# Disable debug information package creation
%define debug_package %{nil}

# Define the Go Import Path
%global goipath github.com/flightctl/flightctl

# SELinux specifics
%global selinuxtype targeted
%define selinux_policyver 3.14.3-67

Name:           flightctl
# Version and Release are automatically updated by Packit during build
# Do not manually change these values - they will be overwritten
Version:        0.10.0~main~886~g2eb24000
Release:        1.20251127083332336213.pr2074.886.g2eb24000%{?dist}
Summary:        Flight Control service

%gometa

License:        Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT
URL:            %{gourl}

Source0:        flightctl-0.10.0~main~886~g2eb24000.tar.gz

BuildRequires:  golang
BuildRequires:  make
BuildRequires:  git
BuildRequires:  openssl-devel
BuildRequires:  systemd-rpm-macros

Requires: openssl

%global flightctl_target flightctl.target

# --- Restart these on upgrade  ---
%global flightctl_services_restart flightctl-api.service flightctl-ui.service flightctl-worker.service flightctl-alertmanager.service flightctl-alert-exporter.service flightctl-alertmanager-proxy.service flightctl-cli-artifacts.service flightctl-periodic.service flightctl-db-migrate.service flightctl-db-wait.service


%description
# Main package is empty and not created.

# cli sub-package
%package cli
Summary: Flight Control CLI
Recommends: bash-completion
%description cli
flightctl is the CLI for controlling the Flight Control service.

# agent sub-package
%package agent
Summary: Flight Control management agent

Requires: flightctl-selinux = %{version}

%description agent
The flightctl-agent package provides the management agent for the Flight Control fleet management service.

# selinux sub-package
%package selinux
Summary: SELinux policies for the Flight Control management agent
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}
BuildRequires: container-selinux
BuildArch: noarch
Requires: selinux-policy >= %{selinux_policyver}

# For restorecon
Requires: policycoreutils
# For semanage
Requires: policycoreutils-python-utils
# For policy macros
Requires: container-selinux

%description selinux
The flightctl-selinux package provides the SELinux policy modules required by the Flight Control management agent.

# services sub-package
%package services
Summary: Flight Control services
Requires: bash
Requires: podman
Requires: python3-pyyaml
BuildRequires: systemd-rpm-macros
%{?systemd_requires}

%description services
The flightctl-services package provides installation and setup of files for running containerized Flight Control services

%package telemetry-gateway
Summary: Telemetry Gateway for FlightCtl
Requires:       flightctl-services = %{version}-%{release}
Requires:       podman
Requires:       python3-pyyaml
Requires(post): python3-pyyaml gettext
%{?systemd_requires}
Requires:       selinux-policy-targeted

%description telemetry-gateway
This package provides the FlightCtl Telemetry Gateway for telemetry collection/forwarding.
It runs in a Podman container managed by systemd and can be installed
independently of core FlightCtl services. Includes certificate tooling for Podman/Kubernetes.

%package observability
Summary: Complete FlightCtl observability stack
Requires:       flightctl-telemetry-gateway = %{version}-%{release}
Requires:       flightctl-services = %{version}-%{release}
Requires:       /usr/sbin/semanage
Requires:       /usr/sbin/restorecon
Requires:       podman
Requires:       systemd
Requires(post): python3-pyyaml gettext
%{?systemd_requires}
Requires:       selinux-policy-targeted

%description observability
This package provides the complete FlightCtl Observability Stack, including
Prometheus for metric storage, Grafana for visualization, and
Telemetry Gateway for metric collection. All components run in Podman containers
managed by systemd and can be installed independently without requiring core FlightCtl
services to be running. This package automatically includes the flightctl-telemetry-gateway package.

%files telemetry-gateway
# Telemetry Gateway specific files
/opt/flightctl-observability/templates/flightctl-telemetry-gateway.container.template
/opt/flightctl-observability/templates/flightctl-telemetry-gateway-config.yaml.template

# Shared rendering infrastructure for telemetry-gateway
/etc/flightctl/scripts/render-templates.sh
/etc/flightctl/scripts/setup_telemetry_gateway_certs.sh
/etc/flightctl/scripts/functions
/etc/flightctl/definitions/telemetry-gateway.defs

# Configuration management script - needed for standalone telemetry-gateway deployment
/usr/bin/flightctl-render-observability

# Note: Uses flightctl network from flightctl-services package

# Systemd target for service grouping
/usr/lib/systemd/system/flightctl-telemetry-gateway.target

# Directories owned by the telemetry-gateway RPM
%dir /opt/flightctl-observability/templates
%dir /etc/flightctl
%dir /etc/flightctl/telemetry-gateway
%dir /etc/flightctl/scripts
%dir /etc/flightctl/definitions

# Ghost file for generated container file
%ghost /etc/containers/systemd/flightctl-telemetry-gateway.container
%ghost /etc/flightctl/telemetry-gateway/config.yaml

%files observability
# Static configuration files (Prometheus and Grafana only)
/etc/prometheus/prometheus.yml

/etc/flightctl/scripts/render-templates.sh
/etc/flightctl/definitions/observability.defs

# Template source files (Prometheus, Grafana, and UserInfo Proxy)
/opt/flightctl-observability/templates/grafana.ini.template
/opt/flightctl-observability/templates/flightctl-grafana.container.template
/opt/flightctl-observability/templates/flightctl-prometheus.container.template
/opt/flightctl-observability/templates/flightctl-userinfo-proxy.container.template

/etc/grafana/provisioning/datasources/prometheus.yaml

/etc/grafana/provisioning/dashboards/flightctl.yaml

# The files that will be generated in %%post must be listed as %%ghost files.
%ghost /etc/grafana/grafana.ini
%ghost /etc/containers/systemd/flightctl-grafana.container
%ghost /etc/containers/systemd/flightctl-prometheus.container
%ghost /etc/containers/systemd/flightctl-userinfo-proxy.container

# Configuration management script
/usr/bin/flightctl-render-observability

# Systemd target for full observability stack
/usr/lib/systemd/system/flightctl-observability.target

# Directories owned by the observability RPM (Prometheus and Grafana only)
%dir /etc/prometheus
%dir /etc/grafana
%dir /etc/grafana/provisioning
%dir /etc/grafana/provisioning/datasources
%dir /etc/grafana/provisioning/alerting
%dir /etc/grafana/provisioning/dashboards
%dir /etc/grafana/provisioning/dashboards/flightctl
%dir /etc/grafana/certs
%dir /var/lib/prometheus
%dir /var/lib/grafana
%dir /etc/flightctl
%dir /etc/flightctl/scripts
%dir /etc/flightctl/definitions


%pre telemetry-gateway
# This script runs BEFORE the files are installed onto the system.
echo "Preparing to install FlightCtl Telemetry Gateway..."
echo "Note: OpenTelemetry collector can be installed independently of other FlightCtl services."


%post telemetry-gateway
# This script runs AFTER the files have been installed onto the system.
echo "Running post-install actions for FlightCtl Telemetry Gateway..."

# Create necessary directories on the host if they don't already exist.
/usr/bin/mkdir -p /opt/flightctl-observability/templates
/usr/bin/mkdir -p /etc/flightctl /etc/flightctl/scripts /etc/flightctl/definitions /etc/flightctl/telemetry-gateway


# Apply persistent SELinux contexts for volumes and configuration files.
/usr/sbin/semanage fcontext -a -t container_file_t "/opt/flightctl-observability/templates(/.*)?" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -a -t container_file_t "/usr/bin/flightctl-render-observability" >/dev/null 2>&1 || :

# Restore file contexts based on the new rules (and default rules)
/usr/sbin/restorecon -RvF /opt/flightctl-observability/templates >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /usr/bin/flightctl-render-observability >/dev/null 2>&1 || :

# Enable specific SELinux boolean if needed
/usr/sbin/setsebool -P container_manage_cgroup on >/dev/null 2>&1 || :

# Generate OpenTelemetry collector container file from template
echo "Generating OpenTelemetry collector container configuration..."
CONFIG_FILE="/etc/flightctl/service-config.yaml"
TEMPLATES_DIR="/opt/flightctl-observability/templates"
DEFINITIONS_FILE="/etc/flightctl/definitions/telemetry-gateway.defs"

# Source shared logic and call rendering with telemetry-gateway specific definitions
if [ -f "/etc/flightctl/scripts/render-templates.sh" ]; then
    source /etc/flightctl/scripts/render-templates.sh
    render_templates "$CONFIG_FILE" "$TEMPLATES_DIR" "$DEFINITIONS_FILE" || { echo "ERROR: OpenTelemetry collector config generation failed!"; exit 1; }
else
    echo "ERROR: render-templates.sh not found!"
    exit 1
fi

# Final service management
echo "Reloading systemd daemon..."
/usr/bin/systemctl daemon-reload

echo "FlightCtl Telemetry Gateway installed. Service is configured but not started."
echo "To render config: sudo flightctl-render-observability"
echo "To start services: sudo systemctl start flightctl-telemetry-gateway.target"
echo "For automatic startup: sudo systemctl enable flightctl-telemetry-gateway.target"


%preun telemetry-gateway
echo "Running pre-uninstall actions for FlightCtl Telemetry Gateway..."
# Stop and disable the target and services
/usr/bin/systemctl stop flightctl-telemetry-gateway.target >/dev/null 2>&1 || :
/usr/bin/systemctl disable flightctl-telemetry-gateway.target >/dev/null 2>&1 || :
/usr/bin/systemctl stop flightctl-telemetry-gateway.service >/dev/null 2>&1 || :
/usr/bin/systemctl disable flightctl-telemetry-gateway.service >/dev/null 2>&1 || :


%postun telemetry-gateway
echo "Running post-uninstall actions for FlightCtl Telemetry Gateway..."
# Clean up Podman container
/usr/bin/podman rm -f flightctl-telemetry-gateway >/dev/null 2>&1 || :

# Clean up Podman secrets created by the certificate setup script
echo "Cleaning up Podman secrets..."
if command -v podman >/dev/null 2>&1; then
    /usr/bin/podman secret rm telemetry-gateway-tls >/dev/null 2>&1 || :
    /usr/bin/podman secret rm telemetry-gateway-tls-key >/dev/null 2>&1 || :
    /usr/bin/podman secret rm flightctl-ca-secret >/dev/null 2>&1 || :
    echo "Podman secrets cleanup completed"

else
    echo "Podman not available, skipping cleanup"
fi

# Remove SELinux fcontext rules added by this package
/usr/sbin/semanage fcontext -d -t container_file_t "/opt/flightctl-observability/templates(/.*)?" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -d -t container_file_t "/usr/bin/flightctl-render-observability" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -d -t container_file_t "/usr/bin/" >/dev/null 2>&1 || :

# Restore default SELinux contexts for affected directories
/usr/sbin/restorecon -RvF /opt/flightctl-observability/templates >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /usr/bin/flightctl-render-observability >/dev/null 2>&1 || :

/usr/bin/systemctl daemon-reload
echo "FlightCtl Telemetry Gateway uninstalled."


