1/backupclasses",
|
||||
"pathToItems": []any{"items"},
|
||||
"pathToValue": []any{"metadata", "name"},
|
||||
"pathToLabel": []any{"metadata", "name"},
|
||||
@@ -516,27 +516,6 @@ func CreateAllCustomFormsOverrides() []*dashboardv1alpha1.CustomFormsOverride {
|
||||
createFormItem("spec.schedule.cron", "Schedule Cron", "text"),
|
||||
},
|
||||
}),
|
||||
|
||||
// BackupJobs form override - backups.cozystack.io/v1alpha1
|
||||
createCustomFormsOverride("default-/backups.cozystack.io/v1alpha1/backupjobs", map[string]any{
|
||||
"formItems": []any{
|
||||
createFormItem("metadata.name", "Name", "text"),
|
||||
createFormItem("metadata.namespace", "Namespace", "text"),
|
||||
createFormItem("spec.planRef.name", "Plan Name (optional)", "text"),
|
||||
createFormItem("spec.applicationRef.apiGroup", "Application API Group", "text"),
|
||||
createFormItem("spec.applicationRef.kind", "Application Kind", "text"),
|
||||
createFormItem("spec.applicationRef.name", "Application Name", "text"),
|
||||
createFormItemWithAPI("spec.backupClassName", "Backup Class", "select", map[string]any{
|
||||
"api": map[string]any{
|
||||
"fetchUrl": "/api/clusters/{cluster}/k8s/apis/backups.cozystack.io/v1alpha1/backupclasses",
|
||||
"pathToItems": []any{"items"},
|
||||
"pathToValue": []any{"metadata", "name"},
|
||||
"pathToLabel": []any{"metadata", "name"},
|
||||
"clusterNameVar": "clusterName",
|
||||
},
|
||||
}),
|
||||
},
|
||||
}),
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1,8 +1,7 @@
|
||||
{{- $ingress := .Values._namespace.ingress }}
|
||||
{{- $host := .Values._namespace.host }}
|
||||
{{- $harborHost := .Values.host | default (printf "%s.%s" .Release.Name $host) }}
|
||||
{{- $solver := (index .Values._cluster "solver") | default "http01" }}
|
||||
{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
|
||||
{{- $issuerType := (index .Values._cluster "clusterissuer") | default "http01" }}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
@@ -14,10 +13,10 @@ metadata:
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "900"
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
||||
{{- if eq $solver "http01" }}
|
||||
{{- if ne $issuerType "cloudflare" }}
|
||||
acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
|
||||
{{- end }}
|
||||
cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
spec:
|
||||
ingressClassName: {{ $ingress }}
|
||||
tls:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
KUBERNETES_VERSION = v1.35
|
||||
KUBERNETES_VERSION = v1.33
|
||||
KUBERNETES_PKG_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
|
||||
|
||||
include ../../../hack/common-envs.mk
|
||||
|
||||
@@ -104,7 +104,7 @@ See the reference for components utilized in this service:
|
||||
| `nodeGroups[name].resources.memory` | Memory (RAM) available. | `quantity` | `""` |
|
||||
| `nodeGroups[name].gpus` | List of GPUs to attach (NVIDIA driver requires at least 4 GiB RAM). | `[]object` | `[]` |
|
||||
| `nodeGroups[name].gpus[i].name` | Name of GPU, such as "nvidia.com/AD102GL_L40S". | `string` | `""` |
|
||||
| `version` | Kubernetes major.minor version to deploy | `string` | `v1.35` |
|
||||
| `version` | Kubernetes major.minor version to deploy | `string` | `v1.33` |
|
||||
| `host` | External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty. | `string` | `""` |
|
||||
|
||||
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
# Konnectivity proxy version overrides per Kubernetes minor version.
|
||||
# When empty or absent, Kamaji auto-derives v0.{minor}.0 from the Kubernetes version.
|
||||
# Add entries here only when the auto-derived image tag does not exist in the registry.
|
||||
"v1.35": "v0.34.0"
|
||||
@@ -1,6 +1,6 @@
|
||||
"v1.35": "v1.35.1"
|
||||
"v1.34": "v1.34.4"
|
||||
"v1.33": "v1.33.8"
|
||||
"v1.32": "v1.32.12"
|
||||
"v1.33": "v1.33.0"
|
||||
"v1.32": "v1.32.10"
|
||||
"v1.31": "v1.31.14"
|
||||
"v1.30": "v1.30.14"
|
||||
"v1.29": "v1.29.15"
|
||||
"v1.28": "v1.28.15"
|
||||
|
||||
@@ -1 +1 @@
|
||||
ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:3753b735b0315bee90de54cb25cfebc63bd2cc90ad11ca4fdc0e70439abd5096
|
||||
ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:7deeee117e7eec599cb453836ca95eadd131dfc8c875dc457ef29dc1433395e0
|
||||
|
||||
@@ -1 +1 @@
|
||||
ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:434aa3b8e2a3cbf6681426b174e1c4fde23bafd12a6cccd046b5cb1749092ec4
|
||||
ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:604561e23df1b8eb25c24cf73fd93c7aaa6d1e7c56affbbda5c6f0f83424e4b1
|
||||
|
||||
@@ -1 +1 @@
|
||||
ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.35@sha256:39f626c802dd84f95720ffb54fcd80dfb8a58ac280498870d0a1aa30d4252f94
|
||||
ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.33@sha256:19ee4c76f0b3b7b40b97995ca78988ad8c82f6e9c75288d8b7b4b88a64f75d50
|
||||
|
||||
@@ -5,10 +5,3 @@
|
||||
{{- end }}
|
||||
{{- index $versionMap .Values.version }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "kubernetes.konnectivityVersion" }}
|
||||
{{- $konnVersionMap := .Files.Get "files/konnectivity-versions.yaml" | fromYaml }}
|
||||
{{- if hasKey $konnVersionMap .Values.version }}
|
||||
{{- index $konnVersionMap .Values.version }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -126,16 +126,8 @@ spec:
|
||||
dataStoreName: "{{ $etcd }}"
|
||||
addons:
|
||||
konnectivity:
|
||||
{{- $konnVersion := include "kubernetes.konnectivityVersion" $ | trim }}
|
||||
{{- if $konnVersion }}
|
||||
agent:
|
||||
version: {{ $konnVersion }}
|
||||
{{- end }}
|
||||
server:
|
||||
port: 8132
|
||||
{{- if $konnVersion }}
|
||||
version: {{ $konnVersion }}
|
||||
{{- end }}
|
||||
resources: {{- include "cozy-lib.resources.defaultingSanitize" (list .Values.controlPlane.konnectivity.server.resourcesPreset .Values.controlPlane.konnectivity.server.resources $) | nindent 10 }}
|
||||
kubelet:
|
||||
cgroupfs: systemd
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
{{- $targetTenant := .Values._namespace.monitoring }}
|
||||
{{- $clusterDomain := (index .Values._cluster "cluster-domain") | default "cozy.local" }}
|
||||
{{- if .Values.addons.monitoringAgents.enabled }}
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
@@ -50,7 +49,7 @@ spec:
|
||||
cluster: {{ .Release.Name }}
|
||||
tenant: {{ .Release.Namespace }}
|
||||
remoteWrite:
|
||||
url: http://vminsert-shortterm.{{ $targetTenant }}.svc.{{ $clusterDomain }}:8480/insert/0/prometheus
|
||||
url: http://vminsert-shortterm.{{ $targetTenant }}.svc:8480/insert/0/prometheus
|
||||
fluent-bit:
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
@@ -73,7 +72,7 @@ spec:
|
||||
[OUTPUT]
|
||||
Name http
|
||||
Match kube.*
|
||||
Host vlogs-generic.{{ $targetTenant }}.svc.{{ $clusterDomain }}
|
||||
Host vlogs-generic.{{ $targetTenant }}.svc
|
||||
port 9428
|
||||
compress gzip
|
||||
uri /insert/jsonline?_stream_fields=stream,kubernetes_pod_name,kubernetes_container_name,kubernetes_namespace_name&_msg_field=log&_time_field=date
|
||||
|
||||
@@ -621,14 +621,14 @@
|
||||
"version": {
|
||||
"description": "Kubernetes major.minor version to deploy",
|
||||
"type": "string",
|
||||
"default": "v1.35",
|
||||
"default": "v1.33",
|
||||
"enum": [
|
||||
"v1.35",
|
||||
"v1.34",
|
||||
"v1.33",
|
||||
"v1.32",
|
||||
"v1.31",
|
||||
"v1.30"
|
||||
"v1.30",
|
||||
"v1.29",
|
||||
"v1.28"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -48,15 +48,15 @@ nodeGroups:
|
||||
|
||||
##
|
||||
## @enum {string} Version
|
||||
## @value v1.35
|
||||
## @value v1.34
|
||||
## @value v1.33
|
||||
## @value v1.32
|
||||
## @value v1.31
|
||||
## @value v1.30
|
||||
## @value v1.29
|
||||
## @value v1.28
|
||||
|
||||
## @param {Version} version - Kubernetes major.minor version to deploy
|
||||
version: "v1.35"
|
||||
version: "v1.33"
|
||||
|
||||
|
||||
## @param {string} host - External hostname for Kubernetes cluster. Defaults to `<cluster-name>.<tenant-host>` if empty.
|
||||
|
||||
@@ -18,7 +18,7 @@ spec:
|
||||
name: cozystack-etcd-application-default-etcd
|
||||
namespace: cozy-system
|
||||
interval: 5m
|
||||
timeout: 30m
|
||||
timeout: 10m
|
||||
install:
|
||||
remediation:
|
||||
retries: -1
|
||||
|
||||
1
packages/core/installer/crds/.gitattributes
vendored
Normal file
1
packages/core/installer/crds/.gitattributes
vendored
Normal file
@@ -0,0 +1 @@
|
||||
*.yaml linguist-generated
|
||||
171
packages/core/installer/crds/cozystack.io_packages.yaml
generated
Normal file
171
packages/core/installer/crds/cozystack.io_packages.yaml
generated
Normal file
@@ -0,0 +1,171 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.4
|
||||
name: packages.cozystack.io
|
||||
spec:
|
||||
group: cozystack.io
|
||||
names:
|
||||
kind: Package
|
||||
listKind: PackageList
|
||||
plural: packages
|
||||
shortNames:
|
||||
- pkg
|
||||
- pkgs
|
||||
singular: package
|
||||
scope: Cluster
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- description: Selected variant
|
||||
jsonPath: .spec.variant
|
||||
name: Variant
|
||||
type: string
|
||||
- description: Ready status
|
||||
jsonPath: .status.conditions[?(@.type=='Ready')].status
|
||||
name: Ready
|
||||
type: string
|
||||
- description: Ready message
|
||||
jsonPath: .status.conditions[?(@.type=='Ready')].message
|
||||
name: Status
|
||||
type: string
|
||||
name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: Package is the Schema for the packages API
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: PackageSpec defines the desired state of Package
|
||||
properties:
|
||||
components:
|
||||
additionalProperties:
|
||||
description: PackageComponent defines overrides for a specific component
|
||||
properties:
|
||||
enabled:
|
||||
description: |-
|
||||
Enabled indicates whether this component should be installed
|
||||
If false, the component will be disabled even if it's defined in the PackageSource
|
||||
type: boolean
|
||||
values:
|
||||
description: |-
|
||||
Values contains Helm chart values as a JSON object
|
||||
These values will be merged with the default values from the PackageSource
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
description: |-
|
||||
Components is a map of release name to component overrides
|
||||
Allows overriding values and enabling/disabling specific components from the PackageSource
|
||||
type: object
|
||||
ignoreDependencies:
|
||||
description: |-
|
||||
IgnoreDependencies is a list of package source dependencies to ignore
|
||||
Dependencies listed here will not be installed even if they are specified in the PackageSource
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
variant:
|
||||
description: |-
|
||||
Variant is the name of the variant to use from the PackageSource
|
||||
If not specified, defaults to "default"
|
||||
type: string
|
||||
type: object
|
||||
status:
|
||||
description: PackageStatus defines the observed state of Package
|
||||
properties:
|
||||
conditions:
|
||||
description: Conditions represents the latest available observations
|
||||
of a Package's state
|
||||
items:
|
||||
description: Condition contains details for one aspect of the current
|
||||
state of this API Resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: |-
|
||||
lastTransitionTime is the last time the condition transitioned from one status to another.
