From 17e92137043448a0b722f5691d93ddad262c2b54 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Mon, 14 Oct 2024 18:48:40 +0200
Subject: [PATCH 1/4] fix uploading vm images using virtctl
Signed-off-by: Andrei Kvapil
---
 .../system/kubevirt-cdi-operator/templates/cdi-operator.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml b/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml
index 2698b895a..585a5741d 100644
--- a/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml
+++ b/packages/system/kubevirt-cdi-operator/templates/cdi-operator.yaml
@@ -5718,7 +5718,7 @@ spec:
 - name: APISERVER_IMAGE
 value: quay.io/kubevirt/cdi-apiserver:v1.60.2
 - name: UPLOAD_SERVER_IMAGE
- value: quay.io/kubevirt/cdi-uploadserver:v1.60.2
+ value: ghcr.io/aenix-io/cozystack/cdi/cdi-uploadserver:v1.60.2-fix@sha256:2c0cfae427861521a204d020e2981fdb23c8b32b66261c03b2a2cdcd7089ac64
 - name: UPLOAD_PROXY_IMAGE
 value: quay.io/kubevirt/cdi-uploadproxy:v1.60.2
 - name: VERBOSITY
@@ -5753,4 +5753,4 @@ spec:
 tolerations:
 - key: CriticalAddonsOnly
 operator: Exists
----
\ No newline at end of file
+---
From cde1bcaccb164b8d2609bcdae75e5dbdc2019cfc Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Wed, 16 Oct 2024 14:33:10 +0200
Subject: [PATCH 2/4] Allow specifying uploadproxy url
Signed-off-by: Andrei Kvapil
---
 packages/apps/tenant/Chart.yaml | 2 +-
 .../apps/tenant/templates/networkpolicy.yaml | 12 ++++++++++
 packages/apps/versions_map | 3 ++-
 .../system/kubevirt-cdi/templates/cdi-cr.yaml | 3 +++
 .../kubevirt-cdi/templates/ingress.yaml | 23 +++++++++++++++++++
 packages/system/kubevirt-cdi/values.yaml | 2 ++
 6 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 packages/system/kubevirt-cdi/templates/ingress.yaml
 create mode 100644 packages/system/kubevirt-cdi/values.yaml
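Review bot: The UPLOAD_SERVER_IMAGE value now points at a fork under ghcr.io/aenix-io while APISERVER_IMAGE and UPLOAD_PROXY_IMAGE on the neighbouring lines stay on quay.io/kubevirt at v1.60.2, and nothing in the template records why. The digest pin is the right call for a third-party build, but the `-fix` tag carries no reference to the upstream issue or the patch it contains, so the next CDI version bump will either drop the fix silently or keep a stale fork. A comment above the line such as `# forked cdi-uploadserver: carries the virtctl image-upload fix; pinned by digest, re-check on every CDI bump` keeps that intent next to the override. The surrounding container spec starts and ends outside the hunk.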
diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index baefc0e24..25f689949 100644 --- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml @@ -4,4 +4,4 @@ description: Separated tenant namespace icon: /logos/tenant.svg type: application -version: 1.4.0 +version: 1.5.0 diff --git a/packages/apps/tenant/templates/networkpolicy.yaml b/packages/apps/tenant/templates/networkpolicy.yaml index 6521bf617..aa8ed3eab 100644 --- a/packages/apps/tenant/templates/networkpolicy.yaml +++ b/packages/apps/tenant/templates/networkpolicy.yaml @@ -159,6 +159,18 @@ spec: --- apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy +metadata: + name: allow-to-cdi-upload-proxy + namespace: {{ include "tenant.name" . }} +spec: + endpointSelector: {} + egress: + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": cozy-kubevirt-cdi +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy metadata: name: allow-to-ingress namespace: {{ include "tenant.name" . }} diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 302bbcae5..8fa403e0c 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -72,7 +72,8 @@ tenant 1.1.0 4da8ac3b tenant 1.2.0 15478a88 tenant 1.3.0 ceefae03 tenant 1.3.1 c56e5769 -tenant 1.4.0 HEAD +tenant 1.4.0 94c688f7 +tenant 1.5.0 HEAD virtual-machine 0.1.4 f2015d6 virtual-machine 0.1.5 7cd7de7 virtual-machine 0.2.0 5ca8823 diff --git a/packages/system/kubevirt-cdi/templates/cdi-cr.yaml b/packages/system/kubevirt-cdi/templates/cdi-cr.yaml index 3e1f683a1..c7ba393e9 100644 --- a/packages/system/kubevirt-cdi/templates/cdi-cr.yaml +++ b/packages/system/kubevirt-cdi/templates/cdi-cr.yaml @@ -4,6 +4,9 @@ metadata: name: cdi spec: config: + {{- with .Values.uploadProxyHost }} + uploadProxyURLOverride: "https://{{ . }}" + {{- end }} featureGates: - HonorWaitForFirstConsumer - ExpandDisks 
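Review bot: The new `allow-to-cdi-upload-proxy` policy is wider than its name: `endpointSelector: {}` applies to every pod in the tenant namespace and the `toEndpoints` match only constrains the destination namespace, so every tenant workload gets egress to every pod in cozy-kubevirt-cdi (the CDI apiserver and the rest of the CDI deployment included), not just the upload proxy. Narrowing the destination to the uploadproxy pods and to the port the proxy serves on (443, the backend port the Ingress added in this series targets) keeps the rule to what uploads need. The pod label carried by the uploadproxy pods is not visible on this page, so the selector below uses a placeholder to be filled in from the CDI uploadproxy Deployment. The rest of the hunk only shifts the existing `allow-to-ingress` policy down, and the document list continues outside the hunk.
```yaml
spec:
  endpointSelector: {}
  egress:
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": cozy-kubevirt-cdi
            # <UPLOADPROXY_POD_LABEL_KEY>: <UPLOADPROXY_POD_LABEL_VALUE>  -- placeholder, take from the CDI uploadproxy Deployment
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```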
diff --git a/packages/system/kubevirt-cdi/templates/ingress.yaml b/packages/system/kubevirt-cdi/templates/ingress.yaml
new file mode 100644
index 000000000..a47f8c684
--- /dev/null
+++ b/packages/system/kubevirt-cdi/templates/ingress.yaml
@@ -0,0 +1,23 @@
+{{- if and .Values.uploadProxyHost .Values.ingressClass }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: cdi-uploadproxy
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+ ingressClassName: {{ .Values.ingressClass }}
+ rules:
+ - host: {{ .Values.uploadProxyHost }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: cdi-uploadproxy
+ port:
+ number: 443
+ path: /
+ pathType: Prefix
+{{- end }}
diff --git a/packages/system/kubevirt-cdi/values.yaml b/packages/system/kubevirt-cdi/values.yaml
new file mode 100644
index 000000000..01769ba60
--- /dev/null
+++ b/packages/system/kubevirt-cdi/values.yaml
@@ -0,0 +1,2 @@
+uploadProxyHost: "cdi.infra.aenix.org"
+ingressClass: "tenant-root"
From f8df224c17ac2a0b97c48c5ace4b4e375e9277ee Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Wed, 16 Oct 2024 14:48:16 +0200
Subject: [PATCH 3/4] Move configuration to ingress
Signed-off-by: Andrei Kvapil
---
 packages/extra/ingress/Chart.yaml | 2 +-
 packages/extra/ingress/README.md | 1 +
 .../ingress/templates/cdi-uploadproxy.yaml | 37 +++++++++++++++++++
 packages/extra/ingress/values.schema.json | 5 +++
 packages/extra/ingress/values.yaml | 3 ++
 .../system/kubevirt-cdi/templates/cdi-cr.yaml | 4 +-
 .../kubevirt-cdi/templates/ingress.yaml | 23 ------------
 packages/system/kubevirt-cdi/values.yaml | 3 +-
 8 files changed, 50 insertions(+), 28 deletions(-)
 create mode 100644 packages/extra/ingress/templates/cdi-uploadproxy.yaml
 delete mode 100644 packages/system/kubevirt-cdi/templates/ingress.yaml
diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml index 664a41c52..f0ff843fc 100644 --- a/packages/extra/ingress/Chart.yaml +++ b/packages/extra/ingress/Chart.yaml @@ -3,4 +3,4 @@ name: ingress description: NGINX Ingress Controller icon: /logos/ingress-nginx.svg type: application -version: 1.2.0 +version: 1.3.0 diff --git a/packages/extra/ingress/README.md b/packages/extra/ingress/README.md index 0d00844c4..73aec882a 100644 --- a/packages/extra/ingress/README.md +++ b/packages/extra/ingress/README.md @@ -11,4 +11,5 @@ | `whitelist` | List of client networks | `[]` | | `clouflareProxy` | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` | | `dashboard` | Should ingress serve Cozystack service dashboard | `false` | +| `cdiUploadProxy` | Should ingress serve CDI upload proxy | `false` | diff --git a/packages/extra/ingress/templates/cdi-uploadproxy.yaml b/packages/extra/ingress/templates/cdi-uploadproxy.yaml new file mode 100644 index 000000000..e82e0d26e --- /dev/null +++ b/packages/extra/ingress/templates/cdi-uploadproxy.yaml 
@@ -0,0 +1,37 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+
+{{- if .Values.cdiUploadProxy }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ {{- if eq $issuerType "cloudflare" }}
+ {{- else }}
+ acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
+ {{- end }}
+ name: cdi-uploadproxy-{{ .Release.Namespace }}
+ namespace: cozy-kubevirt-cdi
+spec:
+ ingressClassName: {{ .Release.Namespace }}
+ rules:
+ - host: cdi-uploadproxy.{{ $host }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: cdi-uploadproxy
+ port:
+ number: 443
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - cdi-uploadproxy.{{ $host }}
+ secretName: cdi-uploadproxy-{{ .Release.Namespace }}-tls
+{{- end }}
diff --git a/packages/extra/ingress/values.schema.json b/packages/extra/ingress/values.schema.json
index e669d70e7..7fcefe688 100644
--- a/packages/extra/ingress/values.schema.json
+++ b/packages/extra/ingress/values.schema.json
@@ -30,6 +30,11 @@
 "type": "boolean",
 "description": "Should ingress serve Cozystack service dashboard",
 "default": false
+ },
+ "cdiUploadProxy": {
+ "type": "boolean",
+ "description": "Should ingress serve CDI upload proxy",
+ "default": false
 }
 }
 }
\ No newline at end of file
diff --git a/packages/extra/ingress/values.yaml b/packages/extra/ingress/values.yaml
index b05d6bb56..947808ae2 100644
--- a/packages/extra/ingress/values.yaml
+++ b/packages/extra/ingress/values.yaml
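Review bot: The `{{- if eq $issuerType "cloudflare" }}` / `{{- else }}` pair in the annotations block has an empty first branch; the same condition is written as `{{- if ne $issuerType "cloudflare" }}` in grafana.yaml later in this series, and using that form here drops the dead branch and keeps the two templates consistent. Separately, nothing in the file says why this Ingress and its `cdi-uploadproxy-{{ .Release.Namespace }}-tls` secret are placed in `cozy-kubevirt-cdi` rather than the release namespace, which means each tenant's certificate private key is stored in a shared system namespace. A one-line comment above `namespace:` such as `# must live next to the cdi-uploadproxy Service, so the cert-manager TLS secret also lands in this shared namespace` records the constraint (an Ingress can only reference Services in its own namespace) and the consequence for anyone auditing where tenant key material ends up.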
@@ -27,3 +27,6 @@ clouflareProxy: false ## @param dashboard Should ingress serve Cozystack service dashboard dashboard: false + +## @param cdiUploadProxy Should ingress serve CDI upload proxy +cdiUploadProxy: false diff --git a/packages/system/kubevirt-cdi/templates/cdi-cr.yaml b/packages/system/kubevirt-cdi/templates/cdi-cr.yaml index c7ba393e9..af905af24 100644 --- a/packages/system/kubevirt-cdi/templates/cdi-cr.yaml +++ b/packages/system/kubevirt-cdi/templates/cdi-cr.yaml @@ -4,8 +4,8 @@ metadata: name: cdi spec: config: - {{- with .Values.uploadProxyHost }} - uploadProxyURLOverride: "https://{{ . }}" + {{- with .Values.uploadProxyURL }} + uploadProxyURLOverride: {{ quote . }} {{- end }} featureGates: - HonorWaitForFirstConsumer diff --git a/packages/system/kubevirt-cdi/templates/ingress.yaml b/packages/system/kubevirt-cdi/templates/ingress.yaml deleted file mode 100644 index a47f8c684..000000000 --- a/packages/system/kubevirt-cdi/templates/ingress.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if and .Values.uploadProxyHost .Values.ingressClass }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cdi-uploadproxy - annotations: - nginx.ingress.kubernetes.io/backend-protocol: HTTPS - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - nginx.ingress.kubernetes.io/ssl-redirect: "true" -spec: - ingressClassName: {{ .Values.ingressClass }} - rules: - - host: {{ .Values.uploadProxyHost }} - http: - paths: - - backend: - service: - name: cdi-uploadproxy - port: - number: 443 - path: / - pathType: Prefix -{{- end }} diff --git a/packages/system/kubevirt-cdi/values.yaml b/packages/system/kubevirt-cdi/values.yaml index 01769ba60..bd9e604a0 100644 --- a/packages/system/kubevirt-cdi/values.yaml +++ b/packages/system/kubevirt-cdi/values.yaml @@ -1,2 +1 @@ -uploadProxyHost: "cdi.infra.aenix.org" -ingressClass: "tenant-root" +uploadProxyURL: "" From 8bf00afd704bc32abc43f9f427a0716763ed50c7 Mon Sep 17 00:00:00 2001 
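Review bot: `uploadProxyURLOverride: {{ quote . }}` in cdi-cr.yaml now accepts whatever string is put in `uploadProxyURL`, whereas the line it replaces forced an `https://` prefix; with the new values.yaml default of `""` there is also no hint of the expected format, and a bare hostname or an `http://` value would be handed to CDI unchanged. A guard at the top of the `with` block, `{{- if not (hasPrefix "https://" .) }}{{ fail "uploadProxyURL must be a full https:// URL" }}{{- end }}`, makes the render fail early, and the values.yaml entry deserves a header in the style the ingress chart uses in this series: `## @param uploadProxyURL Externally reachable URL of the CDI upload proxy (https://...); empty keeps CDI's default`. Nothing ties this value to the `cdi-uploadproxy.<host>` Ingress that PATCH 3/4 adds to the ingress chart, so an operator has to set both by hand; saying so in that same comment avoids a proxy that is reachable but never advertised to clients. The CDI `config` block continues outside the hunk.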
From: Andrei Kvapil
Date: Wed, 16 Oct 2024 14:54:41 +0200
Subject: [PATCH 4/4] refactor
Signed-off-by: Andrei Kvapil
---
 .../extra/ingress/templates/dashboard.yaml | 64 +++++++++----------
 .../monitoring/templates/alerta/alerta.yaml | 4 +-
 .../monitoring/templates/grafana/grafana.yaml | 4 +-
 3 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/packages/extra/ingress/templates/dashboard.yaml b/packages/extra/ingress/templates/dashboard.yaml
index 106f2e6af..63b59e02e 100644
--- a/packages/extra/ingress/templates/dashboard.yaml
+++ b/packages/extra/ingress/templates/dashboard.yaml
@@ -1,36 +1,36 @@ -{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} -{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }} +{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} +{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }} -{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }} -{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }} +{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }} +{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }} -{{- if .Values.dashboard }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod +{{- if .Values.dashboard }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod {{- if eq $issuerType "cloudflare" }} - {{- else }} - acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }} - {{- end }} - name: dashboard-{{ .Release.Namespace }} - namespace: cozy-dashboard -spec: - ingressClassName: {{ .Release.Namespace }} - rules: - - host: dashboard.{{ $host }} - http: - paths: - - backend: - service: - name: dashboard - port: - number: 80 - path: / - pathType: Prefix - tls: - - hosts: - - dashboard.{{ $host }} - secretName: dashboard-{{ .Release.Namespace }}-tls + {{- else }} + acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }} + {{- end }} + name: dashboard-{{ .Release.Namespace }} + namespace: cozy-dashboard +spec: + ingressClassName: {{ .Release.Namespace }} + rules: + - host: dashboard.{{ $host }} + http: + paths: + - backend: + service: + name: dashboard + port: + number: 80 + path: / + pathType: Prefix + tls: + - hosts: + - dashboard.{{ $host }} + secretName: dashboard-{{ .Release.Namespace }}-tls {{- end }} 
diff --git a/packages/extra/monitoring/templates/alerta/alerta.yaml b/packages/extra/monitoring/templates/alerta/alerta.yaml index 30aa24932..87d408f5d 100644 --- a/packages/extra/monitoring/templates/alerta/alerta.yaml +++ b/packages/extra/monitoring/templates/alerta/alerta.yaml @@ -1,4 +1,4 @@ -{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} +{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }} {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }} @@ -36,7 +36,7 @@ data: 'endpoint' : "/api", 'provider' : "basic" }) - .constant('colors', {}); + .constant('colors', {}); --- apiVersion: v1 kind: Service diff --git a/packages/extra/monitoring/templates/grafana/grafana.yaml b/packages/extra/monitoring/templates/grafana/grafana.yaml index bce84d13d..c86b0483c 100644 --- a/packages/extra/monitoring/templates/grafana/grafana.yaml +++ b/packages/extra/monitoring/templates/grafana/grafana.yaml @@ -1,4 +1,4 @@ -{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} +{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }} {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }} @@ -94,7 +94,7 @@ spec: metadata: annotations: {{- if ne $issuerType "cloudflare" }} - acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}" + acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}" {{- end }} cert-manager.io/cluster-issuer: letsencrypt-prod spec: