Sync 0.14.1 to integration proxmox

.gitignore

@@ -1,3 +1,78 @@
 _out
 .git
-.idea
+.idea
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+.DS_Store
+**/.DS_Store

Makefile

@@ -2,11 +2,15 @@
 
 build:
 	make -C packages/apps/http-cache image
+	make -C packages/apps/postgres image
+	make -C packages/apps/mysql image
+	make -C packages/apps/clickhouse image
 	make -C packages/apps/kubernetes image
 	make -C packages/system/cilium image
 	make -C packages/system/kubeovn image
 	make -C packages/system/dashboard image
 	make -C packages/system/kamaji image
+	make -C packages/core/testing image
 	make -C packages/core/installer image
 	make manifests
 
@@ -26,3 +30,8 @@ repos:
 
 assets:
 	make -C packages/core/installer/ assets
+
+test:
+	make -C packages/core/testing apply
+	make -C packages/core/testing test
+	make -C packages/core/testing delete

README.md

@@ -58,6 +58,8 @@ Commits are used to generate the changelog, and their author will be referenced
 
 In case of **Feature Requests** please use the [Discussion's Feature Request section](https://github.com/aenix-io/cozystack/discussions/categories/feature-requests).
 
+You can join our weekly community meetings (just add this events to your [Google Calendar](https://calendar.google.com/calendar?cid=ZTQzZDIxZTVjOWI0NWE5NWYyOGM1ZDY0OWMyY2IxZTFmNDMzZTJlNjUzYjU2ZGJiZGE3NGNhMzA2ZjBkMGY2OEBncm91cC5jYWxlbmRhci5nb29nbGUuY29t) or [iCal](https://calendar.google.com/calendar/ical/e43d21e5c9b45a95f28c5d649c2cb1e1f433e2e653b56dbbda74ca306f0d0f68%40group.calendar.google.com/public/basic.ics)) or [Telegram group](https://t.me/cozystack).
+
 ## License
 
 Cozystack is licensed under Apache 2.0.  

hack/e2e.sh

@@ -27,9 +27,9 @@ ip link add cozy-br0 type bridge
 ip link set cozy-br0 up
 ip addr add 192.168.123.1/24 dev cozy-br0
 
-# Enable forward & masquerading
-echo 1 > /proc/sys/net/ipv4/ip_forward
-iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -j MASQUERADE
+# Enable masquerading
+iptables -t nat -D POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE 2>/dev/null || true
+iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
 
 rm -rf srv1 srv2 srv3
 mkdir -p srv1 srv2 srv3
@@ -287,7 +287,8 @@ kubectl patch -n tenant-root hr/tenant-root --type=merge -p '{"spec":{ "values":
   "host": "example.org",
   "ingress": true,
   "monitoring": true,
-  "etcd": true
+  "etcd": true,
+  "isolated": true
 }}}'
 
 # Wait for HelmRelease be created
@@ -296,6 +297,10 @@ timeout 60 sh -c 'until kubectl get hr -n tenant-root etcd ingress monitoring te
 # Wait for HelmReleases be installed
 kubectl wait --timeout=2m --for=condition=ready -n tenant-root hr etcd ingress monitoring tenant-root
 
+kubectl patch -n tenant-root hr/ingress --type=merge -p '{"spec":{ "values":{
+  "dashboard": true
+}}}'
+
 # Wait for nginx-ingress-controller
 timeout 60 sh -c 'until kubectl get deploy -n tenant-root root-ingress-controller; do sleep 1; done'
 kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-ingress-controller
@@ -304,8 +309,9 @@ kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-i
 kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd
 
 # Wait for Victoria metrics
-kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert vminsert-longterm vminsert-shortterm
-kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=2 -n tenant-root sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm
+kubectl wait --timeout=5m --for=jsonpath=.status.updateStatus=operational -n tenant-root vmalert/vmalert-longterm vmalert/vmalert-shortterm vmalertmanager/alertmanager
+kubectl wait --timeout=5m --for=jsonpath=.status.status=operational -n tenant-root vlogs/generic
+kubectl wait --timeout=5m --for=jsonpath=.status.clusterStatus=operational -n tenant-root vmcluster/shortterm vmcluster/longterm
 
 # Wait for grafana
 kubectl wait --timeout=5m --for=condition=ready -n tenant-root clusters.postgresql.cnpg.io grafana-db

hack/gen_versions_map.sh

@@ -24,24 +24,36 @@ resolved_miss_map=$(
       change_commit=$(git --no-pager blame -L"$line",+1 -- "$chart/Chart.yaml" | awk '{print $1}')
 