%pre observability
# This script runs BEFORE the files are installed onto the system.
echo "Preparing to install FlightCtl Observability Stack..."
echo "Note: Observability stack can be installed independently of other FlightCtl services."


%post observability
# This script runs AFTER the files have been installed onto the system.
echo "Running post-install actions for Flightctl Observability Stack..."

# Create necessary directories on the host if they don't already exist.
/usr/bin/mkdir -p /etc/prometheus /var/lib/prometheus
/usr/bin/mkdir -p /etc/grafana /etc/grafana/provisioning /etc/grafana/provisioning/datasources /etc/grafana/provisioning/alerting /var/lib/grafana
/usr/bin/mkdir -p /etc/grafana/provisioning/dashboards /etc/grafana/provisioning/dashboards/flightctl
/usr/bin/mkdir -p /etc/grafana/certs
/usr/bin/mkdir -p /etc/flightctl /opt/flightctl-observability/templates
/usr/bin/mkdir -p /usr/bin /usr/lib/systemd/system
/usr/bin/mkdir -p /etc/flightctl/scripts
/usr/bin/mkdir -p /etc/flightctl/definitions


chown 65534:65534 /var/lib/prometheus
chown 472:472 /var/lib/grafana

# Apply persistent SELinux contexts for volumes and configuration files.
/usr/sbin/semanage fcontext -a -t container_file_t "/etc/prometheus/prometheus.yml" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -a -t container_file_t "/var/lib/prometheus(/.*)?" >/dev/null 2>&1 || :

/usr/sbin/semanage fcontext -a -t container_file_t "/etc/grafana(/.*)?" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -a -t container_file_t "/var/lib/grafana(/.*)?" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -a -t container_file_t "/etc/grafana/certs(/.*)?" >/dev/null 2>&1 || :

/usr/sbin/semanage fcontext -a -t container_file_t "/opt/flightctl-observability/templates(/.*)?" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -a -t container_file_t "/usr/bin/flightctl-render-observability" >/dev/null 2>&1 || :

# Restore file contexts based on the new rules (and default rules)
/usr/sbin/restorecon -RvF /etc/prometheus >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /var/lib/prometheus >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /etc/grafana >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /var/lib/grafana >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /etc/grafana/certs >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /opt/flightctl-observability/templates >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /usr/bin/flightctl-render-observability >/dev/null 2>&1 || :

# Enable specific SELinux boolean if needed
/usr/sbin/setsebool -P container_manage_cgroup on >/dev/null 2>&1 || :


# --- Process Configuration Templates (Initial Generation) ---
# Call the basic config reloader script once during installation to generate initial config files.
# Note: We use the basic reloader here because FlightCtl services aren't running yet during installation.
echo "Generating initial configuration files..."
CONFIG_FILE="/etc/flightctl/service-config.yaml"
TEMPLATES_DIR="/opt/flightctl-observability/templates"
DEFINITIONS_FILE="/etc/flightctl/definitions/observability.defs"

# Source shared logic and call rendering without restarting services
if [ -f "/etc/flightctl/scripts/render-templates.sh" ]; then
    source /etc/flightctl/scripts/render-templates.sh
    render_templates "$CONFIG_FILE" "$TEMPLATES_DIR" "$DEFINITIONS_FILE" || { echo "ERROR: Initial config generation failed!"; exit 1; }
else
    echo "ERROR: render-templates.sh not found!"
    exit 1
fi


# --- Final service management ---
echo "Reloading systemd daemon..."
/usr/bin/systemctl daemon-reload

echo "Flightctl Observability Stack services installed. Services are configured but not started."
echo "To render config: sudo flightctl-render-observability"
echo "To start services: sudo systemctl start flightctl-observability.target"
echo "For automatic startup: sudo systemctl enable flightctl-observability.target"




%preun observability
echo "Running pre-uninstall actions for Flightctl Observability Stack..."
# Stop and disable the target and all services
/usr/bin/systemctl stop flightctl-observability.target >/dev/null 2>&1 || :
/usr/bin/systemctl disable flightctl-observability.target >/dev/null 2>&1 || :
/usr/bin/systemctl stop flightctl-grafana.service >/dev/null 2>&1 || :
/usr/bin/systemctl disable flightctl-grafana.service >/dev/null 2>&1 || :
/usr/bin/systemctl stop flightctl-userinfo-proxy.service >/dev/null 2>&1 || :
/usr/bin/systemctl disable flightctl-userinfo-proxy.service >/dev/null 2>&1 || :
/usr/bin/systemctl stop flightctl-prometheus.service >/dev/null 2>&1 || :
/usr/bin/systemctl disable flightctl-prometheus.service >/dev/null 2>&1 || :


%postun observability
echo "Running post-uninstall actions for Flightctl Observability Stack..."
# Clean up Podman containers associated with the services
/usr/bin/podman rm -f flightctl-grafana >/dev/null 2>&1 || :
/usr/bin/podman rm -f flightctl-userinfo-proxy >/dev/null 2>&1 || :
/usr/bin/podman rm -f flightctl-prometheus >/dev/null 2>&1 || :

# Note: Podman secrets are managed by the telemetry-gateway package
# and will be cleaned up when that package is uninstalled

# Remove SELinux fcontext rules added by this package
/usr/sbin/semanage fcontext -d -t container_file_t "/etc/grafana(/.*)?" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -d -t container_file_t "/var/lib/grafana(/.*)?" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -d -t container_file_t "/etc/grafana/certs(/.*)?" >/dev/null 2>&1 || :

/usr/sbin/semanage fcontext -d -t container_file_t "/etc/prometheus/prometheus.yml" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -d -t container_file_t "/var/lib/prometheus(/.*)?" >/dev/null 2>&1 || :

/usr/sbin/semanage fcontext -d -t container_file_t "/opt/flightctl-observability/templates(/.*)?" >/dev/null 2>&1 || :
/usr/sbin/semanage fcontext -d -t container_file_t "/usr/bin/flightctl-render-observability" >/dev/null 2>&1 || :


# Restore default SELinux contexts for affected directories
/usr/sbin/restorecon -RvF /etc/grafana >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /var/lib/grafana >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /etc/grafana/certs >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /etc/prometheus >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /var/lib/prometheus >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /opt/flightctl-observability/templates >/dev/null 2>&1 || :
/usr/sbin/restorecon -RvF /usr/bin/flightctl-render-observability >/dev/null 2>&1 || :


/usr/bin/systemctl daemon-reload
echo "Flightctl Observability Stack uninstalled."

%prep
%goprep -A
%setup -q %{forgesetupargs} -n flightctl-0.10.0~main~886~g2eb24000

%build
    # if this is a buggy version of go we need to set GOPROXY as workaround
    # see https://github.com/golang/go/issues/61928
    GOENVFILE=$(go env GOROOT)/go.env
    if [[ ! -f "${GOENVFILE}" ]]; then
        export GOPROXY='https://proxy.golang.org,direct'
    fi

    # Prefer values injected by Makefile/CI; fall back to RPM macros when unset
    SOURCE_GIT_TAG="%{?SOURCE_GIT_TAG:%{SOURCE_GIT_TAG}}%{!?SOURCE_GIT_TAG:%(./hack/current-version)}" \
    SOURCE_GIT_TREE_STATE="%{?SOURCE_GIT_TREE_STATE:%{SOURCE_GIT_TREE_STATE}}%{!?SOURCE_GIT_TREE_STATE:clean}" \
    SOURCE_GIT_COMMIT="%{?SOURCE_GIT_COMMIT:%{SOURCE_GIT_COMMIT}}%{!?SOURCE_GIT_COMMIT:%(echo %{version} | grep -o '[-~]g[0-9a-f]*' | sed 's/[-~]g//' || echo unknown)}" \
    SOURCE_GIT_TAG_NO_V="%{?SOURCE_GIT_TAG_NO_V:%{SOURCE_GIT_TAG_NO_V}}%{!?SOURCE_GIT_TAG_NO_V:%{version}}" \
    %if 0%{?rhel} == 9
        %make_build build-cli build-agent build-restore build-standalone
    %else
        DISABLE_FIPS="true" %make_build build-cli build-agent build-restore build-standalone
    %endif