|
||||
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: |-
|
||||
message is a human readable message indicating details about the transition.
|
||||
This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: |-
|
||||
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
||||
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
||||
with respect to the current state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: |-
|
||||
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||||
Producers of specific condition types may define expected values and meanings for this field,
|
||||
and whether the values are considered a guaranteed API.
|
||||
The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
dependencies:
|
||||
additionalProperties:
|
||||
description: DependencyStatus represents the readiness status of
|
||||
a dependency
|
||||
properties:
|
||||
ready:
|
||||
description: Ready indicates whether the dependency is ready
|
||||
type: boolean
|
||||
required:
|
||||
- ready
|
||||
type: object
|
||||
description: |-
|
||||
Dependencies tracks the readiness status of each dependency
|
||||
Key is the dependency package name, value indicates if the dependency is ready
|
||||
type: object
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
250
packages/core/installer/crds/cozystack.io_packagesources.yaml
generated
Normal file
250
packages/core/installer/crds/cozystack.io_packagesources.yaml
generated
Normal file
@@ -0,0 +1,250 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.4
|
||||
name: packagesources.cozystack.io
|
||||
spec:
|
||||
group: cozystack.io
|
||||
names:
|
||||
kind: PackageSource
|
||||
listKind: PackageSourceList
|
||||
plural: packagesources
|
||||
shortNames:
|
||||
- pks
|
||||
singular: packagesource
|
||||
scope: Cluster
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- description: Package variants (comma-separated)
|
||||
jsonPath: .status.variants
|
||||
name: Variants
|
||||
type: string
|
||||
- description: Ready status
|
||||
jsonPath: .status.conditions[?(@.type=='Ready')].status
|
||||
name: Ready
|
||||
type: string
|
||||
- description: Ready message
|
||||
jsonPath: .status.conditions[?(@.type=='Ready')].message
|
||||
name: Status
|
||||
type: string
|
||||
name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: PackageSource is the Schema for the packagesources API
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: PackageSourceSpec defines the desired state of PackageSource
|
||||
properties:
|
||||
sourceRef:
|
||||
description: SourceRef is the source reference for the package source
|
||||
charts
|
||||
properties:
|
||||
kind:
|
||||
description: Kind of the source reference
|
||||
enum:
|
||||
- GitRepository
|
||||
- OCIRepository
|
||||
type: string
|
||||
name:
|
||||
description: Name of the source reference
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the source reference
|
||||
type: string
|
||||
path:
|
||||
description: |-
|
||||
Path is the base path where packages are located in the source.
|
||||
For GitRepository, defaults to "packages" if not specified.
|
||||
For OCIRepository, defaults to empty string (root) if not specified.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
- namespace
|
||||
type: object
|
||||
variants:
|
||||
description: |-
|
||||
Variants is a list of package source variants
|
||||
Each variant defines components, applications, dependencies, and libraries for a specific configuration
|
||||
items:
|
||||
description: Variant defines a single variant configuration
|
||||
properties:
|
||||
components:
|
||||
description: Components is a list of Helm releases to be installed
|
||||
as part of this variant
|
||||
items:
|
||||
description: Component defines a single Helm release component
|
||||
within a package source
|
||||
properties:
|
||||
install:
|
||||
description: Install defines installation parameters for
|
||||
this component
|
||||
properties:
|
||||
dependsOn:
|
||||
description: DependsOn is a list of component names
|
||||
that must be installed before this component
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespace:
|
||||
description: Namespace is the Kubernetes namespace
|
||||
where the release will be installed
|
||||
type: string
|
||||
privileged:
|
||||
description: Privileged indicates whether this release
|
||||
requires privileged access
|
||||
type: boolean
|
||||
releaseName:
|
||||
description: |-
|
||||
ReleaseName is the name of the HelmRelease resource that will be created
|
||||
If not specified, defaults to the component Name field
|
||||
type: string
|
||||
type: object
|
||||
libraries:
|
||||
description: |-
|
||||
Libraries is a list of library names that this component depends on
|
||||
These libraries must be defined at the variant level
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: Name is the unique identifier for this component
|
||||
within the package source
|
||||
type: string
|
||||
path:
|
||||
description: Path is the path to the Helm chart directory
|
||||
type: string
|
||||
valuesFiles:
|
||||
description: ValuesFiles is a list of values file names
|
||||
to use
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- name
|
||||
- path
|
||||
type: object
|
||||
type: array
|
||||
dependsOn:
|
||||
description: |-
|
||||
DependsOn is a list of package source dependencies
|
||||
For example: "cozystack.networking"
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
libraries:
|
||||
description: Libraries is a list of Helm library charts used
|
||||
by components in this variant
|
||||
items:
|
||||
description: Library defines a Helm library chart
|
||||
properties:
|
||||
name:
|
||||
description: Name is the optional name for library placed
|
||||
in charts
|
||||
type: string
|
||||
path:
|
||||
description: Path is the path to the library chart directory
|
||||
type: string
|
||||
required:
|
||||
- path
|
||||
type: object
|
||||
type: array
|
||||
name:
|
||||
description: Name is the unique identifier for this variant
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
status:
|
||||
description: PackageSourceStatus defines the observed state of PackageSource
|
||||
properties:
|
||||
conditions:
|
||||
description: Conditions represents the latest available observations
|
||||
of a PackageSource's state
|
||||
items:
|
||||
description: Condition contains details for one aspect of the current
|
||||
state of this API Resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: |-
|
||||
lastTransitionTime is the last time the condition transitioned from one status to another.
|
||||
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: |-
|
||||
message is a human readable message indicating details about the transition.
|
||||
This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: |-
|
||||
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
||||
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
||||
with respect to the current state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: |-
|
||||
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
||||
Producers of specific condition types may define expected values and meanings for this field,
|
||||
and whether the values are considered a guaranteed API.
|
||||
The value should be a CamelCase string.
|
||||
This field may not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
variants:
|
||||
description: |-
|
||||
Variants is a comma-separated list of package variant names
|
||||
This field is populated by the controller based on spec.variants keys
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
@@ -1,7 +1,3 @@
|
||||
{{- $validVariants := list "talos" "generic" "hosted" -}}
|
||||
{{- if not (has .Values.cozystackOperator.variant $validVariants) -}}
|
||||
{{- fail (printf "Invalid cozystackOperator.variant %q: must be one of talos, generic, hosted" .Values.cozystackOperator.variant) -}}
|
||||
{{- end -}}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
@@ -10,8 +6,6 @@ metadata:
|
||||
labels:
|
||||
cozystack.io/system: "true"
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
annotations:
|
||||
helm.sh/resource-policy: keep
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
@@ -59,9 +53,10 @@ spec:
|
||||
args:
|
||||
- --leader-elect=true
|
||||
- --install-flux=true
|
||||
# The operator applies embedded CRDs via server-side apply on every
|
||||
# startup, ensuring they stay up to date.
|
||||
# To fully remove CRDs, delete them manually after helm uninstall.
|
||||
# CRDs are also in crds/ for initial helm install, but Helm never updates
|
||||
# them on upgrade and never deletes them on uninstall. The operator applies
|
||||
# embedded CRDs via server-side apply on every startup, ensuring they stay
|
||||
# up to date. To fully remove CRDs, delete them manually after helm uninstall.
|
||||
- --install-crds=true
|
||||
- --metrics-bind-address=0
|
||||
- --health-probe-bind-address=0
|
||||
|
||||
57
packages/core/installer/templates/packagesource.yaml
Normal file
57
packages/core/installer/templates/packagesource.yaml
Normal file
@@ -0,0 +1,57 @@
|
||||
{{- $validVariants := list "talos" "generic" "hosted" -}}
|
||||
{{- if not (has .Values.cozystackOperator.variant $validVariants) -}}
|
||||
{{- fail (printf "Invalid cozystackOperator.variant %q: must be one of talos, generic, hosted" .Values.cozystackOperator.variant) -}}
|
||||
{{- end -}}
|
||||
---
|
||||
apiVersion: cozystack.io/v1alpha1
|
||||
kind: PackageSource
|
||||
metadata:
|
||||
name: cozystack.cozystack-platform
|
||||
annotations:
|
||||
operator.cozystack.io/skip-cozystack-values: "true"
|
||||
spec:
|
||||
sourceRef:
|
||||
kind: OCIRepository
|
||||
name: cozystack-platform
|
||||
namespace: cozy-system
|
||||
path: /
|
||||
variants:
|
||||
- name: default
|
||||
components:
|
||||
- install:
|
||||
namespace: cozy-system
|
||||
releaseName: cozystack-platform
|
||||
name: platform
|
||||
path: core/platform
|
||||
valuesFiles:
|
||||
- values.yaml
|
||||
- name: isp-full
|
||||
components:
|
||||
- install:
|
||||
namespace: cozy-system
|
||||
releaseName: cozystack-platform
|
||||
name: platform
|
||||
path: core/platform
|
||||
valuesFiles:
|
||||
- values.yaml
|
||||
- values-isp-full.yaml
|
||||
- name: isp-hosted
|
||||
components:
|
||||
- install:
|
||||
namespace: cozy-system
|
||||
releaseName: cozystack-platform
|
||||
name: platform
|
||||
path: core/platform
|
||||
valuesFiles:
|
||||
- values.yaml
|
||||
- values-isp-hosted.yaml
|
||||
- name: isp-full-generic
|
||||
components:
|
||||
- install:
|
||||
namespace: cozy-system
|
||||
releaseName: cozystack-platform
|
||||
name: platform
|
||||
path: core/platform
|
||||
valuesFiles:
|
||||
- values.yaml
|
||||
- values-isp-full-generic.yaml
|
||||
@@ -1,9 +1,9 @@
|
||||
cozystackOperator:
|
||||
# Deployment variant: talos, generic, hosted
|
||||
variant: talos
|
||||
image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.0.2@sha256:cf29eaa954ec75088ab9faf79dd402f63ae43cdf31325b0664ec7c35e8b09035
|
||||
image: ghcr.io/cozystack/cozystack/cozystack-operator:v1.0.0-beta.6@sha256:c7490da9c1ccb51bff4dd5657ca6a33a29ac71ad9861dfa8c72fdfc8b5765b93
|
||||
platformSourceUrl: 'oci://ghcr.io/cozystack/cozystack/cozystack-packages'
|
||||
platformSourceRef: 'digest=sha256:dd8956454160be6323e7afae32e16a460ea0373a1982496dadd831b75c571129'
|
||||
platformSourceRef: 'digest=sha256:b29b87d1a2b80452ffd4db7516a102c30c55121552dcdb237055d4124d12c55d'
|
||||
# Generic variant configuration (only used when cozystackOperator.variant=generic)
|
||||
cozystack:
|
||||
# Kubernetes API server host (IP only, no protocol/port)
|
||||
|
||||
@@ -2,7 +2,6 @@
|
||||
# Migration 26 --> 27
|
||||
# Migrate monitoring resources from extra/monitoring to system/monitoring
|
||||
# This migration re-labels resources so they become owned by monitoring-system HelmRelease
|
||||
# and deletes old helm release secrets so that helm does not diff old vs new chart manifests.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
@@ -36,39 +35,10 @@ relabel_resources() {
|
||||
done
|
||||
}
|
||||
|
||||
# Delete all helm release secrets for a given release name in a namespace.
|
||||
# Uses both label selector and name-pattern matching to ensure complete cleanup.
|
||||
delete_helm_secrets() {
|
||||
local ns="$1"
|
||||
local release="$2"
|
||||
|
||||
# Primary: delete by label selector
|
||||
kubectl delete secrets -n "$ns" -l "name=${release},owner=helm" --ignore-not-found
|
||||
|
||||
# Fallback: find and delete by name pattern (in case labels were modified)
|
||||
local remaining
|
||||
remaining=$(kubectl get secrets -n "$ns" -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
|
||||
if [ -n "$remaining" ]; then
|
||||
echo " Found secrets not matched by label selector, deleting by name..."
