Release v0.41.11 (#2185)

This PR prepares the release `v0.41.11`.

internal/controller/dashboard/customcolumns.go

@@ -34,9 +34,6 @@ func (m *Manager) ensureCustomColumnsOverride(ctx context.Context, crd *cozyv1al
 	obj.SetName(name)
 
 	href := fmt.Sprintf("/openapi-ui/{2}/{reqsJsonPath[0]['.metadata.namespace']['-']}/factory/%s/{reqsJsonPath[0]['.metadata.name']['-']}", detailsSegment)
-	if g == "apps.cozystack.io" && kind == "Tenant" && plural == "tenants" {
-		href = "/openapi-ui/{2}/{reqsJsonPath[0]['.status.namespace']['-']}/api-table/core.cozystack.io/v1alpha1/tenantmodules"
-	}
 
 	desired := map[string]any{
 		"spec": map[string]any{

internal/controller/dashboard/factory.go

@@ -174,6 +174,48 @@ func detailsTab(kind, endpoint, schemaJSON string, keysOrder [][]string) map[str
 			}),
 		)
 	}
+	if kind == "Info" {
+		rightColStack = append(rightColStack,
+			antdFlexVertical("resource-quotas-block", 4, []any{
+				antdText("resource-quotas-label", true, "Resource Quotas", map[string]any{
+					"fontSize":     float64(20),
+					"marginBottom": float64(12),
+				}),
+				map[string]any{
+					"type": "EnrichedTable",
+					"data": map[string]any{
+						"id":                   "resource-quotas-table",
+						"baseprefix":           "/openapi-ui",
+						"clusterNamePartOfUrl": "{2}",
+						"customizationId":      "factory-resource-quotas",
+						"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/resourcequotas",
+						"pathToItems":          []any{`items`},
+					},
+				},
+			}),
+		)
+	}
+	if kind == "Tenant" {
+		rightColStack = append(rightColStack,
+			antdFlexVertical("resource-quotas-block", 4, []any{
+				antdText("resource-quotas-label", true, "Resource Quotas", map[string]any{
+					"fontSize":     float64(20),
+					"marginBottom": float64(12),
+				}),
+				map[string]any{
+					"type": "EnrichedTable",
+					"data": map[string]any{
+						"id":                   "resource-quotas-table",
+						"baseprefix":           "/openapi-ui",
+						"clusterNamePartOfUrl": "{2}",
+						"customizationId":      "factory-resource-quotas",
+						"fetchUrl":             "/api/clusters/{2}/k8s/api/v1/namespaces/{3}/resourcequotas",
+						"pathToItems":          []any{`items`},
+					},
+				},
+			}),
+		)
+	}
 
 	return map[string]any{
 		"key":   "details",

internal/controller/dashboard/static_refactored.go

@@ -189,6 +189,14 @@ func CreateAllCustomColumnsOverrides() []*dashboardv1alpha1.CustomColumnsOverrid
 			createStringColumn("Values", "_flatMapData_Value"),
 		}),
 
+		// Factory resource quotas
+		createCustomColumnsOverride("factory-resource-quotas", []any{
+			createFlatMapColumn("Data", ".spec.hard"),
+			createStringColumn("Resource", "_flatMapData_Key"),
+			createStringColumn("Hard", "_flatMapData_Value"),
+			createStringColumn("Used", ".status.used['{_flatMapData_Key}']"),
+		}),
+
 		// Factory ingress details rules
 		createCustomColumnsOverride("factory-kube-ingress-details-rules", []any{
 			createStringColumn("Host", ".host"),

internal/controller/dashboard/ui_helpers.go

@@ -102,6 +102,22 @@ func antdFlex(id string, gap float64, children []any) map[string]any {
 	}
 }
 
+func antdFlexSpaceBetween(id string, children []any) map[string]any {
+	if id == "" {
+		id = generateContainerID("auto", "flex")
+	}
+
+	return map[string]any{
+		"type": "antdFlex",
+		"data": map[string]any{
+			"id":      id,
+			"align":   "center",
+			"justify": "space-between",
+		},
+		"children": children,
+	}
+}
+
 func antdFlexVertical(id string, gap float64, children []any) map[string]any {
 	// Auto-generate ID if not provided
 	if id == "" {

internal/controller/dashboard/unified_helpers.go

@@ -237,9 +237,16 @@ func createUnifiedFactory(config UnifiedResourceConfig, tabs []any, urlsToFetch
 		"lineHeight": "24px",
 	})
 
-	header := antdFlex(generateContainerID("header", "row"), float64(6), []any{
-		badge,
-		nameText,
+	header := antdFlexSpaceBetween(generateContainerID("header", "row"), []any{
+		antdFlex(generateContainerID("header", "title-text"), float64(6), []any{
+			badge,
+			nameText,
+		}),
+		antdLink(generateLinkID("header", "edit"),
+			"Edit",
+			fmt.Sprintf("/openapi-ui/{2}/{3}/forms/apis/{reqsJsonPath[0]['.apiVersion']['-']}/%s/{reqsJsonPath[0]['.metadata.name']['-']}",
+				config.Plural),
+		),
 	})
 
 	// Add marginBottom style to header

internal/controller/workloadmonitor_controller.go

@@ -467,5 +467,8 @@ func (r *WorkloadMonitorReconciler) getWorkloadMetadata(obj client.Object) map[s
 	if instanceType, ok := annotations["kubevirt.io/cluster-instancetype-name"]; ok {
 		labels["workloads.cozystack.io/kubevirt-vmi-instance-type"] = instanceType
 	}
+	if instanceProfile, ok := annotations["kubevirt.io/cluster-instanceprofile-name"]; ok {
+		labels["workloads.cozystack.io/kubevirt-vmi-instance-profile"] = instanceProfile
+	}
 	return labels
 }

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:9e34fd50393b418d9516aadb488067a3a63675b045811beb1c0afc9c61e149e8
+ghcr.io/cozystack/cozystack/nginx-cache:0.0.0@sha256:cb25e40cb665b8bbeee8cb1ec39da4c9a7452ef3f2f371912bbc0d1b1e2d40a8

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:6f2b1d6b0b2bdc66f1cbb30c59393369cbf070cb8f5fec748f176952273483cc
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.0.0@sha256:3753b735b0315bee90de54cb25cfebc63bd2cc90ad11ca4fdc0e70439abd5096

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:726d9287e8caaea94eaf24c4f44734e3fbf4f8aa032b66b81848ebf95297cffe
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:bb5b17044969e663c3b391f7274883735c0ffe05a9523988469bdf2974de2dea