    # SELinux modules build
    %make_build --directory packaging/selinux

%install
    mkdir -p %{buildroot}/usr/bin
    mkdir -p %{buildroot}/etc/flightctl
    cp bin/flightctl %{buildroot}/usr/bin
    cp bin/flightctl-restore %{buildroot}/usr/bin
    mkdir -p %{buildroot}/usr/lib/systemd/system
    mkdir -p %{buildroot}/usr/lib/tmpfiles.d
    mkdir -p %{buildroot}/usr/lib/flightctl/custom-info.d
    mkdir -p %{buildroot}/usr/lib/flightctl/hooks.d/{afterupdating,beforeupdating,afterrebooting,beforerebooting}
    mkdir -p %{buildroot}/usr/lib/greenboot/check/required.d
    install -m 0755 packaging/greenboot/flightctl-agent-running-check.sh %{buildroot}/usr/lib/greenboot/check/required.d/20_check_flightctl_agent.sh
    cp bin/flightctl-agent %{buildroot}/usr/bin
    cp packaging/must-gather/flightctl-must-gather %{buildroot}/usr/bin
    cp packaging/hooks.d/afterupdating/00-default.yaml %{buildroot}/usr/lib/flightctl/hooks.d/afterupdating
    cp packaging/systemd/flightctl-agent.service %{buildroot}/usr/lib/systemd/system
    echo "d /var/lib/flightctl 0755 root root -" > %{buildroot}/usr/lib/tmpfiles.d/flightctl.conf
    echo "# systemd-tmpfiles configuration for CentOS bootc buildinfo directories" > %{buildroot}/usr/lib/tmpfiles.d/centos-buildinfo.conf
    echo "d /var/roothome 0755 root root -" >> %{buildroot}/usr/lib/tmpfiles.d/centos-buildinfo.conf
    echo "d /var/roothome/buildinfo 0755 root root -" >> %{buildroot}/usr/lib/tmpfiles.d/centos-buildinfo.conf
    echo "d /var/roothome/buildinfo/content_manifests 0755 root root -" >> %{buildroot}/usr/lib/tmpfiles.d/centos-buildinfo.conf
    bin/flightctl completion bash > flightctl-completion.bash
    install -Dpm 0644 flightctl-completion.bash -t %{buildroot}/%{_datadir}/bash-completion/completions
    bin/flightctl completion fish > flightctl-completion.fish
    install -Dpm 0644 flightctl-completion.fish -t %{buildroot}/%{_datadir}/fish/vendor_completions.d/
    bin/flightctl completion zsh > _flightctl-completion
    install -Dpm 0644 _flightctl-completion -t %{buildroot}/%{_datadir}/zsh/site-functions/
    install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
    install -m644 packaging/selinux/*.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}

    install -Dpm 0644 packaging/flightctl-services-install.conf %{buildroot}%{_sysconfdir}/flightctl/flightctl-services-install.conf

    # flightctl-services sub-package steps
    # Use the flightctl-standalone render quadlets command to generate quadlet files with the correct image tags.
    #
    # The IMAGE_TAG is derived from the RPM version, which may include tildes (~)
    # for proper version sorting (e.g., 0.5.1~rc1-1). However, the tagged images
    # always use hyphens (-) instead of tildes (~). To ensure valid image tags we need
    # to transform the version string by replacing tildes with hyphens.
    IMAGE_TAG=$(echo %{version} | tr '~' '-')
    bin/flightctl-standalone render quadlets \
        --config deploy/podman/images.yaml \
        --flightctl-services-tag-override "${IMAGE_TAG}" \
        --readonly-config-dir "%{buildroot}%{_datadir}/flightctl" \
        --writeable-config-dir "%{buildroot}%{_sysconfdir}/flightctl" \
        --quadlet-dir "%{buildroot}%{_datadir}/containers/systemd" \
        --systemd-dir "%{buildroot}/usr/lib/systemd/system" \
        --bin-dir "%{buildroot}/usr/bin"

    # Copy services must gather script
    cp packaging/must-gather/flightctl-services-must-gather %{buildroot}%{_bindir}

    # Copy sos report flightctl plugin
    mkdir -p %{buildroot}/usr/share/sosreport
    cp packaging/sosreport/sos/report/plugins/flightctl.py %{buildroot}/usr/share/sosreport

    # install observability
     # Create target directories within the build root (where files are staged for RPM)
     mkdir -p %{buildroot}/etc/flightctl/scripts
     mkdir -p %{buildroot}/etc/flightctl/telemetry-gateway
     mkdir -p %{buildroot}/etc/flightctl/definitions
     mkdir -p %{buildroot}/etc/containers/systemd
     mkdir -p %{buildroot}/etc/prometheus
     mkdir -p %{buildroot}/etc/grafana/provisioning/datasources
     mkdir -p %{buildroot}/etc/grafana/provisioning/alerting
     mkdir -p %{buildroot}/etc/grafana/provisioning/dashboards/flightctl
     mkdir -p %{buildroot}/etc/grafana/certs
     mkdir -p %{buildroot}/var/lib/prometheus
     mkdir -p %{buildroot}/var/lib/grafana # For Grafana's data
     mkdir -p %{buildroot}/opt/flightctl-observability/templates # Staging for template files processed in %%post
     mkdir -p %{buildroot}/usr/bin # For the reloader script
     mkdir -p %{buildroot}/usr/lib/systemd/system # For systemd units

     # Install pre-upgrade helper script to libexec
     mkdir -p %{buildroot}%{_libexecdir}/flightctl
     install -Dpm 0755 deploy/scripts/pre-upgrade-dry-run.sh %{buildroot}%{_libexecdir}/flightctl/pre-upgrade-dry-run.sh

     # Copy static configuration files (those not templated)
     install -m 0644 packaging/observability/prometheus.yml %{buildroot}/etc/prometheus/

     # Copy template source files to a temporary staging area for processing in %%post
     install -m 0644 packaging/observability/grafana.ini.template %{buildroot}/opt/flightctl-observability/templates/
     install -m 0644 packaging/observability/flightctl-grafana.container.template %{buildroot}/opt/flightctl-observability/templates/
     install -m 0644 packaging/observability/flightctl-prometheus.container.template %{buildroot}/opt/flightctl-observability/templates/
     install -m 0644 packaging/observability/flightctl-telemetry-gateway.container.template %{buildroot}/opt/flightctl-observability/templates/
     install -m 0644 packaging/observability/flightctl-telemetry-gateway-config.yaml.template %{buildroot}/opt/flightctl-observability/templates/
     install -m 0644 packaging/observability/flightctl-userinfo-proxy.container.template %{buildroot}/opt/flightctl-observability/templates/

     # Copy non-templated Grafana datasource provisioning file
     install -m 0644 packaging/observability/grafana-datasources.yaml %{buildroot}/etc/grafana/provisioning/datasources/prometheus.yaml

     install -m 0644 packaging/observability/grafana-dashboards.yaml %{buildroot}/etc/grafana/provisioning/dashboards/flightctl.yaml

     # Copy the reloader script and its systemd units
     install -m 0755 packaging/observability/render-templates.sh %{buildroot}/etc/flightctl/scripts
     install -m 0755 test/scripts/setup_telemetry_gateway_certs.sh %{buildroot}/etc/flightctl/scripts
     install -m 0755 test/scripts/functions %{buildroot}/etc/flightctl/scripts

     install -m 0755 packaging/observability/flightctl-render-observability %{buildroot}/usr/bin/
     install -m 0644 packaging/observability/observability.defs %{buildroot}/etc/flightctl/definitions/
     install -m 0644 packaging/observability/telemetry-gateway.defs %{buildroot}/etc/flightctl/definitions/

     # Note: flightctl network is provided by flightctl-services package

     # Install systemd targets for service grouping
     install -m 0644 packaging/observability/flightctl-telemetry-gateway.target %{buildroot}/usr/lib/systemd/system/
     install -m 0644 packaging/observability/flightctl-observability.target %{buildroot}/usr/lib/systemd/system/

%check
    %{buildroot}%{_bindir}/flightctl-agent version


%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
# Install SELinux module - if this fails, RPM installation will still continue
if ! semodule -s %{selinuxtype} -i %{_datadir}/selinux/packages/%{selinuxtype}/flightctl_agent.pp.bz2; then
    echo "ERROR: Failed to install flightctl SELinux policy (AST failure or compatibility issue)" >&2
    exit 1
fi

%postun selinux
if [ $1 -eq 0 ]; then
    semodule -s %{selinuxtype} -r flightctl_agent 2>/dev/null || :
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}

# File listings
# No %%files section for the main package, so it won't be built

%files cli
    %{_bindir}/flightctl
    %{_bindir}/flightctl-restore
    %license LICENSE
    %{_datadir}/bash-completion/completions/flightctl-completion.bash
    %{_datadir}/fish/vendor_completions.d/flightctl-completion.fish
    %{_datadir}/zsh/site-functions/_flightctl-completion

%files agent
    %license LICENSE
    %dir /etc/flightctl
    %{_bindir}/flightctl-agent
    %{_bindir}/flightctl-must-gather
    /usr/lib/flightctl/hooks.d/afterupdating/00-default.yaml
    /usr/lib/systemd/system/flightctl-agent.service
    /usr/lib/tmpfiles.d/flightctl.conf
    /usr/lib/tmpfiles.d/centos-buildinfo.conf
    /usr/lib/greenboot/check/required.d/20_check_flightctl_agent.sh
    /usr/share/sosreport/flightctl.py

%post agent
# Ensure /var/lib/flightctl exists immediately for environments where systemd-tmpfiles succeeds or via fallback
# Try systemd-tmpfiles first, fall back to manual creation if it fails
/usr/bin/systemd-tmpfiles --create /usr/lib/tmpfiles.d/flightctl.conf || {
    mkdir -p /var/lib/flightctl && \
    chown root:root /var/lib/flightctl && \
    chmod 0755 /var/lib/flightctl
}

# These files prevent tmpfiles.d from managing the /var/roothome/buildinfo directory
rm -f /var/roothome/buildinfo/content_manifests/content-sets.json
rm -f /var/roothome/buildinfo/labels.json
# Remove the directories so tmpfiles.d can recreate them properly
rmdir /var/roothome/buildinfo/content_manifests 2>/dev/null || true
rmdir /var/roothome/buildinfo 2>/dev/null || true

INSTALL_DIR="/usr/lib/python$(python3 --version | sed 's/^.* \(3[.][0-9]*\).*$/\1/')/site-packages/sos/report/plugins"
mkdir -p $INSTALL_DIR
cp /usr/share/sosreport/flightctl.py $INSTALL_DIR
chmod 0644 $INSTALL_DIR/flightctl.py
rm -rf /usr/share/sosreport