|
||||
echo "$remaining" | while IFS= read -r secret; do
|
||||
echo " Deleting $secret"
|
||||
kubectl delete -n "$ns" "$secret" --ignore-not-found
|
||||
done
|
||||
fi
|
||||
|
||||
# Verify all secrets are gone
|
||||
remaining=$(kubectl get secrets -n "$ns" -o name | { grep "^secret/sh\.helm\.release\.v1\.${release}\." || true; })
|
||||
if [ -n "$remaining" ]; then
|
||||
echo " ERROR: Failed to delete helm release secrets:"
|
||||
echo "$remaining"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Find all tenant namespaces with monitoring HelmRelease
|
||||
echo "Finding tenant namespaces with monitoring HelmRelease..."
|
||||
NAMESPACES=$(kubectl get hr --all-namespaces -l cozystack.io/ui=true --field-selector=metadata.name=monitoring \
|
||||
-o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}' | sort -u)
|
||||
NAMESPACES=$(kubectl get hr --all-namespaces -l apps.cozystack.io/application.kind=Monitoring \
|
||||
-o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}' 2>/dev/null | sort -u || true)
|
||||
|
||||
if [ -z "$NAMESPACES" ]; then
|
||||
echo "No monitoring HelmReleases found in tenant namespaces, skipping migration"
|
||||
@@ -96,7 +66,7 @@ for ns in $NAMESPACES; do
|
||||
# Step 1: Suspend the HelmRelease
|
||||
echo ""
|
||||
echo "Step 1: Suspending HelmRelease monitoring..."
|
||||
kubectl patch hr -n "$ns" monitoring --type=merge -p '{"spec":{"suspend":true}}'
|
||||
kubectl patch hr -n "$ns" monitoring --type=merge -p '{"spec":{"suspend":true}}' 2>/dev/null || true
|
||||
|
||||
# Wait a moment for reconciliation to stop
|
||||
sleep 2
|
||||
@@ -104,7 +74,7 @@ for ns in $NAMESPACES; do
|
||||
# Step 2: Delete helm secrets for the monitoring release
|
||||
echo ""
|
||||
echo "Step 2: Deleting helm secrets for monitoring release..."
|
||||
delete_helm_secrets "$ns" "monitoring"
|
||||
kubectl delete secrets -n "$ns" -l name=monitoring,owner=helm --ignore-not-found
|
||||
|
||||
# Step 3: Relabel resources to be owned by monitoring-system
|
||||
echo ""
|
||||
@@ -151,9 +121,7 @@ for ns in $NAMESPACES; do
|
||||
echo "Processing Cozystack resources..."
|
||||
relabel_resources "$ns" "workloadmonitors.cozystack.io"
|
||||
|
||||
# Step 4: Delete the suspended HelmRelease
|
||||
# Helm secrets are already gone, so flux finalizer will find no release to uninstall
|
||||
# and will simply remove the finalizer without deleting any resources.
|
||||
# Step 4: Delete the suspended HelmRelease (Flux won't delete resources when HR is suspended)
|
||||
echo ""
|
||||
echo "Step 4: Deleting suspended HelmRelease monitoring..."
|
||||
kubectl delete hr -n "$ns" monitoring --ignore-not-found
|
||||
|
||||
@@ -5,24 +5,10 @@ set -euo pipefail
|
||||
|
||||
# Migrate Piraeus CRDs to piraeus-operator-crds Helm release
|
||||
for crd in linstorclusters.piraeus.io linstornodeconnections.piraeus.io linstorsatelliteconfigurations.piraeus.io linstorsatellites.piraeus.io; do
|
||||
if kubectl get crd "$crd" >/dev/null 2>&1; then
|
||||
echo " Relabeling CRD $crd"
|
||||
kubectl annotate crd "$crd" meta.helm.sh/release-namespace=cozy-linstor meta.helm.sh/release-name=piraeus-operator-crds --overwrite
|
||||
kubectl label crd "$crd" app.kubernetes.io/managed-by=Helm helm.toolkit.fluxcd.io/namespace=cozy-linstor helm.toolkit.fluxcd.io/name=piraeus-operator-crds --overwrite
|
||||
else
|
||||
echo " CRD $crd not found, skipping"
|
||||
fi
|
||||
kubectl annotate crd "$crd" meta.helm.sh/release-namespace=cozy-linstor meta.helm.sh/release-name=piraeus-operator-crds --overwrite
|
||||
kubectl label crd "$crd" app.kubernetes.io/managed-by=Helm helm.toolkit.fluxcd.io/namespace=cozy-linstor helm.toolkit.fluxcd.io/name=piraeus-operator-crds --overwrite
|
||||
done
|
||||
|
||||
# Delete old piraeus-operator helm secrets (by label and by name pattern)
|
||||
kubectl delete secret -n cozy-linstor -l name=piraeus-operator,owner=helm --ignore-not-found
|
||||
remaining=$(kubectl get secrets -n cozy-linstor -o name 2>/dev/null | { grep "^secret/sh\.helm\.release\.v1\.piraeus-operator\." || true; })
|
||||
if [ -n "$remaining" ]; then
|
||||
echo " Deleting remaining piraeus-operator helm secrets by name..."
|
||||
echo "$remaining" | while IFS= read -r secret; do
|
||||
kubectl delete -n cozy-linstor "$secret" --ignore-not-found
|
||||
done
|
||||
fi
|
||||
|
||||
# Stamp version
|
||||
kubectl create configmap -n cozy-system cozystack-version \
|
||||
|
||||
@@ -348,7 +348,7 @@ PVCEOF
|
||||
# --- 3g: Clone Secrets ---
|
||||
echo " --- Clone Secrets ---"
|
||||
for secret in $(kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
|
||||
| { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; }); do
|
||||
| grep "secret/${OLD_NAME}" | grep -v "sh.helm.release"); do
|
||||
old_secret_name="${secret#secret/}"
|
||||
new_secret_name="${NEW_NAME}${old_secret_name#${OLD_NAME}}"
|
||||
clone_resource "$NAMESPACE" "secret" "$old_secret_name" "$new_secret_name" "$OLD_NAME" "$NEW_NAME"
|
||||
@@ -357,7 +357,7 @@ PVCEOF
|
||||
# --- 3h: Clone ConfigMaps ---
|
||||
echo " --- Clone ConfigMaps ---"
|
||||
for cm in $(kubectl -n "$NAMESPACE" get configmap -o name 2>/dev/null \
|
||||
| { grep "configmap/${OLD_NAME}" || true; }); do
|
||||
| grep "configmap/${OLD_NAME}"); do
|
||||
old_cm_name="${cm#configmap/}"
|
||||
new_cm_name="${NEW_NAME}${old_cm_name#${OLD_NAME}}"
|
||||
clone_resource "$NAMESPACE" "configmap" "$old_cm_name" "$new_cm_name" "$OLD_NAME" "$NEW_NAME"
|
||||
@@ -468,13 +468,13 @@ PVCEOF
|
||||
fi
|
||||
|
||||
for secret in $(kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
|
||||
| { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; }); do
|
||||
| grep "secret/${OLD_NAME}" | grep -v "sh.helm.release"); do
|
||||
old_secret_name="${secret#secret/}"
|
||||
delete_resource "$NAMESPACE" "secret" "$old_secret_name"
|
||||
done
|
||||
|
||||
for cm in $(kubectl -n "$NAMESPACE" get configmap -o name 2>/dev/null \
|
||||
| { grep "configmap/${OLD_NAME}" || true; }); do
|
||||
| grep "configmap/${OLD_NAME}"); do
|
||||
old_cm_name="${cm#configmap/}"
|
||||
delete_resource "$NAMESPACE" "configmap" "$old_cm_name"
|
||||
done
|
||||
@@ -611,19 +611,6 @@ done
|
||||
echo ""
|
||||
echo "=== Migration complete (${#INSTANCES[@]} instance(s)) ==="
|
||||
|
||||
# ============================================================
|
||||
# STEP 8: Clean up orphaned mysql-rd system HelmRelease
|
||||
# ============================================================
|
||||
echo ""
|
||||
echo "--- Step 8: Clean up orphaned mysql-rd HelmRelease ---"
|
||||
if kubectl -n cozy-system get hr mysql-rd --no-headers 2>/dev/null | grep -q .; then
|
||||
echo " [DELETE] hr/mysql-rd"
|
||||
kubectl -n cozy-system delete hr mysql-rd --wait=false
|
||||
else
|
||||
echo " [SKIP] hr/mysql-rd already gone"
|
||||
fi
|
||||
kubectl -n cozy-system delete secret -l "owner=helm,name=mysql-rd" --ignore-not-found
|
||||
|
||||
# Stamp version
|
||||
kubectl create configmap -n cozy-system cozystack-version \
|
||||
--from-literal=version=29 --dry-run=client -o yaml | kubectl apply -f-
|
||||
|
||||
@@ -9,6 +9,8 @@ set -euo pipefail
|
||||
OLD_PREFIX="virtual-machine"
|
||||
NEW_DISK_PREFIX="vm-disk"
|
||||
NEW_INSTANCE_PREFIX="vm-instance"
|
||||
PROTECTION_WEBHOOK_NAME="protection-webhook"
|
||||
PROTECTION_WEBHOOK_NS="protection-webhook"
|
||||
CDI_APISERVER_NS="cozy-kubevirt-cdi"
|
||||
CDI_APISERVER_DEPLOY="cdi-apiserver"
|
||||
CDI_VALIDATING_WEBHOOKS="cdi-api-datavolume-validate cdi-api-dataimportcron-validate cdi-api-populator-validate cdi-api-validate"
|
||||
@@ -86,6 +88,7 @@ echo " Total: ${#INSTANCES[@]} instance(s)"
|
||||
# STEP 2: Migrate each instance
|
||||
# ============================================================
|
||||
ALL_PV_NAMES=()
|
||||
ALL_PROTECTED_RESOURCES=()
|
||||
|
||||
for entry in "${INSTANCES[@]}"; do
|
||||
NAMESPACE="${entry%%/*}"
|
||||
@@ -312,7 +315,7 @@ PVCEOF
|
||||
# --- 2i: Clone Secrets ---
|
||||
echo " --- Clone Secrets ---"
|
||||
kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
|
||||
| { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; } | { grep -v "values" || true; } \
|
||||
| grep "secret/${OLD_NAME}" | grep -v "sh.helm.release" | grep -v "values" \
|
||||
| while IFS= read -r secret; do
|
||||
old_secret_name="${secret#secret/}"
|
||||
suffix="${old_secret_name#${OLD_NAME}}"
|
||||
@@ -539,7 +542,7 @@ SVCEOF
|
||||
# --- 2q: Delete old resources ---
|
||||
echo " --- Delete old resources ---"
|
||||
kubectl -n "$NAMESPACE" get secret -o name 2>/dev/null \
|
||||
| { grep "secret/${OLD_NAME}" || true; } | { grep -v "sh.helm.release" || true; } | { grep -v "values" || true; } \
|
||||
| grep "secret/${OLD_NAME}" | grep -v "sh.helm.release" | grep -v "values" \
|
||||
| while IFS= read -r secret; do
|
||||
old_secret_name="${secret#secret/}"
|
||||
delete_resource "$NAMESPACE" "secret" "$old_secret_name"
|
||||
@@ -561,17 +564,71 @@ SVCEOF
|
||||
delete_resource "$NAMESPACE" "secret" "$VALUES_SECRET"
|
||||
fi
|
||||
|
||||
# Delete old service (if exists)
|
||||
# Collect protected resources for batch deletion
|
||||
if resource_exists "$NAMESPACE" "svc" "$OLD_NAME"; then
|
||||
delete_resource "$NAMESPACE" "svc" "$OLD_NAME"
|
||||
ALL_PROTECTED_RESOURCES+=("${NAMESPACE}:svc/${OLD_NAME}")
|
||||
fi
|
||||
done
|
||||
|
||||
# ============================================================
|
||||
# STEP 3: Restore PV reclaim policies
|
||||
# STEP 3: Delete protected resources (Services)
|
||||
# ============================================================
|
||||
echo ""
|
||||
echo "--- Step 3: Restore PV reclaim policies ---"
|
||||
echo "--- Step 3: Delete protected resources ---"
|
||||
|
||||
if [ ${#ALL_PROTECTED_RESOURCES[@]} -gt 0 ]; then
|
||||
WEBHOOK_EXISTS=false
|
||||
if kubectl -n "$PROTECTION_WEBHOOK_NS" get deploy "$PROTECTION_WEBHOOK_NAME" --no-headers 2>/dev/null | grep -q .; then
|
||||
WEBHOOK_EXISTS=true
|
||||
fi
|
||||
|
||||
if [ "$WEBHOOK_EXISTS" = "true" ]; then
|
||||
echo " --- Temporarily disabling protection-webhook ---"
|
||||
|
||||
WEBHOOK_REPLICAS=$(kubectl -n "$PROTECTION_WEBHOOK_NS" get deploy "$PROTECTION_WEBHOOK_NAME" \
|
||||
-o jsonpath='{.spec.replicas}' 2>/dev/null || echo "1")
|
||||
|
||||
echo " [SCALE] ${PROTECTION_WEBHOOK_NAME} -> 0 (was ${WEBHOOK_REPLICAS})"
|
||||
kubectl -n "$PROTECTION_WEBHOOK_NS" scale deploy "$PROTECTION_WEBHOOK_NAME" --replicas=0
|
||||
|
||||
echo " [PATCH] Set failurePolicy=Ignore on ValidatingWebhookConfiguration/${PROTECTION_WEBHOOK_NAME}"
|
||||
kubectl get validatingwebhookconfiguration "$PROTECTION_WEBHOOK_NAME" -o json | \
|
||||
jq '.webhooks[].failurePolicy = "Ignore"' | \
|
||||
kubectl apply -f - 2>/dev/null || true
|
||||
|
||||
echo " Waiting for webhook pods to terminate..."