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.33@sha256:71a74ca30f75967bae309be2758f19aa3d37c60b19426b9b622ff1c33a80362f
+ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.33@sha256:9d4ad080ef729e0f9f1f5919cb85c0c9b6dc772a22d52046b2de9ccba3772715

packages/apps/kubernetes/templates/cluster.yaml

@@ -292,6 +292,12 @@ metadata:
     {{- end }}
 spec:
   clusterName: {{ $.Release.Name }}
+  replicas: 2
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ $group.maxReplicas }}
+      maxUnavailable: 1
+    type: RollingUpdate
   selector:
     matchLabels:
       cluster.x-k8s.io/cluster-name: {{ $.Release.Name }}
@@ -326,6 +332,7 @@ metadata:
   namespace: {{ $.Release.Namespace }}
 spec:
   clusterName: {{ $.Release.Name }}
+  maxUnhealthy: 0
   nodeStartupTimeout: 10m
   selector:
     matchLabels:

packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml

@@ -1,3 +1,13 @@
+{{- define "cozystack.defaultCertManagerValues" -}}
+{{- if $.Values.addons.gatewayAPI.enabled }}
+cert-manager:
+  config:
+    apiVersion: controller.config.cert-manager.io/v1alpha1
+    kind: ControllerConfiguration
+    enableGatewayAPI: true
+{{- end }}
+{{- end }}
+
 {{- if .Values.addons.certManager.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -33,11 +43,8 @@ spec:
     force: true
     remediation:
       retries: -1
-  {{- with .Values.addons.certManager.valuesOverride }}
   values:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-
+    {{- toYaml (deepCopy .Values.addons.certManager.valuesOverride | mergeOverwrite (fromYaml (include "cozystack.defaultCertManagerValues" .))) | nindent 4 }}
   dependsOn:
   {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}

packages/apps/tenant/templates/tenant.yaml

@@ -231,7 +231,6 @@ rules:
     - get
     - list
     - watch
-    - delete
   - apiGroups: ["kubevirt.io"]
     resources:
     - virtualmachines
@@ -330,7 +329,6 @@ rules:
     - get
     - list
     - watch
-    - delete
   - apiGroups: ["kubevirt.io"]
     resources:
     - virtualmachines

packages/apps/virtual-machine/templates/_helpers.tpl

@@ -70,6 +70,29 @@ Generate a stable UUID for cloud-init re-initialization upon upgrade.
 {{- $uuid }}
 {{- end }}
 
+{{/*
+Domain resources (cpu, memory) as a JSON object.
+Used in vm.yaml for rendering and in the update hook for merge patches.
+*/}}
+{{- define "virtual-machine.domainResources" -}}
+{{- $result := dict -}}
+{{- if or .Values.cpuModel (and .Values.resources .Values.resources.cpu .Values.resources.sockets) -}}
+  {{- $cpu := dict -}}
+  {{- if and .Values.resources .Values.resources.cpu .Values.resources.sockets -}}
+    {{- $_ := set $cpu "cores" (.Values.resources.cpu | int64) -}}
+    {{- $_ := set $cpu "sockets" (.Values.resources.sockets | int64) -}}
+  {{- end -}}
+  {{- if .Values.cpuModel -}}
+    {{- $_ := set $cpu "model" .Values.cpuModel -}}
+  {{- end -}}
+  {{- $_ := set $result "cpu" $cpu -}}
+{{- end -}}
+{{- if and .Values.resources .Values.resources.memory -}}
+  {{- $_ := set $result "resources" (dict "requests" (dict "memory" .Values.resources.memory)) -}}
+{{- end -}}
+{{- $result | toJson -}}
+{{- end -}}
+
 {{/*
 Node Affinity for Windows VMs
 */}}

packages/apps/virtual-machine/templates/vm-update-hook.yaml

@@ -3,22 +3,32 @@
 
 {{- $existingVM := lookup "kubevirt.io/v1" "VirtualMachine" $namespace $vmName -}}
 {{- $existingPVC := lookup "v1" "PersistentVolumeClaim" $namespace $vmName -}}
+{{- $existingService := lookup "v1" "Service" $namespace $vmName -}}
 
 {{- $instanceType := .Values.instanceType | default "" -}}
 {{- $instanceProfile := .Values.instanceProfile | default "" -}}
 {{- $desiredStorage := .Values.systemDisk.storage | default "" -}}
+{{- $desiredServiceType := ternary "LoadBalancer" "ClusterIP" .Values.external -}}
 
 {{- $needUpdateType := false -}}
 {{- $needUpdateProfile := false -}}
 {{- $needResizePVC := false -}}
+{{- $needRecreateService := false -}}
+{{- $needRemoveInstanceType := false -}}
+{{- $needRemoveCustomResources := false -}}
 
-{{- if and $existingVM $instanceType -}}
+{{- $existingHasInstanceType := and $existingVM $existingVM.spec.instancetype -}}
+{{- if and $existingHasInstanceType (not $instanceType) -}}
+  {{- $needRemoveInstanceType = true -}}
+{{- else if and $existingHasInstanceType $instanceType -}}
   {{- if not (eq $existingVM.spec.instancetype.name $instanceType) -}}
     {{- $needUpdateType = true -}}
   {{- end -}}
+{{- else if and $existingVM (not $existingHasInstanceType) $instanceType -}}
+  {{- $needRemoveCustomResources = true -}}
 {{- end -}}
 
-{{- if and $existingVM $instanceProfile -}}
+{{- if and $existingVM $existingVM.spec.preference $instanceProfile -}}
   {{- if not (eq $existingVM.spec.preference.name $instanceProfile) -}}
     {{- $needUpdateProfile = true -}}
   {{- end -}}
@@ -35,7 +45,14 @@
   {{- end -}}
 {{- end -}}
 
-{{- if or $needUpdateType $needUpdateProfile $needResizePVC }}
+{{- if $existingService -}}
+  {{- $currentServiceType := $existingService.spec.type -}}
+  {{- if ne $currentServiceType $desiredServiceType -}}
+    {{- $needRecreateService = true -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if or $needUpdateType $needUpdateProfile $needResizePVC $needRecreateService $needRemoveInstanceType $needRemoveCustomResources }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -80,12 +97,31 @@ spec:
                 -p '{"spec":{"preference":{"name": "{{ $instanceProfile }}", "revisionName": null}}}'
               {{- end }}
 
+              {{- if $needRemoveInstanceType }}
+              echo "Removing instancetype from VM (switching to custom resources)..."
+              kubectl patch virtualmachines.kubevirt.io {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":null{{- if not $instanceProfile }},"preference":null{{- end }},"template":{"spec":{"domain":{{ include "virtual-machine.domainResources" . }}}}}}'
+              {{- end }}
+
+              {{- if $needRemoveCustomResources }}
+              echo "Removing custom CPU/memory from domain (switching to instancetype)..."
+              kubectl patch virtualmachines.kubevirt.io {{ $vmName }} -n {{ $namespace }} \
+                --type merge \
+                -p '{"spec":{"instancetype":{"name":"{{ $instanceType }}","revisionName":null},"template":{"spec":{"domain":{"cpu":null,"resources":null}}}}}'
+              {{- end }}
+
               {{- if $needResizePVC }}
               echo "Patching PVC for storage resize..."
               kubectl patch pvc {{ $vmName }} -n {{ $namespace }} \
                 --type merge \
                 -p '{"spec":{"resources":{"requests":{"storage":"{{ $desiredStorage }}"}}}}'
               {{- end }}
+
+              {{- if $needRecreateService }}
+              echo "Removing Service..."
+              kubectl delete service --cascade=orphan -n {{ $namespace }} {{ $vmName }}
+              {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -111,6 +147,10 @@ rules:
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
     verbs: ["patch", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["services"]
+    resourceNames: ["{{ $vmName }}"]
+    verbs: ["delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

packages/apps/virtual-machine/templates/vm.yaml

@@ -4,6 +4,9 @@
 {{- if and .Values.instanceProfile (not (lookup "instancetype.kubevirt.io/v1beta1" "VirtualMachineClusterPreference" "" .Values.instanceProfile)) }}
 {{-   fail (printf "Specified profile not exists in cluster: %s" .Values.instanceProfile) }}
 {{- end }}
+{{- if and (not .Values.instanceType) (not (and .Values.resources .Values.resources.cpu .Values.resources.sockets .Values.resources.memory)) }}
+{{-   fail "Either instanceType or resources (cpu, sockets, memory) must be specified" }}
+{{- end }}
 
 apiVersion: kubevirt.io/v1
 kind: VirtualMachine
@@ -67,15 +70,12 @@ spec:
         {{- include "virtual-machine.labels" . | nindent 8 }}
     spec:
       domain:
-        {{- if and .Values.resources .Values.resources.cpu .Values.resources.sockets }}
-        cpu:
-          cores: {{ .Values.resources.cpu }}
-          sockets: {{ .Values.resources.sockets }}
+        {{- $domainRes := include "virtual-machine.domainResources" . | fromJson -}}
+        {{- with $domainRes.cpu }}
+        cpu: {{- . | toYaml | nindent 10 }}
         {{- end }}
-        {{- if and .Values.resources .Values.resources.memory }}
-        resources:
-          requests:
-            memory: {{ .Values.resources.memory | quote }}
+        {{- with $domainRes.resources }}
+        resources: {{- . | toYaml | nindent 10 }}
         {{- end }}
         firmware:
           uuid: {{ include "virtual-machine.stableUuid" . }}

