chore(helm): releasing v1.0.0

chore(kustomize): releasing v1.0.0
feat(docs): conformance for v1.30
2026-02-23 14:23:56 +00:00 · 2024-06-28 10:50:18 +02:00 · 2024-06-28 10:50:18 +02:00 · 2024-06-27 16:26:57 +02:00 · 2024-06-27 16:26:57 +02:00 · 2024-06-27 11:38:41 +02:00
175 changed files with 20047 additions and 6592 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -14,12 +14,12 @@ jobs:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v3
        with:
-          go-version: '1.19'
+          go-version: '1.22'
          check-latest: true
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v3.2.0
        with:
-          version: v1.49.0
+          version: v1.54.2
          only-new-issues: false
          args: --timeout 5m --config .golangci.yml
  diff:
@@ -31,7 +31,7 @@ jobs:
          fetch-depth: 0
      - uses: actions/setup-go@v3
        with:
-          go-version: '1.19'
+          go-version: '1.22'
          check-latest: true
      - run: make yaml-installation-file
      - name: Checking if YAML installer file is not aligned
--- a/.github/workflows/docker-ci.yml
+++ b/.github/workflows/docker-ci.yml
@@ -12,12 +12,14 @@ jobs:

      - name: Checkout
        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0

      - name: Generate build-args
        id: build-args
        run: |
          # Declare vars for internal use
-          VERSION=$(git describe --abbrev=0 --tags)
+          VERSION=$(make get_version)
          GIT_HEAD_COMMIT=$(git rev-parse --short HEAD)
          GIT_TAG_COMMIT=$(git rev-parse --short $VERSION)
          GIT_MODIFIED_1=$(git diff $GIT_HEAD_COMMIT $GIT_TAG_COMMIT --quiet && echo "" || echo ".dev")
@@ -85,7 +87,13 @@ jobs:
          platforms: linux/amd64,linux/arm64,linux/arm
          push: true
          tags: ${{ steps.meta.outputs.tags }}
-          build-args:
+          build-args: |
+            GIT_LAST_TAG=${{ env.GIT_LAST_TAG }}
+            GIT_HEAD_COMMIT=${{ env.GIT_HEAD_COMMIT }}
+            GIT_TAG_COMMIT=${{ env.GIT_TAG_COMMIT }}
+            GIT_MODIFIED=${{ env.GIT_MODIFIED }}
+            GIT_REPO=${{ env.GIT_REPO }}
+            BUILD_DATE=${{ env.BUILD_DATE }}

      - name: Image digest
        run: echo ${{ steps.build-release.outputs.digest }}
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -13,6 +13,7 @@ on:
      - 'main.go'
      - 'Makefile'
      - 'internal/**'
+      - 'cmd/**'
  pull_request:
    branches: [ "*" ]
    paths:
@@ -25,6 +26,7 @@ on:
      - 'main.go'
      - 'Makefile'
      - 'internal/**'
+      - 'cmd/**'

 jobs:
  kind:
@@ -36,7 +38,7 @@ jobs:
          fetch-depth: 0
      - uses: actions/setup-go@v3
        with:
-          go-version: '1.19'
+          go-version: '1.22'
          check-latest: true
      - run: |
          sudo apt-get update
--- a/.gitignore
+++ b/.gitignore
@@ -24,10 +24,16 @@ bin
 *~
 .vscode

+# Tilt files.
+.tiltbuild
+
 **/*.kubeconfig
 **/*.crt
 **/*.key
 **/*.pem
 **/*.csr
-**/server-csr.json
 .DS_Store
+
+**/server-csr.json
+!deploy/kine/mysql/server-csr.json
+!deploy/kine/nats/server-csr.json
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -3,7 +3,7 @@ linters-settings:
    sections:
      - standard
      - default
-      - prefix(github.com/clastix/kamaji)
+      - prefix(github.com/clastix/kamaji/)
  goheader:
    template: |-
      Copyright 2022 Clastix Labs
@@ -11,6 +11,7 @@ linters-settings:

 linters:
  disable:
+    - depguard
    - wrapcheck
    - gomnd
    - scopelint
@@ -36,6 +37,8 @@ linters:
    - funlen
    - dupl
    - cyclop
+    - gocognit
+    - nestif
    # deprecated linters
    - deadcode
    - golint
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -0,0 +1,28 @@
+# Adopters
+
+This is a list of companies that have adopted Kamaji.
+Feel free to open a Pull-Request to get yours listed.
+
+### Adopter list (alphabetically)
+
+| Type | Name | Since | Website | Use-Case |
+|:-|:-|:-|:-|:-|
+| Vendor | DCloud | 2024 | [link](https://dcloud.co.id) | DCloud is an Indonesian Cloud Provider using Kamaji to build and offer [Managed Kubernetes Service](https://dcloud.co.id/dkubes.html). |
+| End-user | Sicuro Tech Lab | 2024 | [link](https://sicurotechlab.it/) | Sicuro Tech Lab offers cloud infrastructure for Web Agencies and uses kamaji to provide managed k8s services. |
+| R&D | TIM | 2024 | [link](https://www.gruppotim.it) | TIM is an Italian telecommunications company using Kamaji for experimental research and development purposes. |
+| End-user | KINX | 2024 | [link](https://kinx.net/?lang=en) | KINX is an Internet infrastructure service provider and will use kamaji for its new [Managed Kubernetes Service](https://kinx.net/service/cloud/kubernetes/intro/?lang=en). |
+| End-user | sevensphere | 2023 | [link](https://www.sevensphere.io) | Sevensphere provides consulting services for end-user companies / cloud providers and uses Kamaji for designing cloud/on-premises Kubernetes-as-a-Service platform. |
+| Vendor | Ænix | 2023 | [link](https://aenix.io/) | Ænix provides consulting services for cloud providers and uses Kamaji for running Kubernetes-as-a-Service in free PaaS platform [Cozystack](https://cozystack.io). |
+| Vendor | Netsons | 2023 | [link](https://www.netsons.com) | Netsons is an Italian hosting and cloud provider and uses Kamaji in its [Managed Kubernetes](https://www.netsons.com/kubernetes) offering. |
+| Vendor | Aknostic | 2023 | [link](https://aknostic.com) | Aknostic is a cloud-native consultancy company using Kamaji to build a Kubernetes based PaaS. |
+
+
+### Adopter Types
+
+**End-user**: The organization runs Kamaji in production in some way.
+
+**Integration**: The organization has a product that integrates with Kamaji, but does not contain Kamaji.
+
+**Vendor**: The organization packages Kamaji in their product and sells it as part of their product.
+
+**R&D**: Company that exploring innovative technologies  and solutions for research and development purposes.
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.19 as builder
+FROM golang:1.22 as builder

 WORKDIR /workspace
 # Copy the Go Modules manifests
--- a/30
+++ b/30
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.3.0
+VERSION ?= 1.0.0

 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
@@ -85,11 +85,11 @@ kind: ## Download kind locally if necessary.

 CONTROLLER_GEN = $(shell pwd)/bin/controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.11.4)
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.14.0)

 GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
 golangci-lint: ## Download golangci-lint locally if necessary.
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@v1.49.0)
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.2)

 KUSTOMIZE = $(shell pwd)/bin/kustomize
 kustomize: ## Download kustomize locally if necessary.
@@ -132,7 +132,11 @@ datastore-postgres:
 	$(MAKE) NAME=gold _datastore-postgres

 _datastore-etcd:
-	$(HELM) upgrade --install etcd-$(NAME) clastix/kamaji-etcd --create-namespace -n etcd-system --set datastore.enabled=true
+	$(HELM) upgrade --install etcd-$(NAME) clastix/kamaji-etcd --create-namespace -n etcd-system --set datastore.enabled=true --set fullnameOverride=etcd-$(NAME)
+
+_datastore-nats:
+	$(MAKE) NAME=$(NAME) NAMESPACE=nats-system -C deploy/kine/nats nats
+	kubectl apply -f $(shell pwd)/config/samples/kamaji_v1alpha1_datastore_nats_$(NAME).yaml

 datastore-etcd: helm
 	$(HELM) repo add clastix https://clastix.github.io/charts
@@ -141,7 +145,15 @@ datastore-etcd: helm
 	$(MAKE) NAME=silver _datastore-etcd
 	$(MAKE) NAME=gold _datastore-etcd

-datastores: datastore-mysql datastore-etcd datastore-postgres ## Install all Kamaji DataStores with multiple drivers, and different tiers.
+datastore-nats: helm
+	$(HELM) repo add nats https://nats-io.github.io/k8s/helm/charts/
+	$(HELM) repo update
+	$(MAKE) NAME=bronze _datastore-nats
+	$(MAKE) NAME=silver _datastore-nats
+	$(MAKE) NAME=gold _datastore-nats
+	$(MAKE) NAME=notls _datastore-nats
+
+datastores: datastore-mysql datastore-etcd datastore-postgres datastore-nats ## Install all Kamaji DataStores with multiple drivers, and different tiers.

 ##@ Build

@@ -154,6 +166,10 @@ GIT_MODIFIED    ?= $$(echo "$(GIT_MODIFIED_1)$(GIT_MODIFIED_2)")
 GIT_REPO        ?= $$(git config --get remote.origin.url)
 BUILD_DATE      ?= $$(git log -1 --format="%at" | xargs -I{} date -d @{} +%Y-%m-%dT%H:%M:%S)

+.PHONY: get_version
+get_version:
+	@echo -n v$(VERSION)
+
 build: generate fmt vet ## Build manager binary.
 	go build -o bin/manager main.go

@@ -165,7 +181,7 @@ docker-build: ## Build docker image with the manager.
 		--build-arg GIT_TAG_COMMIT=$(GIT_TAG_COMMIT) \
 		--build-arg GIT_MODIFIED=$(GIT_MODIFIED) \
 		--build-arg GIT_REPO=$(GIT_REPO) \
-		--build-arg GIT_LAST_TAG=$(VERSION) \
+		--build-arg GIT_LAST_TAG=v$(VERSION) \
 		--build-arg BUILD_DATE=$(BUILD_DATE)

 docker-push: ## Push docker image with the manager.
@@ -291,7 +307,7 @@ env:

 .PHONY: e2e
 e2e: env load helm ginkgo cert-manager ## Create a KinD cluster, install Kamaji on it and run the test suite.
-	$(HELM) upgrade --debug --install kamaji ./charts/kamaji --create-namespace --namespace kamaji-system --set "image.pullPolicy=Never"
+	$(HELM) upgrade --debug --install kamaji ./charts/kamaji --create-namespace --namespace kamaji-system --set "image.pullPolicy=Never" --set "telemetry.disabled=true"
 	$(MAKE) datastores
 	$(GINKGO) -v ./e2e

--- a/README.md
+++ b/README.md
@@ -3,66 +3,158 @@
 <p align="left">
  <img src="https://img.shields.io/github/license/clastix/kamaji"/>
  <img src="https://img.shields.io/github/go-mod/go-version/clastix/kamaji"/>
-  <a href="https://github.com/clastix/kamaji/releases">
-    <img src="https://img.shields.io/github/v/release/clastix/kamaji"/>
-    <img src="https://goreportcard.com/badge/github.com/clastix/kamaji">
-  </a>
+  <a href="https://github.com/clastix/kamaji/releases"><img src="https://img.shields.io/github/v/release/clastix/kamaji"/></a>
+  <img src="https://goreportcard.com/badge/github.com/clastix/kamaji">
+  <a href="https://kubernetes.slack.com/archives/C03GLTTMWNN"><img alt="#kamaji on Kubernetes Slack" src="https://img.shields.io/badge/slack-@kubernetes/kamaji-blue.svg?logo=slack"/></a>
 </p>

 ![Logo](assets/logo-black.png#gh-light-mode-only)
 ![Logo](assets/logo-white.png#gh-dark-mode-only)

-**Kamaji** deploys and operates **Kubernetes Control Plane** at scale with a fraction of the operational burden. Kamaji is special because the Control Plane components are running in a single pod instead of dedicated machines. This solution makes running multiple Control Planes cheaper and easier to deploy and operate.
+### 🤔 What is Kamaji?

-<img src="docs/content/images/architecture.png"  width="600">
+**Kamaji** is a **Kubernetes Control Plane Manager** leveraging on the concept of [**Hosted Control Plane**](https://clastix.io/post/the-raise-of-hosted-control-plane-in-kubernetes/).

-## Features
+Kamaji's approach is based on running the Kubernetes Control Plane components in Pods instead of dedicated machines.
+This allows operating Kubernetes clusters at scale, with a fraction of the operational burden.
+Thanks to this approach, running multiple Control Planes can be cheaper and easier to deploy and operate.

- **Self Service Kubernetes:** leave users the freedom to self-provision their Kubernetes clusters according to the assigned boundaries.
- **Multi-cluster Management:** centrally manage multiple clusters from a single admin cluster. Happy SREs. 
- **Cheaper Control Planes:** place multiple control planes on a single node, instead of having three nodes for a single control plane.
- **Stronger Multi-Tenancy:** leave users to access the control plane with admin permissions while keeping them isolated at the infrastructure level.
- **Kubernetes Inception:** use Kubernetes to manage Kubernetes by re-using all the Kubernetes goodies you already know and love.
- **Full APIs compliant:** all clusters are CNCF compliant built with upstream Kubernetes binaries
+_Kamaji is like a fleet of Site Reliability Engineers with expertise codified into its logic, working 24/7 to keep up and running your Control Planes._