|
||||
kubectl -n "$PROTECTION_WEBHOOK_NS" wait --for=delete pod \
|
||||
-l app.kubernetes.io/name=protection-webhook --timeout=60s 2>/dev/null || true
|
||||
sleep 3
|
||||
fi
|
||||
|
||||
for entry in "${ALL_PROTECTED_RESOURCES[@]}"; do
|
||||
ns="${entry%%:*}"
|
||||
res="${entry#*:}"
|
||||
echo " [DELETE] ${ns}/${res}"
|
||||
kubectl -n "$ns" delete "$res" --wait=false 2>/dev/null || true
|
||||
done
|
||||
|
||||
if [ "$WEBHOOK_EXISTS" = "true" ]; then
|
||||
echo " [PATCH] Set failurePolicy=Fail on ValidatingWebhookConfiguration/${PROTECTION_WEBHOOK_NAME}"
|
||||
kubectl get validatingwebhookconfiguration "$PROTECTION_WEBHOOK_NAME" -o json | \
|
||||
jq '.webhooks[].failurePolicy = "Fail"' | \
|
||||
kubectl apply -f - 2>/dev/null || true
|
||||
|
||||
echo " [SCALE] ${PROTECTION_WEBHOOK_NAME} -> ${WEBHOOK_REPLICAS}"
|
||||
kubectl -n "$PROTECTION_WEBHOOK_NS" scale deploy "$PROTECTION_WEBHOOK_NAME" \
|
||||
--replicas="$WEBHOOK_REPLICAS"
|
||||
echo " --- protection-webhook restored ---"
|
||||
fi
|
||||
else
|
||||
echo " [SKIP] No protected resources to delete"
|
||||
fi
|
||||
|
||||
# ============================================================
|
||||
# STEP 4: Restore PV reclaim policies
|
||||
# ============================================================
|
||||
echo ""
|
||||
echo "--- Step 4: Restore PV reclaim policies ---"
|
||||
for pv_name in "${ALL_PV_NAMES[@]}"; do
|
||||
if [ -n "$pv_name" ]; then
|
||||
current_policy=$(kubectl get pv "$pv_name" \
|
||||
@@ -586,7 +643,7 @@ for pv_name in "${ALL_PV_NAMES[@]}"; do
|
||||
done
|
||||
|
||||
# ============================================================
|
||||
# STEP 4: Temporarily disable CDI datavolume webhooks
|
||||
# STEP 5: Temporarily disable CDI datavolume webhooks
|
||||
# ============================================================
|
||||
# CDI's datavolume-validate webhook rejects DataVolume creation when a PVC
|
||||
# with the same name already exists. We must disable it so that vm-disk
|
||||
@@ -595,7 +652,7 @@ done
|
||||
# cdi-apiserver (which serves the webhooks), then delete webhook configs.
|
||||
# Both are restored after vm-disk HRs reconcile.
|
||||
echo ""
|
||||
echo "--- Step 4: Temporarily disable CDI webhooks ---"
|
||||
echo "--- Step 5: Temporarily disable CDI webhooks ---"
|
||||
|
||||
CDI_OPERATOR_REPLICAS=$(kubectl -n "$CDI_APISERVER_NS" get deploy cdi-operator \
|
||||
-o jsonpath='{.spec.replicas}' 2>/dev/null || echo "1")
|
||||
@@ -628,10 +685,10 @@ done
|
||||
sleep 2
|
||||
|
||||
# ============================================================
|
||||
# STEP 5: Unsuspend vm-disk HelmReleases first
|
||||
# STEP 6: Unsuspend vm-disk HelmReleases first
|
||||
# ============================================================
|
||||
echo ""
|
||||
echo "--- Step 5: Unsuspend vm-disk HelmReleases ---"
|
||||
echo "--- Step 6: Unsuspend vm-disk HelmReleases ---"
|
||||
for entry in "${INSTANCES[@]}"; do
|
||||
ns="${entry%%/*}"
|
||||
instance="${entry#*/}"
|
||||
@@ -648,7 +705,7 @@ for entry in "${INSTANCES[@]}"; do
|
||||
# Force immediate reconciliation
|
||||
echo " [TRIGGER] Reconcile ${ns}/hr/${disk_name}"
|
||||
kubectl -n "$ns" annotate hr "$disk_name" --overwrite \
|
||||
"reconcile.fluxcd.io/requestedAt=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" 2>/dev/null || true
|
||||
"reconcile.fluxcd.io/requestedAt=$(date +%s)" 2>/dev/null || true
|
||||
fi
|
||||
done
|
||||
|
||||
@@ -672,12 +729,12 @@ for entry in "${INSTANCES[@]}"; do
|
||||
done
|
||||
|
||||
# ============================================================
|
||||
# STEP 6: Restore CDI webhooks
|
||||
# STEP 7: Restore CDI webhooks
|
||||
# ============================================================
|
||||
# Scale cdi-operator and cdi-apiserver back up.
|
||||
# cdi-apiserver will recreate webhook configurations automatically on start.
|
||||
echo ""
|
||||
echo "--- Step 6: Restore CDI webhooks ---"
|
||||
echo "--- Step 7: Restore CDI webhooks ---"
|
||||
|
||||
echo " [SCALE] cdi-operator -> ${CDI_OPERATOR_REPLICAS}"
|
||||
kubectl -n "$CDI_APISERVER_NS" scale deploy cdi-operator \
|
||||
@@ -692,10 +749,10 @@ kubectl -n "$CDI_APISERVER_NS" rollout status deploy "$CDI_APISERVER_DEPLOY" --t
|
||||
echo " --- CDI webhooks restored ---"
|
||||
|
||||
# ============================================================
|
||||
# STEP 7: Unsuspend vm-instance HelmReleases
|
||||
# STEP 8: Unsuspend vm-instance HelmReleases
|
||||
# ============================================================
|
||||
echo ""
|
||||
echo "--- Step 7: Unsuspend vm-instance HelmReleases ---"
|
||||
echo "--- Step 8: Unsuspend vm-instance HelmReleases ---"
|
||||
for entry in "${INSTANCES[@]}"; do
|
||||
ns="${entry%%/*}"
|
||||
instance="${entry#*/}"
|
||||
@@ -715,19 +772,6 @@ done
|
||||
echo ""
|
||||
echo "=== Migration complete (${#INSTANCES[@]} instance(s)) ==="
|
||||
|
||||
# ============================================================
|
||||
# STEP 8: Clean up orphaned virtual-machine-rd system HelmRelease
|
||||
# ============================================================
|
||||
echo ""
|
||||
echo "--- Step 8: Clean up orphaned virtual-machine-rd HelmRelease ---"
|
||||
if kubectl -n cozy-system get hr virtual-machine-rd --no-headers 2>/dev/null | grep -q .; then
|
||||
echo " [DELETE] hr/virtual-machine-rd"
|
||||
kubectl -n cozy-system delete hr virtual-machine-rd --wait=false
|
||||
else
|
||||
echo " [SKIP] hr/virtual-machine-rd already gone"
|
||||
fi
|
||||
kubectl -n cozy-system delete secret -l "owner=helm,name=virtual-machine-rd" --ignore-not-found
|
||||
|
||||
# Stamp version
|
||||
kubectl create configmap -n cozy-system cozystack-version \
|
||||
--from-literal=version=30 --dry-run=client -o yaml | kubectl apply -f-
|
||||
|
||||
@@ -1,92 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Migration 32 --> 33
|
||||
# Convert publishing.certificates.issuerType to solver + issuerName in
|
||||
# the cozystack-platform Package resource.
|
||||
#
|
||||
# Old field (pre-refactor schema):
|
||||
# publishing.certificates.issuerType: "http01" | "cloudflare"
|
||||
# New fields:
|
||||
# publishing.certificates.solver: "http01" | "dns01"
|
||||
# publishing.certificates.issuerName: "letsencrypt-prod" (or custom)
|
||||
#
|
||||
# Conversion table:
|
||||
# cloudflare -> solver: dns01, issuerName: letsencrypt-prod
|
||||
# http01 -> solver: http01, issuerName: letsencrypt-prod
|
||||
# <custom> -> issuerName: <custom> (solver left at chart default)
|
||||
# <absent> -> no-op
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
PACKAGE_NAME="cozystack.cozystack-platform"
|
||||
|
||||
# Check if Package exists
|
||||
if ! kubectl get package "$PACKAGE_NAME" >/dev/null 2>&1; then
|
||||
echo "Package $PACKAGE_NAME not found, skipping migration"
|
||||
kubectl create configmap -n cozy-system cozystack-version \
|
||||
--from-literal=version=33 --dry-run=client -o yaml | kubectl apply -f -
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Read current issuerType value
|
||||
ISSUER_TYPE=$(kubectl get package "$PACKAGE_NAME" -o json | \
|
||||
jq -r '.spec.components.platform.values.publishing.certificates.issuerType // ""')
|
||||
|
||||
if [ -z "$ISSUER_TYPE" ]; then
|
||||
echo "No issuerType found in Package $PACKAGE_NAME, nothing to migrate"
|
||||
kubectl create configmap -n cozy-system cozystack-version \
|
||||
--from-literal=version=33 --dry-run=client -o yaml | kubectl apply -f -
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Found issuerType: $ISSUER_TYPE"
|
||||
|
||||
# Convert old issuerType to new solver/issuerName
|
||||
SOLVER=""
|
||||
ISSUER_NAME=""
|
||||
case "$ISSUER_TYPE" in
|
||||
cloudflare)
|
||||
SOLVER="dns01"
|
||||
ISSUER_NAME="letsencrypt-prod"
|
||||
;;
|
||||
http01)
|
||||
SOLVER="http01"
|
||||
ISSUER_NAME="letsencrypt-prod"
|
||||
;;
|
||||
*)
|
||||
# Unrecognised value — treat as custom ClusterIssuer name, no solver override
|
||||
ISSUER_NAME="$ISSUER_TYPE"
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "Converting to: solver=${SOLVER:-<chart default>}, issuerName=${ISSUER_NAME:-<chart default>}"
|
||||
|
||||
# Build the certificates patch:
|
||||
# - null removes issuerType (JSON merge patch semantics)
|
||||
# - solver and issuerName are included only when non-empty
|
||||
CERTS_PATCH=$(jq -n --arg solver "$SOLVER" --arg issuerName "$ISSUER_NAME" '
|
||||
{"issuerType": null}
|
||||
+ (if $solver != "" then {"solver": $solver} else {} end)
|
||||
+ (if $issuerName != "" then {"issuerName": $issuerName} else {} end)
|
||||
')
|
||||
|
||||
PATCH_JSON=$(jq -n --argjson certs "$CERTS_PATCH" '{
|
||||
"spec": {
|
||||
"components": {
|
||||
"platform": {
|
||||
"values": {
|
||||
"publishing": {
|
||||
"certificates": $certs
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}')
|
||||
|
||||
kubectl patch package "$PACKAGE_NAME" --type=merge --patch "$PATCH_JSON"
|
||||
|
||||
echo "Migration complete: issuerType=$ISSUER_TYPE -> solver=${SOLVER:-<unset>} issuerName=${ISSUER_NAME:-<unset>}"
|
||||
|
||||
# Stamp version
|
||||
kubectl create configmap -n cozy-system cozystack-version \
|
||||
--from-literal=version=33 --dry-run=client -o yaml | kubectl apply -f -
|
||||
@@ -1,30 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Migration 33 --> 34