%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/flightctl_agent.pp.bz2

%files services
    %defattr(0644,root,root,-)
    # Files mounted to system config
    %dir %{_sysconfdir}/flightctl
    %dir %{_sysconfdir}/flightctl/pki
    %dir %{_sysconfdir}/flightctl/flightctl-api
    %dir %{_sysconfdir}/flightctl/flightctl-ui
    %dir %{_sysconfdir}/flightctl/flightctl-cli-artifacts
    %dir %{_sysconfdir}/flightctl/flightctl-alertmanager-proxy
    %dir %{_sysconfdir}/flightctl/flightctl-pam-issuer
    %dir %{_sysconfdir}/flightctl/flightctl-db-migrate
    %dir %{_sysconfdir}/flightctl/ssh
    %config(noreplace) %{_sysconfdir}/flightctl/service-config.yaml
    %config(noreplace) %{_sysconfdir}/flightctl/flightctl-services-install.conf
    %config(noreplace) %{_sysconfdir}/flightctl/ssh/known_hosts

    # Files mounted to data dir
    %dir %attr(0755,root,root) %{_datadir}/flightctl
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-api
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-db
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-kv
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-alertmanager-proxy
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-ui
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-cli-artifacts
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-pam-issuer
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-alert-exporter
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-periodic
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-worker
    %dir %attr(0755,root,root) %{_datadir}/flightctl/flightctl-db-migrate
    %{_datadir}/flightctl/flightctl-api/config.yaml.template
    %{_datadir}/flightctl/flightctl-api/env.template
    %attr(0755,root,root) %{_datadir}/flightctl/flightctl-api/init.sh
    %attr(0755,root,root) %{_datadir}/flightctl/flightctl-api/create_aap_application.sh
    %attr(0755,root,root) %{_datadir}/flightctl/flightctl-db/enable-superuser.sh
    %{_datadir}/flightctl/flightctl-kv/redis.conf
    %{_datadir}/flightctl/flightctl-ui/env.template
    %attr(0755,root,root) %{_datadir}/flightctl/flightctl-ui/init.sh
    %attr(0755,root,root) %{_datadir}/flightctl/init_utils.sh
    %{_datadir}/flightctl/flightctl-cli-artifacts/env.template
    %{_datadir}/flightctl/flightctl-cli-artifacts/nginx.conf
    %attr(0755,root,root) %{_datadir}/flightctl/flightctl-cli-artifacts/init.sh
    %{_datadir}/containers/systemd/flightctl*
    %{_datadir}/flightctl/flightctl-alertmanager/alertmanager.yml
    %{_datadir}/flightctl/flightctl-alertmanager-proxy/env.template
    %{_datadir}/flightctl/flightctl-pam-issuer/config.yaml.template
    %{_datadir}/flightctl/flightctl-alertmanager-proxy/config.yaml.template
    %{_datadir}/flightctl/flightctl-alert-exporter/config.yaml.template
    %{_datadir}/flightctl/flightctl-periodic/config.yaml.template
    %{_datadir}/flightctl/flightctl-worker/config.yaml.template
    %{_datadir}/flightctl/flightctl-db-migrate/config.yaml.template

    # Handle permissions for scripts setting host config
    %attr(0755,root,root) %{_datadir}/flightctl/init_host.sh
    %attr(0755,root,root) %{_datadir}/flightctl/secrets.sh
    %attr(0755,root,root) %{_datadir}/flightctl/yaml_helpers.py
    %attr(0755,root,root) %{_datadir}/flightctl/generate-certificates.sh

    # flightctl-services pre upgrade checks
    %dir %{_libexecdir}/flightctl
    %attr(0755,root,root) %{_libexecdir}/flightctl/pre-upgrade-dry-run.sh

    # Files mounted to lib dir
    /usr/lib/systemd/system/flightctl.target
    /usr/lib/systemd/system/flightctl-certs-init.service

    # Files mounted to bin dir
    %attr(0755,root,root) %{_bindir}/flightctl-services-must-gather
    %attr(0755,root,root) %{_bindir}/flightctl-standalone

# Optional pre-upgrade database migration dry-run
%pre services
# $1 == 1 if it's an install
# $1 == 2 if it's an upgrade
if [ "$1" -eq 2 ]; then
    IMAGE_TAG="$(echo %{version} | tr '~' '-')"
    echo "flightctl: running pre upgrade checks, target version $IMAGE_TAG"
    if [ -x "%{_libexecdir}/flightctl/pre-upgrade-dry-run.sh" ]; then
        IMAGE_TAG="$IMAGE_TAG" \
        CONFIG_PATH="%{_sysconfdir}/flightctl/flightctl-api/config.yaml" \
        "%{_libexecdir}/flightctl/pre-upgrade-dry-run.sh" "$IMAGE_TAG" "%{_sysconfdir}/flightctl/flightctl-api/config.yaml" || {
            echo "flightctl: dry-run failed; aborting upgrade." >&2
            exit 1
        }
    else
        echo "flightctl: pre-upgrade-dry-run.sh not found at %{_libexecdir}/flightctl; skipping."
    fi
fi

%post services
# On initial install: apply preset policy to enable/disable services based on system defaults
%systemd_post %{flightctl_target}

# Reload systemd to recognize new container files
/usr/bin/systemctl daemon-reload >/dev/null 2>&1 || :

cfg="%{_sysconfdir}/flightctl/flightctl-services-install.conf"

if [ "$1" -eq 1 ]; then # it's a fresh install
  %{__cat} <<EOF
[flightctl] Installed.

Start services:
  sudo systemctl start flightctl.target

Check status:
  systemctl list-units 'flightctl*' --all
EOF
fi

# Suggest enabling migration dry-run if not set
if [ -f "$cfg" ] && ! %{__grep} -q '^[[:space:]]*FLIGHTCTL_MIGRATION_DRY_RUN=1[[:space:]]*$' "$cfg"; then
  %{__cat} <<EOF
Recommendation:
  A database migration dry-run before updates is currently DISABLED.
  To enable it, edit:
    $cfg
  and set:
    FLIGHTCTL_MIGRATION_DRY_RUN=1
EOF
fi

if [ "$1" -eq 2 ]; then # it's an upgrade
  %{__cat} <<'EOF'
[flightctl] Upgraded.

Review status:
  systemctl list-units 'flightctl*' --all
EOF
fi

%preun services
# On package removal: stop and disable all services
%systemd_preun %{flightctl_target}
%systemd_preun flightctl-network.service

%postun services
# On upgrade: mark services for restart after transaction completes
%systemd_postun_with_restart %{flightctl_services_restart}
%systemd_postun %{flightctl_target}

