introduce token-proxy

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

.github/workflows/pull-requests.yaml

@@ -264,8 +264,7 @@ jobs:
       - uses: actions/checkout@v4
       - id: set
         run: |
-          apps=$(find hack/e2e-apps -maxdepth 1 -mindepth 1 -name '*.bats' | \
-            awk -F/ '{sub(/\..+/, "", $NF); print $NF}' | jq -R . | jq -cs .)
+          apps=$(ls hack/e2e-apps/*.bats | cut -f3 -d/ | cut -f1 -d. | jq -R | jq -cs)
           echo "matrix={\"app\":$apps}" >> "$GITHUB_OUTPUT"
 
   test_apps:

.github/workflows/tags.yaml

@@ -149,36 +149,35 @@ jobs:
           version:     ${{ steps.tag.outputs.tag }}            # A
           compare-to:  ${{ steps.latest_release.outputs.tag }} # B
 
-      # Create or reuse DRAFT GitHub Release
+      # Create or reuse draft release
       - name: Create / reuse draft release
         if: steps.check_release.outputs.skip == 'false'
         id: release
         uses: actions/github-script@v7
         with:
           script: |
-            const tag        = '${{ steps.tag.outputs.tag }}';
-            const isRc       = ${{ steps.tag.outputs.is_rc }};
-            const outdated   = '${{ steps.semver.outputs.comparison-result }}' === '<';
-            const makeLatest = outdated ? false : 'legacy';
-            const releases   = await github.rest.repos.listReleases({
+            const tag      = '${{ steps.tag.outputs.tag }}';
+            const isRc     = ${{ steps.tag.outputs.is_rc }};
+            const releases = await github.rest.repos.listReleases({
               owner: context.repo.owner,
               repo:  context.repo.repo
             });
-            let rel          = releases.data.find(r => r.tag_name === tag);
+
+            let rel = releases.data.find(r => r.tag_name === tag);
             if (!rel) {
               rel = await github.rest.repos.createRelease({
                 owner: context.repo.owner,
                 repo:  context.repo.repo,
-                tag_name:    tag,
-                name:        tag,
-                draft:       true,
-                prerelease:  isRc,
-                make_latest: makeLatest
+                tag_name:   tag,
+                name:       tag,
+                draft:      true,
+                prerelease: isRc               // no make_latest for drafts
               });
               console.log(`Draft release created for ${tag}`);
             } else {
               console.log(`Re-using existing release ${tag}`);
             }
+
             core.setOutput('upload_url', rel.upload_url);
 
       # Build + upload assets (optional)

.gitignore

@@ -77,3 +77,5 @@ fabric.properties
 
 .DS_Store
 **/.DS_Store
+
+tmp/

api/v1alpha1/cozystackresourcedefinitions_types.go

@@ -0,0 +1,89 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:root=true
+
+// CozystackResourceDefinition is the Schema for the cozystackresourcedefinitions API
+type CozystackResourceDefinition struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec CozystackResourceDefinitionSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// CozystackResourceDefinitionList contains a list of CozystackResourceDefinition
+type CozystackResourceDefinitionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []CozystackResourceDefinition `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&CozystackResourceDefinition{}, &CozystackResourceDefinitionList{})
+}
+
+type CozystackResourceDefinitionSpec struct {
+	// Application configuration
+	Application CozystackResourceDefinitionApplication `json:"application"`
+	// Release configuration
+	Release CozystackResourceDefinitionRelease `json:"release"`
+}
+
+type CozystackResourceDefinitionChart struct {
+	// Name of the Helm chart
+	Name string `json:"name"`
+	// Source reference for the Helm chart
+	SourceRef SourceRef `json:"sourceRef"`
+}
+
+type SourceRef struct {
+	// Kind of the source reference
+	// +kubebuilder:default:="HelmRepository"
+	Kind string `json:"kind"`
+	// Name of the source reference
+	Name string `json:"name"`
+	// Namespace of the source reference
+	// +kubebuilder:default:="cozy-public"
+	Namespace string `json:"namespace"`
+}
+
+type CozystackResourceDefinitionApplication struct {
+	// Kind of the application, used for UI and API
+	Kind string `json:"kind"`
+	// OpenAPI schema for the application, used for API validation
+	OpenAPISchema string `json:"openAPISchema"`
+	// Plural name of the application, used for UI and API
+	Plural string `json:"plural"`
+	// Singular name of the application, used for UI and API
+	Singular string `json:"singular"`
+}
+
+type CozystackResourceDefinitionRelease struct {
+	// Helm chart configuration
+	Chart CozystackResourceDefinitionChart `json:"chart"`
+	// Labels for the release
+	Labels map[string]string `json:"labels,omitempty"`
+	// Prefix for the release name
+	Prefix string `json:"prefix"`
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -25,6 +25,135 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinition) DeepCopyInto(out *CozystackResourceDefinition) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinition.
+func (in *CozystackResourceDefinition) DeepCopy() *CozystackResourceDefinition {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CozystackResourceDefinition) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinitionApplication) DeepCopyInto(out *CozystackResourceDefinitionApplication) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionApplication.
+func (in *CozystackResourceDefinitionApplication) DeepCopy() *CozystackResourceDefinitionApplication {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinitionApplication)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinitionChart) DeepCopyInto(out *CozystackResourceDefinitionChart) {
+	*out = *in
+	out.SourceRef = in.SourceRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionChart.
+func (in *CozystackResourceDefinitionChart) DeepCopy() *CozystackResourceDefinitionChart {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinitionChart)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinitionList) DeepCopyInto(out *CozystackResourceDefinitionList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CozystackResourceDefinition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionList.
+func (in *CozystackResourceDefinitionList) DeepCopy() *CozystackResourceDefinitionList {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinitionList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CozystackResourceDefinitionList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinitionRelease) DeepCopyInto(out *CozystackResourceDefinitionRelease) {
+	*out = *in
+	out.Chart = in.Chart
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionRelease.
+func (in *CozystackResourceDefinitionRelease) DeepCopy() *CozystackResourceDefinitionRelease {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinitionRelease)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackResourceDefinitionSpec) DeepCopyInto(out *CozystackResourceDefinitionSpec) {
+	*out = *in
+	out.Application = in.Application
+	in.Release.DeepCopyInto(&out.Release)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackResourceDefinitionSpec.
+func (in *CozystackResourceDefinitionSpec) DeepCopy() *CozystackResourceDefinitionSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackResourceDefinitionSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in Selector) DeepCopyInto(out *Selector) {
 	{
@@ -46,6 +175,21 @@ func (in Selector) DeepCopy() Selector {
 	return *out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SourceRef) DeepCopyInto(out *SourceRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceRef.
+func (in *SourceRef) DeepCopy() *SourceRef {
+	if in == nil {
+		return nil
+	}
+	out := new(SourceRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Workload) DeepCopyInto(out *Workload) {
 	*out = *in

cmd/token-proxy/Dockerfile

@@ -0,0 +1,15 @@
+FROM golang:1.24-alpine as builder
+
+ARG TARGETOS
+ARG TARGETARCH
+
+COPY main.go go.mod go.sum /src/
+WORKDIR /src
+
+RUN go build -o /token-proxy -ldflags '-extldflags "-static" -w -s' main.go
+
+FROM scratch
+
+COPY --from=builder /token-proxy /token-proxy
+
+ENTRYPOINT ["/token-proxy"]

cmd/token-proxy/example_args.yaml

@@ -0,0 +1,8 @@
+args:
+- --upstream=http://incloud-web-nginx.incloud-web.svc:8080
+- --http-address=0.0.0.0:8000
+- --cookie-refresh=1h
+- --cookie-name=kc-access
+- --cookie-secure=true
+- --cookie-secret=$(OAUTH2_PROXY_COOKIE_SECRET)
+- --token-check-url=http://incloud-web-nginx.incloud-web.svc:8080/api/clusters/cozydev4/k8s/apis/core.cozystack.io/v1alpha1/tenantnamespaces

cmd/token-proxy/go.mod

@@ -0,0 +1,8 @@
+module token-proxy
+
+go 1.24.0
+
+require (
+	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/gorilla/securecookie v1.1.2
+)