|
||||
# Clean up orphaned system -rd HelmReleases left after application renames.
|
||||
#
|
||||
# These HelmReleases reference ExternalArtifacts that no longer exist:
|
||||
# ferretdb-rd -> replaced by mongodb-rd
|
||||
# mysql-rd -> replaced by mariadb-rd (migration 28 handled user HRs only)
|
||||
# virtual-machine-rd -> replaced by vm-disk-rd + vm-instance-rd (migration 29 handled user HRs only)
|
||||
#
|
||||
# Idempotent: safe to re-run.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
echo "=== Cleaning up orphaned -rd HelmReleases ==="
|
||||
|
||||
for hr_name in ferretdb-rd mysql-rd virtual-machine-rd; do
|
||||
if kubectl -n cozy-system get hr "$hr_name" --no-headers 2>/dev/null | grep -q .; then
|
||||
echo " [DELETE] hr/${hr_name}"
|
||||
kubectl -n cozy-system delete hr "$hr_name" --wait=false
|
||||
else
|
||||
echo " [SKIP] hr/${hr_name} already gone"
|
||||
fi
|
||||
kubectl -n cozy-system delete secret -l "owner=helm,name=${hr_name}" --ignore-not-found
|
||||
done
|
||||
|
||||
echo "=== Cleanup complete ==="
|
||||
|
||||
# Stamp version
|
||||
kubectl create configmap -n cozy-system cozystack-version \
|
||||
--from-literal=version=34 --dry-run=client -o yaml | kubectl apply -f-
|
||||
@@ -24,7 +24,7 @@ if [ "$CURRENT_VERSION" -ge "$TARGET_VERSION" ]; then
|
||||
fi
|
||||
|
||||
# Run migrations sequentially from current version to target version
|
||||
for i in $(seq $CURRENT_VERSION $((TARGET_VERSION - 1))); do
|
||||
for i in $(seq $((CURRENT_VERSION + 1)) $TARGET_VERSION); do
|
||||
if [ -f "/migrations/$i" ]; then
|
||||
echo "Running migration $i"
|
||||
chmod +x /migrations/$i
|
||||
|
||||
@@ -21,8 +21,7 @@ stringData:
|
||||
_cluster:
|
||||
root-host: {{ $rootHost | quote }}
|
||||
bundle-name: {{ .Values.bundles.system.variant | quote }}
|
||||
solver: {{ .Values.publishing.certificates.solver | quote }}
|
||||
issuer-name: {{ .Values.publishing.certificates.issuerName | quote }}
|
||||
clusterissuer: {{ .Values.publishing.certificates.issuerType | quote }}
|
||||
oidc-enabled: {{ .Values.authentication.oidc.enabled | quote }}
|
||||
oidc-insecure-skip-verify: {{ .Values.authentication.oidc.insecureSkipVerify | quote }}
|
||||
extra-keycloak-redirect-uri-for-dashboard: {{ index .Values.authentication.oidc.keycloakExtraRedirectUri | quote }}
|
||||
|
||||
@@ -6,8 +6,6 @@ kind: ConfigMap
|
||||
metadata:
|
||||
name: cozystack-version
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
helm.sh/resource-policy: keep
|
||||
data:
|
||||
version: {{ .Values.migrations.targetVersion | quote }}
|
||||
{{- end }}
|
||||
|
||||
@@ -5,8 +5,8 @@ sourceRef:
|
||||
path: /
|
||||
migrations:
|
||||
enabled: false
|
||||
image: ghcr.io/cozystack/cozystack/platform-migrations:v1.0.2@sha256:d43c6f26c65edd448f586a29969ff76718338f1f1f78b24d3ad54c6c8977c748
|
||||
targetVersion: 34
|
||||
image: ghcr.io/cozystack/cozystack/platform-migrations:v1.0.0-beta.6@sha256:37c78dafcedbdad94acd9912550db0b4875897150666b8a06edfa894de99064e
|
||||
targetVersion: 32
|
||||
# Bundle deployment configuration
|
||||
bundles:
|
||||
system:
|
||||
@@ -46,8 +46,7 @@ publishing:
|
||||
apiServerEndpoint: "" # example: "https://api.example.org"
|
||||
externalIPs: []
|
||||
certificates:
|
||||
solver: http01 # "http01" or "dns01"
|
||||
issuerName: letsencrypt-prod
|
||||
issuerType: http01 # "http01" or "cloudflare"
|
||||
# Authentication configuration
|
||||
authentication:
|
||||
oidc:
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
e2e:
|
||||
image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.0.2@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba
|
||||
image: ghcr.io/cozystack/cozystack/e2e-sandbox:v1.0.0-beta.6@sha256:09af5901abcbed2b612d2d93c163e8ad3948bc55a1d8beae714b4fb2b8f7d91d
|
||||
|
||||
@@ -1 +1 @@
|
||||
ghcr.io/cozystack/cozystack/matchbox:v1.0.2@sha256:a093fdcd86eb8d4fbff740dd0fa2f5cd87247fa46dbae14cbbd391851270f9f0
|
||||
ghcr.io/cozystack/cozystack/matchbox:v1.0.0-beta.6@sha256:212f624957447f5a932fd5d4564eb8c97694d336b7dc877a2833c1513c0d074d
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
{{- $solver := (index .Values._cluster "solver") | default "http01" }}
|
||||
{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
|
||||
{{- $issuerType := (index .Values._cluster "clusterissuer") | default "http01" }}
|
||||
{{- $ingress := .Values._namespace.ingress }}
|
||||
{{- $host := .Values._namespace.host }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
@@ -9,10 +8,10 @@ metadata:
|
||||
labels:
|
||||
app: bootbox
|
||||
annotations:
|
||||
{{- if eq $solver "http01" }}
|
||||
{{- if ne $issuerType "cloudflare" }}
|
||||
acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
|
||||
{{- end }}
|
||||
cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
{{- if .Values.whitelistHTTP }}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," (.Values.whitelist | default "0.0.0.0/32") }}"
|
||||
{{- end }}
|
||||
|
||||
@@ -1 +1 @@
|
||||
ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.0.2@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f
|
||||
ghcr.io/cozystack/cozystack/objectstorage-sidecar:v1.0.0-beta.6@sha256:235b194a531b70e266a10ef78d2955d19f5b659513f23d8b3cfbbc0dff7fc1c0
|
||||
|
||||
@@ -36,8 +36,6 @@
|
||||
{{- if not (eq .Values.topology "Client") }}
|
||||
{{- $ingress := .Values._namespace.ingress }}
|
||||
{{- $host := .Values._namespace.host }}
|
||||
{{- $solver := (index .Values._cluster "solver") | default "http01" }}
|
||||
{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
@@ -136,10 +134,8 @@ spec:
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
||||
{{- if eq $solver "http01" }}
|
||||
acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
|
||||
{{- end }}
|
||||
cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
tls:
|
||||
- hosts:
|
||||
- {{ .Values.host | default (printf "s3.%s" $host) }}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
backupController:
|
||||
image: "ghcr.io/cozystack/cozystack/backup-controller:v1.0.2@sha256:ebf42dfc4c0d857cc2cb4339e556703d34d0c4086de5e7f78a771dc423da535d"
|
||||
image: "ghcr.io/cozystack/cozystack/backup-controller:v1.0.0-beta.6@sha256:365214a74ffc34a9314a62a7d4b491590051fc5486f6bae9913c0c1289983d43"
|
||||
replicas: 2
|
||||
debug: false
|
||||
metrics:
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
backupStrategyController:
|
||||
image: "ghcr.io/cozystack/cozystack/backupstrategy-controller:v1.0.2@sha256:485d9994c672776f7ce1a74243d4b3073f6575ddfdabb8587797053b43230d67"
|
||||
image: "ghcr.io/cozystack/cozystack/backupstrategy-controller:v1.0.0-beta.6@sha256:aa04ee61dce11950162606fc8db2d5cbc6f5b32ba700f790b3f1eee10d65efb1"
|
||||
replicas: 2
|
||||
debug: false
|
||||
metrics:
|
||||
|
||||
@@ -1 +1 @@
|
||||
ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:279008f87460d709e99ed25ee8a1e4568a290bb9afa0e3dd3a06d524163a132b
|
||||
ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:291427de7db54a1d19dc9c2c807bdcc664a14caa9538786f31317e8c01a4a008
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
{{- $host := .Values._namespace.host }}
|
||||
{{- $ingress := .Values._namespace.ingress }}
|
||||
{{- $solver := (index .Values._cluster "solver") | default "http01" }}
|
||||
{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
|
||||
{{- $issuerType := (index .Values._cluster "clusterissuer") | default "http01" }}
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
@@ -14,10 +13,10 @@ metadata:
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "99999"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "99999"
|
||||
{{- if eq $solver "http01" }}
|
||||
{{- if ne $issuerType "cloudflare" }}
|
||||
acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
|
||||
{{- end }}
|
||||
cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
spec:
|
||||
ingressClassName: {{ $ingress }}
|
||||
tls:
|
||||
|
||||
Binary file not shown.