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.41.4@sha256:f973ec3c90935b363b3bd1839e31b33ce6bb186a697f40a196686affe59c7c77
+  image: ghcr.io/cozystack/cozystack/installer:v0.41.11@sha256:ba9271deb2f6ac29dd067a1277a4b3c33504a045c375957a2175deaee6fdfec3

packages/core/platform/bundles/distro-full.yaml

@@ -27,7 +27,7 @@ releases:
   dependsOn: [cilium]
 
 - name: cozy-proxy
-  releaseName: cozystack
+  releaseName: cozy-proxy
   chart: cozy-cozy-proxy
   namespace: cozy-system
   optional: true

packages/core/platform/bundles/paas-full.yaml

@@ -66,7 +66,7 @@ releases:
   dependsOn: [cilium,kubeovn]
 
 - name: cozy-proxy
-  releaseName: cozystack
+  releaseName: cozy-proxy
   chart: cozy-cozy-proxy
   namespace: cozy-system
   dependsOn: [cilium,kubeovn,multus]

packages/core/platform/values.yaml

@@ -1,2 +1,2 @@
 assets:
-  image: ghcr.io/cozystack/cozystack/cozystack-assets:v0.41.4@sha256:0cf7e4e96c7b41c420cf4fe0964a0b8180f8adb972fd7fcc33278a3b347c6ce6
+  image: ghcr.io/cozystack/cozystack/cozystack-assets:v0.41.11@sha256:04ca6ac7ac72f4a4d975a33436dc401abf457eb27a7e59f32a333f0b689a11e3

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.41.4@sha256:eac71ef0de3450fce96255629e77903630c63ade62b81e7055f1a689f92ee153
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.41.11@sha256:0eae9f519669667d60b160ebb93c127843c470ad9ca3447fceaa54604503a7ba

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.41.4@sha256:b693d643a2f268fdf3cabecba92aa3da51fed398a7849a8008081c52a958d13a
+ghcr.io/cozystack/cozystack/matchbox:v0.41.11@sha256:d11c034f1475d40e83f94a7f51a21082203c72346fe6a35fc931de976c0546c2

packages/extra/seaweedfs/images/objectstorage-sidecar.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.41.4@sha256:f0751f677dd49e9f775950f9ee81a19db532702e1741bc09a266b81f7f1a6cf8
+ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.41.11@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f

packages/system/bucket/images/s3manager.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:3013e13ba967070948653cc5b913a920dea93a24370b10731fafcfd8fb6a21b0
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:1f03fde12124b94b646532e3ebdebf62b8d87e42e0aa5576cd07c4559ce66403

packages/system/coredns/values.yaml

@@ -6,3 +6,6 @@ coredns:
   k8sAppLabelOverride: kube-dns
   service:
     name: kube-dns
+  serviceAccount:
+    create: true
+    name: kube-dns

packages/system/cozystack-api/values.yaml

@@ -1,5 +1,5 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.41.4@sha256:5f0b59c844a1c619ae27825df08f8cc11869aa22410bba14369569948c3108f4
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.41.11@sha256:3a8cb618f140c60eb2a5afd3f07a5ec7e638ab4cd949ea0913abc372703a2d82
   localK8sAPIEndpoint:
     enabled: true
   replicas: 2

packages/system/cozystack-controller/values.yaml

@@ -1,6 +1,6 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.41.4@sha256:ffebcdf0cea7e3acc0e80b8e381dfd2199fb3bc80537f772b9a93f65457bc2d8
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.41.11@sha256:8f1c725989e32706293afaea195d110d7690b06ad2e52742fce2bbe9f71cbe48
   debug: false
   disableTelemetry: false
-  cozystackVersion: "v0.41.4"
+  cozystackVersion: "v0.41.11"
   cozystackAPIKind: "DaemonSet"

packages/system/dashboard/images/token-proxy/go.mod

@@ -3,6 +3,21 @@ module token-proxy
 go 1.24.0
 
 require (
-	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/gorilla/securecookie v1.1.2
+	github.com/lestrrat-go/httprc/v3 v3.0.2
+	github.com/lestrrat-go/jwx/v3 v3.0.13
+)
+
+require (
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/dsig v1.0.0 // indirect
+	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
+	github.com/valyala/fastjson v1.6.7 // indirect
+	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
 )

packages/system/dashboard/images/token-proxy/go.sum

@@ -1,6 +1,43 @@
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
+github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
+github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=
+github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38=
+github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc/v3 v3.0.2 h1:7u4HUaD0NQbf2/n5+fyp+T10hNCsAnwKfqn4A4Baif0=
+github.com/lestrrat-go/httprc/v3 v3.0.2/go.mod h1:mSMtkZW92Z98M5YoNNztbRGxbXHql7tSitCvaxvo9l0=
+github.com/lestrrat-go/jwx/v3 v3.0.13 h1:AdHKiPIYeCSnOJtvdpipPg/0SuFh9rdkN+HF3O0VdSk=
+github.com/lestrrat-go/jwx/v3 v3.0.13/go.mod h1:2m0PV1A9tM4b/jVLMx8rh6rBl7F6WGb3EG2hufN9OQU=
+github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
+github.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
+github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/valyala/fastjson v1.6.7 h1:ZE4tRy0CIkh+qDc5McjatheGX2czdn8slQjomexVpBM=
+github.com/valyala/fastjson v1.6.7/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

packages/system/dashboard/images/token-proxy/main.go

@@ -1,6 +1,9 @@
 package main
 
 import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"flag"
@@ -13,10 +16,13 @@ import (
 	"os"
 	"path"
 	"strings"
+	"sync"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
 	"github.com/gorilla/securecookie"
+	"github.com/lestrrat-go/httprc/v3"
+	"github.com/lestrrat-go/jwx/v3/jwk"
+	"github.com/lestrrat-go/jwx/v3/jwt"
 )
 