# If contexts were managed via policy, no cleanup is needed here.

%changelog
* Thu Nov 27 2025 Packit <hello@packit.dev> - 0.10.0~main~886~g2eb24000-1.20251127083332336213.pr2074.886.g2eb24000
- EDM-2402: fix GetEnrollmentConfig should return signer and api certs (Asaf Ben Natan)
- EDM-2402: Add certs generation service to quadlets (Dakota Crowder)
- EDM-2402: Fix typo (Dakota Crowder)
- EDM-2402: Static secret names, add alertmanager proxy crt (Dakota Crowder)
- EDM-2402: Align helm certificate generation with api, alertmanager-proxy, and telemetry ingestion (Dakota Crowder)
- EDM-2402: Remove service ca and service certificate generation, instead require server and client-signer certificates (Dakota Crowder)
- EDM-2680: Fix issue with OCI artifacts on the agent (#2068) (kkyrazis)
- EDM-2534: removing AUTH=true and ORGS=true (Asaf Ben Natan)
- NO-ISSUE: Fix telemetry-gateway pods not starting properly (Celia Amador)
- NO-ISSUE: Fix event emission for repositories (Avishay Traeger)
- EDM-2679: Implement shared publisher to fix queue maintenance interference (Avishay Traeger)
- EDM-2669: Generate certificates (Frank A. Zdarsky)
- EDM-2583: Invalid Systemd Services block updates (Ori Amizur)
- NO-ISSUE: detect docker images (Ilya Skornyakov)
- NO-ISSUE: Ensure worker clusterrole/crb is unique (rawagner)
- NO-ISSUE: Reference correct RHEM images (rawagner)
- EDM-2670: Fix label indentation (rawagner)
- EDM-2008: user/doc: add upstream upgrade compatibility matrix (Sam Batschelet)
- EDM-2548: Quadlet application documentation (Kyle Kyrazis)
- EDM-2166: user/docs: add protocol requirements (Sam Batschelet)
- EDM-2652: Required application type (Kyle Kyrazis)
- EDM-2624: Pass external API token by secret ref (rawagner)
- EDM-2624: Remove generateSecrets helm prop. Users should provide the secrets, otherwise we will generate them (rawagner)
- NO-ISSUE: fixed additional auth types on K8 being overriden by K8's Authz , (Asaf Ben Natan)
- EDM-2546: Add API validation for single container app type (#2014) (kkyrazis)
- NO-ISSUE: Add standard labels to every resource (rawagner)
- EDM-2640: Add Helm schema and basic API test (rawagner)
- EDM-2650: Add error messages to ResourceSync status conditions (Avishay Traeger)
- EDM-2651: Ensure MCE has permissions to create repo/get devices (rawagner)
- NO-ISSUE: Do not create oauth secret, reuse the oauthclient resource instead (rawagner)
- NO-ISSUE: added flightctl login --show-providers (Asaf Ben Natan)
- NO-ISSUE: fix AAP authentication (Asaf Ben Natan)
- EDM-2092: Cleanup resources left after tests (Eldar Weiss)
- NO-ISSUE: fix oauth2 authentication (tested with github) (Asaf Ben Natan)
- NO-ISSUE: api: regenerate (Sam Batschelet)
- NO-ISSUE: *: react to api version bump (Sam Batschelet)
- NO-ISSUE: api: bump version to v1beta1 (Sam Batschelet)
- EDM-2565: Update services must gather params (Dakota Crowder)
- EDM-2547: Single Container Quadlet Generation (#2019) (kkyrazis)
- EDM-2624: Review db section of values.yaml Fix external DB config - ssl certs Passwords are passed as Secret reference only (rawagner)
- EDM-2624: Reference base domain TLS via secret name Mount the secret to API pod as well (rawagner)
- EDM-1977: Org Update Transport Layer (Siddarth R)
- NO-ISSUE: fix openshift (Asaf Ben Natan)
- EDM-2445: ADD Artifact Support (Siddarth R)
- EDM-2331: add user log (#1937) (noga-magen)
- NO-ISSUE: enable version support to test quadlets-vm (sserafin)
- NO-ISSUE: add pam-devel to the Dev's prerequisites (amalykhi)
- EDM-2544: login (Noga Magen)
- NO-ISSUE: Fix brokwn links in authentication docs (Itzik Brown)
- NO-ISSUE: Centralize logging initialization and eliminate code duplication (#2032) (Gregory Shilin)
- EDM-2328: Adding a selector for fetching orgs by id (Noga Magen)
- EDM-2607: proper support for AP enabled flag (Asaf Ben Natan)
- NO-ISSUE: fix issuer and api templates to include scopes and redirect uris (Asaf Ben Natan)
- NO-ISSUE: fix pam issuer (Asaf Ben Natan)
- NO-ISSUE: pkg/poll: use math/rand/v2 (Sam Batschelet)
- EDM-2631: docs/user: update docs to reference disk protections (Sam Batschelet)
- EDM-2631: fail upgrade if critical disk alert is firing (Sam Batschelet)
- NO-ISSUE: agent/device/status: add embedded and appType (Sam Batschelet)
- EDM-2623: Add quadlet generator logs to error messages (#2018) (kkyrazis)
- EDM-2624: Helm values.yaml cleanup (rawagner)
- EDM-2626: Update paths to reflect moved files (Frank A. Zdarsky)
- NO-ISSUE: Make the token expire in 8 hours instead of 1 (Celia Amador)
- EDM-2293: Quadlet Volumes (#1947) (kkyrazis)
- EDM-2621: added support for AAP roles, adds proper context for app client as well (Asaf Ben Natan)
- NO-ISSUE: prepare merge groups (Asaf Ben Natan)
- EDM-2304: Consolidate into single standalone cmd with render subcommand (Dakota Crowder)
- EDM-2304: Add db migration specific config (Dakota Crowder)
- EDM-2304: Use logger for renderer, require in test, yaml alignment, sp fixes (Dakota Crowder)
- EDM-2304: Rewrite quadlet rendering in go with new binary installed on host to aid in go templating (Dakota Crowder)
- EDM-2377: automate flightctl completion (Eldar Weiss)
- EDM-2610: fixed OIDC using incorrect token (Asaf Ben Natan)
- NO-ISSUE: fix authz incorrect usage of org key (Asaf Ben Natan)
- EDM-2368: adds CRUD for AuthProviders (Asaf Ben Natan)
- EDM-2368: CLI support for CRUD Auth providers (Noga Magen)
- EDM-2606: [DEV] Ensure client_secret is not being displayed anywere. (Ori Amizur)
- EDM-2614: Flight Control Auth Doc (Asaf Ben Natan)
- NO-ISSUE: Close stale pull requests (Avishay Traeger)
- EDM-2592: Template community and RHEM chart Add helm lint CI workflow (rawagner)
- EDM-2414:  Fix /var/lib/grafana ownership and its sub-files to the user expected by the container image (Ori Amizur)
- NO-ISSUE: fix oauthclient condition (Asaf Ben Natan)
- NO-ISSUE: fix pam issuer callback (Asaf Ben Natan)
- EDM-2617: More agent selinux systemd permissions (#1994) (kkyrazis)
- NO-ISSUE: fix openshift token exchange (Asaf Ben Natan)
- EDM-2540: added list user Permission API (Asaf Ben Natan)
- EDM-2626: Reorganise docs (Frank A. Zdarsky)
- EDM-2626: Update markdownlint (Frank A. Zdarsky)
- EDM-2593: add auto exposeServicesMethod, hide nodePort configs, mark gateway as experimental (rawagner)
- EDM-2593: Remove global.target in favor of enableOpenShift/MCExtensions Remove global.apiUrl used by ACM operator (rawagner)
- EDM-2584: Hide Quadlet Applications from Systemd Status (#1971) (kkyrazis)
- EDM-2511: Disallow editing ERs in CLI (Ben Keith)
- EDM-2579: Add integration tests for agent audit logging (#1969) (Gal)
- NO-ISSUE: change standard Go log package to logrus (#1987) (Gregory Shilin)
- NO-ISSUE: 1. have roles scoped to organization 2. add super admin boolean 3. make flightctl-admin service account as part of the helm deployment 4. support openshift auth/authz specifically (Asaf Ben Natan)
- EDM-2373: Remove template variables no longer needed (Celia Amador)
- EDM-2604: fixed auto set redirect uri , fixed pam issuer errors (per spec) (Asaf Ben Natan)
- NO-ISSUE: fix org prefix for pam (Asaf Ben Natan)
- EDM-2295: Clean up quadlet podman resources (#1970) (kkyrazis)
- EDM-2507: Add OCI auto detection (Kyle Kyrazis)
- EDM-2594: Remove RH PaaS specific labels and enable passing additional labels for all PVCs/Routes (rawagner)
- EDM-2597: and EDM-2598 and EDM-2599 (Asaf Ben Natan)
- EDM-2600: added missing folder from spec (Asaf Ben Natan)
- EDM-2567: Revert changes in hack/current-version and .packit.yaml (#1968) (Gregory Shilin)
- EDM-2595: Remove UI subchart and make it a component of a fctl helm chart (rawagner)
- EDM-2545: Single Container App Type API Defs (Kyle Kyrazis)
- EDM-2564: support confidential oauth2 clients via the BFF pattern (Asaf Ben Natan)
- EDM-2579: Add integration tests for agent metrics and pprof endpoints (asafbss)
- NO-ISSUE: Alertmanager-proxy can not access rolebindings (Celia Amador)
- EDM-2321: Add Agent Audit Log (#1938) (Gal)
- NO-ISSUE: Do not rebuild lint and spellcheck images in case nothing was changed (#1963) (Gregory Shilin)
- NO-ISSUE: missing -f flag for cleaning ~/.flightctl (Asaf Ben Natan)
- EDM-2508: Preverify for Embedded apps (Siddarth R)
- EDM-2508: agent/device/application: prefetch image targets (Sam Batschelet)
- EDM-2568: Add namespacing to named values (#1956) (kkyrazis)
- NO-ISSUE: fix make file slowness (Asaf Ben Natan)
- NO-ISSUE: fix aap config (Asaf Ben Natan)
- EDM-2042: Misleading wording in Alertmanager proxy logs (#1934) (Andy Dalton)
- EDM-2530: Flightctl version/tagging mismatch (#1954) (Andy Dalton)
- NO-ISSUE: Fix various console issues (Ori Amizur)
- EDM-2529: Fix observability and telemetry-gateway RPM Deps (Ben Keith)
- EDM-2347: multi auth providers (Asaf Ben Natan)
- EDM-2550: disable agent metrics handler by default (Sam Batschelet)
- EDM-2551: agent/selinx: enable listening on unreserved ports (Sam Batschelet)
- EDM-2030: Added verify fleet check shows aggregated device status (hferber1)
- EDM-2421: Implement systemd status on agent (Frank A. Zdarsky)
- EDM-2420: Define systemd status API (Frank A. Zdarsky)
- NO-ISSUE: Preserve -main for main branch development builds (#1946) (Gregory Shilin)
- NO-ISSUE: Update go.mod to support both 1.24 (Fedora 42) and 1.25 (Fedora 43) (#1944) (Gregory Shilin)
- EDM-2528: Add bash-completion as recommended RPM package (Ben Keith)
- EDM-2505: Add CLI autocomplete for decommission command (Ben Keith)
- NO-ISSUE: fix build - update dependencies (Asaf Ben Natan)
- EDM-2460: Add local Prometheus metrics in the agent (#1916) (Assaf Albo)
- EDM-2444: Embedded Quadlet App Providers (#1920) (kkyrazis)
- EDM-2375: Fix csr example (Siddarth R)
- NO-ISSUE: Update go-toolset to 1.24 (Frank A. Zdarsky)
- NO-ISSUE: speed up build (Asaf Ben Natan)
- EDM-2382: forward to external open telemetry collector is not working with quadlets (Ori Amizur)
- EDM-2509: enforcing PKCE for public clients (Asaf Ben Natan)
- EDM-2234: CLI Kind/Name Autocomplete (#1871) (Ben Keith)
- NO-ISSUE: use systemd stop selinux macro (#1928) (kkyrazis)
- EDM-2294: Quadlet reset failed systemd units on remove (#1919) (kkyrazis)
- NO-ISSUE: add dependency to test vms (sserafin)
- EDM-2230: Persist CSR Until enrollment (Siddarth R)
- EDM-2329: Auto select org on login (Siddarth R)
- NO-ISSUE: add link to orgs user docs from main nav (Dakota Crowder)
- EDM-2443: Add Inline Provider for Quadlet Apps (#1913) (kkyrazis)
- EDM-2269: Upstream flightctl services rpm version is incorrect (remove branch info) (#1914) (Gregory Shilin)
- EDM-2265: fix E2E rollout tests beforeEach in OCP (sserafin)
- EDM-2346: replaced keycloak with PAM issuer (Asaf Ben Natan)
- EDM-2358: fix lint cache (Asaf Ben Natan)
- EDM-2395: Add Inline Quadlet Validation (Kyle Kyrazis)
- EDM-2294: Add Quadlet App Lifecycle Handler (#1875) (kkyrazis)
- EDM-2393: Added quadlet spec definition (#1855) (kkyrazis)
- EDM-2414: grafana starts but there are warnings and errors (Ori Amizur)
- EDM-1116: Audit the use of rate limiting controls (Ori Amizur)
- EDM-2455: Add quadlet installation logic (#1881) (kkyrazis)
- EDM-2269: Upstream flightctl services rpm version is incorrect (#1897) (Gregory Shilin)
- EDM-2465: Add upstream RHEL/CS-10 targes targets (#1895) (Gregory Shilin)
- NO-ISSUE: Fix TLD in image labels (Frank A. Zdarsky)
- EDM-2459: add pprof server for runtime profiling (#1887) (Assaf Albo)
- EDM-2302: User quadlet docs (Dakota Crowder)
- EDM-2495: Add HSTS and X-Content-Type-Options headers (Avishay Traeger)
- EDM-2424: helm - preserve migration job (#1866) (Ilya)
- EDM-1124: null_method_call: Calling a method on null object (Ori Amizur)
- EDM-2250: Treat graceful HTTP shutdown correctly in metrics server (#1888) (Assaf Albo)
- NO-ISSUE: Temporarily disable backward compatibility integration tests (Avishay Traeger)