File diff suppressed because it is too large
Load Diff
@@ -5,9 +5,6 @@
|
||||
# update this file only when a new major or minor version is released
|
||||
apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
|
||||
releaseSeries:
|
||||
- major: 0
|
||||
minor: 16
|
||||
contract: v1beta1
|
||||
- major: 0
|
||||
minor: 15
|
||||
contract: v1beta1
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: v0.16.0-cp
|
||||
name: v0.15.1-cp
|
||||
labels:
|
||||
cp-components: cozy
|
||||
annotations:
|
||||
|
||||
@@ -4,7 +4,7 @@ metadata:
|
||||
name: kamaji
|
||||
spec:
|
||||
# https://github.com/clastix/cluster-api-control-plane-provider-kamaji
|
||||
version: v0.16.0-cp
|
||||
version: v0.15.1-cp
|
||||
fetchConfig:
|
||||
selector:
|
||||
matchLabels:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- $solver := (index .Values._cluster "solver") | default "http01" }}
|
||||
{{- $issuerType := (index .Values._cluster "clusterissuer") | default "http01" }}
|
||||
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
@@ -10,7 +10,7 @@ spec:
|
||||
name: letsencrypt-prod
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
solvers:
|
||||
- {{- if eq $solver "dns01" }}
|
||||
- {{- if eq $issuerType "cloudflare" }}
|
||||
dns01:
|
||||
cloudflare:
|
||||
apiTokenSecretRef:
|
||||
@@ -34,7 +34,7 @@ spec:
|
||||
name: letsencrypt-stage
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
solvers:
|
||||
- {{- if eq $solver "dns01" }}
|
||||
- {{- if eq $issuerType "cloudflare" }}
|
||||
dns01:
|
||||
cloudflare:
|
||||
apiTokenSecretRef:
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
cozystackAPI:
|
||||
image: ghcr.io/cozystack/cozystack/cozystack-api:v1.0.2@sha256:3ce477e373aee817fc9746ebf33ae48ff7abc68a71cef587a2a1841e04759ea3
|
||||
image: ghcr.io/cozystack/cozystack/cozystack-api:v1.0.0-beta.6@sha256:d89cf68fb622d0dbef7db98db09d352efc93c2cce448d11f2d73dcd363e911b7
|
||||
replicas: 2
|
||||
|
||||
@@ -181,6 +181,7 @@ rules:
|
||||
- persistentvolumes
|
||||
- endpoints
|
||||
- events
|
||||
- resourcequotas
|
||||
verbs:
|
||||
- delete
|
||||
- apiGroups: ["kubevirt.io"]
|
||||
|
||||
@@ -23,6 +23,7 @@ spec:
|
||||
namespace: cozy-system
|
||||
interval: 1m0s
|
||||
timeout: 5m0s
|
||||
valuesFrom:
|
||||
- kind: Secret
|
||||
name: cozystack-values
|
||||
values:
|
||||
_cluster:
|
||||
oidc-enabled: {{ .Values.oidcEnabled | quote }}
|
||||
root-host: {{ .Values.rootHost | quote }}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
cozystackController:
|
||||
image: ghcr.io/cozystack/cozystack/cozystack-controller:v1.0.2@sha256:c2e9c3f68124465d5b01dd8179d089689e5f130f685b92483a6a3167dd87e70f
|
||||
image: ghcr.io/cozystack/cozystack/cozystack-controller:v1.0.0-beta.6@sha256:d55a3c288934b1f69a00321bc8a94776915556b5f882fe6ac615e9de2701c61f
|
||||
debug: false
|
||||
disableTelemetry: false
|
||||
|
||||
@@ -6,7 +6,7 @@ FROM node:${NODE_VERSION}-alpine AS openapi-k8s-toolkit-builder
|
||||
RUN apk add git
|
||||
WORKDIR /src
|
||||
# release/1.4.0
|
||||
ARG COMMIT=d6b9e4ad0d1eb9d3730f7f0c664792c8dda3214d
|
||||
ARG COMMIT=c67029cc7b7495c65ee0406033576e773a73bb01
|
||||
RUN wget -O- https://github.com/PRO-Robotech/openapi-k8s-toolkit/archive/${COMMIT}.tar.gz | tar -xzvf- --strip-components=1
|
||||
|
||||
COPY openapi-k8s-toolkit/patches /patches
|
||||
|
||||
@@ -1,37 +0,0 @@
|
||||
diff --git a/src/localTypes/formExtensions.ts b/src/localTypes/formExtensions.ts
|
||||
--- a/src/localTypes/formExtensions.ts
|
||||
+++ b/src/localTypes/formExtensions.ts
|
||||
@@ -59,2 +59,4 @@
|
||||
relatedValuePath?: string
|
||||
+ allowEmpty?: boolean
|
||||
+ persistType?: 'str' | 'number' | 'arr' | 'obj'
|
||||
}
|
||||
diff --git a/src/components/molecules/BlackholeForm/molecules/FormListInput/FormListInput.tsx b/src/components/molecules/BlackholeForm/molecules/FormListInput/FormListInput.tsx
|
||||
--- a/src/components/molecules/BlackholeForm/molecules/FormListInput/FormListInput.tsx
|
||||
+++ b/src/components/molecules/BlackholeForm/molecules/FormListInput/FormListInput.tsx
|
||||
@@ -149,3 +149,10 @@
|
||||
}, [relatedPath, form, arrName, fixedName, relatedFieldValue, onValuesChangeCallBack, isTouchedPeristed])
|
||||
|
||||
+ // When allowEmpty is set, auto-persist the field so the BFF preserves empty values
|
||||
+ useEffect(() => {
|
||||
+ if (customProps.allowEmpty) {
|
||||
+ persistedControls.onPersistMark(persistName || name, customProps.persistType ?? 'str')
|
||||
+ }
|
||||
+ }, [customProps.allowEmpty, customProps.persistType, persistedControls, persistName, name])
|
||||
+
|
||||
const uri = prepareTemplate({
|
||||
@@ -267,5 +274,14 @@
|
||||
validateTrigger="onBlur"
|
||||
hasFeedback={designNewLayout ? { icons: feedbackIcons } : true}
|
||||
style={{ flex: 1 }}
|
||||
+ normalize={(value: unknown) => {
|
||||
+ if (customProps.allowEmpty && (value === undefined || value === null)) {
|
||||
+ if (customProps.persistType === 'number') return 0
|
||||
+ if (customProps.persistType === 'arr') return []
|
||||
+ if (customProps.persistType === 'obj') return {}
|
||||
+ return ''
|
||||
+ }
|
||||
+ return value
|
||||
+ }}
|
||||
>
|
||||
<Select
|
||||
@@ -1,29 +0,0 @@
|
||||
diff --git a/src/components/organisms/DynamicComponents/molecules/SecretBase64Plain/SecretBase64Plain.tsx b/src/components/organisms/DynamicComponents/molecules/SecretBase64Plain/SecretBase64Plain.tsx
|
||||
--- a/src/components/organisms/DynamicComponents/molecules/SecretBase64Plain/SecretBase64Plain.tsx
|
||||
+++ b/src/components/organisms/DynamicComponents/molecules/SecretBase64Plain/SecretBase64Plain.tsx
|
||||
@@ -145,6 +145,12 @@
|
||||
<Styled.DisabledInput
|
||||
$hidden={effectiveHidden}
|
||||
onClick={e => handleInputClick(e, effectiveHidden, value)}
|
||||
+ onCopy={e => {
|
||||
+ if (!effectiveHidden) {
|
||||
+ e.preventDefault()
|
||||
+ e.clipboardData?.setData('text/plain', value)
|
||||
+ }
|
||||
+ }}
|
||||
value={shownValue}
|
||||
readOnly
|
||||
/>
|
||||
@@ -161,6 +167,12 @@
|
||||
<Styled.DisabledInput
|
||||
$hidden={effectiveHidden}
|
||||
onClick={e => handleInputClick(e, effectiveHidden, value)}
|
||||
+ onCopy={e => {
|
||||
+ if (!effectiveHidden) {
|
||||
+ e.preventDefault()
|
||||
+ e.clipboardData?.setData('text/plain', value)
|
||||
+ }
|
||||
+ }}
|
||||
value={shownValue}
|
||||
readOnly
|
||||
/>
|
||||
@@ -1,6 +1,6 @@
|
||||
{{- $brandingConfig := .Values._cluster.branding | default dict }}
|
||||
|
||||
{{- $tenantText := "v1.0.2" }}
|
||||
{{- $tenantText := "v1.0.0-beta.6" }}
|
||||
{{- $footerText := "Cozystack" }}
|
||||
{{- $titleText := "Cozystack Dashboard" }}
|
||||
{{- $logoText := "" }}
|
||||
|
||||
@@ -1,20 +0,0 @@
|
||||
apiVersion: flowcontrol.apiserver.k8s.io/v1
|
||||
kind: FlowSchema
|
||||
metadata:
|
||||
name: cozy-dashboard-exempt
|
||||
spec:
|
||||
matchingPrecedence: 2
|
||||
priorityLevelConfiguration:
|
||||
name: exempt
|
||||
rules:
|
||||
- subjects:
|
||||
- kind: ServiceAccount
|
||||
serviceAccount:
|
||||
name: incloud-web-web
|
||||
namespace: {{ .Release.Namespace }}
|
||||
resourceRules:
|
||||
- verbs: ["*"]
|
||||
apiGroups: ["*"]
|
||||
resources: ["*"]
|
||||
namespaces: ["*"]
|
||||
clusterScope: true
|
||||
@@ -1,5 +1,4 @@
|
||||
{{- $solver := (index .Values._cluster "solver") | default "http01" }}
|
||||
{{- $clusterIssuer := (index .Values._cluster "issuer-name") | default "letsencrypt-prod" }}
|
||||
{{- $issuerType := (index .Values._cluster "clusterissuer") | default "http01" }}
|
||||
{{- $host := index .Values._cluster "root-host" }}
|
||||
{{- $exposeServices := splitList "," ((index .Values._cluster "expose-services") | default "") }}
|
||||
{{- $exposeIngress := (index .Values._cluster "expose-ingress") | default "tenant-root" }}
|
||||
@@ -9,8 +8,9 @@ apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ $clusterIssuer }}
|
||||
{{- if eq $solver "http01" }}
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
{{- if eq $issuerType "cloudflare" }}
|
||||
{{- else }}
|
||||
acme.cert-manager.io/http01-ingress-class: {{ $exposeIngress }}
|
||||
{{- end }}
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
|
||||
@@ -136,7 +136,7 @@ spec:
|
||||
- name: CUSTOMIZATION_NAVIGATION_RESOURCE_PLURAL
|
||||
value: navigations
|
||||
- name: CUSTOMIZATION_SIDEBAR_FALLBACK_ID
|
||||
value: ""
|
||||
value: stock-project-api-table
|
||||
- name: CUSTOMIZATION_BREADCRUMBS_FALLBACK_ID
|
||||
value: stock-project-api-table
|
||||
- name: INSTANCES_API_GROUP
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
openapiUI:
|
||||
image: ghcr.io/cozystack/cozystack/openapi-ui:v1.0.2@sha256:9b8b357eb49c4dfc7502047117d18559281e60e853793277f339fd73e4ab9102
|
||||
image: ghcr.io/cozystack/cozystack/openapi-ui:v1.0.0-beta.6@sha256:c333637673a9e878f6c4ed0fc96db55967bbcf94b2434d075b0f0c6fcfcf9eff
|
||||
openapiUIK8sBff:
|
||||
image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v1.0.2@sha256:c938fee904acd948800d4dc5e121c4c5cd64cb4a3160fb8d2f9dbff0e5168740
|
||||
image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v1.0.0-beta.6@sha256:1b3ea6d4c7dbbe6a8def3b2807fffdfab2ac4afc39d7a846e57dd491fa168f92
|
||||
tokenProxy:
|
||||
image: ghcr.io/cozystack/cozystack/token-proxy:v1.0.2@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc
|
||||
image: ghcr.io/cozystack/cozystack/token-proxy:v1.0.0-beta.6@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc
|
||||
|
||||
@@ -1 +1 @@
|
||||
ghcr.io/cozystack/cozystack/grafana-dashboards:v1.0.2@sha256:7a3c9af59f8d74d5a23750bbc845c7de64610dbd4d4f84011e10be037b3ce2a0
|
||||
ghcr.io/cozystack/cozystack/grafana-dashboards:v1.0.0-beta.6@sha256:7a3c9af59f8d74d5a23750bbc845c7de64610dbd4d4f84011e10be037b3ce2a0
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*.orig
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
# Helm source files
|
||||
README.md.gotmpl
|
||||
.helmignore
|
||||
# Build tools
|
||||
Makefile
|
||||
@@ -1,39 +0,0 @@
|
||||
apiVersion: v2
|
||||
appVersion: latest
|
||||
description: Kamaji is the Hosted Control Plane Manager for Kubernetes.