cmd/token-proxy/go.sum

@@ -0,0 +1,6 @@
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=

cmd/token-proxy/main.go

@@ -0,0 +1,259 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"html/template"
+	"log"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/gorilla/securecookie"
+)
+
+/* ----------------------------- flags ------------------------------------ */
+
+var (
+	upstream, httpAddr, proxyPrefix string
+	cookieName, cookieSecretB64     string
+	cookieSecure                    bool
+	cookieRefresh                   time.Duration
+	tokenCheckURL                   string
+)
+
+func init() {
+	flag.StringVar(&upstream, "upstream", "", "Upstream URL to proxy to (required)")
+	flag.StringVar(&httpAddr, "http-address", "0.0.0.0:8000", "Listen address")
+	flag.StringVar(&proxyPrefix, "proxy-prefix", "/oauth2", "URL prefix for control endpoints")
+
+	flag.StringVar(&cookieName, "cookie-name", "_oauth2_proxy_0", "Cookie name")
+	flag.StringVar(&cookieSecretB64, "cookie-secret", "", "Base64-encoded cookie secret")
+	flag.BoolVar(&cookieSecure, "cookie-secure", false, "Set Secure flag on cookie")
+	flag.DurationVar(&cookieRefresh, "cookie-refresh", 0, "Cookie refresh interval (e.g. 1h)")
+	flag.StringVar(&tokenCheckURL, "token-check-url", "", "URL for external token validation")
+}
+
+/* ----------------------------- templates -------------------------------- */
+
+var loginTmpl = template.Must(template.New("login").Parse(`
+<!doctype html><html><head><title>Login</title></head>
+<body>
+	<h2>Enter ServiceAccount / OIDC token</h2>
+	{{if .Err}}<p style="color:red">{{.Err}}</p>{{end}}
+	<form method="POST" action="{{.Action}}">
+		<input style="width:420px" name="token" placeholder="Paste token" autofocus/>
+		<button type="submit">Login</button>
+	</form>
+</body></html>`))
+
+/* ----------------------------- helpers ---------------------------------- */
+
+func decodeJWT(raw string) jwt.MapClaims {
+	tkn, _ := jwt.Parse(raw, nil)
+	if c, ok := tkn.Claims.(jwt.MapClaims); ok {
+		return c
+	}
+	return jwt.MapClaims{}
+}
+
+func externalTokenCheck(raw string) error {
+	if tokenCheckURL == "" {
+		return nil
+	}
+	req, _ := http.NewRequest(http.MethodGet, tokenCheckURL, nil)
+	req.Header.Set("Authorization", "Bearer "+raw)
+	cli := &http.Client{Timeout: 5 * time.Second}
+	resp, err := cli.Do(req)
+	if err != nil {
+		return err
+	}
+	resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("status %d", resp.StatusCode)
+	}
+	return nil
+}
+
+func encodeSession(sc *securecookie.SecureCookie, token string, exp, issued int64) (string, error) {
+	v := map[string]interface{}{
+		"access_token": token,
+		"expires":      exp,
+		"issued":       issued,
+	}
+	return sc.Encode(cookieName, v)
+}
+
+/* ----------------------------- main ------------------------------------- */
+
+func main() {
+	flag.Parse()
+	if upstream == "" {
+		log.Fatal("--upstream is required")
+	}
+	upURL, err := url.Parse(upstream)
+	if err != nil {
+		log.Fatalf("invalid upstream url: %v", err)
+	}
+
+	if cookieSecretB64 == "" {
+		cookieSecretB64 = os.Getenv("COOKIE_SECRET")
+	}
+	if cookieSecretB64 == "" {
+		log.Fatal("--cookie-secret or $COOKIE_SECRET is required")
+	}
+	secret, err := base64.StdEncoding.DecodeString(cookieSecretB64)
+	if err != nil {
+		log.Fatalf("cookie-secret: %v", err)
+	}
+	sc := securecookie.New(secret, nil)
+
+	// control paths
+	signIn := path.Join(proxyPrefix, "sign_in")
+	signOut := path.Join(proxyPrefix, "sign_out")
+	userInfo := path.Join(proxyPrefix, "userinfo")
+
+	proxy := httputil.NewSingleHostReverseProxy(upURL)
+
+	/* ------------------------- /sign_in ---------------------------------- */
+
+	http.HandleFunc(signIn, func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case http.MethodGet:
+			_ = loginTmpl.Execute(w, struct {
+				Action string
+				Err    string
+			}{Action: signIn})
+		case http.MethodPost:
+			token := strings.TrimSpace(r.FormValue("token"))
+			if token == "" {
+				_ = loginTmpl.Execute(w, struct {
+					Action string
+					Err    string
+				}{Action: signIn, Err: "Token required"})
+				return
+			}
+			if err := externalTokenCheck(token); err != nil {
+				_ = loginTmpl.Execute(w, struct {
+					Action string
+					Err    string
+				}{Action: signIn, Err: "Invalid token"})
+				return
+			}
+
+			exp := time.Now().Add(24 * time.Hour).Unix()
+			claims := decodeJWT(token)
+			if v, ok := claims["exp"].(float64); ok {
+				exp = int64(v)
+			}
+			session, _ := encodeSession(sc, token, exp, time.Now().Unix())
+			http.SetCookie(w, &http.Cookie{
+				Name:     cookieName,
+				Value:    session,
+				Path:     "/",
+				Expires:  time.Unix(exp, 0),
+				Secure:   cookieSecure,
+				HttpOnly: true,
+				SameSite: http.SameSiteLaxMode,
+			})
+			http.Redirect(w, r, "/", http.StatusSeeOther)
+		}
+	})
+
+	/* ------------------------- /sign_out --------------------------------- */
+
+	http.HandleFunc(signOut, func(w http.ResponseWriter, r *http.Request) {
+		http.SetCookie(w, &http.Cookie{
+			Name:     cookieName,
+			Value:    "",
+			Path:     "/",
+			MaxAge:   -1,
+			Secure:   cookieSecure,
+			HttpOnly: true,
+		})
+		http.Redirect(w, r, signIn, http.StatusSeeOther)
+	})
+
+	/* ------------------------- /userinfo --------------------------------- */
+
+	http.HandleFunc(userInfo, func(w http.ResponseWriter, r *http.Request) {
+		c, err := r.Cookie(cookieName)
+		if err != nil {
+			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			return
+		}
+		var sess map[string]interface{}
+		if err := sc.Decode(cookieName, c.Value, &sess); err != nil {
+			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			return
+		}
+		token, _ := sess["access_token"].(string)
+		claims := decodeJWT(token)
+
+		out := map[string]interface{}{
+			"token":                 token,
+			"sub":                   claims["sub"],
+			"email":                 claims["email"],
+			"preferred_username":    claims["preferred_username"],
+			"groups":                claims["groups"],
+			"expires":               sess["expires"],
+			"issued":                sess["issued"],
+			"cookie_refresh_enable": cookieRefresh > 0,
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(out)
+	})
+
+	/* ----------------------------- proxy --------------------------------- */
+
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		c, err := r.Cookie(cookieName)
+		if err != nil {
+			http.Redirect(w, r, signIn, http.StatusFound)
+			return
+		}
+		var sess map[string]interface{}
+		if err := sc.Decode(cookieName, c.Value, &sess); err != nil {
+			http.Redirect(w, r, signIn, http.StatusFound)
+			return
+		}
+		token, _ := sess["access_token"].(string)
+		if token == "" {
+			http.Redirect(w, r, signIn, http.StatusFound)
+			return
+		}
+
+		// cookie refresh
+		if cookieRefresh > 0 {
+			if issued, ok := sess["issued"].(float64); ok {
+				if time.Since(time.Unix(int64(issued), 0)) > cookieRefresh {
+					enc, _ := encodeSession(sc, token, int64(sess["expires"].(float64)), time.Now().Unix())
+					http.SetCookie(w, &http.Cookie{
+						Name:     cookieName,
+						Value:    enc,
+						Path:     "/",
+						Expires:  time.Unix(int64(sess["expires"].(float64)), 0),
+						Secure:   cookieSecure,
+						HttpOnly: true,
+						SameSite: http.SameSiteLaxMode,
+					})
+				}
+			}
+		}
+
+		r.Header.Set("Authorization", "Bearer "+token)
+		proxy.ServeHTTP(w, r)
+	})
+
+	log.Printf("Listening on %s → %s (control prefix %s)", httpAddr, upURL, proxyPrefix)
+	if err := http.ListenAndServe(httpAddr, nil); err != nil {
+		log.Fatal(err)
+	}
+}

hack/download-dashboards.sh

@@ -81,6 +81,7 @@ modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//main/capacity-p
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//flux/flux-control-plane.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//flux/flux-stats.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//kafka/strimzi-kafka.json
+modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//seaweedfs/seaweedfs.json
 modules/340-monitoring-kubernetes/monitoring/grafana-dashboards//goldpinger/goldpinger.json
 EOT
 

hack/e2e-apps/bucket.bats

@@ -0,0 +1,47 @@
+#!/usr/bin/env bats
+
+@test "Create and Verify Seeweedfs Bucket" {
+  # Create the bucket resource
+  name='test'
+  kubectl apply -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: Bucket
+metadata:
+  name: ${name}
+  namespace: tenant-test
+spec: {}
+EOF
+
+  # Wait for the bucket to be ready
+  kubectl -n tenant-test wait hr bucket-${name} --timeout=100s --for=condition=ready
+  kubectl -n tenant-test wait bucketclaims.objectstorage.k8s.io bucket-${name} --timeout=300s --for=jsonpath='{.status.bucketReady}'
+  kubectl -n tenant-test wait bucketaccesses.objectstorage.k8s.io bucket-${name} --timeout=300s --for=jsonpath='{.status.accessGranted}'
+
+  # Get and decode credentials
+  kubectl -n tenant-test get secret bucket-${name} -ojsonpath='{.data.BucketInfo}' | base64 -d > bucket-test-credentials.json
+
+  # Get credentials from the secret
+  ACCESS_KEY=$(jq -r '.spec.secretS3.accessKeyID' bucket-test-credentials.json)
+  SECRET_KEY=$(jq -r '.spec.secretS3.accessSecretKey' bucket-test-credentials.json)
+  BUCKET_NAME=$(jq -r '.spec.bucketName' bucket-test-credentials.json)
+
+  # Start port-forwarding
+  bash -c 'timeout 100s kubectl port-forward service/seaweedfs-s3 -n tenant-root 8333:8333 > /dev/null 2>&1 &'
+
+  # Wait for port-forward to be ready
+  timeout 30 sh -ec 'until nc -z localhost 8333; do sleep 1; done'
+
+  # Set up MinIO alias with error handling
+  mc alias set local https://localhost:8333 $ACCESS_KEY $SECRET_KEY --insecure
+
+  # Upload file to bucket
+  mc cp bucket-test-credentials.json $BUCKET_NAME/bucket-test-credentials.json
+
+  # Verify file was uploaded
+  mc ls $BUCKET_NAME/bucket-test-credentials.json
+
+  # Clean up uploaded file
+  mc rm $BUCKET_NAME/bucket-test-credentials.json
+
+  kubectl -n tenant-test delete bucket.apps.cozystack.io ${name}
+}

hack/e2e-apps/clickhouse.bats

@@ -38,4 +38,5 @@ EOF
   timeout 100 sh -ec "until kubectl -n tenant-test get svc chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.spec.ports[*].port}' | grep -q '9000 8123 9009'; do sleep 10; done"
   timeout 80 sh -ec "until kubectl -n tenant-test get sts chi-clickhouse-$name-clickhouse-0-1 ; do sleep 10; done"
   kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-1 --timeout=140s --for=jsonpath='{.status.replicas}'=1
+  kubectl -n tenant-test delete clickhouse $name
 }

hack/e2e-apps/kubernetes-latest.bats

@@ -0,0 +1,6 @@
+#!/usr/bin/env bats
+
+@test "Create a tenant Kubernetes control plane with latest version" {
+  . hack/e2e-apps/run-kubernetes.sh
+  run_kubernetes_test 'keys | sort_by(.) | .[-1]' 'test-latest-version' '59991'
+}

hack/e2e-apps/kubernetes-previous.bats

@@ -0,0 +1,6 @@
+#!/usr/bin/env bats
+
+@test "Create a tenant Kubernetes control plane with previous version" {
+  . hack/e2e-apps/run-kubernetes.sh
+  run_kubernetes_test 'keys | sort_by(.) | .[-2]' 'test-previous-version' '59992'
+}

hack/e2e-apps/run-kubernetes.sh

@@ -1,5 +1,3 @@
-#!/usr/bin/env bats
-
 run_kubernetes_test() {
     local version_expr="$1"
     local test_name="$2"
@@ -104,10 +102,3 @@ EOF
   kubectl -n tenant-test delete kuberneteses.apps.cozystack.io $test_name
 