 /* ----------------------------- flags ------------------------------------ */
@@ -26,7 +32,9 @@ var (
 	cookieName, cookieSecretB64     string
 	cookieSecure                    bool
 	cookieRefresh                   time.Duration
-	tokenCheckURL                   string
+	jwksURL                         string
+	saTokenPath                     string
+	saCACertPath                    string
 )
 
 func init() {
@@ -38,7 +46,70 @@ func init() {
 	flag.StringVar(&cookieSecretB64, "cookie-secret", "", "Base64-encoded cookie secret")
 	flag.BoolVar(&cookieSecure, "cookie-secure", false, "Set Secure flag on cookie")
 	flag.DurationVar(&cookieRefresh, "cookie-refresh", 0, "Cookie refresh interval (e.g. 1h)")
-	flag.StringVar(&tokenCheckURL, "token-check-url", "", "URL for external token validation")
+	flag.StringVar(&jwksURL, "jwks-url", "https://kubernetes.default.svc/openid/v1/jwks", "JWKS URL for token verification")
+	flag.StringVar(&saTokenPath, "sa-token-path", "/var/run/secrets/kubernetes.io/serviceaccount/token", "Path to service account token")
+	flag.StringVar(&saCACertPath, "sa-ca-cert-path", "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt", "Path to service account CA certificate")
+
+	flag.Parse()
+
+	// Initialize jwkCache
+	ctx := context.Background()
+	// Load CA certificate
+	caCert, err := os.ReadFile(saCACertPath)
+	if err != nil {
+		jwkCacheErr := fmt.Errorf("failed to read CA cert: %w", err)
+		panic(jwkCacheErr)
+	}
+	caCertPool := x509.NewCertPool()
+	if !caCertPool.AppendCertsFromPEM(caCert) {
+		jwkCacheErr := fmt.Errorf("failed to parse CA cert")
+		panic(jwkCacheErr)
+	}
+
+	// Create transport with SA token injection
+	transport := &saTokenTransport{
+		base: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs: caCertPool,
+			},
+		},
+		tokenPath: saTokenPath,
+	}
+	transport.startRefresh(ctx, 5*time.Minute)
+
+	httpClient := &http.Client{
+		Transport: transport,
+		Timeout:   10 * time.Second,
+	}
+
+	// Create httprc client with custom HTTP client
+	httprcClient := httprc.NewClient(
+		httprc.WithHTTPClient(httpClient),
+	)
+
+	// Create JWK cache
+	jwkCache, err = jwk.NewCache(ctx, httprcClient)
+	if err != nil {
+		jwkCacheErr := fmt.Errorf("failed to create JWK cache: %w", err)
+		panic(jwkCacheErr)
+	}
+
+	// Register the JWKS URL with refresh settings
+	if err := jwkCache.Register(ctx, jwksURL,
+		jwk.WithMinInterval(5*time.Minute),
+		jwk.WithMaxInterval(15*time.Minute),
+	); err != nil {
+		jwkCacheErr := fmt.Errorf("failed to register JWKS URL: %w", err)
+		panic(jwkCacheErr)
+	}
+
+	// Perform initial fetch to ensure the JWKS is available
+	if _, err := jwkCache.Refresh(ctx, jwksURL); err != nil {
+		jwkCacheErr := fmt.Errorf("failed to fetch initial JWKS: %w", err)
+		panic(jwkCacheErr)
+	}
+
+	log.Printf("JWK cache initialized with JWKS URL: %s", jwksURL)
 }
 
 /* ----------------------------- templates -------------------------------- */
@@ -117,42 +188,94 @@ var loginTmpl = template.Must(template.New("login").Parse(`
 </body>
 </html>`))
 
-/* ----------------------------- helpers ---------------------------------- */
+/* ----------------------------- JWK cache -------------------------------- */
 
-func decodeJWT(raw string) jwt.MapClaims {
-	if raw == "" {
-		return jwt.MapClaims{}
-	}
-	tkn, _, err := new(jwt.Parser).ParseUnverified(raw, jwt.MapClaims{})
-	if err != nil || tkn == nil {
-		return jwt.MapClaims{}
-	}
-	if c, ok := tkn.Claims.(jwt.MapClaims); ok {
-		return c
-	}
-	return jwt.MapClaims{}
+var (
+	jwkCache *jwk.Cache
+)
+
+// saTokenTransport adds the service account token to requests and refreshes it periodically.
+type saTokenTransport struct {
+	base      http.RoundTripper
+	tokenPath string
+	mu        sync.RWMutex
+	token     string
 }
 
-func externalTokenCheck(raw string) error {
-	if tokenCheckURL == "" {
+func (t *saTokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	t.mu.RLock()
+	token := t.token
+	t.mu.RUnlock()
+
+	if token != "" {
+		req = req.Clone(req.Context())
+		req.Header.Set("Authorization", "Bearer "+token)
+	}
+	return t.base.RoundTrip(req)
+}
+
+func (t *saTokenTransport) refreshToken() {
+	data, err := os.ReadFile(t.tokenPath)
+	if err != nil {
+		log.Printf("warning: failed to read SA token: %v", err)
+		return
+	}
+	t.mu.Lock()
+	t.token = string(data)
+	t.mu.Unlock()
+}
+
+func (t *saTokenTransport) startRefresh(ctx context.Context, interval time.Duration) {
+	t.refreshToken()
+	go func() {
+		ticker := time.NewTicker(interval)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				t.refreshToken()
+			}
+		}
+	}()
+}
+
+/* ----------------------------- helpers ---------------------------------- */
+
+// verifyAndParseJWT verifies the token signature and returns the parsed token.
+func verifyAndParseJWT(ctx context.Context, raw string) (jwt.Token, error) {
+	if raw == "" {
+		return nil, fmt.Errorf("empty token")
+	}
+
+	keySet, err := jwkCache.Lookup(ctx, jwksURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get JWKS: %w", err)
+	}
+
+	token, err := jwt.Parse([]byte(raw), jwt.WithKeySet(keySet))
+	if err != nil {
+		return nil, fmt.Errorf("failed to verify token: %w", err)
+	}
+
+	return token, nil
+}
+
+// getClaim extracts a claim value from a verified token.
+func getClaim(token jwt.Token, key string) any {
+	if token == nil {
 		return nil
 	}
-	req, _ := http.NewRequest(http.MethodGet, tokenCheckURL, nil)
-	req.Header.Set("Authorization", "Bearer "+raw)
-	cli := &http.Client{Timeout: 5 * time.Second}
-	resp, err := cli.Do(req)
-	if err != nil {
-		return err
+	var val any
+	if err := token.Get(key, &val); err != nil {
+		return nil
 	}
-	resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("status %d", resp.StatusCode)
-	}
-	return nil
+	return val
 }
 
 func encodeSession(sc *securecookie.SecureCookie, token string, exp, issued int64) (string, error) {
-	v := map[string]interface{}{
+	v := map[string]any{
 		"access_token": token,
 		"expires":      exp,
 		"issued":       issued,
@@ -166,7 +289,6 @@ func encodeSession(sc *securecookie.SecureCookie, token string, exp, issued int6
 /* ----------------------------- main ------------------------------------- */
 
 func main() {
-	flag.Parse()
 	if upstream == "" {
 		log.Fatal("--upstream is required")
 	}
@@ -214,7 +336,11 @@ func main() {
 				}{Action: signIn, Err: "Token required"})
 				return
 			}
-			if err := externalTokenCheck(token); err != nil {
+
+			// Verify token signature using JWKS
+			verifiedToken, err := verifyAndParseJWT(r.Context(), token)
+			if err != nil {
+				log.Printf("token verification failed: %v", err)
 				_ = loginTmpl.Execute(w, struct {
 					Action string
 					Err    string
@@ -223,9 +349,8 @@ func main() {
 			}
 
 			exp := time.Now().Add(24 * time.Hour).Unix()
-			claims := decodeJWT(token)
-			if v, ok := claims["exp"].(float64); ok {
-				exp = int64(v)
+			if expTime, ok := verifiedToken.Expiration(); ok && !expTime.IsZero() {
+				exp = expTime.Unix()
 			}
 			session, _ := encodeSession(sc, token, exp, time.Now().Unix())
 			http.SetCookie(w, &http.Cookie{
@@ -264,7 +389,7 @@ func main() {
 			return
 		}
 		var token string
-		var sess map[string]interface{}
+		var sess map[string]any
 		if sc != nil {
 			if err := sc.Decode(cookieName, c.Value, &sess); err != nil {
 				http.Error(w, "unauthorized", http.StatusUnauthorized)
@@ -273,19 +398,25 @@ func main() {
 			token, _ = sess["access_token"].(string)
 		} else {
 			token = c.Value
-			sess = map[string]interface{}{
+			sess = map[string]any{
 				"expires": time.Now().Add(24 * time.Hour).Unix(),
 				"issued":  time.Now().Unix(),
 			}
 		}
-		claims := decodeJWT(token)
 