|
||||
home: https://github.com/clastix/kamaji
|
||||
icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png
|
||||
maintainers:
|
||||
- email: dario@tranchitella.eu
|
||||
name: Dario Tranchitella
|
||||
url: https://clastix.io
|
||||
- email: me@bsctl.io
|
||||
name: Adriano Pezzuto
|
||||
url: https://clastix.io
|
||||
name: kamaji-crds
|
||||
sources:
|
||||
- https://github.com/clastix/kamaji
|
||||
type: application
|
||||
version: 0.0.0+latest
|
||||
annotations:
|
||||
artifacthub.io/crds: |
|
||||
- kind: TenantControlPlane
|
||||
version: v1alpha1
|
||||
name: tenantcontrolplanes.kamaji.clastix.io
|
||||
displayName: TenantControlPlane
|
||||
description: TenantControlPlane defines the desired state for a Control Plane backed by Kamaji.
|
||||
- kind: DataStore
|
||||
version: v1alpha1
|
||||
name: datastores.kamaji.clastix.io
|
||||
displayName: DataStore
|
||||
description: DataStores is holding all the required details to communicate with a Datastore, such as etcd, MySQL, PostgreSQL, and NATS.
|
||||
artifacthub.io/links: |
|
||||
- name: CLASTIX
|
||||
url: https://clastix.io
|
||||
- name: support
|
||||
url: https://clastix.io/support
|
||||
artifacthub.io/changes: |
|
||||
- kind: changed
|
||||
description: Upgrading support to Kubernetes v1.35
|
||||
- kind: added
|
||||
description: Supporting multiple Datastore via etcd overrides
|
||||
@@ -1,9 +0,0 @@
|
||||
docs: HELMDOCS_VERSION := v1.8.1
|
||||
docs: docker
|
||||
@docker run --rm -v "$$(pwd):/helm-docs" -u $$(id -u) jnorwood/helm-docs:$(HELMDOCS_VERSION)
|
||||
|
||||
docker:
|
||||
@hash docker 2>/dev/null || {\
|
||||
echo "You need docker" &&\
|
||||
exit 1;\
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
Kamaji Custom Resource Definitions have been installed properly:
|
||||
you can proceed to upgrade your Kamaji operator instance.
|
||||
@@ -1,66 +0,0 @@
|
||||
# kamaji-crds
|
||||
|
||||
  
|
||||
|
||||
Kamaji is the Hosted Control Plane Manager for Kubernetes.
|
||||
|
||||
## Maintainers
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Dario Tranchitella | <dario@tranchitella.eu> | <https://clastix.io> |
|
||||
| Adriano Pezzuto | <me@bsctl.io> | <https://clastix.io> |
|
||||
|
||||
## Source Code
|
||||
|
||||
* <https://github.com/clastix/kamaji>
|
||||
|
||||
[Kamaji](https://github.com/clastix/kamaji) Custom Resource Definitions packaged as Helm Charts.
|
||||
|
||||
## How to use this chart
|
||||
|
||||
Add `clastix` Helm repository:
|
||||
|
||||
helm repo add clastix https://clastix.github.io/charts
|
||||
|
||||
Install the Chart with the release name `kamaji-crds`:
|
||||
|
||||
helm upgrade --install --namespace kamaji-system --create-namespace kamaji-crds clastix/kamaji-crds
|
||||
|
||||
Show the status:
|
||||
|
||||
helm status kamaji-crds -n kamaji-system
|
||||
|
||||
Upgrade the Chart
|
||||
|
||||
helm upgrade kamaji-crds -n kamaji-system clastix/kamaji-crds
|
||||
|
||||
Uninstall the Chart
|
||||
|
||||
helm uninstall kamaji-crds -n kamaji-system
|
||||
|
||||
## Customize the installation
|
||||
|
||||
There are two methods for specifying overrides of values during Chart installation: `--values` and `--set`.
|
||||
|
||||
The `--values` option is the preferred method because it allows you to keep your overrides in a YAML file, rather than specifying them all on the command line. Create a copy of the YAML file `values.yaml` and add your overrides to it.
|
||||
|
||||
Specify your overrides file when you install the Chart:
|
||||
|
||||
helm upgrade kamaji-crds --install --namespace kamaji-system --create-namespace clastix/kamaji-crds --values myvalues.yaml
|
||||
|
||||
The values in your overrides file `myvalues.yaml` will override their counterparts in the Chart's values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
|
||||
|
||||
If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
|
||||
|
||||
helm upgrade kamaji-crds --install --namespace kamaji-system --create-namespace clastix/kamaji-crds --set kamajiCertificateName=kamaji
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| fullnameOverride | string | `""` | Overrides the full name of the resources created by the chart. |
|
||||
| kamajiCertificateName | string | `"kamaji-serving-cert"` | The cert-manager Certificate resource name, holding the Certificate Authority for webhooks. |
|
||||
| kamajiNamespace | string | `"kamaji-system"` | The namespace where Kamaji has been installed: required to inject the Certificate Authority for cert-manager. |
|
||||
| kamajiService | string | `"kamaji-webhook-service"` | The Kamaji webhook Service name. |
|
||||
| nameOverride | string | `""` | Overrides the name of the chart for resource naming purposes. |
|
||||
@@ -1,54 +0,0 @@
|
||||
{{ template "chart.header" . }}
|
||||
{{ template "chart.deprecationWarning" . }}
|
||||
|
||||
{{ template "chart.badgesSection" . }}
|
||||
|
||||
{{ template "chart.description" . }}
|
||||
|
||||
{{ template "chart.maintainersSection" . }}
|
||||
|
||||
{{ template "chart.sourcesSection" . }}
|
||||
|
||||
{{ template "chart.requirementsSection" . }}
|
||||
|
||||
[Kamaji](https://github.com/clastix/kamaji) Custom Resource Definitions packaged as Helm Charts.
|
||||
|
||||
## How to use this chart
|
||||
|
||||
Add `clastix` Helm repository:
|
||||
|
||||
helm repo add clastix https://clastix.github.io/charts
|
||||
|
||||
Install the Chart with the release name `kamaji-crds`:
|
||||
|
||||
helm upgrade --install --namespace kamaji-system --create-namespace kamaji-crds clastix/kamaji-crds
|
||||
|
||||
Show the status:
|
||||
|
||||
helm status kamaji-crds -n kamaji-system
|
||||
|
||||
Upgrade the Chart
|
||||
|
||||
helm upgrade kamaji-crds -n kamaji-system clastix/kamaji-crds
|
||||
|
||||
Uninstall the Chart
|
||||
|
||||
helm uninstall kamaji-crds -n kamaji-system
|
||||
|
||||
## Customize the installation
|
||||
|
||||
There are two methods for specifying overrides of values during Chart installation: `--values` and `--set`.
|
||||
|
||||
The `--values` option is the preferred method because it allows you to keep your overrides in a YAML file, rather than specifying them all on the command line. Create a copy of the YAML file `values.yaml` and add your overrides to it.
|
||||
|
||||
Specify your overrides file when you install the Chart:
|
||||
|
||||
helm upgrade kamaji-crds --install --namespace kamaji-system --create-namespace clastix/kamaji-crds --values myvalues.yaml
|
||||
|
||||
The values in your overrides file `myvalues.yaml` will override their counterparts in the Chart's values.yaml file. Any values in `values.yaml` that weren’t overridden will keep their defaults.
|
||||
|
||||
If you only need to make minor customizations, you can specify them on the command line by using the `--set` option. For example:
|
||||
|
||||
helm upgrade kamaji-crds --install --namespace kamaji-system --create-namespace clastix/kamaji-crds --set kamajiCertificateName=kamaji
|
||||
|
||||
{{ template "chart.valuesSection" . }}
|
||||
@@ -1,11 +0,0 @@
|
||||
spec:
|
||||
conversion:
|
||||
strategy: Webhook
|
||||
webhook:
|
||||
clientConfig:
|
||||
service:
|
||||
name: kamaji-webhook-service
|
||||
namespace: kamaji-system
|
||||
path: /convert
|
||||
conversionReviewVersions:
|
||||
- v1
|
||||
@@ -1,292 +0,0 @@
|
||||
group: kamaji.clastix.io
|
||||
names:
|
||||
kind: DataStore
|
||||
listKind: DataStoreList
|
||||
plural: datastores
|
||||
singular: datastore
|
||||
scope: Cluster
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- description: Kamaji data store driver
|
||||
jsonPath: .spec.driver
|
||||
name: Driver
|
||||
type: string
|
||||
- description: Age
|
||||
jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: DataStore is the Schema for the datastores API.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: DataStoreSpec defines the desired state of DataStore.
|
||||
properties:
|
||||
basicAuth:
|
||||
description: |-
|
||||
In case of authentication enabled for the given data store, specifies the username and password pair.
|
||||
This value is optional.
|
||||
properties:
|
||||
password:
|
||||
properties:
|
||||
content:
|
||||
description: |-
|
||||
Bare content of the file, base64 encoded.
|
||||
It has precedence over the SecretReference value.
|
||||
format: byte
|
||||
type: string
|
||||
secretReference:
|
||||
properties:
|
||||
keyPath:
|
||||
description: |-
|
||||
Name of the key for the given Secret reference where the content is stored.
|
||||
This value is mandatory.
|
||||
minLength: 1
|
||||
type: string
|
||||
name:
|
||||
description: name is unique within a namespace to reference a secret resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: namespace defines the space within which the secret name must be unique.
|
||||
type: string
|
||||
required:
|
||||
- keyPath
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
username:
|
||||
properties:
|
||||
content:
|
||||
description: |-
|
||||
Bare content of the file, base64 encoded.
|
||||
It has precedence over the SecretReference value.
|
||||
format: byte
|
||||
type: string
|
||||
secretReference:
|
||||
properties:
|
||||
keyPath:
|
||||
description: |-
|
||||
Name of the key for the given Secret reference where the content is stored.
|
||||
This value is mandatory.
|
||||
minLength: 1
|
||||
type: string
|
||||
name:
|
||||
description: name is unique within a namespace to reference a secret resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: namespace defines the space within which the secret name must be unique.
|
||||
type: string
|
||||
required:
|
||||
- keyPath
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
required:
|
||||
- password
|
||||
- username
|
||||
type: object
|
||||
driver:
|
||||
description: The driver to use to connect to the shared datastore.
|
||||
enum:
|
||||
- etcd
|
||||
- MySQL
|
||||
- PostgreSQL
|
||||
- NATS
|
||||
type: string
|
||||
x-kubernetes-validations:
|
||||
- message: Datastore driver is immutable
|
||||
rule: self == oldSelf
|
||||
endpoints:
|
||||
description: |-
|
||||
List of the endpoints to connect to the shared datastore.
|
||||
No need for protocol, just bare IP/FQDN and port.
|
||||
items:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
tlsConfig:
|
||||
description: |-
|
||||
Defines the TLS/SSL configuration required to connect to the data store in a secure way.
|
||||
This value is optional.
|
||||
properties:
|
||||
certificateAuthority:
|
||||
description: |-
|
||||
Retrieve the Certificate Authority certificate and private key, such as bare content of the file, or a SecretReference.
|
||||
The key reference is required since etcd authentication is based on certificates, and Kamaji is responsible in creating this.
|
||||
properties:
|
||||
certificate:
|
||||
properties:
|
||||
content:
|
||||
description: |-
|
||||
Bare content of the file, base64 encoded.
|
||||
It has precedence over the SecretReference value.
|
||||
format: byte
|
||||
type: string
|
||||
secretReference:
|
||||
properties:
|
||||
keyPath:
|
||||
description: |-
|
||||
Name of the key for the given Secret reference where the content is stored.
|
||||
This value is mandatory.
|
||||
minLength: 1
|
||||
type: string
|
||||
name:
|
||||
description: name is unique within a namespace to reference a secret resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: namespace defines the space within which the secret name must be unique.
|
||||
type: string
|
||||
required:
|
||||
- keyPath
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
privateKey:
|
||||
properties:
|
||||
content:
|
||||
description: |-
|
||||
Bare content of the file, base64 encoded.