 }
-
-@test "Create a tenant Kubernetes control plane with latest version" {
-  run_kubernetes_test 'keys | sort_by(.) | .[-1]' 'test-latest-version' '59991'
-}
-@test "Create a tenant Kubernetes control plane with previous version" {
-  run_kubernetes_test 'keys | sort_by(.) | .[-2]' 'test-previous-version' '59992'
-}

hack/e2e-install-cozystack.bats

@@ -123,10 +123,10 @@ EOF
 
 @test "Configure Tenant and wait for applications" {
   # Patch root tenant and wait for its releases
-  kubectl patch tenants/root -n tenant-root --type merge -p '{"spec":{"host":"example.org","ingress":true,"monitoring":true,"etcd":true,"isolated":true}}'
+  kubectl patch tenants/root -n tenant-root --type merge -p '{"spec":{"host":"example.org","ingress":true,"monitoring":true,"etcd":true,"isolated":true, "seaweedfs": true}}'
 
-  timeout 60 sh -ec 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root >/dev/null 2>&1; do sleep 1; done'
-  kubectl wait hr/etcd hr/ingress hr/tenant-root -n tenant-root --timeout=2m --for=condition=ready
+  timeout 60 sh -ec 'until kubectl get hr -n tenant-root etcd ingress monitoring seaweedfs tenant-root >/dev/null 2>&1; do sleep 1; done'
+  kubectl wait hr/etcd hr/ingress hr/tenant-root hr/seaweedfs -n tenant-root --timeout=4m --for=condition=ready
 
   if ! kubectl wait hr/monitoring -n tenant-root --timeout=2m --for=condition=ready; then
     flux reconcile hr monitoring -n tenant-root --force

hack/update-codegen.sh

@@ -32,6 +32,10 @@ kube::codegen::gen_helpers \
     --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
     "${SCRIPT_ROOT}/pkg/apis"
 
+kube::codegen::gen_helpers \
+    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
+    "${SCRIPT_ROOT}/api"
+
 if [[ -n "${API_KNOWN_VIOLATIONS_DIR:-}" ]]; then
     report_filename="${API_KNOWN_VIOLATIONS_DIR}/cozystack_api_violation_exceptions.list"
     if [[ "${UPDATE_API_KNOWN_VIOLATIONS:-}" == "true" ]]; then

packages/apps/ferretdb/templates/external-svc.yaml

@@ -8,7 +8,9 @@ spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   {{- if .Values.external }}
   externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
   allocateLoadBalancerNodePorts: false
+    {{- end }}
   {{- end }}
   ports:
   - name: ferretdb

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.6.1@sha256:e0a07082bb6fc6aeaae2315f335386f1705a646c72f9e0af512aebbca5cb2b15
+ghcr.io/cozystack/cozystack/nginx-cache:0.6.1@sha256:b7633717cd7449c0042ae92d8ca9b36e4d69566561f5c7d44e21058e7d05c6d5

packages/apps/http-cache/templates/haproxy/service.yaml

@@ -10,7 +10,9 @@ spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   {{- if .Values.external }}
   externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
   allocateLoadBalancerNodePorts: false
+    {{- end }}
   {{- end }}
   selector:
     app: {{ .Release.Name }}-haproxy

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.26.0
+version: 0.26.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.26.0@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.26.2@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.26.0@sha256:49843a0b670eab061627e48df338b2b8bc9f577dc2cfd4c2ed4071e02e64b424
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.26.2@sha256:5335c044313b69ee13b30ca4941687e509005e55f4ae25723861edbf2fbd6dd2

packages/apps/kubernetes/images/kubevirt-cloud-provider/Dockerfile

@@ -21,6 +21,6 @@ RUN go mod vendor
 
 RUN CGO_ENABLED=0 go build -mod=vendor -ldflags="-s -w" -o bin/kubevirt-cloud-controller-manager ./cmd/kubevirt-cloud-controller-manager
 
-FROM registry.access.redhat.com/ubi9/ubi-micro
+FROM scratch
 COPY --from=builder /go/src/kubevirt.io/cloud-provider-kubevirt/bin/kubevirt-cloud-controller-manager /bin/kubevirt-cloud-controller-manager
 ENTRYPOINT [ "/bin/kubevirt-cloud-controller-manager" ]

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.26.0@sha256:445c2727b04ac68595b43c988ff17b3d69a7b22b0644fde3b10c65b47a7bc036
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.26.2@sha256:761e7235ff9cb7f6f223f00954943e6a5af32ed6624ee592a8610122f96febb0

packages/apps/kubernetes/templates/helmreleases/csi.yaml

@@ -35,6 +35,8 @@ spec:
     storageClass: "{{ . }}"
   {{- end }}
   dependsOn:
+  - name: {{ .Release.Name }}-vsnap-crd
+    namespace: {{ .Release.Namespace }}
   {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}

packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler.yaml

@@ -4,6 +4,7 @@
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $targetTenant := index $myNS.metadata.annotations "namespace.cozystack.io/monitoring" }}
 vertical-pod-autoscaler:
+  vpaForVPA: false
   recommender:
     extraArgs:
       container-name-label: container

packages/apps/kubernetes/templates/helmreleases/volumesnapshot_crd.yaml

@@ -1,16 +1,16 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: {{ .Release.Name }}-volumesnapshot-crd-for-tenant-k8s
+  name: {{ .Release.Name }}-vsnap-crd
   labels:
     cozystack.io/repository: system
     cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
   interval: 5m
-  releaseName: volumesnapshot-crd-for-tenant-k8s
+  releaseName: vsnap-crd
   chart:
     spec:
-      chart: cozy-volumesnapshot-crd-for-tenant-k8s
+      chart: cozy-vsnap-crd
       reconcileStrategy: Revision
       sourceRef:
         kind: HelmRepository
@@ -21,8 +21,8 @@ spec:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig
       key: super-admin.svc
-  targetNamespace: cozy-volumesnapshot-crd-for-tenant-k8s
-  storageNamespace: cozy-volumesnapshot-crd-for-tenant-k8s
+  targetNamespace: cozy-vsnap-crd
+  storageNamespace: cozy-vsnap-crd
   install:
     createNamespace: true
     remediation:

packages/apps/postgres/templates/external-svc.yaml

@@ -7,7 +7,9 @@ spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   {{- if .Values.external }}
   externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
   allocateLoadBalancerNodePorts: false
+    {{- end }}
   {{- end }}
   ports:
   - name: postgres

packages/apps/redis/templates/service.yaml

@@ -11,7 +11,9 @@ spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   {{- if .Values.external }}
   externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
   allocateLoadBalancerNodePorts: false
+    {{- end }}
   {{- end }}
   selector:
     app.kubernetes.io/component: redis

packages/apps/tcp-balancer/templates/service.yaml

@@ -10,7 +10,9 @@ spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   {{- if .Values.external }}
   externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
   allocateLoadBalancerNodePorts: false
+    {{- end }}
   {{- end }}
   selector:
     app: {{ .Release.Name }}-haproxy

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.11.1
+version: 1.11.2

packages/apps/tenant/templates/networkpolicy.yaml

@@ -48,6 +48,20 @@ spec:
     {{- range $i, $v := $parts }}
     {{- if ne $i 0 }}
     - matchLabels:
+        "k8s:app.kubernetes.io/name": "vminsert"
+        "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
+    {{- end }}
+    {{- end }}
+    {{- end }}
+  {{- end }}    
+  {{- if ne (include "tenant.name" .) "tenant-root" }}
+  - toEndpoints:
+    {{- if hasPrefix "tenant-" .Release.Namespace }}
+    {{- $parts := splitList "-" .Release.Namespace }}
+    {{- range $i, $v := $parts }}
+    {{- if ne $i 0 }}
+    - matchLabels:
+        "k8s:app.kubernetes.io/instance": "etcd"
         "k8s:io.kubernetes.pod.namespace": {{ join "-" (slice $parts 0 (add $i 1)) }}
     {{- end }}
     {{- end }}

packages/apps/versions_map

@@ -61,7 +61,10 @@ kubernetes 0.24.0 62cb694d
 kubernetes 0.25.0 70f82667
 kubernetes 0.25.1 acd4663a
 kubernetes 0.25.2 08cb7c0f
-kubernetes 0.26.0 HEAD
+kubernetes 0.26.0 9584e5f5
+kubernetes 0.26.1 0e47e1e8
+kubernetes 0.26.2 8ddbe32e
+kubernetes 0.26.3 HEAD
 mysql 0.1.0 263e47be
 mysql 0.2.0 c24a103f
 mysql 0.3.0 53f2365e
@@ -151,7 +154,8 @@ tcp-balancer 0.5.0 08cb7c0f
 tcp-balancer 0.5.1 HEAD
 tenant 1.10.0 4369b031
 tenant 1.11.0 08cb7c0f
-tenant 1.11.1 HEAD
+tenant 1.11.1 28c9fcd6
+tenant 1.11.2 HEAD
 virtual-machine 0.1.4 f2015d65
 virtual-machine 0.1.5 263e47be
 virtual-machine 0.2.0 c0685f43
@@ -171,7 +175,8 @@ virtual-machine 0.10.2 632224a3
 virtual-machine 0.11.0 4369b031
 virtual-machine 0.12.0 acd4663a
 virtual-machine 0.12.1 909208ba
-virtual-machine 0.12.2 HEAD
+virtual-machine 0.12.2 8ddbe32e
+virtual-machine 0.12.3 HEAD
 vm-disk 0.1.0 d971f2ff
 vm-disk 0.1.1 6130f43d
 vm-disk 0.1.2 632224a3
@@ -190,7 +195,8 @@ vm-instance 0.7.2 632224a3
 vm-instance 0.8.0 4369b031
 vm-instance 0.9.0 acd4663a
 vm-instance 0.10.0 909208ba
-vm-instance 0.10.1 HEAD
+vm-instance 0.10.1 8ddbe32e
+vm-instance 0.10.2 HEAD
 vpn 0.1.0 263e47be
 vpn 0.2.0 53f2365e
 vpn 0.3.0 6c5cf5bf

packages/apps/virtual-machine/Chart.yaml

@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.12.2
+version: 0.12.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/virtual-machine/Makefile