-		out := map[string]interface{}{
+		// Re-verify the token to ensure it's still valid
+		verifiedToken, err := verifyAndParseJWT(r.Context(), token)
+		if err != nil {
+			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		out := map[string]any{
 			"token":                 token,
-			"sub":                   claims["sub"],
-			"email":                 claims["email"],
-			"preferred_username":    claims["preferred_username"],
-			"groups":                claims["groups"],
+			"sub":                   getClaim(verifiedToken, "sub"),
+			"email":                 getClaim(verifiedToken, "email"),
+			"preferred_username":    getClaim(verifiedToken, "preferred_username"),
+			"groups":                getClaim(verifiedToken, "groups"),
 			"expires":               sess["expires"],
 			"issued":                sess["issued"],
 			"cookie_refresh_enable": cookieRefresh > 0,
@@ -303,7 +434,7 @@ func main() {
 			return
 		}
 		var token string
-		var sess map[string]interface{}
+		var sess map[string]any
 		if sc != nil {
 			if err := sc.Decode(cookieName, c.Value, &sess); err != nil {
 				http.Redirect(w, r, signIn, http.StatusFound)
@@ -312,7 +443,7 @@ func main() {
 			token, _ = sess["access_token"].(string)
 		} else {
 			token = c.Value
-			sess = map[string]interface{}{
+			sess = map[string]any{
 				"expires": time.Now().Add(24 * time.Hour).Unix(),
 				"issued":  time.Now().Unix(),
 			}

packages/system/dashboard/templates/configmap.yaml

@@ -1,6 +1,6 @@
 {{- $brandingConfig := .Values._cluster.branding | default dict }}
 
-{{- $tenantText := "v0.41.4" }}
+{{- $tenantText := "v0.41.11" }}
 {{- $footerText := "Cozystack" }}
 {{- $titleText := "Cozystack Dashboard" }}
 {{- $logoText := "" }}

packages/system/dashboard/templates/gatekeeper-sa.yaml

@@ -2,3 +2,30 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: incloud-web-gatekeeper
+{{- $oidcEnabled := index .Values._cluster "oidc-enabled" }}
+{{- if ne $oidcEnabled "true" }}
+---
+# ClusterRole to allow token-proxy to fetch JWKS for JWT verification
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: incloud-web-gatekeeper-jwks
+rules:
+- nonResourceURLs:
+  - /openid/v1/jwks
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: incloud-web-gatekeeper-jwks
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: incloud-web-gatekeeper-jwks
+subjects:
+- kind: ServiceAccount
+  name: incloud-web-gatekeeper
+  namespace: {{ .Release.Namespace }}
+{{- end }}

packages/system/dashboard/templates/gatekeeper.yaml

@@ -89,7 +89,6 @@ spec:
             - --cookie-name=kc-access
             - --cookie-secure=true
             - --cookie-secret=$(TOKEN_PROXY_COOKIE_SECRET)
-            - --token-check-url=http://incloud-web-nginx.{{ .Release.Namespace }}.svc:8080/api/clusters/default/k8s/apis/core.cozystack.io/v1alpha1/tenantnamespaces
           env:
             - name: TOKEN_PROXY_COOKIE_SECRET
               valueFrom:

packages/system/dashboard/templates/web.yaml

@@ -63,6 +63,13 @@ spec:
             periodSeconds: 10
             successThreshold: 1
             timeoutSeconds: 2
+          startupProbe:
+            httpGet:
+              path: /healthcheck
+              port: 64231
+              scheme: HTTP
+            failureThreshold: 30
+            periodSeconds: 2
           name: bff
           ports:
             - containerPort: 64231
@@ -183,6 +190,13 @@ spec:
             periodSeconds: 10
             successThreshold: 1
             timeoutSeconds: 2
+          startupProbe:
+            httpGet:
+              path: /healthcheck
+              port: 8080
+              scheme: HTTP
+            failureThreshold: 30
+            periodSeconds: 2
           name: web
           ports:
             - containerPort: 8080

packages/system/dashboard/values.yaml

@@ -1,6 +1,6 @@
 openapiUI:
-  image: ghcr.io/cozystack/cozystack/openapi-ui:v0.41.4@sha256:1418d386ebdf1d773ac450d6ac596edb99f3ae5f413a8a289805652e6461deac
+  image: ghcr.io/cozystack/cozystack/openapi-ui:v0.41.11@sha256:87dfcda3aaaade114e099a3bd8fbb4479a20a761d60849dd2fe47ba245db7cb8
 openapiUIK8sBff:
-  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v0.41.4@sha256:fda379dce49c2cd8cb8d7d2a1d8ec6f7bedb3419c058c4355ecdece1c1e937f4
+  image: ghcr.io/cozystack/cozystack/openapi-ui-k8s-bff:v0.41.11@sha256:0ee55b703839497b7d8264000c3f39c3688b550de1047eb754577523c810fa79
 tokenProxy:
-  image: ghcr.io/cozystack/cozystack/token-proxy:v0.41.4@sha256:e91d9c722da0912b94430b356cabb5706049b2ff2717161bf55c8e9ea612d55c
+  image: ghcr.io/cozystack/cozystack/token-proxy:v0.41.11@sha256:2e280991e07853ea48f97b0a42946afffa10d03d6a83d41099ed83e6ffc94fdc

packages/system/etcd-operator/charts/etcd-operator/README.md

@@ -38,8 +38,8 @@
 | kubeRbacProxy.args[2] | string | `"--logtostderr=true"` |  |
 | kubeRbacProxy.args[3] | string | `"--v=0"` |  |
 | kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
-| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | Image repository |
-| kubeRbacProxy.image.tag | string | `"v0.16.0"` | Version of image |
+| kubeRbacProxy.image.repository | string | `"quay.io/brancz/kube-rbac-proxy"` | Image repository |
+| kubeRbacProxy.image.tag | string | `"v0.18.1"` | Version of image |
 | kubeRbacProxy.livenessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
 | kubeRbacProxy.readinessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
 | kubeRbacProxy.resources | object | `{"limits":{"cpu":"250m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |

packages/system/etcd-operator/charts/etcd-operator/values.yaml

@@ -98,13 +98,13 @@ kubeRbacProxy:
   image:
 
     # -- Image repository
-    repository: gcr.io/kubebuilder/kube-rbac-proxy
+    repository: quay.io/brancz/kube-rbac-proxy
 
     # -- Image pull policy
     pullPolicy: IfNotPresent
 
     # -- Version of image
-    tag: v0.16.0
+    tag: v0.18.1
 
   args:
     - --secure-listen-address=0.0.0.0:8443

packages/system/kamaji/values.yaml

@@ -3,7 +3,7 @@ kamaji:
     deploy: false
   image:
     pullPolicy: IfNotPresent
-    tag: v0.41.4@sha256:d5f2fa2972ba33cd2ccb855256e4bda4734d7e250638811b77f2e0dc72ad6b19
+    tag: v0.41.11@sha256:9ac09f817c67de652bacedcdc0390cd343401879b6c1a1c28131a0f109af3804
     repository: ghcr.io/cozystack/cozystack/kamaji
   resources:
     limits:
@@ -13,4 +13,4 @@ kamaji:
       cpu: 100m
       memory: 100Mi
   extraArgs:
-    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v0.41.4@sha256:d5f2fa2972ba33cd2ccb855256e4bda4734d7e250638811b77f2e0dc72ad6b19
+    - --migrate-image=ghcr.io/cozystack/cozystack/kamaji:v0.41.11@sha256:9ac09f817c67de652bacedcdc0390cd343401879b6c1a1c28131a0f109af3804

packages/system/keycloak-configure/templates/configure-kk.yaml

@@ -5,12 +5,6 @@
 {{- $existingKubeappsSecret := lookup "v1" "Secret" .Release.Namespace "kubeapps-client" }}
 {{- $existingAuthConfig := lookup "v1" "Secret" "cozy-dashboard" "kubeapps-auth-config" }}
 {{- $brandingConfig := .Values._cluster.branding | default dict }}
-
-{{ $branding := "" }}
-{{- if $brandingConfig }}
-  {{- $branding = $brandingConfig.branding }}
-{{- end }}
-
 ---
 
 apiVersion: v1.edp.epam.com/v1alpha1
@@ -32,9 +26,15 @@ metadata:
 spec:
   realmName: cozy
   clusterKeycloakRef: keycloak-cozy
-  {{- if $branding }}
-  displayHtmlName: {{ $branding }}
-  displayName: {{ $branding }}
+  {{- if $brandingConfig }}
+  {{- if hasKey $brandingConfig "brandName" }}
+  displayName: {{ $brandingConfig.brandName }}
+  {{- end }}
+  {{- if hasKey $brandingConfig "brandHtmlName" }}
+  displayHtmlName: {{ $brandingConfig.brandHtmlName }}
+  {{- else if hasKey $brandingConfig "branding" }}
+  displayHtmlName: {{ $brandingConfig.branding }}
+  {{- end }}
   {{- end }}
 
 ---

packages/system/kubeovn-plunger/values.yaml

@@ -1,4 +1,4 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v0.41.4@sha256:a6070f149b19b4b0eea101b58a3a14285013059802d174698e0b80b357eb12be
+image: ghcr.io/cozystack/cozystack/kubeovn-plunger:v0.41.11@sha256:50dcf0aa177d8b88949d15cdbbb225f4ac06677048111b5d8ff4910d6ec97d11
 ovnCentralName: ovn-central

packages/system/kubeovn-webhook/values.yaml

@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.41.4@sha256:e18f9fd679e38f65362a8d0042f25468272f6d081136ad47027168d8e7e07a4a
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.41.11@sha256:e18f9fd679e38f65362a8d0042f25468272f6d081136ad47027168d8e7e07a4a

packages/system/kubeovn/Makefile

@@ -1,5 +1,3 @@
-KUBEOVN_TAG=v0.40.0
-
 export NAME=kubeovn
 export NAMESPACE=cozy-$(NAME)
 
@@ -8,6 +6,6 @@ include ../../../scripts/package.mk
 
 update:
 	rm -rf charts values.yaml Chart.yaml
-	tag=$(KUBEOVN_TAG) && \
-	curl -sSL https://github.com/cozystack/kubeovn/archive/refs/tags/$${tag}.tar.gz | \
-	tar xzvf - --strip 2 kubeovn-$${tag#*v}/chart
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/cozystack/kubeovn-chart | awk -F'[/^]' 'END{print $$3}') && \
+	curl -sSL https://github.com/cozystack/kubeovn-chart/archive/refs/tags/$${tag}.tar.gz | \
+	tar xzvf - --strip 2 kubeovn-chart-$${tag#*v}/chart

packages/system/kubeovn/charts/kube-ovn/Chart.yaml

@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v1.14.25
+version: v1.15.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.14.25"
+appVersion: "1.15.3"
 
 kubeVersion: ">= 1.29.0-0"

packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl

@@ -69,7 +69,9 @@ Number of master nodes
     {{- $imageVersion := (index $ds.spec.template.spec.containers 0).image | splitList ":" | last | trimPrefix "v" -}}
     {{- $versionRegex := `^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)` -}}
     {{- if and (ne $newChartVersion $chartVersion) (regexMatch $versionRegex $imageVersion) -}}
-      {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.13.0" -}}
+      {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.15.0" -}}
+        25.03
+      {{- else if regexFind $versionRegex $imageVersion | semverCompare ">= 1.13.0" -}}
         24.03
       {{- else if regexFind $versionRegex $imageVersion | semverCompare ">= 1.12.0" -}}
         22.12

packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml

@@ -122,6 +122,7 @@ spec:
             limits:
               cpu: {{ index .Values "ovn-central" "limits" "cpu" }}
               memory: {{ index .Values "ovn-central" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "ovn-central" "limits" "ephemeral-storage" }}
           volumeMounts:
             - mountPath: /var/run/ovn
               name: host-run-ovn

packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml

@@ -101,6 +101,7 @@ spec:
           - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }}
           - --enable-lb={{- .Values.func.ENABLE_LB }}
           - --enable-np={{- .Values.func.ENABLE_NP }}
+          - --np-enforcement={{- .Values.func.NP_ENFORCEMENT }}
           - --enable-eip-snat={{- .Values.networking.ENABLE_EIP_SNAT }}
           - --enable-external-vpc={{- .Values.func.ENABLE_EXTERNAL_VPC }}
           - --enable-ecmp={{- .Values.networking.ENABLE_ECMP }}
@@ -117,11 +118,14 @@ spec:
           - --secure-serving={{- .Values.func.SECURE_SERVING }}
           - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
           - --enable-anp={{- .Values.func.ENABLE_ANP }}
+          - --enable-dns-name-resolver={{- .Values.func.ENABLE_DNS_NAME_RESOLVER }}
           - --ovsdb-con-timeout={{- .Values.func.OVSDB_CON_TIMEOUT }}
           - --ovsdb-inactivity-timeout={{- .Values.func.OVSDB_INACTIVITY_TIMEOUT }}
           - --enable-live-migration-optimize={{- .Values.func.ENABLE_LIVE_MIGRATION_OPTIMIZE }}
           - --enable-ovn-lb-prefer-local={{- .Values.func.ENABLE_OVN_LB_PREFER_LOCAL }}
           - --image={{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}
+          - --skip-conntrack-dst-cidrs={{- .Values.networking.SKIP_CONNTRACK_DST_CIDRS }}
+          - --non-primary-cni-mode={{- .Values.cni_conf.NON_PRIMARY_CNI }}
           securityContext:
             runAsUser: {{ include "kubeovn.runAsUser" . }}
             privileged: false
@@ -140,11 +144,7 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
-            - name: KUBE_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: KUBE_NODE_NAME
+            - name: NODE_NAME
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
@@ -194,6 +194,7 @@ spec:
             limits:
               cpu: {{ index .Values "kube-ovn-controller" "limits" "cpu" }}
               memory: {{ index .Values "kube-ovn-controller" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "kube-ovn-controller" "limits" "ephemeral-storage" }}
       nodeSelector:
         kubernetes.io/os: "linux"
       volumes:

packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml

@@ -100,6 +100,7 @@ spec:
             limits:
               cpu: 3
               memory: 1Gi
+              ephemeral-storage: 1Gi
           volumeMounts:
             - mountPath: /var/run/ovn
               name: host-run-ovn

packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml

@@ -81,7 +81,7 @@ spec:
           env:
             - name: ENABLE_SSL
               value: "{{ .Values.networking.ENABLE_SSL }}"
-            - name: KUBE_NODE_NAME
+            - name: NODE_NAME
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
@@ -110,6 +110,7 @@ spec:
             limits:
               cpu: {{ index .Values "kube-ovn-monitor" "limits" "cpu" }}
               memory: {{ index .Values "kube-ovn-monitor" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "kube-ovn-monitor" "limits" "ephemeral-storage" }}
           volumeMounts:
             - mountPath: /var/run/ovn
               name: host-run-ovn

packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml

@@ -48,10 +48,18 @@ rules:
       - switch-lb-rules/status
       - vpc-dnses
       - vpc-dnses/status
+      - dnsnameresolvers
+      - dnsnameresolvers/status
       - qos-policies
       - qos-policies/status
     verbs:
-      - "*"
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - watch
+      - delete
   - apiGroups:
       - ""
     resources:
@@ -84,6 +92,8 @@ rules:
       - network-attachment-definitions
     verbs:
       - get
+      - list
+      - watch
   - apiGroups:
       - ""
       - networking.k8s.io
@@ -166,7 +176,11 @@ rules:
     resources:
       - leases
     verbs:
-      - "*"
+      - create
+      - update
+      - patch
+      - get
+      - watch
   - apiGroups:
       - "kubevirt.io"
     resources:
@@ -181,6 +195,7 @@ rules:
     resources:
       - adminnetworkpolicies
       - baselineadminnetworkpolicies
+      - clusternetworkpolicies
     verbs:
       - get
       - list
@@ -276,7 +291,6 @@ rules:
     verbs:
       - get
       - list
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -355,12 +369,23 @@ rules:
       - "list"
       - "watch"
       - "delete"
-  - apiGroups:
-      - ""
-    resources:
-      - "secrets"
-    verbs:
-      - "get"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-reader-ovn-ipsec
+  namespace: {{ .Values.namespace }}
+rules:
+- apiGroups: 
+    - ""
+  resources: 
+    - "secrets"
+  resourceNames: 
+    - "ovn-ipsec-ca"
+  verbs: 
+    - "get"
+    - "list"
+    - "watch"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

packages/system/kubeovn/charts/kube-ovn/templates/ovn-CRB.yaml

@@ -67,6 +67,20 @@ subjects:
     namespace: {{ .Values.namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kube-ovn-cni-secret-reader
+  namespace: {{ .Values.namespace }}
+subjects:
+- kind: ServiceAccount
+  name: kube-ovn-cni
+  namespace: {{ .Values.namespace }}
+roleRef:
+  kind: Role
+  name: secret-reader-ovn-ipsec
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: kube-ovn-app

packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml

@@ -54,7 +54,7 @@ spec:
               value: "{{- .Values.networking.TUNNEL_TYPE }}"
             - name: DPDK_TUNNEL_IFACE
               value: "{{- .Values.networking.DPDK_TUNNEL_IFACE }}"
-            - name: KUBE_NODE_NAME
+            - name: NODE_NAME
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName

packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml

@@ -122,9 +122,7 @@ spec:
           - --secure-serving={{- .Values.func.SECURE_SERVING }}
           - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
           - --set-vxlan-tx-off={{- .Values.func.SET_VXLAN_TX_OFF }}
-          {{- with .Values.mtu }}
-          - --mtu={{ . }}
-          {{- end }}
+          - --non-primary-cni-mode={{- .Values.cni_conf.NON_PRIMARY_CNI }}
         securityContext:
           runAsUser: 0
           privileged: false
@@ -143,7 +141,7 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: status.podIP
-          - name: KUBE_NODE_NAME
+          - name: NODE_NAME
             valueFrom:
               fieldRef:
                 fieldPath: spec.nodeName
@@ -227,6 +225,7 @@ spec:
           limits:
             cpu: {{ index .Values "kube-ovn-cni" "limits" "cpu" }}
             memory: {{ index .Values "kube-ovn-cni" "limits" "memory" }}
+            ephemeral-storage: {{ index .Values "kube-ovn-cni" "limits" "ephemeral-storage" }}
       nodeSelector:
         kubernetes.io/os: "linux"
       volumes:

packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml

@@ -115,7 +115,7 @@ spec:
               value: "{{- .Values.func.HW_OFFLOAD }}"
             - name: TUNNEL_TYPE
               value: "{{- .Values.networking.TUNNEL_TYPE }}"
-            - name: KUBE_NODE_NAME
+            - name: NODE_NAME
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
@@ -173,6 +173,7 @@ spec:
             limits:
               cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }}
               memory: {{ index .Values "ovs-ovn" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "ovs-ovn" "limits" "ephemeral-storage" }}
       nodeSelector:
         kubernetes.io/os: "linux"
       volumes:

packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml

@@ -73,7 +73,6 @@ spec:
           {{- else if eq .Values.networking.NET_STACK "ipv6" -}}
           {{ .Values.ipv6.PINGER_EXTERNAL_DOMAIN }}
           {{- end }}
-          - --ds-namespace={{ .Values.namespace }}
           - --logtostderr=false
           - --alsologtostderr=true
           - --log_file=/var/log/kube-ovn/kube-ovn-pinger.log
@@ -102,6 +101,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
             - name: NODE_NAME
               valueFrom:
                 fieldRef:
@@ -133,6 +136,7 @@ spec:
             limits:
               cpu: {{ index .Values "kube-ovn-pinger" "limits" "cpu" }}
               memory: {{ index .Values "kube-ovn-pinger" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "kube-ovn-pinger" "limits" "ephemeral-storage" }}
           livenessProbe:
             httpGet:
               path: /metrics

packages/system/kubeovn/charts/kube-ovn/templates/post-delete-hook.yaml

@@ -120,6 +120,14 @@ spec:
             - sh
             - -c
             - /kube-ovn/remove-finalizer.sh 2>&1 | tee -a /var/log/kube-ovn/remove-finalizer.log
+          resources:
+            requests:
+              cpu: 100m
+              memory: 200Mi
+            limits:
+              cpu: 1
+              memory: 500Mi
+              ephemeral-storage: 1Gi
           volumeMounts:
             - mountPath: /var/log/kube-ovn
               name: kube-ovn-log

packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml

@@ -31,6 +31,8 @@ rules:
       - daemonsets
     verbs:
       - list
+      - get
+      - watch
   - apiGroups:
       - apps
     resources:

packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml

@@ -7,7 +7,7 @@ metadata:
     kubernetes.io/description: |
       kube-ovn vpc-nat common config
 data:
-  image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.vpcRepository }}:{{ .Values.global.images.kubeovn.tag }}
+  image: {{ .Values.global.registry.address }}/{{ .Values.global.images.natgateway.repository }}:{{ or .Values.global.images.natgateway.tag .Values.global.images.kubeovn.tag }}
 