|
||||
It has precedence over the SecretReference value.
|
||||
format: byte
|
||||
type: string
|
||||
secretReference:
|
||||
properties:
|
||||
keyPath:
|
||||
description: |-
|
||||
Name of the key for the given Secret reference where the content is stored.
|
||||
This value is mandatory.
|
||||
minLength: 1
|
||||
type: string
|
||||
name:
|
||||
description: name is unique within a namespace to reference a secret resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: namespace defines the space within which the secret name must be unique.
|
||||
type: string
|
||||
required:
|
||||
- keyPath
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
required:
|
||||
- certificate
|
||||
type: object
|
||||
clientCertificate:
|
||||
description: Specifies the SSL/TLS key and private key pair used to connect to the data store.
|
||||
properties:
|
||||
certificate:
|
||||
properties:
|
||||
content:
|
||||
description: |-
|
||||
Bare content of the file, base64 encoded.
|
||||
It has precedence over the SecretReference value.
|
||||
format: byte
|
||||
type: string
|
||||
secretReference:
|
||||
properties:
|
||||
keyPath:
|
||||
description: |-
|
||||
Name of the key for the given Secret reference where the content is stored.
|
||||
This value is mandatory.
|
||||
minLength: 1
|
||||
type: string
|
||||
name:
|
||||
description: name is unique within a namespace to reference a secret resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: namespace defines the space within which the secret name must be unique.
|
||||
type: string
|
||||
required:
|
||||
- keyPath
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
privateKey:
|
||||
properties:
|
||||
content:
|
||||
description: |-
|
||||
Bare content of the file, base64 encoded.
|
||||
It has precedence over the SecretReference value.
|
||||
format: byte
|
||||
type: string
|
||||
secretReference:
|
||||
properties:
|
||||
keyPath:
|
||||
description: |-
|
||||
Name of the key for the given Secret reference where the content is stored.
|
||||
This value is mandatory.
|
||||
minLength: 1
|
||||
type: string
|
||||
name:
|
||||
description: name is unique within a namespace to reference a secret resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: namespace defines the space within which the secret name must be unique.
|
||||
type: string
|
||||
required:
|
||||
- keyPath
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
required:
|
||||
- certificate
|
||||
- privateKey
|
||||
type: object
|
||||
required:
|
||||
- certificateAuthority
|
||||
type: object
|
||||
required:
|
||||
- driver
|
||||
- endpoints
|
||||
type: object
|
||||
x-kubernetes-validations:
|
||||
- message: certificateAuthority privateKey must have secretReference or content when driver is etcd
|
||||
rule: '(self.driver == "etcd") ? (self.tlsConfig != null && (has(self.tlsConfig.certificateAuthority.privateKey.secretReference) || has(self.tlsConfig.certificateAuthority.privateKey.content))) : true'
|
||||
- message: clientCertificate must have secretReference or content when driver is etcd
|
||||
rule: '(self.driver == "etcd") ? (self.tlsConfig != null && (has(self.tlsConfig.clientCertificate.certificate.secretReference) || has(self.tlsConfig.clientCertificate.certificate.content))) : true'
|
||||
- message: clientCertificate privateKey must have secretReference or content when driver is etcd
|
||||
rule: '(self.driver == "etcd") ? (self.tlsConfig != null && (has(self.tlsConfig.clientCertificate.privateKey.secretReference) || has(self.tlsConfig.clientCertificate.privateKey.content))) : true'
|
||||
- message: When driver is not etcd and tlsConfig exists, clientCertificate must be null or contain valid content
|
||||
rule: '(self.driver != "etcd" && has(self.tlsConfig) && has(self.tlsConfig.clientCertificate)) ? (((has(self.tlsConfig.clientCertificate.certificate.secretReference) || has(self.tlsConfig.clientCertificate.certificate.content)))) : true'
|
||||
- message: When driver is not etcd and basicAuth exists, username must have secretReference or content
|
||||
rule: '(self.driver != "etcd" && has(self.basicAuth)) ? ((has(self.basicAuth.username.secretReference) || has(self.basicAuth.username.content))) : true'
|
||||
- message: When driver is not etcd and basicAuth exists, password must have secretReference or content
|
||||
rule: '(self.driver != "etcd" && has(self.basicAuth)) ? ((has(self.basicAuth.password.secretReference) || has(self.basicAuth.password.content))) : true'
|
||||
- message: When driver is not etcd, either tlsConfig or basicAuth must be provided
|
||||
rule: '(self.driver != "etcd") ? (has(self.tlsConfig) || has(self.basicAuth)) : true'
|
||||
status:
|
||||
description: DataStoreStatus defines the observed state of DataStore.
|
||||
properties:
|
||||
observedGeneration:
|
||||
description: ObservedGeneration represents the .metadata.generation that was last reconciled.
|
||||
format: int64
|
||||
type: integer
|
||||
usedBy:
|
||||
description: List of the Tenant Control Planes, namespaced named, using this data store.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
@@ -1,218 +0,0 @@
|
||||
group: kamaji.clastix.io
|
||||
names:
|
||||
categories:
|
||||
- kamaji
|
||||
kind: KubeconfigGenerator
|
||||
listKind: KubeconfigGeneratorList
|
||||
plural: kubeconfiggenerators
|
||||
shortNames:
|
||||
- kc
|
||||
singular: kubeconfiggenerator
|
||||
scope: Cluster
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- description: Age
|
||||
jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: KubeconfigGenerator is the Schema for the kubeconfiggenerators API.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
kind:
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
properties:
|
||||
controlPlaneEndpointFrom:
|
||||
default: admin.svc
|
||||
description: |-
|
||||
ControlPlaneEndpointFrom is the key used to extract the Tenant Control Plane endpoint that must be used by the generator.
|
||||
The targeted Secret is the `${TCP}-admin-kubeconfig` one, default to `admin.svc`.
|
||||
type: string
|
||||
groups:
|
||||
description: |-
|
||||
Groups is resolved a set of strings used to assign the x509 organisations field.
|
||||
It will be recognised by Kubernetes as user groups.
|
||||
items:
|
||||
description: |-
|
||||
CompoundValue allows defining a static, or a dynamic value.
|
||||
Options are mutually exclusive, just one should be picked up.
|
||||
properties:
|
||||
fromDefinition:
|
||||
description: |-
|
||||
FromDefinition is used to generate a dynamic value,
|
||||
it uses the dot notation to access fields from the referenced TenantControlPlane object:
|
||||
e.g.: metadata.name
|
||||
type: string
|
||||
stringValue:
|
||||
description: StringValue is a static string value.
|
||||
type: string
|
||||
type: object
|
||||
x-kubernetes-validations:
|
||||
- message: Either stringValue or fromDefinition must be set, but not both.
|
||||
rule: (has(self.stringValue) || has(self.fromDefinition)) && !(has(self.stringValue) && has(self.fromDefinition))
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: NamespaceSelector is used to filter Namespaces from which the generator should extract TenantControlPlane objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
tenantControlPlaneSelector:
|
||||
description: TenantControlPlaneSelector is used to filter the TenantControlPlane objects that should be address by the generator.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
user:
|
||||
description: User resolves to a string to identify the client, assigned to the x509 Common Name field.
|
||||
properties:
|
||||
fromDefinition:
|
||||
description: |-
|
||||
FromDefinition is used to generate a dynamic value,
|
||||
it uses the dot notation to access fields from the referenced TenantControlPlane object:
|
||||
e.g.: metadata.name
|
||||
type: string
|
||||
stringValue:
|
||||
description: StringValue is a static string value.
|
||||
type: string
|
||||
type: object
|
||||
x-kubernetes-validations:
|
||||
- message: Either stringValue or fromDefinition must be set, but not both.
|
||||
rule: (has(self.stringValue) || has(self.fromDefinition)) && !(has(self.stringValue) && has(self.fromDefinition))
|
||||
required:
|
||||
- user
|
||||
type: object
|
||||
status:
|
||||
description: KubeconfigGeneratorStatus defines the observed state of KubeconfigGenerator.
|
||||
properties:
|
||||
availableResources:
|
||||
default: 0
|
||||
description: |-
|
||||
AvailableResources is the sum of successfully generated resources.
|
||||
In case of a different value compared to Resources, check the field errors.
|
||||
type: integer
|
||||
errors:
|
||||
description: Errors is the list of failed kubeconfig generations.
|
||||
items:
|
||||
properties:
|
||||
message:
|
||||
description: Message is the error message recorded upon the last generator run.
|
||||
type: string
|
||||
resource:
|
||||
description: Resource is the Namespaced name of the errored resource.
|
||||
type: string
|
||||
required:
|
||||
- message
|
||||
- resource
|
||||
type: object
|
||||
type: array
|
||||
observedGeneration:
|
||||
description: ObservedGeneration represents the .metadata.generation that was last reconciled.
|
||||
format: int64
|
||||
type: integer
|
||||
resources:
|
||||
default: 0
|
||||
description: Resources is the sum of targeted TenantControlPlane objects.
|
||||
type: integer
|
||||
required:
|
||||
- availableResources
|
||||
- resources
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,49 +0,0 @@
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "kamaji-crds.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "kamaji.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "kamaji-crds.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the cert-manager annotation to inject Certificate CA.
|
||||
*/}}
|
||||
{{- define "kamaji-crds.certManagerAnnotation" -}}
|
||||
{{- printf "%s/%s" (required "A valid .Values.kamajiNamespace is required" .Values.kamajiNamespace) (required "A valid .Values.kamajiCertificateName is required" .Values.kamajiCertificateName) }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "kamaji-crds.labels" -}}
|
||||
helm.sh/chart: {{ include "kamaji-crds.chart" . }}
|
||||
app.kubernetes.io/name: {{ include "kamaji-crds.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/component: "crds"
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
@@ -1,10 +0,0 @@
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from: {{ include "kamaji-crds.certManagerAnnotation" . }}
|
||||
labels:
|
||||
{{- include "kamaji-crds.labels" . | nindent 4 }}
|
||||
name: datastores.kamaji.clastix.io
|
||||
spec:
|
||||
{{ tpl (.Files.Get "hack/kamaji.clastix.io_datastores_spec.yaml") . | nindent 2}}
|
||||
@@ -1,10 +0,0 @@
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from: {{ include "kamaji-crds.certManagerAnnotation" . }}
|
||||
labels:
|
||||
{{- include "kamaji-crds.labels" . | nindent 4 }}
|
||||
name: kubeconfiggenerators.kamaji.clastix.io
|
||||
spec:
|
||||
{{ tpl (.Files.Get "hack/kamaji.clastix.io_kubeconfiggenerators_spec.yaml") . | nindent 2 }}
|
||||
@@ -1,10 +0,0 @@
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from: {{ include "kamaji-crds.certManagerAnnotation" . }}
|
||||
labels:
|
||||
{{- include "kamaji-crds.labels" . | nindent 4 }}
|
||||
name: tenantcontrolplanes.kamaji.clastix.io
|
||||
spec:
|
||||
{{ tpl (.Files.Get "hack/kamaji.clastix.io_tenantcontrolplanes_spec.yaml") . | nindent 2 }}
|
||||
@@ -1,15 +0,0 @@
|
||||
# Default values for kamaji-crds.
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
||||
|
||||
# -- Overrides the name of the chart for resource naming purposes.
|
||||
nameOverride: ""
|
||||
# -- Overrides the full name of the resources created by the chart.
|
||||
fullnameOverride: ""
|
||||
|
||||
# -- The namespace where Kamaji has been installed: required to inject the Certificate Authority for cert-manager.
|
||||
kamajiNamespace: kamaji-system
|
||||
# -- The Kamaji webhook Service name.
|
||||
kamajiService: kamaji-webhook-service
|
||||
# -- The cert-manager Certificate resource name, holding the Certificate Authority for webhooks.
|
||||
kamajiCertificateName: kamaji-serving-cert
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user