@@ -3,10 +3,10 @@ include ../../../scripts/package.mk
 generate:
 	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -o json -i '.properties.gpus.items.type = "object" | .properties.gpus.default = []' values.schema.json
-	INSTANCE_TYPES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/instancetypes.yaml | yq 'split(" ") | . + [""]' -o json) \
-	  && yq -i -o json ".properties.instanceType.optional=true | .properties.instanceType.enum = $${INSTANCE_TYPES}" values.schema.json
+	# INSTANCE_TYPES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/instancetypes.yaml | yq 'split(" ") | . + [""]' -o json) \
+	#  && yq -i -o json ".properties.instanceType.enum = $${INSTANCE_TYPES}" values.schema.json
 	PREFERENCES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/preferences.yaml | yq 'split(" ") | . + [""]' -o json) \
-	  && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
+	  && yq -i -o json ".properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
 	yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json
 	yq -i -o json '.properties.systemDisk.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' values.schema.json
 	yq -i -o json '.properties.externalMethod.enum = ["PortList", "WholeIP"]' values.schema.json

packages/apps/virtual-machine/templates/service.yaml

@@ -13,7 +13,9 @@ metadata:
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
   allocateLoadBalancerNodePorts: false
+    {{- end }}
   selector:
     {{- include "virtual-machine.selectorLabels" . | nindent 4 }}
   ports:

packages/apps/virtual-machine/values.schema.json

@@ -44,7 +44,6 @@
       "default": "ubuntu",
       "description": "Virtual Machine preferences profile",
       "type": "string",
-      "optional": true,
       "enum": [
         "alpine",
         "centos.7",
@@ -94,59 +93,7 @@
     "instanceType": {
       "default": "u1.medium",
       "description": "Virtual Machine instance type",
-      "type": "string",
-      "optional": true,
-      "enum": [
-        "cx1.2xlarge",
-        "cx1.4xlarge",
-        "cx1.8xlarge",
-        "cx1.large",
-        "cx1.medium",
-        "cx1.xlarge",
-        "gn1.2xlarge",
-        "gn1.4xlarge",
-        "gn1.8xlarge",
-        "gn1.xlarge",
-        "m1.2xlarge",
-        "m1.4xlarge",
-        "m1.8xlarge",
-        "m1.large",
-        "m1.xlarge",
-        "n1.2xlarge",
-        "n1.4xlarge",
-        "n1.8xlarge",
-        "n1.large",
-        "n1.medium",
-        "n1.xlarge",
-        "o1.2xlarge",
-        "o1.4xlarge",
-        "o1.8xlarge",
-        "o1.large",
-        "o1.medium",
-        "o1.micro",
-        "o1.nano",
-        "o1.small",
-        "o1.xlarge",
-        "rt1.2xlarge",
-        "rt1.4xlarge",
-        "rt1.8xlarge",
-        "rt1.large",
-        "rt1.medium",
-        "rt1.micro",
-        "rt1.small",
-        "rt1.xlarge",
-        "u1.2xlarge",
-        "u1.2xmedium",
-        "u1.4xlarge",
-        "u1.8xlarge",
-        "u1.large",
-        "u1.medium",
-        "u1.micro",
-        "u1.nano",
-        "u1.small",
-        "u1.xlarge",
-        ""
-      ]
+      "type": "string"
     },
     "resources": {
       "properties": {

packages/apps/vm-instance/Chart.yaml

@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.1
+version: 0.10.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/vm-instance/Makefile

@@ -4,9 +4,9 @@ generate:
 	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -o json -i '.properties.disks.items.type = "object" | .properties.disks.default = []' values.schema.json
 	yq -o json -i '.properties.gpus.items.type = "object" | .properties.gpus.default = []' values.schema.json
-	INSTANCE_TYPES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/instancetypes.yaml | yq 'split(" ") | . + [""]' -o json) \
-	  && yq -i -o json ".properties.instanceType.optional=true | .properties.instanceType.enum = $${INSTANCE_TYPES}" values.schema.json
+	#INSTANCE_TYPES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/instancetypes.yaml | yq 'split(" ") | . + [""]' -o json) \
+	#  && yq -i -o json ".properties.instanceType.enum = $${INSTANCE_TYPES}" values.schema.json
 	PREFERENCES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/preferences.yaml | yq 'split(" ") | . + [""]' -o json) \
-	  && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
+	  && yq -i -o json ".properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
 	yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json
 	yq -i -o json '.properties.externalMethod.enum = ["PortList", "WholeIP"]' values.schema.json

packages/apps/vm-instance/templates/service.yaml

@@ -13,7 +13,9 @@ metadata:
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   externalTrafficPolicy: Local
+    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
   allocateLoadBalancerNodePorts: false
+    {{- end }}
   selector:
     {{- include "virtual-machine.selectorLabels" . | nindent 4 }}
   ports:

packages/apps/vm-instance/values.schema.json

@@ -52,7 +52,6 @@
       "default": "ubuntu",
       "description": "Virtual Machine preferences profile",
       "type": "string",
-      "optional": true,
       "enum": [
         "alpine",
         "centos.7",
@@ -102,59 +101,7 @@
     "instanceType": {
       "default": "u1.medium",
       "description": "Virtual Machine instance type",
-      "type": "string",
-      "optional": true,
-      "enum": [
-        "cx1.2xlarge",
-        "cx1.4xlarge",
-        "cx1.8xlarge",
-        "cx1.large",
-        "cx1.medium",
-        "cx1.xlarge",
-        "gn1.2xlarge",
-        "gn1.4xlarge",
-        "gn1.8xlarge",
-        "gn1.xlarge",
-        "m1.2xlarge",
-        "m1.4xlarge",
-        "m1.8xlarge",
-        "m1.large",
-        "m1.xlarge",
-        "n1.2xlarge",
-        "n1.4xlarge",
-        "n1.8xlarge",
-        "n1.large",
-        "n1.medium",
-        "n1.xlarge",
-        "o1.2xlarge",
-        "o1.4xlarge",
-        "o1.8xlarge",
-        "o1.large",
-        "o1.medium",
-        "o1.micro",
-        "o1.nano",
-        "o1.small",
-        "o1.xlarge",
-        "rt1.2xlarge",
-        "rt1.4xlarge",
-        "rt1.8xlarge",
-        "rt1.large",
-        "rt1.medium",
-        "rt1.micro",
-        "rt1.small",
-        "rt1.xlarge",
-        "u1.2xlarge",
-        "u1.2xmedium",
-        "u1.4xlarge",
-        "u1.8xlarge",
-        "u1.large",
-        "u1.medium",
-        "u1.micro",
-        "u1.nano",
-        "u1.small",
-        "u1.xlarge",
-        ""
-      ]
+      "type": "string"
     },
     "resources": {
       "properties": {

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.34.2@sha256:ad596b3c34f41087597cb28ae3365e82e4e74b62c16a4c8eafc5ad6670564851
+  image: ghcr.io/cozystack/cozystack/installer:v0.35.0-alpha.3@sha256:b43615350697dbbc377d31152b290722c2bba7a053fd7c69403d666e6c7d53ee

packages/core/platform/bundles/distro-full.yaml

@@ -258,3 +258,10 @@ releases:
   privileged: true
   optional: true
   dependsOn: [cilium]
+
+- name: hetzner-robotlb
+  releaseName: robotlb
+  optional: true
+  chart: cozy-hetzner-robotlb
+  namespace: cozy-hetzner-robotlb
+  dependsOn: [cilium]

packages/core/platform/bundles/distro-hosted.yaml

@@ -171,3 +171,9 @@ releases:
   namespace: cozy-velero
   privileged: true
   optional: true
+
+- name: hetzner-robotlb
+  releaseName: robotlb
+  optional: true
+  chart: cozy-hetzner-robotlb
+  namespace: cozy-hetzner-robotlb

packages/core/platform/bundles/paas-full.yaml

@@ -415,3 +415,10 @@ releases:
   privileged: true
   optional: true
   dependsOn: [monitoring-agents]
+
+- name: hetzner-robotlb
+  releaseName: robotlb
+  optional: true
+  chart: cozy-hetzner-robotlb
+  namespace: cozy-hetzner-robotlb
+  dependsOn: [cilium, kubeovn]

packages/core/platform/bundles/paas-hosted.yaml

@@ -238,3 +238,9 @@ releases:
   privileged: true
   optional: true
   dependsOn: [monitoring-agents]
+
+- name: hetzner-robotlb
+  releaseName: robotlb
+  optional: true
+  chart: cozy-hetzner-robotlb
+  namespace: cozy-hetzner-robotlb

packages/core/testing/images/e2e-sandbox/Dockerfile

@@ -19,6 +19,7 @@ RUN curl -sSL "https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_${TA
  && chmod +x /usr/local/bin/yq
 RUN curl -sSL "https://fluxcd.io/install.sh" | bash
 RUN curl -sSL "https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh" | sh -s -- -v "${COZYPKG_VERSION}"
-
+RUN curl https://dl.min.io/client/mc/release/${TARGETOS}-${TARGETARCH}/mc --create-dirs -o  /usr/local/bin/mc \
+&& chmod +x /usr/local/bin/mc
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.34.2@sha256:ff93361a7b55de4d4c8adb7d7b69e7d60cc67d055de7d2f5cacf26847fda8262
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.35.0-alpha.3@sha256:cd6d65230150171c0e3934f71fcc270718f2bfec7509989b9d4d996ddef916d9