 ---
 kind: ConfigMap

packages/system/kubeovn/charts/kube-ovn/values.yaml

@@ -8,10 +8,11 @@ global:
   images:
     kubeovn:
       repository: kube-ovn
-      vpcRepository: vpc-nat-gateway
-      tag: v1.14.25
-      support_arm: true
-      thirdparty: true
+      tag: v1.15.3
+    natgateway:
+      repository: vpc-nat-gateway
+      # Falls back to the same tag as kubeovn if empty
+      tag: v1.15.3
 
 image:
   pullPolicy: IfNotPresent
@@ -46,6 +47,8 @@ networking:
   ENABLE_METRICS: true
   # comma-separated string of nodelocal DNS ip addresses
   NODE_LOCAL_DNS_IP: ""
+  # comma-separated list of destination IP CIDRs that should skip conntrack processing
+  SKIP_CONNTRACK_DST_CIDRS: ""
   PROBE_INTERVAL: 180000
   OVN_NORTHD_PROBE_INTERVAL: 5000
   OVN_LEADER_PROBE_INTERVAL: 5
@@ -57,6 +60,7 @@ networking:
 func:
   ENABLE_LB: true
   ENABLE_NP: true
+  NP_ENFORCEMENT: standard
   ENABLE_EXTERNAL_VPC: false
   HW_OFFLOAD: false
   ENABLE_LB_SVC: false
@@ -73,6 +77,7 @@ func:
   ENABLE_NAT_GW: true
   ENABLE_OVN_IPSEC: false
   ENABLE_ANP: false
+  ENABLE_DNS_NAME_RESOLVER: false
   SET_VXLAN_TX_OFF: false
   OVSDB_CON_TIMEOUT: 3
   OVSDB_INACTIVITY_TIMEOUT: 10
@@ -80,6 +85,10 @@ func:
   ENABLE_OVN_LB_PREFER_LOCAL: false
 
 ipv4:
+  POD_CIDR: "10.16.0.0/16"
+  POD_GATEWAY: "10.16.0.1"
+  SVC_CIDR: "10.96.0.0/12"
+  JOIN_CIDR: "100.64.0.0/16"
   PINGER_EXTERNAL_ADDRESS: "1.1.1.1"
   PINGER_EXTERNAL_DOMAIN: "kube-ovn.io."
 
@@ -116,6 +125,7 @@ cni_conf:
   CNI_CONF_FILE: "/kube-ovn/01-kube-ovn.conflist"
   LOCAL_BIN_DIR: "/usr/local/bin"
   MOUNT_LOCAL_BIN_DIR: false
+  NON_PRIMARY_CNI: false
 
 kubelet_conf:
   KUBELET_DIR: "/var/lib/kubelet"
@@ -135,7 +145,7 @@ fullnameOverride: ""
 HYBRID_DPDK: false
 HUGEPAGE_SIZE_TYPE: hugepages-2Mi # Default
 HUGEPAGES: 1Gi
-DPDK_IMAGE_TAG: "v1.14.0-dpdk"
+DPDK_IMAGE_TAG: "v1.15.0-dpdk"
 DPDK_CPU: "1000m" # Default CPU configuration
 DPDK_MEMORY: "2Gi" # Default Memory configuration
 
@@ -146,6 +156,7 @@ ovn-central:
   limits:
     cpu: "3"
     memory: "4Gi"
+    ephemeral-storage: 1Gi
 ovs-ovn:
   requests:
     cpu: "200m"
@@ -153,6 +164,7 @@ ovs-ovn:
   limits:
     cpu: "2"
     memory: "1000Mi"
+    ephemeral-storage: 1Gi
 kube-ovn-controller:
   requests:
     cpu: "200m"
@@ -160,6 +172,7 @@ kube-ovn-controller:
   limits:
     cpu: "1000m"
     memory: "1Gi"
+    ephemeral-storage: 1Gi
 kube-ovn-cni:
   requests:
     cpu: "100m"
@@ -167,6 +180,7 @@ kube-ovn-cni:
   limits:
     cpu: "1000m"
     memory: "1Gi"
+    ephemeral-storage: 1Gi
 kube-ovn-pinger:
   requests:
     cpu: "100m"
@@ -174,6 +188,7 @@ kube-ovn-pinger:
   limits:
     cpu: "200m"
     memory: "400Mi"
+    ephemeral-storage: 1Gi
 kube-ovn-monitor:
   requests:
     cpu: "200m"
@@ -181,3 +196,4 @@ kube-ovn-monitor:
   limits:
     cpu: "200m"
     memory: "200Mi"
+    ephemeral-storage: 1Gi

packages/system/kubeovn/values.yaml

@@ -65,4 +65,4 @@ global:
   images:
     kubeovn:
       repository: kubeovn
-      tag: v1.14.25@sha256:d0b29daaf36e81cac0f9fb15d0ea6b1b49f1abba81a14c73b88a2e60ffcc5978
+      tag: v1.15.3@sha256:fa53d5f254f640cb626329ad35d9e7aad647dd8e1e645e68f3f13c3659472a30

packages/system/kubevirt-csi-node/values.yaml

@@ -1,3 +1,3 @@
 storageClass: replicated
 csiDriver:
-  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:726d9287e8caaea94eaf24c4f44734e3fbf4f8aa032b66b81848ebf95297cffe
+  image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.0.0@sha256:bb5b17044969e663c3b391f7274883735c0ffe05a9523988469bdf2974de2dea

packages/system/lineage-controller-webhook/values.yaml

@@ -1,5 +1,5 @@
 lineageControllerWebhook:
-  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.41.4@sha256:26bc948cce31408259034f8626cbddd594774102d21cbae86e4a9c9b41d32b17
+  image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.41.11@sha256:91ad700fe681c6f96e756c51ee22ff50e606536c316c608e11207bdca817e0ce
   debug: false
   localK8sAPIEndpoint:
     enabled: true

packages/system/linstor/values.yaml

@@ -1,7 +1,7 @@
 piraeusServer:
   image:
     repository: ghcr.io/cozystack/cozystack/piraeus-server
-    tag: 1.32.3@sha256:1138c8dc0a117360ef70e2e2ab97bc2696419b63f46358f7668c7e01a96c419b
+    tag: 1.32.3@sha256:18fac1ac740ce64c1dfb31b5ab36b6d008af8d9a70aedd451b32a726c79ca794
 linstor:
   autoDiskful:
     enabled: true
@@ -10,4 +10,4 @@ linstor:
 linstorCSI:
   image:
     repository: ghcr.io/cozystack/cozystack/linstor-csi
-    tag: v1.10.5@sha256:353a8bea0b41f832975132da3569da7d4fce85980474edce41a2a37097c7c3a9
+    tag: v1.10.5@sha256:50ab1ab0210d4e7ebfca311f445bb764516db5ddb63fc6d28536b28622eee753

packages/system/objectstorage-controller/values.yaml

@@ -1,3 +1,3 @@
 objectstorage:
   controller:
-    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.41.4@sha256:cea9f0a1aa059fb0e30c43e8fd2e7cbbebfcc70b7265af196bb045c376e13168"
+    image: "ghcr.io/cozystack/cozystack/objectstorage-controller:v0.41.11@sha256:e40e94f3014cfd04cce4230597315a1acfcca2daa8051b987614d0c05da6d928"

packages/system/postgres-operator/alerts/cnpg-default-alerts.yaml

@@ -92,7 +92,7 @@ spec:
           potential service disruption and/or data loss.
         runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md
       expr: |
-        sum by (namespace, pod) (cnpg_collector_up)) OR on() vector(0) == 0
+        (sum by (namespace, pod) (cnpg_collector_up) OR on() vector(0)) == 0
       for: 5m
       labels:
         severity: critical

packages/system/seaweedfs/values.yaml

@@ -177,7 +177,7 @@ seaweedfs:
     bucketClassName: "seaweedfs"
     region: ""
     sidecar:
-      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.41.4@sha256:f0751f677dd49e9f775950f9ee81a19db532702e1741bc09a266b81f7f1a6cf8"
+      image: "ghcr.io/cozystack/cozystack/objectstorage-sidecar:v0.41.11@sha256:2a3595cd88b30af55b2000d3ca204899beecef0012b0e0402754c3914aad1f7f"
   certificates:
     commonName: "SeaweedFS CA"
     ipAddresses: []