-## Roadmap
+<img src="docs/content/images/architecture.png"  width="600" style="display: block; margin: 0 auto">
+
+### 📖 How it works
+
+Kamaji is extending the Kubernetes API capabilities thanks to [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions).
+
+By installing Kamaji, two pairs of new APIs will be available:
+
+- `TenantControlPlane`, the instance definition of your desired Kubernetes Control Plane
+- `Datastore`, the backing store used by one (or more) `TenantControlPlane`
+
+The `TenantControlPlane` (short-named as `tcp`) objects are Namespace-scoped and allows configuring every aspect of your desired Control Plane.
+Besides the Kubernetes configuration values, you can specify the Pod options such as limit, request, tolerations, node selector, etc.,
+as well as how these should be exposed (e.g.: using a `ClusterIP`, a `LoadBalancer`, or a `NodePort`).
+
+The `TenantControlPlane` is the stateless definition of the Control Plane allowing to set up the required components for a full-fledged Kubernetest cluster.
+The state is managed by the `Datastore` API, a cluster-scoped resource which can hold the data of one or more Kubernetes clusters.
+
+> For further information about the API specifications and all the available options,
+> refer to the official [API reference](https://kamaji.clastix.io/reference/api/#tenantcontrolplane).
+
+### ⭐️ Main features
+
+- **Fast provisioning time**: depending on the infrastructure, Tenant Control Planes are up and ready to serve traffic in **16 seconds**.
+- **Streamlined update**: the rollout to a new Kubernetes version for a given Tenant Control Plane takes just **10 seconds**, with a Blue/Green deployment to avoid serving mixed Kubernetes versions.
+- **Resource optimization**: thanks to the Datastore decoupling, there's no need of odd number instances (e.g.: RAFT consensus) by allowing to save up to 60% of HW resources.
+- **Scale from zero to the moon**: scale down the instance when there's no usage, or automatically scale to support the traffic spikes reusing the Kubernetes patterns.
+- **Declarative approach, constant reconciliation**: thanks to the Operator pattern, drift detection happens in real-time, maintaining the desired state.
+- **Automated certificates management**: Kamaji leverages on `kubeadm` and the certificates are automatically created and rotated for you.
+- **Managing core addons**: Kamaji allows configuring automatically `kube-proxy`, `CoreDNS`, and `konnectivity`, with automatic remediation in case of user errors (e.g.: deleting the `CoreDNS` deployment).
+- **Auto Healing**: the `TenantControlPlane` objects in the management cluster are tracked by Kamaji, in case of deletion of those, everything is created in an idempotent way.
+- **Datastore multi-tenancy**: optionally, Kamaji allows running multiple Control Planes on the same _Datastore_ instance leveraging on the multi-tenancy of each driver, decreasing operations and optimizing costs.
+- **Overcoming `etcd` limitations**: optionally, Kamaji allows using a different _Datastore_ thanks to [`kine`](https://github.com/k3s-io/kine) by supporting `MySQL`, `PostgreSQL`, or `NATS` as an alternative.
+- **Simplifying mixed-networks setup**: thanks to [`Konnectivity`](https://kubernetes.io/docs/tasks/extend-kubernetes/setup-konnectivity/),
+  the Tenant Control Plane is connected to the worker nodes hosted in a different network, overcoming the no-NAT availability when dealing with nodes with a non routable IP address
+  (e.g.: worker nodes in a different infrastructure).
+
+### 🚀 Use cases
+
+- [**Creating a private Managed Kubernetes Service**](https://clastix.io/post/netsons-builds-a-managed-kubernetes-service-with-kamaji-and-open-stack/)
+- [**Building a Platform as a Service**](https://aenix.io/cozystack/)
+- [**Overcoming public Managed Kubernetes Services**](https://clastix.io/post/overcoming-eks-limitations-with-kamaji-on-aws/) such as EKS
+- [**Hybrid infrastructures**](https://clastix.io/post/bridging-the-gap-hybrid-kubernetes-clusters-with-remote-control-planes/):
+  host the Control Plane on the Cloud and worker nodes on prem or vice-versa, according to your needs.
+- [**Kubernetes at the edge**](https://clastix.io/post/edgevolution-unleashing-the-power-of-kubernetes-clusters-for-a-revolutionary-edge-computing-experience/):
+  take full advantage of the _Kubernetes API Server as a service_ paradigm.
+- **Kubernetes Control Plane as a Service:** centrally manage multiple Kubernetes clusters from a single management point (_Multi-Cluster management_). 
+- **High-density Control Plane:** place multiple control planes on the same infrastructure, instead of having dedicated machines for each control plane.
+- **Strong Multi-tenancy:** leave users to access the control plane with admin permissions while keeping them isolated at the infrastructure level.
+- **Kubernetes Inception:** use Kubernetes to manage Kubernetes with automation, high-availability, fault tolerance, and autoscaling out of the box. 
+- **Bring Your Own Device:** keep the control plane isolated from data plane. Worker nodes can join and run consistently from everywhere: cloud, edge, and data-center.
+- **Full CNCF compliant:** all clusters are built with upstream Kubernetes binaries, resulting in full CNCF compliant Kubernetes clusters.
+
+> 🤔 You'd like to do the same but don't know how?
+> 💡 [CLASTIX](https://clastix.io/) can help you with your needs!
+
+### 🧑‍💻‍ Production grade
+
+Kamaji is empowering several businesses, and it counts public adopters.
+Check out the [adopters](./ADOPTERS.md) file to learn more.
+
+> 🤗 If you're using Kamaji, share your love by opening a PR!
+
+### 🍦 Vanilla Kubernetes clusters
+
+Kamaji is **not** yet-another-Kubernetes distribution: you have full freedom on the technology stack to provide to end users.
+Kamaji is a perfect fit for Platform Engineering, hiding the complexity of the Control Plane management to developers and DevOps engineers.
+
+The provided Kubernetes Control Planes are [CNCF compliant clusters](https://kamaji.clastix.io/reference/conformance/).
+
+<img src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/certified-kubernetes/versionless/color/certified-kubernetes-color.png" style="display: block; width: 75px; margin: 0 auto">
+
+### 🐢 Cluster API support
+
+Kamaji is **not** a [Cluster API](https://cluster-api.sigs.k8s.io/) replacement, rather, it plays very well with it.
+
+Since Kamaji is just focusing on the Control Plane a [Kamaji's Cluster API Control Plane provider](https://github.com/clastix/cluster-api-control-plane-provider-kamaji) has been developed.
+
+### 🛣️ Roadmap

