Sync main to integration (#146)

* upd kubernetes (#134)

* Allow root login without password

* add ephemeral volumes for containerd and kubelet

* update kubernetes application

* etcd: Add quota-backend-bytes calculations (#133)

* Prepare release v0.6.0 (#135)

* etcd: enable autocompact and defrag (#137)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

* switched place -maxdepth im Makefiles (#140)

* postgres: fix users and roles (#138)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

* kubernetes: enable bpf masqurade and tunnel routing (#144)

* Unhardcode cluster.local domain (#142)

Allow using other domains for the cluster

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

* kamaji: unhardcode cluster.local domain (#145)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

* kubernetes: specify correct dns address (#147)

---------

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Co-authored-by: Andrei Kvapil <kvapss@gmail.com>

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/templates/cluster.yaml

@@ -39,7 +39,9 @@ metadata:
 spec:
   dataStoreName: "{{ $etcd }}"
   addons:
-    coreDNS: {}
+    coreDNS:
+      dnsServiceIPs:
+      - 10.95.0.10
     konnectivity: {}
   kubelet:
     cgroupfs: systemd
@@ -55,7 +57,7 @@ spec:
       className: "{{ $ingress }}"
   deployment:
   replicas: 2
-  version: 1.29.0
+  version: 1.29.4
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtCluster
@@ -176,5 +178,5 @@ spec:
         kind: KubevirtMachineTemplate
         name: {{ $.Release.Name }}-{{ $groupName }}
         namespace: default
-      version: v1.29.0
+      version: v1.29.4
 {{- end }}

packages/apps/kubernetes/templates/helmreleases/cilium.yaml

@@ -26,7 +26,9 @@ spec:
   values:
     cilium:
       tunnel: disabled
-      autoDirectNodeRoutes: true
+      autoDirectNodeRoutes: false
+      bpf:
+        masquerade: true
       cgroup:
         autoMount:
           enabled: true
@@ -38,9 +40,9 @@ spec:
         chainingMode: ~
         customConf: false
         configMap: ""
-      routingMode: native
+      routingMode: tunnel
       enableIPv4Masquerade: true
-      ipv4NativeRoutingCIDR: "10.244.0.0/16"
+      ipv4NativeRoutingCIDR: ""
   dependsOn:
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/templates/init-script.yaml

@@ -100,13 +100,13 @@ stringData:
     echo "== assign roles to users"
     psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
     {{- range $database, $d := .Values.databases }}
-    {{- range $user, $u := $.Values.roles }}
-    {{- if has $user $d.users.admin }}
+    {{- range $user, $u := $.Values.users }}
+    {{- if has $user $d.roles.admin }}
     GRANT {{ $database }}_admin TO {{ $user }};
     {{- else }}
     REVOKE {{ $database }}_admin FROM {{ $user }};
     {{- end }}
-    {{- if has $user $d.users.readonly }}
+    {{- if has $user $d.roles.readonly }}
     GRANT {{ $database }}_readonly TO {{ $user }};
     {{- else }}
     REVOKE {{ $database }}_readonly FROM {{ $user }};

packages/apps/versions_map

@@ -5,12 +5,15 @@ http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
 kafka 0.2.0 HEAD
 kubernetes 0.1.0 f642698
-kubernetes 0.2.0 HEAD
+kubernetes 0.2.0 7cd7de73
+kubernetes 0.3.0 7caccec1
+kubernetes 0.4.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
 postgres 0.1.0 f642698
-postgres 0.2.0 HEAD
+postgres 0.2.0 7cd7de73
+postgres 0.2.1 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698

packages/core/fluxcd/Makefile

@@ -11,3 +11,10 @@ apply:
 
 diff:
 	helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-
+
+update:
+	rm -rf charts
+	helm repo add fluxcd-community https://fluxcd-community.github.io/helm-charts
+	helm repo update fluxcd-community
+	helm pull fluxcd-community/flux2 --untar --untardir charts
+	sed -i 's/\.{{ \.Values\.clusterDomain | default "cluster\.local" }}\.//g' `grep -rl '.{{ .Values.clusterDomain | default "cluster.local" }}.' charts`

packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml

@@ -44,7 +44,7 @@ spec:
         - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
         {{- end}}
         {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
         {{- end}}
         - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
         - --log-level={{ .Values.logLevel | default "info" }}

packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml

@@ -43,7 +43,7 @@ spec:
         - --no-cross-namespace-refs=true
         {{- end}}
         {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
         {{- end}}
         - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
         - --log-level={{ .Values.logLevel | default "info" }}

packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml

@@ -43,7 +43,7 @@ spec:
         - --no-cross-namespace-refs=true
         {{- end}}
         {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
         {{- end}}
         - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
         - --log-level={{ .Values.logLevel | default "info" }}

packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml

@@ -44,7 +44,7 @@ spec:
         - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default"  }}
         {{- end}}
         {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
         {{- end}}
         - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
         - --log-level={{ .Values.logLevel | default "info" }}

packages/core/fluxcd/charts/flux2/templates/source-controller.yaml

@@ -38,14 +38,14 @@ spec:
       containers:
       - args:
         {{- if .Values.notificationController.create }}
-        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
         {{- end}}
         - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
         - --log-level={{ .Values.logLevel | default "info" }}
         - --log-encoding=json
         - --enable-leader-election
         - --storage-path=/data
-        - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}.
+        - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc
         {{- range .Values.sourceController.container.additionalArgs }}
         - {{ . }}
         {{- end}}