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.34.2@sha256:2f2bd75d39a02316e458df9fca95ddb6610557a26cfd53c8dbcef47c0a784507
+ghcr.io/cozystack/cozystack/matchbox:v0.35.0-alpha.3@sha256:043051d7c368b73943051b51bacfb3e383541b53190f74452d552ea2f30e420e

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.12.0
+version: 1.12.1

packages/extra/monitoring/dashboards.list

@@ -37,4 +37,5 @@ flux/flux-stats
 kafka/strimzi-kafka
 goldpinger/goldpinger
 clickhouse/altinity-clickhouse-operator-dashboard
-storage/linstor
+storage/linstor
+seaweedfs/seaweedfs

packages/extra/monitoring/images/grafana.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/grafana:1.12.0@sha256:c63978e1ed0304e8518b31ddee56c4e8115541b997d8efbe1c0a74da57140399
+ghcr.io/cozystack/cozystack/grafana:1.12.1@sha256:c63978e1ed0304e8518b31ddee56c4e8115541b997d8efbe1c0a74da57140399

packages/extra/seaweedfs/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/extra/seaweedfs/Makefile

@@ -4,4 +4,4 @@ include ../../../scripts/package.mk
 
 generate:
 	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
-	yq -o json -i '.properties.topology.enum = ["Simple","MultiZone"]' values.schema.json
+	yq -o json -i '.properties.topology.enum = ["Simple","MultiZone","Client"]' values.schema.json

packages/extra/seaweedfs/README.md

@@ -7,9 +7,12 @@
 | Name                | Description                                                                                            | Value    |
 | ------------------- | ------------------------------------------------------------------------------------------------------ | -------- |
 | `host`              | The hostname used to access the SeaweedFS externally (defaults to 's3' subdomain for the tenant host). | `""`     |
-| `topology`          | The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone)                             | `Simple` |
+| `topology`          | The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone, Client)                     | `Simple` |
 | `replicationFactor` | The number of replicas for each volume in the SeaweedFS cluster.                                       | `2`      |
 | `replicas`          | Persistent Volume size for SeaweedFS                                                                   | `2`      |
 | `size`              | Persistent Volume size                                                                                 | `10Gi`   |
 | `storageClass`      | StorageClass used to store the data                                                                    | `""`     |
 | `zones`             | A map of zones for MultiZone topology. Each zone can have its own number of replicas and size.         | `{}`     |
+| `filer.grpcHost`    | The hostname used to expose or access the filer service externally.                                    | `""`     |
+| `filer.grpcPort`    | The port used to access the filer service externally.                                                  | `443`    |
+| `filer.whitelist`   | A list of IP addresses or CIDR ranges that are allowed to access the filer service.                    | `[]`     |

packages/extra/seaweedfs/images/objectstorage-sidecar.tag

@@ -0,0 +1 @@
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.35.0-alpha.3@sha256:4a67ec40c13bf912151957dc0e7409f7e01a2859905285c98c20baae7b667ae2

packages/extra/seaweedfs/images/seaweedfs-cosi-driver.tag

@@ -0,0 +1 @@
+ghcr.io/seaweedfs/seaweedfs-cosi-driver:v0.2.0

packages/extra/seaweedfs/templates/client/cosi-bucket-class.yaml

@@ -0,0 +1,16 @@
+{{- if eq .Values.topology "Client" }}
+---
+kind: BucketClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ .Release.Namespace }}
+driverName: {{ .Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+deletionPolicy: Delete
+---
+kind: BucketAccessClass
+apiVersion: objectstorage.k8s.io/v1alpha1
+metadata:
+  name: {{ .Release.Namespace }}
+driverName: {{ .Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+authenticationType: KEY
+{{- end }}

packages/extra/seaweedfs/templates/client/cosi-cluster-role.yaml

@@ -0,0 +1,61 @@
+{{- if eq .Values.topology "Client" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Namespace }}-objectstorage-provisioner
+rules:
+- apiGroups: ["objectstorage.k8s.io"]
+  resources:
+    - "buckets"
+    - "bucketaccesses"
+    - "bucketclaims"
+    - "bucketclasses"
+    - "bucketclasses/status"
+    - "bucketaccessclasses"
+    - "buckets/status"
+    - "bucketaccesses/status"
+    - "bucketclaims/status"
+    - "bucketaccessclasses/status"
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "update"
+    - "create"
+    - "delete"
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs:
+    - "get"
+    - "watch"
+    - "list"
+    - "delete"
+    - "update"
+    - "create"
+- apiGroups: [""]
+  resources:
+    - "secrets"
+    - "events"
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "update"
+    - "create"
+    - "delete"
+    - "patch"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Namespace }}-objectstorage-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-objectstorage-provisioner
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Namespace }}-objectstorage-provisioner
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

packages/extra/seaweedfs/templates/client/cosi-deployment.yaml

@@ -0,0 +1,88 @@
+{{- if eq .Values.topology "Client" }}
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $.Release.Name }}-objectstorage-provisioner
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: objectstorage-provisioner
+    app.kubernetes.io/instance: seaweedfs
+    app.kubernetes.io/name: {{ $.Release.Name }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: objectstorage-provisioner
+      app.kubernetes.io/instance: seaweedfs
+      app.kubernetes.io/name: {{ $.Release.Name }}
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        policy.cozystack.io/allow-to-apiserver: "true"
+        app.kubernetes.io/component: objectstorage-provisioner
+        app.kubernetes.io/instance: seaweedfs
+        app.kubernetes.io/name: {{ $.Release.Name }}
+    spec:
+      containers:
+      - name: seaweedfs-cosi-driver
+        image: "{{ $.Files.Get "images/seaweedfs-cosi-driver.tag" | trim }}"
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: DRIVERNAME
+          value: {{ .Release.Namespace }}.seaweedfs.objectstorage.k8s.io
+        - name: ENDPOINT
+          value: https://{{ .Values.host | default (printf "s3.%s" $host) }}
+        - name: SEAWEEDFS_FILER
+          value: "{{ .Values.filer.grpcHost }}:{{ .Values.filer.grpcPort }}"
+        - name: WEED_GRPC_CLIENT_KEY
+          value: /usr/local/share/ca-certificates/client/tls.key
+        - name: WEED_GRPC_CLIENT_CERT
+          value: /usr/local/share/ca-certificates/client/tls.crt
+        - name: WEED_GRPC_CA
+          value: /usr/local/share/ca-certificates/client/ca.crt
+        resources:
+          limits:
+            cpu: 500m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 128Mi
+        volumeMounts:
+        - mountPath: /var/lib/cosi
+          name: socket
+        - mountPath: /usr/local/share/ca-certificates/client/
+          name: client-cert
+          readOnly: true
+      - name: seaweedfs-cosi-sidecar
+        image: "{{ $.Files.Get "images/objectstorage-sidecar.tag" | trim }}"
+        imagePullPolicy: IfNotPresent
+        args:
+        - --v=5
+        env:
+        - name: POD_NAMESPACE
+          value: {{ .Release.Namespace }}
+        volumeMounts:
+        - mountPath: /var/lib/cosi
+          name: socket
+      enableServiceLinks: false
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 10
+      serviceAccountName: {{ .Release.Name }}-objectstorage-provisioner
+      volumes:
+      - name: socket
+        emptyDir: {}
+      - name: client-cert
+        secret:
+          defaultMode: 420
+          secretName: seaweedfs-client-cert
+{{- end }}

packages/extra/seaweedfs/templates/client/cosi-service-account.yaml

@@ -0,0 +1,8 @@
+{{- if eq .Values.topology "Client" }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-objectstorage-provisioner
+  namespace: {{ .Release.Namespace }}
+automountServiceAccountToken: true
+{{- end }}

packages/extra/seaweedfs/templates/cm.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ .Release.Name }}-deployed-topology"
+data:
+  topology: {{ quote .Values.topology }}

packages/extra/seaweedfs/templates/dashboard-resourcemap.yaml

@@ -3,6 +3,7 @@ kind: Role
 metadata:
   name: {{ .Release.Name }}-dashboard-resources
 rules:
+{{- if not (eq .Values.topology "Client") }}
 - apiGroups:
   - ""
   resources:
@@ -27,13 +28,15 @@ rules:
   - {{ $.Release.Name }}-volume
   - {{ $.Release.Name }}-db
   verbs: ["get", "list", "watch"]
+{{- end }}
+
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ .Release.Name }}-dashboard-resources
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" .Release.Namespace) }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" .Release.Namespace) }}
 roleRef:
   kind: Role
   name: {{ .Release.Name }}-dashboard-resources

packages/extra/seaweedfs/templates/ingress.yaml

@@ -0,0 +1,44 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+{{- if and (not (eq .Values.topology "Client")) (.Values.filer.grpcHost) }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: GRPCS
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," (.Values.filer.whitelist | default "0.0.0.0/32") }}"
+  name: seaweedfs-filer-external
+spec:
+  ingressClassName: tenant-root
+  rules:
+  - host: {{ .Values.filer.grpcHost | default (printf "filer.%s" $host) }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: {{ $.Release.Name }}-filer-external
+            port:
+              number: 18888
+        path: /
+        pathType: ImplementationSpecific
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $.Release.Name }}-filer-external
+spec:
+  ports:
+  - name: swfs-filer-grpc
+    port: 18888
+    protocol: TCP
+    targetPort: 18888
+  selector:
+    app.kubernetes.io/component: filer
+    app.kubernetes.io/name: {{ $.Release.Name }}
+{{- end }}