 - [x] Dynamic address on Load Balancer
 - [x] Zero Downtime Tenant Control Plane upgrade
- [x] Join worker nodes from anywhere
- [x] Alternative datastore MySQL and PostgreSQL
- [x] Pool of multiple datastores
- [x] Seamless migration between datastores
+- [x] [Join worker nodes from anywhere thanks to Konnectivity](https://kamaji.clastix.io/concepts/#konnectivity)
+- [x] [Alternative datastore MySQL, PostgreSQL, NATS](https://kamaji.clastix.io/guides/alternative-datastore/)
+- [x] [Pool of multiple datastores](https://kamaji.clastix.io/concepts/#datastores)
+- [x] [Seamless migration between datastores](https://kamaji.clastix.io/guides/datastore-migration/)
 - [ ] Automatic assignment to a datastore
 - [ ] Autoscaling of Tenant Control Plane
- [ ] Provisioning through Cluster APIs
+- [x] [Provisioning through Cluster APIs](https://github.com/clastix/cluster-api-control-plane-provider-kamaji)
 - [ ] Terraform provider
- [ ] Custom Prometheus metrics for monitoring and alerting
+- [ ] Custom Prometheus metrics

+### 🎥 Multimedia

-## Documentation
-Please, check the project's [documentation](https://kamaji.clastix.io/) for getting started with Kamaji.
+- Playlist ▶️ [Tutorials and How-Tos by Dario Tranchitella, CLASTIX](https://www.youtube.com/playlist?list=PLjiUjoV4Ws_3pNsUpTXI-KKk731nD2MQY)
+- YouTube ▶️ [Metal³ provisioning with Kamaji Hosted Control Planes by Huy Mai, Ericsson](https://youtu.be/u9sbURj6jXY?t=10536)
+- YouTube ▶️ [Hands-on introduction to Kamaji](https://www.youtube.com/watch?v=HhevxwQWQ88)
+- YouTube ▶️ [Scaling Kubernetes up to 1,000 Control Planes](https://www.youtube.com/watch?v=W_HXRXJh96U)
+- YouTube ▶️ [Equinix, Kamaji, and Cluster API](https://www.youtube.com/watch?v=TLBTqROj_wA)
+- YouTube ▶️ [Rancher & Kamaji: solving multitenancy challenges in the Kubernetes world](https://www.youtube.com/watch?v=VXHNrMmlF8U)
+- YouTube ▶️ [Enabling Self-Service Kubernetes clusters with Kamaji and Paralus](https://www.youtube.com/watch?v=JWA2LwZazM0)

-## Contributions
-Kamaji is Open Source with Apache 2 license and any contribution is welcome. Open an issue or suggest an enhancement on the GitHub [project's page](https://github.com/clastix/kamaji). Join the [Kubernetes Slack Workspace](https://slack.k8s.io/) and the [`#kamaji`](https://kubernetes.slack.com/archives/C03GLTTMWNN) channel to meet end-users and contributors.
+### 🏷️ Versioning

-## FAQs
-Q. What does Kamaji mean?
+Versioning adheres to the [Semantic Versioning](http://semver.org/) principles.
+A full list of the available releases is available in the GitHub repository's [**Release** section](https://github.com/clastix/kamaji/releases).

-A. Kamaji is named as the character _Kamaji_ from the Japanese movie [_Spirited Away_](https://en.wikipedia.org/wiki/Spirited_Away).
+### 📄 Documentation

-Q. Is Kamaji another Kubernetes distribution?
+Further documentation can be found on the official [Kamaji documentation website](https://kamaji.clastix.io/).

-A. No, Kamaji is a Kubernetes Operator you can install on top of any Kubernetes cluster to provide hundreds or thousands of managed Kubernetes clusters as a service. We tested Kamaji on vanilla Kubernetes 1.22+, KinD, and Azure AKS. We expect it to work smoothly on other Kubernetes distributions. The tenant clusters made with Kamaji are conformant CNCF Kubernetes clusters as we leverage [`kubeadm`](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/).
+### 🤝 Contributions

-Q. Is it safe to run Kubernetes control plane components in a pod instead of dedicated virtual machines?
+Contributions are highly appreciated and very welcomed!

-A. Yes, the tenant control plane components are packaged in the same way they are running in bare metal or virtual nodes. We leverage the `kubeadm` code to set up the control plane components as they were running on their own server. The unchanged images of upstream `kube-apiserver`, `kube-scheduler`, and `kube-controller-manager` are used.
+In case of bugs, please, check if the issue has been already opened by checking the [GitHub Issues](https://github.com/clastix/kamaji/issues) section.
+In case it isn't, you can open a new one: a detailed report will help us to replicate it, assess it, and work on a fix.

-Q. You already provide a Kubernetes multi-tenancy solution with [Capsule](https://capsule.clastix.io). Why does Kamaji matter?
+You can express your intention in working on the fix on your own.
+The commit messages are checked according to the described [semantics](https://github.com/projectcapsule/capsule/blob/main/CONTRIBUTING.md#semantics).
+Commits are used to generate the changelog, and their author will be referenced in it.

-A. A multi-tenancy solution, like Capsule shares the Kubernetes control plane among all tenants keeping tenant namespaces isolated by policies. While the solution is the right choice by balancing between features and ease of usage, there are cases where a tenant user requires access to the control plane, for example, when a tenant requires to manage CRDs on his own. With Kamaji, you can provide cluster admin permissions to the tenant.
+In case of **✨ Feature Requests** please use the [Discussion's Feature Request section](https://github.com/clastix/kamaji/discussions/categories/feature-requests).

-Q. Well you convinced me, how to get a try?
+### 📝 License

-A. It is possible to get started with Kamaji on a laptop with [KinD](getting-started.md) installed.
+The Kamaji Cluster API Control Plane provider is licensed under Apache 2.0.
+The code is provided as-is with no warranties.
+
+### 🛟 Commercial Support
+
+![CLASTIX](https://avatars.githubusercontent.com/u/39170129?s=50&v=4) [CLASTIX](https://clastix.io/) is the commercial company behind Kamaji and the Cluster API Control Plane provider.
+
+If you're looking to run Kamaji in production and would like to learn more, **CLASTIX** can help by offering [Open Source support plans](https://clastix.io/support),
+as well as providing a comprehensive Enterprise Platform named [CLASTIX Enterprise Platform](https://clastix.cloud/), built on top of the Kamaji and [Capsule](https://capsule.clastix.io/) project (now donated to CNCF as a Sandbox project).
+
+Feel free to get in touch with the provided [Contact form](https://clastix.io/contact).
--- a/api/v1alpha1/datastore_types.go
+++ b/api/v1alpha1/datastore_types.go
@@ -8,7 +8,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-// +kubebuilder:validation:Enum=etcd;MySQL;PostgreSQL
+// +kubebuilder:validation:Enum=etcd;MySQL;PostgreSQL;NATS

 type Driver string

@@ -16,6 +16,7 @@ var (
 	EtcdDriver           Driver = "etcd"
 	KineMySQLDriver      Driver = "MySQL"
 	KinePostgreSQLDriver Driver = "PostgreSQL"
+	KineNatsDriver       Driver = "NATS"
 )

 // +kubebuilder:validation:MinItems=1
@@ -33,7 +34,8 @@ type DataStoreSpec struct {
 	// This value is optional.
 	BasicAuth *BasicAuth `json:"basicAuth,omitempty"`
 	// Defines the TLS/SSL configuration required to connect to the data store in a secure way.
-	TLSConfig TLSConfig `json:"tlsConfig"`
+	// This value is optional.
+	TLSConfig *TLSConfig `json:"tlsConfig,omitempty"`
 }

 // TLSConfig contains the information used to connect to the data store using a secured connection.
@@ -42,7 +44,7 @@ type TLSConfig struct {
 	// The key reference is required since etcd authentication is based on certificates, and Kamaji is responsible in creating this.
 	CertificateAuthority CertKeyPair `json:"certificateAuthority"`
 	// Specifies the SSL/TLS key and private key pair used to connect to the data store.
-	ClientCertificate ClientCertificate `json:"clientCertificate"`
+	ClientCertificate *ClientCertificate `json:"clientCertificate,omitempty"`
 }

 type ClientCertificate struct {
--- a/api/v1alpha1/indexer_datastore_usedsecret.go
+++ b/api/v1alpha1/indexer_datastore_usedsecret.go
@@ -43,20 +43,22 @@ func (d *DatastoreUsedSecret) ExtractValue() client.IndexerFunc {
 			}
 		}

-		if ds.Spec.TLSConfig.CertificateAuthority.Certificate.SecretRef != nil {
-			res = append(res, d.namespacedName(*ds.Spec.TLSConfig.CertificateAuthority.Certificate.SecretRef))
-		}
+		if ds.Spec.TLSConfig != nil {
+			if ds.Spec.TLSConfig.CertificateAuthority.Certificate.SecretRef != nil {
+				res = append(res, d.namespacedName(*ds.Spec.TLSConfig.CertificateAuthority.Certificate.SecretRef))
+			}

-		if ds.Spec.TLSConfig.CertificateAuthority.PrivateKey != nil && ds.Spec.TLSConfig.CertificateAuthority.PrivateKey.SecretRef != nil {
-			res = append(res, d.namespacedName(*ds.Spec.TLSConfig.CertificateAuthority.PrivateKey.SecretRef))
-		}
+			if ds.Spec.TLSConfig.CertificateAuthority.PrivateKey != nil && ds.Spec.TLSConfig.CertificateAuthority.PrivateKey.SecretRef != nil {
+				res = append(res, d.namespacedName(*ds.Spec.TLSConfig.CertificateAuthority.PrivateKey.SecretRef))
+			}