packages/core/installer/images/cozystack.json

@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:dac122af1e85d9d668e0a0260d08bb80892f1087b09fb4a4ace2e568257889d2",
-  "containerimage.digest": "sha256:bc9029117d985748290b88839082b65b28aaa718b694ff686d6cf49971be424f"
+  "containerimage.config.digest": "sha256:8726af130b534d259ae28a92d84fb866df045765739a59146974d85554e5f188",
+  "containerimage.digest": "sha256:bc9109b0ed072ecbb143ea74edb9bf8a801b4903e0b849aeaa79488c4a9fb7f2"
 }

packages/core/installer/images/cozystack.tag

@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.5.0
+ghcr.io/aenix-io/cozystack/cozystack:v0.6.0

packages/extra/Makefile

@@ -11,7 +11,7 @@ repo:
 	rm -rf "$(TMP)"
 
 fix-chartnames:
-	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
+	find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
 
 gen-versions-map: fix-chartnames
 	../../hack/gen_versions_map.sh

packages/extra/etcd/Chart.yaml

@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: https://www.svgrepo.com/show/353714/etcd.svg
 type: application
-version: 2.0.0
+version: 2.1.0

packages/extra/etcd/templates/etcd-cluster.yaml

@@ -1,9 +1,23 @@
+{{- define "calculateQuotaBackendBytes" -}}
+{{- $units := dict "Ki" 1024 "Mi" 1048576 "Gi" 1073741824 -}}
+{{- $value := regexFind "[0-9.]+" . -}}
+{{- $unit := regexFind "[a-zA-Z]+" . -}}
+{{- $numericValue := float64 $value -}}
+{{- $bytes := mulf $numericValue (index $units $unit) -}}
+{{- $result := mulf $bytes 0.95 -}}
+{{- printf "%.0f" $result -}}
+{{- end -}}
 ---
 apiVersion: etcd.aenix.io/v1alpha1
 kind: EtcdCluster
 metadata:
   name: etcd
 spec:
+  options:
+    quota-backend-bytes: {{ include "calculateQuotaBackendBytes" .Values.size | quote }}
+    auto-compaction-mode: "periodic"
+    auto-compaction-retention: "5m"
+    snapshot-count: "10000"
   replicas: {{ .Values.replicas }}
   storage:
     volumeClaimTemplate:

packages/extra/etcd/templates/etcd-defrag.yaml

@@ -0,0 +1,31 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Release.Name }}-defrag
+spec:
+  schedule: "0 * * * *"
+  successfulJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: etcd-defrag
+            image: ghcr.io/ahrtr/etcd-defrag:v0.13.0
+            args:
+            - --endpoints={{ range $i, $e := until (int .Values.replicas) }}{{ if $i }},{{ end }}https://{{ $.Release.Name }}-{{ $i }}.{{ $.Release.Name }}-headless.{{ $.Release.Namespace }}.svc:2379{{ end }}
+            - --cacert=/etc/etcd/pki/client/cert/ca.crt
+            - --cert=/etc/etcd/pki/client/cert/tls.crt
+            - --key=/etc/etcd/pki/client/cert/tls.key
+            - --cluster
+            - --defrag-rule
+            - "dbQuotaUsage > 0.8 || dbSize - dbSizeInUse > 200*1024*1024"
+            volumeMounts:
+            - mountPath: /etc/etcd/pki/client/cert
+              name: client-certificate
+              readOnly: true
+          volumes:
+          - name: client-certificate
+            secret:
+              secretName: {{ .Release.Name }}-client-tls
+          restartPolicy: OnFailure

packages/extra/versions_map

@@ -1,4 +1,6 @@
 etcd 1.0.0 f7eaab0
-etcd 2.0.0 HEAD
+etcd 2.0.0 a6d0f7cf
+etcd 2.0.1 6fc1cc7d
+etcd 2.1.0 HEAD
 ingress 1.0.0 HEAD
 monitoring 1.0.0 HEAD

packages/system/Makefile

@@ -9,4 +9,4 @@ repo:
 	cd "$(OUT)" && helm repo index .
 
 fix-chartnames:
-	find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done
+	find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done

packages/system/dashboard/Makefile

@@ -14,6 +14,7 @@ update-chart:
 	helm pull bitnami/kubeapps --untar --untardir charts
 	rm -rf charts/kubeapps/charts/postgresql/
 	ln -s ../../images charts/kubeapps/images
+	sed -i 's/.cluster.local//g' charts/kubeapps/templates/kubeappsapis/deployment.yaml
 
 update-dockerfiles:
 	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/vmware-tanzu/kubeapps  | awk -F'[/^]' 'END{print $$3}') && \

packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml

@@ -133,7 +133,7 @@ spec:
             # longer-term pass something to the plugins so that the plugins won't need to
             # know these details). Currently they're used directly by the flux plugin
             - name: REDIS_ADDR
-              value: {{ printf "%s-master.%s.svc.cluster.local:6379" (include "kubeapps.redis.fullname" .) .Release.Namespace }}
+              value: {{ printf "%s-master.%s.svc:6379" (include "kubeapps.redis.fullname" .) .Release.Namespace }}
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:

packages/system/kamaji/values.yaml

@@ -1,3 +1,8 @@
 kamaji:
   etcd:
     deploy: false
+
+  # Fix https://github.com/clastix/kamaji/pull/467
+  image:
+    repository: ghcr.io/kvaps/test
+    tag: kamaji-v0.6.0-fix