packages/extra/seaweedfs/templates/seaweedfs.yaml

@@ -1,6 +1,9 @@
 {{- /* Preflight checks for Helm template */ -}}
-{{- if not (has .Values.topology (list "Simple" "MultiZone")) }}
-{{-   fail "Invalid value for .Values.topology. Must be one of 'Simple' or 'MultiZone'." }}
+{{- if not (has .Values.topology (list "Simple" "MultiZone" "Client")) }}
+{{-   fail "Invalid value for .Values.topology. Must be one of 'Simple', 'MultiZone' or 'Client'." }}
+{{- end }}
+{{- if and (eq .Values.topology "Client") (not .Values.filer.grpcHost) }}
+{{-   fail "When topology is 'Client', .Values.filer.grpcHost must be set to a valid remote filer GRPC service endpoint." }}
 {{- end }}
 {{- if lt (int .Values.replicationFactor) 1 }}
 {{-   fail "Invalid value for .Values.replicationFactor. Must be at least 1." }}
@@ -13,16 +16,24 @@
 {{-     fail "replicationFactor must be less than or equal to the number of zones defined in .Values.zones." }}
 {{-   end }}
 {{- end }}
-{{- if lookup "v1" "PersistentVolumeClaim" "" (printf "%s-data1-seaweedfs-volume-0" .Release.Name) }}
-{{-   if eq .Values.topology "MultiZone" }}
-{{-     fail "Not allowed to switch between Simple and MultiZone topologies after the first deployment." }}
-{{-   end }}
+
+{{- $detectedTopology := "Unknown" }}
+{{- $configMap := lookup "v1" "ConfigMap" .Release.Namespace (printf "%s-deployed-topology" .Release.Name) }}
+{{- if $configMap }}
+{{-   $detectedTopology = dig "data" "topology" "Unknown" $configMap }}
 {{- else }}
-{{-   if and (eq .Values.topology "Simple") (.Release.IsUpgrade) }}
-{{-     fail "Not allowed to switch between Simple and MultiZone topologies after the first deployment." }}
+{{-   if lookup "v1" "PersistentVolumeClaim" .Release.Namespace (printf "data1-%s-volume-0" .Release.Name) }}
+{{-     $detectedTopology = "Simple" }}
+{{-   else if lookup "apps/v1" "StatefulSet" .Release.Namespace (printf "%s-master" .Release.Name) }}
+{{-     $detectedTopology = "MultiZone" }}
 {{-   end }}
 {{- end }}
 
+{{- if not (has $detectedTopology (list .Values.topology "Unknown")) }}
+{{-   fail (printf "Not allowed to switch between topologies after the first deployment: %s" $detectedTopology) }}
+{{- end }}
+
+{{- if not (eq .Values.topology "Client") }}
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
@@ -198,3 +209,4 @@ spec:
     cnpg.io/cluster: seaweedfs-db
     cnpg.io/podRole: instance
   version: {{ $.Chart.Version }}
+{{- end }}

packages/extra/seaweedfs/templates/vpa.yaml

@@ -1,3 +1,4 @@
+{{- if not (eq .Values.topology "Client") }}
 apiVersion: autoscaling.k8s.io/v1
 kind: VerticalPodAutoscaler
 metadata:
@@ -64,3 +65,4 @@ spec:
         maxAllowed:
           cpu: "1"
           memory: 2048Mi
+{{- end }}

packages/extra/seaweedfs/values.schema.json

@@ -1,5 +1,26 @@
 {
   "properties": {
+    "filer": {
+      "properties": {
+        "grpcHost": {
+          "default": "",
+          "description": "The hostname used to expose or access the filer service externally.",
+          "type": "string"
+        },
+        "grpcPort": {
+          "default": 443,
+          "description": "The port used to access the filer service externally.",
+          "type": "number"
+        },
+        "whitelist": {
+          "default": [],
+          "description": "A list of IP addresses or CIDR ranges that are allowed to access the filer service.",
+          "items": {},
+          "type": "array"
+        }
+      },
+      "type": "object"
+    },
     "host": {
       "default": "",
       "description": "The hostname used to access the SeaweedFS externally (defaults to 's3' subdomain for the tenant host).",
@@ -27,11 +48,12 @@
     },
     "topology": {
       "default": "Simple",
-      "description": "The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone)",
+      "description": "The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone, Client)",
       "type": "string",
       "enum": [
         "Simple",
-        "MultiZone"
+        "MultiZone",
+        "Client"
       ]
     },
     "zones": {

packages/extra/seaweedfs/values.yaml

@@ -3,7 +3,7 @@
 ## @param host The hostname used to access the SeaweedFS externally (defaults to 's3' subdomain for the tenant host).
 host: ""
 
-## @param topology The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone)
+## @param topology The topology of the SeaweedFS cluster. (allowed values: Simple, MultiZone, Client)
 ##
 topology: Simple
 
@@ -31,3 +31,11 @@ storageClass: ""
 ##     replicas: 2
 ##     size: 10Gi
 zones: {}
+
+## @param filer.grpcHost The hostname used to expose or access the filer service externally.
+## @param filer.grpcPort The port used to access the filer service externally.
+## @param filer.whitelist A list of IP addresses or CIDR ranges that are allowed to access the filer service.
+filer:
+  grpcHost: ""
+  grpcPort: 443
+  whitelist: []

packages/extra/versions_map

@@ -47,11 +47,13 @@ monitoring 1.9.2 f9f8bb2f
 monitoring 1.10.0 632224a3
 monitoring 1.10.1 8c86905b
 monitoring 1.11.0 4369b031
-monitoring 1.12.0 HEAD
+monitoring 1.12.0 0e47e1e8
+monitoring 1.12.1 HEAD
 seaweedfs 0.1.0 71514249
 seaweedfs 0.2.0 5fb9cfe3
 seaweedfs 0.2.1 fde4bcfa
 seaweedfs 0.3.0 45a7416c
 seaweedfs 0.4.0 632224a3
 seaweedfs 0.4.1 8c86905b
-seaweedfs 0.5.0 HEAD
+seaweedfs 0.5.0 9584e5f5
+seaweedfs 0.6.0 HEAD

packages/library/cozy-lib/templates/_network.tpl

@@ -0,0 +1,23 @@
+{{- define "cozy-lib.network.defaultDisableLoadBalancerNodePorts" }}
+{{/* Default behavior prior to introduction */}}
+{{-   `true` }}
+{{- end }}
+
+{{/* 
+Invoke as {{ include "cozy-lib.network.disableLoadBalancerNodePorts" $ }}.
+Detects whether the current load balancer class requires nodeports to function
+correctly. Currently just checks if Hetzner's RobotLB is enabled, which does
+require nodeports, and so, returns `false`. Otherwise assumes that metallb is
+in use and returns `true`.
+*/}}
+
+{{- define "cozy-lib.network.disableLoadBalancerNodePorts" }}
+{{-   include "cozy-lib.loadCozyConfig" (list "" .) }}
+{{-   $cozyConfig := index . 1 "cozyConfig" }}
+{{-   if not $cozyConfig }}
+{{-     include "cozy-lib.network.defaultDisableLoadBalancerNodePorts" . }}
+{{-   else }}
+{{-     $enabledComponents := splitList "," ((index $cozyConfig.data "bundle-enable") | default "") }}
+{{-     not (has "robotlb" $enabledComponents) }}
+{{-   end }}
+{{- end }}

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:b4d19f3448d77b55974cccb6c8a0a2d0a54ad3af3880dcf0d84d8941430959f7
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:b39a00543d28cb72617bc50c7a9f873d65c3cd34114d9690cf044f7fac66c8da