-		if ds.Spec.TLSConfig.ClientCertificate.Certificate.SecretRef != nil {
-			res = append(res, d.namespacedName(*ds.Spec.TLSConfig.ClientCertificate.Certificate.SecretRef))
-		}
+			if ds.Spec.TLSConfig.ClientCertificate.Certificate.SecretRef != nil {
+				res = append(res, d.namespacedName(*ds.Spec.TLSConfig.ClientCertificate.Certificate.SecretRef))
+			}

-		if ds.Spec.TLSConfig.ClientCertificate.PrivateKey.SecretRef != nil {
-			res = append(res, d.namespacedName(*ds.Spec.TLSConfig.ClientCertificate.PrivateKey.SecretRef))
+			if ds.Spec.TLSConfig.ClientCertificate.PrivateKey.SecretRef != nil {
+				res = append(res, d.namespacedName(*ds.Spec.TLSConfig.ClientCertificate.PrivateKey.SecretRef))
+			}
 		}

 		return res
--- a/api/v1alpha1/tenantcontrolplane_types.go
+++ b/api/v1alpha1/tenantcontrolplane_types.go
@@ -108,7 +108,7 @@ type DeploymentSpec struct {
 	// +kubebuilder:default={registry:"registry.k8s.io",apiServerImage:"kube-apiserver",controllerManagerImage:"kube-controller-manager",schedulerImage:"kube-scheduler"}
 	RegistrySettings RegistrySettings `json:"registrySettings,omitempty"`
 	// +kubebuilder:default=2
-	Replicas int32 `json:"replicas,omitempty"`
+	Replicas *int32 `json:"replicas,omitempty"`
 	// NodeSelector is a selector which must be true for the pod to fit on a node.
 	// Selector which must match a node's labels for the pod to be scheduled on that node.
 	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
@@ -138,9 +138,12 @@ type DeploymentSpec struct {
 	// (kube-apiserver, controller-manager, and scheduler).
 	Resources *ControlPlaneComponentsResources `json:"resources,omitempty"`
 	// ExtraArgs allows adding additional arguments to the Control Plane components,
-	// such as kube-apiserver, controller-manager, and scheduler.
-	ExtraArgs          *ControlPlaneExtraArgs `json:"extraArgs,omitempty"`
-	AdditionalMetadata AdditionalMetadata     `json:"additionalMetadata,omitempty"`
+	// such as kube-apiserver, controller-manager, and scheduler. WARNING - This option
+	// can override existing parameters and cause components to misbehave in unxpected ways.
+	// Only modify if you know what you are doing.
+	ExtraArgs             *ControlPlaneExtraArgs `json:"extraArgs,omitempty"`
+	AdditionalMetadata    AdditionalMetadata     `json:"additionalMetadata,omitempty"`
+	PodAdditionalMetadata AdditionalMetadata     `json:"podAdditionalMetadata,omitempty"`
 	// AdditionalInitContainers allows adding additional init containers to the Control Plane deployment.
 	AdditionalInitContainers []corev1.Container `json:"additionalInitContainers,omitempty"`
 	// AdditionalContainers allows adding additional containers to the Control Plane deployment.
@@ -150,6 +153,9 @@ type DeploymentSpec struct {
 	// AdditionalVolumeMounts allows to mount an additional volume into each component of the Control Plane
 	// (kube-apiserver, controller-manager, and scheduler).
 	AdditionalVolumeMounts *AdditionalVolumeMounts `json:"additionalVolumeMounts,omitempty"`
+	// +kubebuilder:default="default"
+	// ServiceAccountName allows to specify the service account to be mounted to the pods of the Control plane deployment
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }

 // AdditionalVolumeMounts allows mounting additional volumes to the Control Plane components.
@@ -189,6 +195,9 @@ type ImageOverrideTrait struct {
 }

 // ExtraArgs allows adding additional arguments to said component.
+// WARNING - This option can override existing konnectivity
+// parameters and cause konnectivity components to misbehave in
+// unxpected ways. Only modify if you know what you are doing.
 type ExtraArgs []string

 type KonnectivityServerSpec struct {
@@ -211,8 +220,12 @@ type KonnectivityAgentSpec struct {
 	Image string `json:"image,omitempty"`
 	// Version for Konnectivity agent.
 	// +kubebuilder:default=v0.0.32
-	Version   string    `json:"version,omitempty"`
-	ExtraArgs ExtraArgs `json:"extraArgs,omitempty"`
+	Version string `json:"version,omitempty"`
+	// Tolerations for the deployed agent.
+	// Can be customized to start the konnectivity-agent even if the nodes are not ready or tainted.
+	// +kubebuilder:default={{key: "CriticalAddonsOnly", operator: "Exists"}}
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
+	ExtraArgs   ExtraArgs           `json:"extraArgs,omitempty"`
 }