- EDM-2404: Add debug logs to snapshot restore (sserafin)
- NO-ISSUE: Remove rate limit environment variables (Avishay Traeger)
- NO-ISSUE: Add explicit enabled field for rate limiting configuration (Avishay Traeger)
- EDM-2405: Increase default rate limiting from 60/10 to 300/20 requests (Avishay Traeger)
- EDM-2378: automate flightctl edit (Eldar Weiss)
- EDM-2240: Default to YAML format when using --rendered (Celia Amador)
- EDM-2240: Fix bug lastSeen allowed for multiple devices but info not shown (Celia Amador)
- EDM-2240: Flags shown in help for 'get' commands are contextual (Celia Amador)
- EDM-2300: Services must-gather script (Dakota Crowder)
- NO-ISSUE: Use selected organization when creating new devices with agent-vm (Celia Amador)
- EDM-2739: automate new get format (Eldar Weiss)
- EDM-2233: Automation of Deny feature (Eldar Weiss)
- EDM-2168: Fix for [It] VM Agent behavior status Device status tests (Itzik Brown)
- EDM-2031: Added checking number of devices in each fleet test (Hadar Ferber)
- NO-ISSUE: add missing labels (#1861) (Ilya)
- EDM-2419: fixed meter collector to have a single label (Asaf Ben Natan)
- EDM-2412: store: return not found if checkpoint does not exist (Sam Batschelet)
- EDM-2408: Move redis config for quadlets kv service to a .conf file to prevent directory permissions issues (Dakota Crowder)
- EDM-2409: Add internal ctx key to alert exporter service (Dakota Crowder)
- EDM-2400: Fix bootc linting issue for CentOS buildinfo directories (Gal Elharar)
- EDM-2385:Redis integration test race  condition fix (amalykhi)
- EDM-1961: Enhance CLI Login error handling and Docs (Siddarth R)
- EDM-2396: Fix build source tag detection (Ben Keith)
- EDM-2387: Allow flightctl_agent_t to get status of systemd services (Ben Keith)
- NO-ISSUE: Fix commit message check for backport branches (Avishay Traeger)
- EDM-2322: Flightctl is using the Internal database when enabling the … (#1797) (Gregory Shilin)
- EDM-2354: agent: remove klog as dependency (Sam Batschelet)
- EDM-2354: device/systeminfo: improve context handling (Sam Batschelet)
- EDM-2354: packaging/greenboot: bump timeout (Sam Batschelet)
- EDM-2354: test/agent: use drop-in for system-info config (Sam Batschelet)
- EDM-2350-v2: Fix documentation to reference correct telemetery gateway export listen port (9464) for prometheus (Ori Amizur)
- NO-ISSUE: move files (JasonN3)
- EDM-2350: [documenttion] Telemetry quadlets configuration is wrong in the doc (Ori Amizur)
- EDM-2236: use require package for approve command tests (Gal Elharar)
- EDM-2351: Update doc refs from new utilty usage, accept stdin input in py yaml utility (Dakota Crowder)
- EDM-2253: Add hostname support to systeminfo and improve agent config (Gal Elharar)
- EDM-2251: remove start condition for db-migrate (#1815) (Ilya)
- NO-ISSUE: workflow disk cleanup config update (Ilya)
- EDM-2367: Separate last seen from device (Ori Amizur)
- EDM-2161: detect integration tests base (#1809) (Ilya)
- EDM-2236: Add support for space-separated approve command syntax (Gal Elharar)
- EDM-2341: flightctl-userinfo-proxy container doesn't support the Memory setting (Ori Amizur)
- EDM-1834: Agent attempts to reconcile before reboot on OS upgrade (noga-magen)
- EDM-2351: Add python utility for transforming yaml (Dakota Crowder)
- EDM-2352: improve e2e beforeEach stability (sserafin)
- EDM-1392: Add fallback for immediate /var/lib/flightctl creation (Gal Elharar)
- EDM-2214: create migration pod just once and retry without a limit (#1794) (Ilya)
- EDM-2288: remove yq dependency (Siddarth R)
- EDM-1601: Prevent Invalid Memory monitor type path fields (Gal Elharar)
- EDM-1601: Add unit tests for ResourceMonitor validation (Gal Elharar)
- EDM-1601: Prevent duplicate monitorType and invalid CPU path fields (Gal Elharar)
- EDM-1601: Add validation to prevent duplicate monitorType in fleet resources (Gal Elharar)
- NO-ISSUE: dont shutdown deployments in ACM (#1793) (Ilya)
- NO-ISSUE: fix broken link (#1796) (Ilya)
- NO-ISSUE: Fix custom-info examples in agent-vm (Celia Amador)
- NO-ISSUE: Fix git container on deploy (#1772) (Siddarth Royapally)
- EDM-2214: helm add migration wait init containers to services (#1785) (Siddarth Royapally)
- EDM-2286: Add correct selinux policy to custom-info directory (#1788) (kkyrazis)
- EDM-2259: Fix draining workloads on shutdown (#1786) (kkyrazis)
- NO-ISSUE: deploy/helm: fix doc links (Sam Batschelet)
- EMD-2207: Remove Docs and duplicate licenses from RPMs (#1781) (kkyrazis)
- Merge pull request #1779 from keitwb/rhel-build-note (Ben Keith)
- EDM-2254: Fix directory drop in reference for db/kv (Dakota Crowder)
- Add doc on how to access downstream builds (#1774) (Ben Keith)
- NO-ISSUE: Various doc fixes (Frank A. Zdarsky)
- EDM-2043: Create SSH known_hosts file during installation (#1775) (Siddarth Royapally)
- EDM-2273: device/dependency: ensure stale images are removed on version change (Sam Batschelet)
- EDM-2271: Fix TPM Activate Credential with tracing disabled (#1763) (kkyrazis)
- EDM-2255: added flightctl-restore to the rpm (Asaf Ben Natan)
- EDM-2272: device/application/podman: ensure pods are cleaned up on removal (Sam Batschelet)
- EDM-2266: Append org id param to console requests from cli and address outdated const refs (Dakota Crowder)
- EDM-1870: automation of quadlets installation in RHEL9 vm (sserafin)
- NO-ISSUE: Update repo to rpm.flightctl.io (Frank A. Zdarsky)
- EDM-2254: fixed quadlets docs, added restore version option (Asaf Ben Natan)
- EDM-1183: Encapsulate template detection logic (Gal Elharar)
- EDM-2171: Update dry run script (Siddarth R)
- EDM-2043: bypass known_hosts check for skip verification (#1602) (Siddarth Royapally)
- EDM-2036: CLI Update Flightctl completion (#1601) (Siddarth Royapally)
- EDM-2211: docs: clarify bootc image building dep (Sam Batschelet)
- EDM-2248: Replace yq dep with jq/pyyaml (Dakota Crowder)
- EDM-2246: Ensure alertmanager-proxy tag is updated from :latest when installing rpm (Dakota Crowder)
- NO-ISSUE: agent: remove stop and unnecessary locking (Sam Batschelet)
- EDM-2088: docs: revert downgrade support (Sam Batschelet)
- EDM-2232: Explicitly set device fields unset by ApplyJSONPatch (Dakota Crowder)
- NO-ISSUE: fixed race condition when stop is called before start is finished on agent (Asaf Ben Natan)
- NO-ISSUE: create clean snap and verify snapshot revert (Asaf Ben Natan)
- EDM-2224: setting awaitingReconnect annotation on ERs based on renderedVersion parameter ( new parameter) (Asaf Ben Natan)
- EDM-2169: ERs marked when restoring (Asaf Ben Natan)
- EDM-1246: Add FIPS validator (Frank A. Zdarsky)
- NO-ISSUE: Fix mismatch in RPM version calculation across builds (#1729) (#1730) (Assaf Albo)
- NO-ISSUE: agent: clarify concurrency model (Sam Batschelet)
- EDM-959: Add documentation for device observability with Telemetry Gateway and otelcol (#1695) (Assaf Albo)
- EDM-552: support for cli format (Asaf Ben Natan)
- EDM-2228: Installation fails when using an external database with sslmode verify-ca (#1716) (Gregory Shilin)
- Bump tj-actions/changed-files from 44 to 46 in /.github/workflows (dependabot[bot])
- EDM-2133: Ensure only valid orgs can be selected in CLI (noga-magen)
- NO-ISSUE: Update base image version to 9.6-1758714456 (#1715) (Assaf Albo)
- NO-ISSUE: LastSeen CLI use "never" not "none" (Avishay Traeger)
- EDM-2016: Credential Challenge documentation (#1709) (kkyrazis)
- EDM-2196: Add AAP details and update org docs (Dakota Crowder)
- NO-ISSUE: Include pkg in unit tests (#1712) (kkyrazis)
- EDM-1659: removing certs intermediate step (#1708) (asafbennatan)
- EDM-2149: Move LastSeen from device status to dedicated subresource (Avishay Traeger)
- NO-ISSUE: Fix race in Redis test (Avishay Traeger)
- EDM-1183: Add comprehensive unit tests for template OCI image validation (Gal Elharar)
- EDM-1659: removing certs intermediate step (Asaf Ben Natan)
- EDM-1659: Restore flightctl-base (asafbss)
- NO-ISSUE: set update status for AwaitingReconnect/ConflictPaused devices (Asaf Ben Natan)
- EDM-1804: Cert Manager with TPM identity support (#1702) (kkyrazis)
- EDM-1917: Update quadlets to pull organizations enabled config (Dakota Crowder)
- EDM-1781: Pass ORGANIZATIONS_ENABLED settings to the UI (Celia Amador)
- NO-ISSUE: Allow to resize the agent-vm disks (Celia Amador)
- EDM-2058:  1.moved AwaitingReconnect-> conflictPaused logic from the replaceDevice api to the GetRenderedDevice api  2.restore now sets a key that marks individual devices as AwaitingRestore , this keeps GetRenderedDevice efficient  3. agent now sends the newest seen version from desired.json - this works across agent restarts as the desired version is parsed on agent startup (Asaf Ben Natan)
- EDM-1804: Add ability to generate Application Identities (#1700) (kkyrazis)
- EDM-1915: Update alert proxy return values (Dakota Crowder)
- EDM-1915: Implement AAP based organization authorization (Dakota Crowder)
- EDM-2100: Gate proxy by org_id filter (Dakota Crowder)
- EDM-1868: Adding multi-org support to Alert Exporter (noga-magen)
- EDM-2195: helm: honor generateSecrets for all secrets (Sam Batschelet)
- EDM-1804: Add TSS2 private key generation (#1689) (kkyrazis)
- EDM-2138: Add support for telemetry gateway for standalone observability (Ori Amizur)
- NO-ISSUE: refactor publisher (Sam Batschelet)
- EDM-2016: internal/agent/identity/tpm: persist cert (Sam Batschelet)
- EDM-2016: TPM Activate Credential Agent Side (#1664) (kkyrazis)
- EDM-2088: rpm upgrade guidance  (#1687) (Ilya)
- EDM-2132:Update Agent rollback logs (#1676) (Siddarth Royapally)
- EDM-2058: added jitter for retries , infinite retry for enrollment requests in case of 5xx , wipe certificate and flightctl-agent service restart in the case of device not found (Asaf Ben Natan)
- EDM-2146: fix grpclog data race; make setting OTel gRPC logger optional Enable SkipSettingGRPCLogger in tests to eliminate -race flakiness. (asafbss)
- EDM-2035: Update Deny CLI help (#1600) (Siddarth Royapally)
- EDM-2145: The SSL certificate implementation for Flight Control's external database support (#1683) (Gregory Shilin)
- EDM-1183: Enhance OCI image reference validation to support template parameters (Gal Elharar)
- NO-ISSUE: fix publish e2e containers - build rpms (Asaf Ben Natan)
- NO-ISSUE: fixing e2e container publishing (Asaf Ben Natan)
- EDM-2160: render on resume (Asaf Ben Natan)
- EDM-830: Add RBAC user role and cluster role tests (Itzik Brown)
- EDM-2090: align DB env vars (#1679) (Ilya)
- EDM-2090: RPM - use systemd macros & upgrade dry run support (#1660) (Ilya)
- EDM-1392: Remove test containerfiles (Gal Elharar)
- NO-ISSUE: Run lint in a container (Avishay Traeger)
- EDM-1967: TPM e2e test (amalykhi)
- EDM-2146: Add integration tests for agent cert provisioning and TG mTLS/forwarding (#1669) (Assaf Albo)
- EDM-2087: add Helm upgrade + db migration dry run docs (#1636) (Ilya)
- EDM-2157: flightctl-db-migration and flightctl-api are in error when installing with an external db (#1673) (Gregory Shilin)
- EDM-2145: Use native Kubernetes Secrets for all DB parameters (#1671) (Gregory Shilin)
- NO-ISSUE: Add isACMRunning return value to isAcmInstalled (Itzik Brown)
- EDM-1803: agent/device/errors: improve IsRetryable (Sam Batschelet)
- NO-ISSUE: wrap the plane logo in a code block for proper rendering in openshift (#1667) (Ilya)
- EDM-1870: enable client and agent deployment from brew build (sserafin)
- EDM-1852: Support for external PostgreSQL Database (#1591) (Gregory Shilin)
- NO-ISSUE: remove dnf update as it is unnecessary (Asaf Ben Natan)
- NO-ISSUE: Add output in case of an error in IsAcmInstalled (Itzik Brown)
- NO-ISSUE: Remove CODEOWNERS until further discussions are held. (Amir Yogev)
- EDM-551: edit command (Asaf Ben Natan)
- NO-ISSUE: CODEOWNERS/internal/agent: add Ori and Kyle (Sam Batschelet)