packages/system/cozystack-api/templates/configmap.yaml

@@ -1,353 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cozystack-api
-  namespace: cozy-system
-data:
-  config.yaml: |
-    resources:
-    - application:
-        kind: Bucket
-        singular: bucket
-        plural: buckets
-        openAPISchema: {{ .Files.Get "openapi-schemas/bucket.json" | fromJson | toJson | quote }}
-      release:
-        prefix: bucket-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: bucket
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: ClickHouse
-        singular: clickhouse
-        plural: clickhouses
-        openAPISchema: {{ .Files.Get "openapi-schemas/clickhouse.json" | fromJson | toJson | quote }}
-      release:
-        prefix: clickhouse-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: clickhouse
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: HTTPCache
-        singular: httpcache
-        plural: httpcaches
-        openAPISchema: {{ .Files.Get "openapi-schemas/http-cache.json" | fromJson | toJson | quote }}
-      release:
-        prefix: http-cache-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: http-cache
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: NATS
-        singular: nats
-        plural: natses
-        openAPISchema: {{ .Files.Get "openapi-schemas/nats.json" | fromJson | toJson | quote }}
-      release:
-        prefix: nats-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: nats
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: TCPBalancer
-        singular: tcpbalancer
-        plural: tcpbalancers
-        openAPISchema: {{ .Files.Get "openapi-schemas/tcp-balancer.json" | fromJson | toJson | quote }}
-      release:
-        prefix: tcp-balancer-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: tcp-balancer
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: VirtualMachine
-        singular: virtualmachine
-        plural: virtualmachines
-        openAPISchema: {{ .Files.Get "openapi-schemas/virtual-machine.json" | fromJson | toJson | quote }}
-      release:
-        prefix: virtual-machine-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: virtual-machine
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: VPN
-        singular: vpn
-        plural: vpns
-        openAPISchema: {{ .Files.Get "openapi-schemas/vpn.json" | fromJson | toJson | quote }}
-      release:
-        prefix: vpn-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: vpn
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: MySQL
-        singular: mysql
-        plural: mysqls
-        openAPISchema: {{ .Files.Get "openapi-schemas/mysql.json" | fromJson | toJson | quote }}
-      release:
-        prefix: mysql-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: mysql
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: Tenant
-        singular: tenant
-        plural: tenants
-        openAPISchema: {{ .Files.Get "openapi-schemas/tenant.json" | fromJson | toJson | quote }}
-      release:
-        prefix: tenant-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: tenant
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: Kubernetes
-        singular: kubernetes
-        plural: kuberneteses
-        openAPISchema: {{ .Files.Get "openapi-schemas/kubernetes.json" | fromJson | toJson | quote }}
-      release:
-        prefix: kubernetes-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: kubernetes
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: Redis
-        singular: redis
-        plural: redises
-        openAPISchema: {{ .Files.Get "openapi-schemas/redis.json" | fromJson | toJson | quote }}
-      release:
-        prefix: redis-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: redis
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: RabbitMQ
-        singular: rabbitmq
-        plural: rabbitmqs
-        openAPISchema: {{ .Files.Get "openapi-schemas/rabbitmq.json" | fromJson | toJson | quote }}
-      release:
-        prefix: rabbitmq-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: rabbitmq
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: Postgres
-        singular: postgres
-        plural: postgreses
-        openAPISchema: {{ .Files.Get "openapi-schemas/postgres.json" | fromJson | toJson | quote }}
-      release:
-        prefix: postgres-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: postgres
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: FerretDB
-        singular: ferretdb
-        plural: ferretdb
-        openAPISchema: {{ .Files.Get "openapi-schemas/ferretdb.json" | fromJson | toJson | quote }}
-      release:
-        prefix: ferretdb-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: ferretdb
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: Kafka
-        singular: kafka
-        plural: kafkas
-        openAPISchema: {{ .Files.Get "openapi-schemas/kafka.json" | fromJson | toJson | quote }}
-      release:
-        prefix: kafka-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: kafka
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: VMDisk
-        plural: vmdisks
-        singular: vmdisk
-        openAPISchema: {{ .Files.Get "openapi-schemas/vm-disk.json" | fromJson | toJson | quote }}
-      release:
-        prefix: vm-disk-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: vm-disk
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: VMInstance
-        plural: vminstances
-        singular: vminstance
-        openAPISchema: {{ .Files.Get "openapi-schemas/vm-instance.json" | fromJson | toJson | quote }}
-      release:
-        prefix: vm-instance-
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: vm-instance
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-apps
-            namespace: cozy-public
-    - application:
-        kind: Monitoring
-        plural: monitorings
-        singular: monitoring
-        openAPISchema: {{ .Files.Get "openapi-schemas/monitoring.json" | fromJson | toJson | quote }}
-      release:
-        prefix: ""
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: monitoring
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-extra
-            namespace: cozy-public
-    - application:
-        kind: Etcd
-        plural: etcds
-        singular: etcd
-        openAPISchema: {{ .Files.Get "openapi-schemas/etcd.json" | fromJson | toJson | quote }}
-      release:
-        prefix: ""
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: etcd
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-extra
-            namespace: cozy-public
-    - application:
-        kind: Ingress
-        plural: ingresses
-        singular: ingress
-        openAPISchema: {{ .Files.Get "openapi-schemas/ingress.json" | fromJson | toJson | quote }}
-      release:
-        prefix: ""
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: ingress
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-extra
-            namespace: cozy-public
-    - application:
-        kind: SeaweedFS
-        plural: seaweedfses
-        singular: seaweedfs
-        openAPISchema: {{ .Files.Get "openapi-schemas/seaweedfs.json" | fromJson | toJson | quote }}
-      release:
-        prefix: ""
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: seaweedfs
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-extra
-            namespace: cozy-public
-    - application:
-        kind: BootBox
-        plural: bootboxes
-        singular: bootbox
-        openAPISchema: {{ .Files.Get "openapi-schemas/bootbox.json" | fromJson | toJson | quote }}
-      release:
-        prefix: ""
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: bootbox
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-extra
-            namespace: cozy-public
-    - application:
-        kind: Info
-        plural: infos
-        singular: info
-        openAPISchema: {{ .Files.Get "openapi-schemas/info.json" | fromJson | toJson | quote }}
-      release:
-        prefix: ""
-        labels:
-          cozystack.io/ui: "true"
-        chart:
-          name: info
-          sourceRef:
-            kind: HelmRepository
-            name: cozystack-extra
-            namespace: cozy-public

packages/system/cozystack-api/templates/cozystack-resource-definitions.yaml

@@ -0,0 +1,505 @@
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: bucket
+spec:
+  application:
+    kind: Bucket
+    singular: bucket
+    plural: buckets
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/bucket.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: bucket-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: bucket
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: clickhouse
+spec:
+  application:
+    kind: ClickHouse
+    singular: clickhouse
+    plural: clickhouses
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/clickhouse.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: clickhouse-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: clickhouse
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: httpcache
+spec:
+  application:
+    kind: HTTPCache
+    singular: httpcache
+    plural: httpcaches
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/http-cache.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: http-cache-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: http-cache
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: nats
+spec:
+  application:
+    kind: NATS
+    singular: nats
+    plural: natses
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/nats.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: nats-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: nats
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: tcpbalancer
+spec:
+  application:
+    kind: TCPBalancer
+    singular: tcpbalancer
+    plural: tcpbalancers
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/tcp-balancer.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: tcp-balancer-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: tcp-balancer
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: virtualmachine
+spec:
+  application:
+    kind: VirtualMachine
+    singular: virtualmachine
+    plural: virtualmachines
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/virtual-machine.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: virtual-machine-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: virtual-machine
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: vpn
+spec:
+  application:
+    kind: VPN
+    singular: vpn
+    plural: vpns
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/vpn.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: vpn-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: vpn
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: mysql
+spec:
+  application:
+    kind: MySQL
+    singular: mysql
+    plural: mysqls
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/mysql.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: mysql-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: mysql
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: tenant
+spec:
+  application:
+    kind: Tenant
+    singular: tenant
+    plural: tenants
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/tenant.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: tenant-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: tenant
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: kubernetes
+spec:
+  application:
+    kind: Kubernetes
+    singular: kubernetes
+    plural: kuberneteses
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/kubernetes.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: kubernetes-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: kubernetes
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: redis
+spec:
+  application:
+    kind: Redis
+    singular: redis
+    plural: redises
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/redis.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: redis-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: redis
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: rabbitmq
+spec:
+  application:
+    kind: RabbitMQ
+    singular: rabbitmq
+    plural: rabbitmqs
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/rabbitmq.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: rabbitmq-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: rabbitmq
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: postgres
+spec:
+  application:
+    kind: Postgres
+    singular: postgres
+    plural: postgreses
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/postgres.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: postgres-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: postgres
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: ferretdb
+spec:
+  application:
+    kind: FerretDB
+    singular: ferretdb
+    plural: ferretdbs
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/ferretdb.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: ferretdb-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: ferretdb
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: kafka
+spec:
+  application:
+    kind: Kafka
+    singular: kafka
+    plural: kafkas
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/kafka.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: kafka-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: kafka
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: vmdisk
+spec:
+  application:
+    kind: VMDisk
+    singular: vmdisk
+    plural: vmdisks
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/vm-disk.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: vm-disk-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: vm-disk
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: vminstance
+spec:
+  application:
+    kind: VMInstance
+    singular: vminstance
+    plural: vminstances
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/vm-instance.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: vm-instance-
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: vm-instance
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-apps
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: monitoring
+spec:
+  application:
+    kind: Monitoring
+    singular: monitoring
+    plural: monitorings
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/monitoring.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: ""
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: monitoring
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-extra
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: etcd
+spec:
+  application:
+    kind: Etcd
+    singular: etcd
+    plural: etcds
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/etcd.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: ""
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: etcd
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-extra
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: ingress
+spec:
+  application:
+    kind: Ingress
+    singular: ingress
+    plural: ingresses
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/ingress.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: ""
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: ingress
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-extra
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: seaweedfs
+spec:
+  application:
+    kind: SeaweedFS
+    singular: seaweedfs
+    plural: seaweedfses
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/seaweedfs.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: ""
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: seaweedfs
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-extra
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: bootbox
+spec:
+  application:
+    kind: BootBox
+    singular: bootbox
+    plural: bootboxes
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/bootbox.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: ""
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: bootbox
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-extra
+        namespace: cozy-public
+---
+apiVersion: cozystack.io/v1alpha1
+kind: CozystackResourceDefinition
+metadata:
+  name: info
+spec:
+  application:
+    kind: Info
+    singular: info
+    plural: infos
+    openAPISchema: |
+      {{- .Files.Get "openapi-schemas/info.json" | fromJson | toJson | nindent 6 }}
+  release:
+    prefix: ""
+    labels:
+      cozystack.io/ui: "true"
+    chart:
+      name: info
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-extra
+        namespace: cozy-public

packages/system/cozystack-api/templates/deployment.yaml

@@ -14,22 +14,8 @@ spec:
     metadata:
       labels:
         app: cozystack-api
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
     spec:
       serviceAccountName: cozystack-api
       containers:
       - name: cozystack-api
         image: "{{ .Values.cozystackAPI.image }}"
-        args: ["--config=/config/config.yaml"]
-        volumeMounts:
-        - name: config-volume
-          mountPath: /config/config.yaml
-          subPath: config.yaml
-      volumes:
-      - name: config-volume
-        configMap:
-          name: cozystack-api
-          items:
-          - key: config.yaml
-            path: config.yaml

packages/system/cozystack-api/templates/rbac.yaml

@@ -10,8 +10,11 @@ rules:
   resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations", "validatingadmissionpolicies", "validatingadmissionpolicybindings"]
   verbs: ["get", "watch", "list"]
 - apiGroups: ["flowcontrol.apiserver.k8s.io"]
-  resources: ['prioritylevelconfigurations', 'flowschemas']
-  verbs: ['list', 'watch']
-- apiGroups: ['helm.toolkit.fluxcd.io']
-  resources: ['*']
-  verbs: ['*']
+  resources: ["prioritylevelconfigurations", "flowschemas"]
+  verbs: ["list", "watch"]
+- apiGroups: ["cozystack.io"]
+  resources: ["*"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+  resources: ["*"]
+  verbs: ["*"]

packages/system/cozystack-api/values.yaml

@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.34.2@sha256:afe3505e148cea237fcd34a440c9f9b09449d208f9ca365b3ab09902fe303431
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.35.0-alpha.3@sha256:d4cfc2afacc30d383f7b5454e97bb77f2e9bfc33dbc3dc512bfe671300e3ad51

packages/system/cozystack-controller/templates/crds/cozystack.io_cozystackresourcedefinitions.yaml