       if [ "$change_commit" = "00000000" ]; then
-        # Not commited yet, use previus commit
+        # Not committed yet, use previous commit
         line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
         commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
         if [ $(echo $commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
+          # Previous commit not exists
           commit=$(echo $commit | cut -c2-)
         fi
       else
-        # Commited, but version_map wasn't updated
+        # Committed, but version_map wasn't updated
         line=$(git show HEAD:"./$chart/Chart.yaml" | awk '/^version:/ {print NR; exit}')
         change_commit=$(git --no-pager blame -L"$line",+1 HEAD -- "$chart/Chart.yaml" | awk '{print $1}')
         if [ $(echo $change_commit | cut -c1) = "^" ]; then
-          # Previus commit not exists
+          # Previous commit not exists
           commit=$(echo $change_commit | cut -c2-)
         else
           commit=$(git describe --always "$change_commit~1")
         fi
       fi
+
+      # Check if the commit belongs to the main branch
+      if ! git merge-base --is-ancestor "$commit" main; then
+        # Find the closest parent commit that belongs to main
+        commit_in_main=$(git log --pretty=format:"%h" main -- "$chart" | head -n 1)
+        if [ -n "$commit_in_main" ]; then
+          commit="$commit_in_main"
+        else
+          # No valid commit found in main branch for $chart, skipping..."
+          continue
+        fi
+      fi
     fi
     echo "$chart $version $commit"
   done

manifests/cozystack-installer.yaml

@@ -68,7 +68,7 @@ spec:
       serviceAccountName: cozystack
       containers:
       - name: cozystack
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.14.1"
         env:
         - name: KUBERNETES_SERVICE_HOST
           value: localhost
@@ -87,7 +87,7 @@ spec:
             fieldRef:
               fieldPath: metadata.name
       - name: darkhttpd
-        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.1"
+        image: "ghcr.io/aenix-io/cozystack/cozystack:v0.14.1"
         command:
         - /usr/bin/darkhttpd
         - /cozystack/assets

packages/apps/bucket/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: bucket
+description: S3 compatible storage
+icon: /logos/bucket.svg
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"

packages/apps/bucket/Makefile

@@ -0,0 +1,4 @@
+include ../../../scripts/package.mk
+
+generate:
+	readme-generator -v values.yaml -s values.schema.json -r README.md

packages/apps/bucket/templates/bucketclaim.yaml

@@ -0,0 +1,20 @@
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $seaweedfs := index $myNS.metadata.annotations "namespace.cozystack.io/seaweedfs" }}
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketClaim
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  bucketClassName: {{ $seaweedfs }}
+  protocols:
+    - s3
+---
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketAccess
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  bucketAccessClassName: {{ $seaweedfs }}
+  bucketClaimName: {{ .Release.Name }}
+  credentialsSecretName: {{ .Release.Name }}
+  protocol: s3

packages/apps/bucket/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}
+  verbs: ["get", "list", "watch"]

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.1
+version: 0.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/Makefile

@@ -1,2 +1,20 @@
+CLICKHOUSE_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk
+
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+
+image:
+	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/clickhouse-backup \
+		--provenance false \
+		--tag $(REGISTRY)/clickhouse-backup:$(call settag,$(CLICKHOUSE_BACKUP_TAG)) \
+		--cache-from type=registry,ref=$(REGISTRY)/clickhouse-backup:latest \
+		--cache-to type=inline \
+		--metadata-file images/clickhouse-backup.json \
+		--push=$(PUSH) \
+		--load=$(LOAD)
+	echo "$(REGISTRY)/clickhouse-backup:$(call settag,$(CLICKHOUSE_BACKUP_TAG))@$$(yq e '."containerimage.digest"' images/clickhouse-backup.json -o json -r)" \
+		> images/clickhouse-backup.tag
+	rm -f images/clickhouse-backup.json

packages/apps/clickhouse/README.md

@@ -1,17 +1,46 @@
 # Managed Clickhouse Service
 
+### How to restore backup:
+
+find snapshot:
+```
+restic -r s3:s3.example.org/clickhouse-backups/table_name snapshots
+```
+
+restore:
+```
+restic -r s3:s3.example.org/clickhouse-backups/table_name restore latest --target /tmp/
+```
+
+more details:
+- https://itnext.io/restic-effective-backup-from-stdin-4bc1e8f083c1
+
 ## Parameters
 
 ### Common parameters
 
-| Name       | Description                   | Value  |
-| ---------- | ----------------------------- | ------ |
-| `size`     | Persistent Volume size        | `10Gi` |
-| `shards`   | Number of Clickhouse replicas | `1`    |
-| `replicas` | Number of Clickhouse shards   | `2`    |
+| Name           | Description                         | Value  |
+| -------------- | ----------------------------------- | ------ |
+| `size`         | Persistent Volume size              | `10Gi` |
+| `shards`       | Number of Clickhouse replicas       | `1`    |
+| `replicas`     | Number of Clickhouse shards         | `2`    |
+| `storageClass` | StorageClass used to store the data | `""`   |
 
 ### Configuration parameters
 
 | Name    | Description         | Value |
 | ------- | ------------------- | ----- |
 | `users` | Users configuration | `{}`  |
+
+### Backup parameters
+
+| Name                     | Description                                    | Value                                                  |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable pereiodic backups                       | `false`                                                |
+| `backup.s3Region`        | The AWS S3 region where backups are stored     | `us-east-1`                                            |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups         | `s3.example.org/clickhouse-backups`                    |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups       | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption      | `ChaXoveekoh6eigh4siesheeda2quai0`                     |

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/clickhouse-backup:latest@sha256:dda84420cb8648721299221268a00d72a05c7af5b7fb452619bac727068b9e61

packages/apps/clickhouse/images/clickhouse-backup/Dockerfile

@@ -0,0 +1,2 @@
+FROM clickhouse/clickhouse-server:24.8.4-alpine
+RUN apk add --no-cache restic uuidgen