- NO-ISSUE: fix publish order (Asaf Ben Natan)
- EDM-2137: Support security-related DB connection parameters (#1656) (Gregory Shilin)
- EDM-2139: fixed decommissioning devices are excluded from restore (Asaf Ben Natan)
- NO-ISSUE: internal/agent: add AGENTS.md (Sam Batschelet)
- EDM-2015: Add TPM Manufacturer certs (#1650) (kkyrazis)
- EDM-2016: TPM Activate Credential Service Side (#1637) (kkyrazis)
- EDM-2058: agent/client: add retry transport and RequestHook (Sam Batschelet)
- EDM-1911: Implement JWT specific identity and organization provider (Dakota Crowder)
- NO-ISSUE: agent/device/spec: ensure agent never goes backwards (Sam Batschelet)
- EDM-1264: Postgresql backup strategy (Asaf Ben Natan)
- EDM-830: RBAC Testing an admin role (Itzik Brown)
- EDM-762: automatic helm chart docs generation (Asaf Ben Natan)
- NO-ISSUE: Revert accidental changes to RPM spec (Avishay Traeger)
- EDM-2135: fixed resume command not returning an error (Asaf Ben Natan)
- NO-ISSUE: Don't call migration in organization integration test as it results in permissions issues when future prs change organizations (Dakota Crowder)
- EDM-2098: SELinux - Allow read/write of bin_t domain (Ben Keith)
- EDM-2102: Render device spec upon label changes (Avishay Traeger)
- EDM-2129: configure Redis as in-memory only (Avishay Traeger)
- EDM-1269: worker metrics collection (Avishay Traeger)
- NO-ISSUE: fix deploy target (Asaf Ben Natan)
- EDM-2110: explicit rbac support from openapi.yaml (Asaf Ben Natan)
- EDM-2005: api: add breaking test (Sam Batschelet)
- EDM-2072: add recommended Helm tags, scale some deployments to 0 gracefully (#1622) (Ilya)
- EDM-2001: Performance improvements for steady state scenario (Ori Amizur)
- EDM-2072: db migration dry run hook and other Helm enhancements (#1615) (Ilya)
- EDM-1268: Document Redis Cache Behavior and Failure Scenarios (Avishay Traeger)
- EDM-1265: Enable task execution resilience after Redis restarts (Avishay Traeger)
- EDM-2111: added docs for restore and resume (Asaf Ben Natan)
- EDM-1877 - Telemetry Gateway (OTel-based) (#1595) (Assaf Albo)
- EDM-1949: Fix misleading 'fleet deleted' log for empty selectors when a fleet has an empty selector (Gal Elharar)
- NO-ISSUE: fix restore annotations not being saved properly (Asaf Ben Natan)
- EDM-2104: Add PR check to run previous integration tests against this PR’s migration job (#1603) (Ilya)
- EDM-2107: Improve version format by converting tildes to dashes (Gal Elharar)
- NO-ISSUE: Fix quote syntax error in RPM spec build section (Gal Elharar)
- NO-ISSUE: suitable output for CLI when resuming a single device that doesnt exist (Asaf Ben Natan)
- EDM-2107: Fix missing 'v' prefix in RPM version builds (coderabbit) (Gal Elharar)
- NO-ISSUE: fix restore statuses not taking effect due to lower precedence. (Asaf Ben Natan)
- EDM-2016: Add Activate Credential infra (#1619) (kkyrazis)
- EDM-1032: docs/user/hooks: add shell expansion example for envVar (Sam Batschelet)
- EDM-643: docs/user: add expectations for floating tags (Sam Batschelet)
- NO-ISSUE: fix to e2e RevertToSnapshot function (sserafin)
- EDM-2097: RPM links in flightctl UI of a local deployment are not directly starting the rpm download for a configuration issue (#1606) (Gregory Shilin)
- EDM-2020: fixed group by incorrect (Asaf Ben Natan)
- EDM-2072: db init container + configurable db hostname (#1605) (Ilya)
- NO-ISSUE: small fix to e2e test 79649 (sserafin)
- EDM-1266: Emit event when message reaches MaxRetries (Avishay Traeger)
- EDM-1266: Periodic task to handle failed messages (Avishay Traeger)
- EDM-1266: Consumer groups and retries for Redis provider (Avishay Traeger)
- EDM-1266: Add processID to queue (Avishay Traeger)
- EDM-2103: Support running integration tests with with a configurable migration image (#1594) (Ilya)
- EDM-1986: Enable Source IP binding for the simulator (#1480) (kkyrazis)
- NO-ISSUE: add codeowners (Sam Batschelet)
- EDM-2086: Rollout policy test with label 79649 is failing in OCP (Ori Amizur)
- EDM-2095: Devices not rendered with disruption budget (Ori Amizur)
- NO-ISSUE:  Add unit test to validate that immediateRollout is set correctly when template version is generated (Ori Amizur)
- NO-ISSUE: pull and push e2e images to their own org (Asaf Ben Natan)
- EDM-1962: Don't set a unit service in hooks test (Itzik Brown)
- EDM-2050: db migration dry-run (#1577) (Ilya)
- EDM-2066: add liveness and readiness endpoints, integrate with Helm (#1585) (Ilya)
- EDM-2075: added resume api and cli (Asaf Ben Natan)
- NO-ISSUE: fixed e2e publish (Asaf Ben Natan)
- NO-ISSUE: address nil pointer in login flow (Dakota Crowder)
- EDM-1962: Add a unit parameter to ReadPrimaryVMAgentLogs (Itzik Brown)
- EDM-2079: Enhance login command to allow optional arguments and provide help message (Amir Yogev)
- EDM-2079: Remove API URL validation from login options and update tests to reflect changes (Amir Yogev)
- EDM-1545: Certificate manager infrastructure to flightctl agent (#1382) (Assaf Albo)
- EDM-2079: Enhance CLI error reporting for API URL validation with improved messages and suggestions (Amir Yogev)
- EDM-2079: Fix cli-artifact access when deploying with nodeports (Avishay Traeger)
- EDM-2079: Enhance error messages for API URL validation to handle IPv6 addresses correctly (Amir Yogev)
- EDM-2079: Enhance CLI error reporting for API URL validation and authentication handling (Amir Yogev)
- EDM-2079: Remove 'https' from spelling list (Amir Yogev)
- EDM-2079: Add removed section on using the Flight Control CLI in README (Amir Yogev)
- EDM-2079: Remove redundant CLI troubleshooting section from README (Amir Yogev)
- EDM-2079: Add lowercase 'https' to spelling dictionary for CLI error reporting (Amir Yogev)
- EDM-2079: enhance CLI error messages for API URL validation with clearer descriptions and examples (Amir Yogev)
- EDM-2079: Enhance CLI troubleshooting documentation with additional command examples and formatting improvements (Amir Yogev)
- EDM-2057: added flightctl-restore cmd and relevant services (Asaf Ben Natan)
- EDM-2079: Improve CLI error messages for API URL validation and enhance troubleshooting documentation (Amir Yogev)
- EDM-2078: Enhance CLI error reporting for login command with actionable messages (Amir Yogev)
- EDM-2056: Fix rollout policy test in OCP (sserafin)
- NO-ISSUE: Added rpmlint (#1565) (Gregory Shilin)
- EDM-2059: handling paused / waiting for connection after restore annotations and statuses transitions (Asaf Ben Natan)
- EDM-1911: Add initial docs for service configuration and organizations (Dakota Crowder)
- EDM-1911: Configure keycloak odic provider multi orgs (Dakota Crowder)
- EDM-2061: Return immediate rollout boolean condition (Ori Amizur)
- EDM-1659: e2e-speed-up , snaps vm parallelism support , multi node usage (Asaf Ben Natan)
- EDM-2049: transactional db migration (#1556) (Ilya)
- EDM-1951: Replace callback manager with event-driven (Avishay Traeger)
- EDM-1204: print summary just once when batching (#1546) (Ilya)
- NO-ISSUE: fix file ownership (Asaf Ben Natan)
- EDM-1995: Fix version inconsistency by passing build-args to container builds (Gal Elharar)
- EDM-1995: Fix version inconsistency by passing build-args to container builds (#1549) (Gal)
- EDM-1392: Fix bootc linting issue with tmpfiles.d configuration (Gal Elharar)
- EDM-2022: fix make agent vm - make e2e-agent-images dependent on deploy-e2e-extras (Asaf Ben Natan)
- EDM-1619: Updating Metrics Docs (#1528) (Siddarth Royapally)
- NO-ISSUE: fix publish containers (Asaf Ben Natan)
- EDM-1659: e2e speed up, build files only (Asaf Ben Natan)
- EDM-2004: Fix alertmanager access when deploying with nodeports (Avishay Traeger)
- Replace unsupported dorny/paths-filter with tj-actions/changed-files (#1533) (Gregory Shilin)
- EDM-1845: support embedding OrgID in certificates (#1527) (Ilya)
- EDM-1702: Cleanup and refactoring of periodic checker (Dakota Crowder)
- EDM-1702: Remove static default schedule loop/ticker, config updates (Dakota Crowder)
- EDM-1702: Add a wakeup signal for changes in task scheduling when the scheduler might be sleeping (Dakota Crowder)
- EDM-1702: Simplify handling of publisher / consumer shutdown (Dakota Crowder)
- EDM-1702: Use heap with tighter interval and backoff for publishing tasks (Dakota Crowder)
- EDM-1702: Simplify channel manager / consumer / publisher lifecycle mgmt (Dakota Crowder)
- EDM-1702: Pass org id to executors (Dakota Crowder)
- EDM-1702: Adopt task queue consumer and publisher pattern for periodic tasks split by organization (Dakota Crowder)
- EDM-1937: fix rollout disruption budget in ocp (sserafin)
- EDM-1997: Annotate alerts with the event message (Avishay Traeger)
- EDM-1996: Emit single event for disconnected device (Avishay Traeger)
- EDM-1992: Agent SystemInfo smart collection (#1526) (kkyrazis)
- EDM-1476: add Events validation TCs (amalykhi)
- EDM-799:Decommission test CLI (Samuel de la Cruz)
- EDM-799:Decommission test CLI (Samuel de la Cruz)
- EDM-1821: test pass (Asaf Ben Natan)
- EDM-1821: added monitoring validation (Asaf Ben Natan)
- EDM-1993: Add restart configuration and polling for generated certificate files (Dakota Crowder)
- NO-ISSUE: publisher: call stop() before wg.Done() to fix flaky cancellation test (#1524) (Ilya)
- NO-ISSUE: Fix broken link in docs (Avishay Traeger)
- EDM-1987: Disallow label updates for owned fleets (Avishay Traeger)
- EDM-1712: fixed stuff based on PR reviews (Asaf Ben Natan)
- EDM-1712: Migrate HTTP metrics to OTEL (#1489) (Siddarth Royapally)
- EDM-1712: added tests renamed to domain metrics (asafbss)
- EDM-1845: signer refactoring: avoid parsing CSR multiple times, decouple from API layer (Ilya)
- EDM-1938: agent/dependency: ensure partial layer pull cleanup (Sam Batschelet)
- EDM-1818: Prefetch Manager Config Docs (#1514) (kkyrazis)
- EDM-1058: docs/user: add TPM related docs (Sam Batschelet)
- EDM-1058: internal/agent: small TPM api update (Sam Batschelet)
- EDM-1058: internal/service: refactor TPM csr logic (Sam Batschelet)
- EDM-1058: internal/tpm: ensure chain validaition (Sam Batschelet)
- NO-ISSUE: Event fixes (Avishay Traeger)
- EDM-1170: Fix Makefile (#1490) (Siddarth Royapally)
- EDM-799:Decommission test CLI (Samuel de la Cruz)
- EDM-799:Decommission test CLI (Samuel de la Cruz)
- EDM-799:Decommission test CLI (Samuel de la Cruz)
- EDM-1946: labels endpoint with field-selector=metadata.labels returns error 400 (#1495) (noga-magen)
- EDM-1058: internal/tpm: ensure conditions are maintained during approval (Sam Batschelet)
- EDM-1058: Fix simulator tests and flush key bug (Kyle Kyrazis)
- EDM-1058: Testing TPM Ownership Auth (Kyle Kyrazis)
- EDM-1058: Implement TPM-rooted device identities (Sam Batschelet)
- EDM-1869: Add missing events (Avishay Traeger)
- NO-ISSUE: reverting EDM-1871 (noga-magen)
- EDM-626: Add Git support for test harness (#1328) (Siddarth Royapally)
- EDM-1958: Fix Device UpdateStatus event panics (#1482) (kkyrazis)
- NO-ISSUE: Add io.openshift.tags to db-setup container (#1486) (Assaf Albo)
- EDM-1170: Auto-discover VM IP for agent updates (#1393) (Siddarth Royapally)
- EDM-1845: middleware agent cert OrgID support (#1471) (Ilya)
- NO-ISSUE: no need to keep rpms in gh-pages (#1477) (Gregory Shilin)
- EDM-1952: Add middlewares alertmanager proxy (Avishay Traeger)
- EDM-1838: deny DELETE ER  when device exists (#1415) (Ilya)
- NO-ISSUE: fix version generation for COPR for release (#1468) (Gregory Shilin)
- EDM-1944: setting Enforcing selinux in microshift registartion E2E test (sserafin)
- EDM-1942: Redact passwords when config is logged (Dakota Crowder)
- EDM-1936: Fix Router group order to make auth/validate reachable (rawagner)
- EDM-1846: orgs cli support (#1424) (Ilya)
- NO-ISSUE: Add VM_DISK_SIZE_INC to set the disk size increment in vm (Itzik Brown)
- EDM-1766: Small SELinux Related Tweaks (Ben Keith)