@@ -0,0 +1,115 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: cozystackresourcedefinitions.cozystack.io
+spec:
+  group: cozystack.io
+  names:
+    kind: CozystackResourceDefinition
+    listKind: CozystackResourceDefinitionList
+    plural: cozystackresourcedefinitions
+    singular: cozystackresourcedefinition
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: CozystackResourceDefinition is the Schema for the cozystackresourcedefinitions
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              application:
+                description: Application configuration
+                properties:
+                  kind:
+                    description: Kind of the application, used for UI and API
+                    type: string
+                  openAPISchema:
+                    description: OpenAPI schema for the application, used for API
+                      validation
+                    type: string
+                  plural:
+                    description: Plural name of the application, used for UI and API
+                    type: string
+                  singular:
+                    description: Singular name of the application, used for UI and
+                      API
+                    type: string
+                required:
+                - kind
+                - openAPISchema
+                - plural
+                - singular
+                type: object
+              release:
+                description: Release configuration
+                properties:
+                  chart:
+                    description: Helm chart configuration
+                    properties:
+                      name:
+                        description: Name of the Helm chart
+                        type: string
+                      sourceRef:
+                        description: Source reference for the Helm chart
+                        properties:
+                          kind:
+                            default: HelmRepository
+                            description: Kind of the source reference
+                            type: string
+                          name:
+                            description: Name of the source reference
+                            type: string
+                          namespace:
+                            default: cozy-public
+                            description: Namespace of the source reference
+                            type: string
+                        required:
+                        - kind
+                        - name
+                        - namespace
+                        type: object
+                    required:
+                    - name
+                    - sourceRef
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Labels for the release
+                    type: object
+                  prefix:
+                    description: Prefix for the release name
+                    type: string
+                required:
+                - chart
+                - prefix
+                type: object
+            required:
+            - application
+            - release
+            type: object
+        type: object
+    served: true
+    storage: true

packages/system/cozystack-controller/values.yaml

@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.34.2@sha256:efc7c74d2c45f6a83350a7715e3b6217883fa8bfc65a24ad71364dd34b1b8804
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.35.0-alpha.3@sha256:98d0b945630c3dd7c39adc7a5326f0e0e0b49a18641bec911aeb6c62beca4e1f
   debug: false
   disableTelemetry: false
-  cozystackVersion: "v0.34.2"
+  cozystackVersion: "v0.35.0-alpha.3"

packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml

@@ -76,7 +76,7 @@ data:
       "kubeappsNamespace": {{ .Release.Namespace | quote }},
       "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
       "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.34.2",
+      "appVersion": "v0.35.0-alpha.3",
       "authProxyEnabled": {{ .Values.authProxy.enabled }},
       "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
       "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},

packages/system/dashboard/values.yaml

@@ -19,8 +19,8 @@ kubeapps:
     image:
       registry: ghcr.io/cozystack/cozystack
       repository: dashboard
-      tag: v0.34.2
-      digest: "sha256:84c333ce0ecddb153a6886b1c633e4480c78690fb0b49cc0f4cb980bee565134"
+      tag: v0.35.0-alpha.3
+      digest: "sha256:ad4b95660b6c5c1b9736ca4768a3f9648705c2855d0a08880d570b4e480dba78"
   redis:
     master:
       resourcesPreset: "none"
@@ -37,8 +37,8 @@ kubeapps:
     image:
       registry: ghcr.io/cozystack/cozystack
       repository: kubeapps-apis
-      tag: v0.34.2
-      digest: "sha256:674a78dc5fa45213a1b717f9a5fde1d3d47b36c92c4988994918dc42ead9dbe3"
+      tag: v0.35.0-alpha.3
+      digest: "sha256:55b1aacdcb8f7e96b75396e461fbba612498095515b9a437b8f925802f06c485"
     pluginConfig:
       flux:
         packages:

packages/system/hetzner-robotlb/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-hetzner-robotlb
+version: 0.1.3  # Placeholder, the actual version will be automatically set during the build process

packages/system/hetzner-robotlb/Makefile

@@ -0,0 +1,9 @@
+export NAME=hetzner-robotlb
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	mkdir -p charts
+	helm pull oci://ghcr.io/intreecom/charts/robotlb --untar --untardir charts

packages/system/hetzner-robotlb/charts/robotlb/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

packages/system/hetzner-robotlb/charts/robotlb/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 0.0.5
+description: A Helm chart for robotlb (loadbalancer on hetzner cloud).
+name: robotlb
+type: application
+version: 0.1.3

packages/system/hetzner-robotlb/charts/robotlb/templates/NOTES.txt

@@ -0,0 +1,4 @@
+The RobotLB Operator was successfully installed.
+Please follow the readme to create loadbalanced services.
+
+README: https://github.com/intreecom/robotlb

packages/system/hetzner-robotlb/charts/robotlb/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "robotlb.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "robotlb.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "robotlb.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "robotlb.labels" -}}
+helm.sh/chart: {{ include "robotlb.chart" . }}
+{{ include "robotlb.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "robotlb.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "robotlb.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "robotlb.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "robotlb.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

packages/system/hetzner-robotlb/charts/robotlb/templates/deployment.yaml

@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "robotlb.fullname" . }}
+  labels:
+    {{- include "robotlb.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      {{- include "robotlb.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "robotlb.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "robotlb.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /usr/local/bin/robotlb
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.envs }}
+          env:
+            {{- range $key, $val := . }}
+              - name: {{ $key | quote }}
+                value: {{ $val | quote }}
+            {{ end -}}
+          {{- end }}
+          {{- with .Values.existingSecrets }}
+          envFrom:
+            {{- range $val := . }}
+            - secretRef:
+                name: {{ $val | quote }}
+            {{ end -}}
+          {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

packages/system/hetzner-robotlb/charts/robotlb/templates/role.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "robotlb.fullname" . }}-cr
+rules: {{- toYaml .Values.serviceAccount.permissions | nindent 2 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "robotlb.fullname" . }}-crb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "robotlb.fullname" . }}-cr
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "robotlb.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/system/hetzner-robotlb/charts/robotlb/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "robotlb.serviceAccountName" . }}
+  labels:
+    {{- include "robotlb.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}

packages/system/hetzner-robotlb/charts/robotlb/values.yaml

@@ -0,0 +1,73 @@
+# Default values for robotlb.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  repository: ghcr.io/intreecom/robotlb
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+envs:
+  ROBOTLB_LOG_LEVEL: "INFO"
+
+existingSecrets: []
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+  # This is a list of cluster permissions to apply to the service account.
+  # By default it grants all permissions.
+  permissions:
+  - apiGroups: [""]
+    resources: [services, services/status]
+    verbs: [get, list, patch, update, watch]
+  - apiGroups: [""]
+    resources: [nodes, pods]
+    verbs: [get, list, watch]
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext:
+  {}
+  # fsGroup: 2000
+
+securityContext:
+  {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+resources:
+  {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

packages/system/hetzner-robotlb/values.yaml

@@ -0,0 +1,3 @@
+robotlb:
+  replicas: 1
+  existingSecrets: ["hetzner-robotlb-credentials"]

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.34.2@sha256:dd662e320f44342fe5f10d63545bf1915e97de380c1685e7b28f7a7fce87512e
+    tag: v0.35.0-alpha.3@sha256:34500654751ceef7a57562fb1edc6928d91245ad8e41da732788dcf10ec330b5
     repository: ghcr.io/cozystack/cozystack/kamaji
   resources:
     limits:

packages/system/keycloak-configure/templates/configure-kk.yaml

@@ -200,7 +200,7 @@ spec:
     - groups
     - kubernetes-client
   redirectUris:
-    - "http://dashboard.{{ $host }}/oauth2/callback/*"
+    - "https://dashboard.{{ $host }}/oauth2/callback/*"
     {{- range $i, $v := $extraRedirectUris }}
     - "{{ $v }}"
     {{- end }}
@@ -223,8 +223,7 @@ data:
         clientSecret: {{ $kubeappsClient }}
         cookieSecret: {{ $cookieSecret }}
         extraFlags:
-          - --ssl-insecure-skip-verify
-          - --cookie-secure=false
+          - --cookie-secure
           - --scope=openid email groups
           - --oidc-issuer-url=https://keycloak.{{ $host }}/realms/cozy
 

packages/system/keycloak/templates/sts.yaml

@@ -87,7 +87,10 @@ spec:
             - name: KEYCLOAK_ADMIN
               value: admin
             - name: KEYCLOAK_ADMIN_PASSWORD
-              value: {{ $password }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-credentials
+                  key: password
             - name: KC_DB
               value: "postgres"
             - name: KC_DB_URL_HOST

packages/system/kubeovn-webhook/values.yaml

@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.34.2@sha256:22c91ff21e44aef520a5daa5b83608fb2c5c796ed1c5a645c0a9a0dc69f086cf
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.35.0-alpha.3@sha256:ad4e506065458b039a86c7f03a35dbb6918756e117ce74dd931089383cfd91f8

packages/system/kubeovn/values.yaml

@@ -64,4 +64,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.13.14@sha256:9136c774410bf4d4343fca7e1e8901c05fd698b9b91cbf6bcf7183a0e4752316
+      tag: v1.13.14@sha256:bacd68243ee9fd94f5f0e377801ed3e99cd0762ff5df0d0ec73a73130180d8ca

packages/system/kubevirt-csi-node/values.yaml

@@ -1,3 +1,3 @@
 storageClass: replicated
 csiDriver:
-  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.26.0@sha256:445c2727b04ac68595b43c988ff17b3d69a7b22b0644fde3b10c65b47a7bc036
+  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.26.2@sha256:761e7235ff9cb7f6f223f00954943e6a5af32ed6624ee592a8610122f96febb0