* Wed Nov 26 2025 Dakota Crowder <dcrowder@redhat.com> - 1.0-1
- Adding certificate generation service
* Mon Nov 17 2025 Dakota Crowder <dcrowder@redhat.com> - 1.0-1
- Refactoring quadlet install, add standalone utils
* Wed Nov 12 2025 Ben Keith <bkeith@redhat.com> - 1.0-1
- Make observability and telemetry-gateway packages require services package
* Mon Oct 27 2025 Dakota Crowder <dcrowder@redhat.com> - 1.0-1
- Add must-gather script for the services sub package
* Wed Oct 8 2025 Ilya Skornyakov <iskornya@redhat.com> - 0.10.0
- Add pre-upgrade database migration dry-run capability
* Tue Jul 15 2025 Sam Batschelet <sbatsche@redhat.com> - 0.9.0-2
- Improve selinux policy deps and install
* Sun Jul 6 2025 Ori Amizur <oamizur@redhat.com> - 0.9.0-1
- Add support for Flight Control standalone observability stack
* Tue Apr 15 2025 Dakota Crowder <dcrowder@redhat.com> - 0.6.0-4
- Add ability to create an AAP Oauth Application within flightctl-services sub-package
* Fri Apr 11 2025 Dakota Crowder <dcrowder@redhat.com> - 0.6.0-3
- Add versioning to container images within flightctl-services sub-package
* Thu Apr 3 2025 Ori Amizur <oamizur@redhat.com> - 0.6.0-2
- Add sos report plugin support
* Mon Mar 31 2025 Dakota Crowder <dcrowder@redhat.com> - 0.6.0-1
- Add services sub-package for installation of containerized flightctl services
* Fri Feb 7 2025 Miguel Angel Ajo <majopela@redhat.com> - 0.4.0-1
- Add selinux support for console pty access
* Mon Nov 4 2024 Miguel Angel Ajo <majopela@redhat.com> - 0.3.0-1
- Move the Release field to -1 so we avoid auto generating packages
  with -5 all the time.
* Wed Aug 21 2024 Sam Batschelet <sbatsche@redhat.com> - 0.0.1-5
- Add must-gather script to provide a simple mechanism to collect agent debug
* Wed Aug 7 2024 Sam Batschelet <sbatsche@redhat.com> - 0.0.1-4
- Add basic greenboot support for failed flightctl-agent service
* Wed Mar 13 2024 Ricardo Noriega <rnoriega@redhat.com> - 0.0.1-3
- New specfile for both CLI and agent packages