 // KonnectivitySpec defines the spec for Konnectivity.
@@ -253,7 +266,7 @@ type TenantControlPlaneSpec struct {
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:subresource:scale:specpath=.spec.controlPlane.deployment.replicas,statuspath=.status.kubernetesResources.deployment.replicas,selectorpath=.status.kubernetesResources.deployment.selector
-// +kubebuilder:resource:shortName=tcp
+// +kubebuilder:resource:categories=kamaji,shortName=tcp
 // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.kubernetes.version",description="Kubernetes version"
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.kubernetesResources.version.status",description="Status"
 // +kubebuilder:printcolumn:name="Control-Plane endpoint",type="string",JSONPath=".status.controlPlaneEndpoint",description="Tenant Control Plane Endpoint (API server)"
--- a/api/v1alpha1/types.go
+++ b/api/v1alpha1/types.go
@@ -28,9 +28,10 @@ func (c CGroupDriver) String() string {
 }

 const (
-	ServiceTypeLoadBalancer = (ServiceType)(corev1.ServiceTypeLoadBalancer)
-	ServiceTypeClusterIP    = (ServiceType)(corev1.ServiceTypeClusterIP)
-	ServiceTypeNodePort     = (ServiceType)(corev1.ServiceTypeNodePort)
+	ServiceTypeLoadBalancer       = (ServiceType)(corev1.ServiceTypeLoadBalancer)
+	ServiceTypeClusterIP          = (ServiceType)(corev1.ServiceTypeClusterIP)
+	ServiceTypeNodePort           = (ServiceType)(corev1.ServiceTypeNodePort)
+	KubeconfigSecretKeyAnnotation = "kamaji.clastix.io/kubeconfig-secret-key"
 )

 // +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated

 // Copyright 2022 Clastix Labs
 // SPDX-License-Identifier: Apache-2.0
@@ -526,7 +525,11 @@ func (in *DataStoreSpec) DeepCopyInto(out *DataStoreSpec) {
 		*out = new(BasicAuth)
 		(*in).DeepCopyInto(*out)
 	}
-	in.TLSConfig.DeepCopyInto(&out.TLSConfig)
+	if in.TLSConfig != nil {
+		in, out := &in.TLSConfig, &out.TLSConfig
+		*out = new(TLSConfig)
+		(*in).DeepCopyInto(*out)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataStoreSpec.
@@ -578,6 +581,11 @@ func (in *DatastoreUsedSecret) DeepCopy() *DatastoreUsedSecret {
 func (in *DeploymentSpec) DeepCopyInto(out *DeploymentSpec) {
 	*out = *in
 	out.RegistrySettings = in.RegistrySettings
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		*out = new(int32)
+		**out = **in
+	}
 	if in.NodeSelector != nil {
 		in, out := &in.NodeSelector, &out.NodeSelector
 		*out = make(map[string]string, len(*in))
@@ -616,6 +624,7 @@ func (in *DeploymentSpec) DeepCopyInto(out *DeploymentSpec) {
 		(*in).DeepCopyInto(*out)
 	}
 	in.AdditionalMetadata.DeepCopyInto(&out.AdditionalMetadata)
+	in.PodAdditionalMetadata.DeepCopyInto(&out.PodAdditionalMetadata)
 	if in.AdditionalInitContainers != nil {
 		in, out := &in.AdditionalInitContainers, &out.AdditionalInitContainers
 		*out = make([]v1.Container, len(*in))
@@ -775,6 +784,13 @@ func (in *IngressSpec) DeepCopy() *IngressSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KonnectivityAgentSpec) DeepCopyInto(out *KonnectivityAgentSpec) {
 	*out = *in
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]v1.Toleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ExtraArgs != nil {
 		in, out := &in.ExtraArgs, &out.ExtraArgs
 		*out = make(ExtraArgs, len(*in))
@@ -1196,7 +1212,11 @@ func (in *StorageStatus) DeepCopy() *StorageStatus {
 func (in *TLSConfig) DeepCopyInto(out *TLSConfig) {
 	*out = *in
 	in.CertificateAuthority.DeepCopyInto(&out.CertificateAuthority)
-	in.ClientCertificate.DeepCopyInto(&out.ClientCertificate)
+	if in.ClientCertificate != nil {
+		in, out := &in.ClientCertificate, &out.ClientCertificate
+		*out = new(ClientCertificate)
+		(*in).DeepCopyInto(*out)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
--- a/assets/logo-colored.png
+++ b/assets/logo-colored.png
--- a/assets/logo.svg
+++ b/assets/logo.svg
--- a/charts/kamaji/Chart.yaml
+++ b/charts/kamaji/Chart.yaml
@@ -1,24 +1,24 @@
 apiVersion: v2
-appVersion: v0.3.0
-description: Kamaji is a tool aimed to build and operate a Managed Kubernetes Service
-  with a fraction of the operational burden. With Kamaji, you can deploy and operate
-  hundreds of Kubernetes clusters as a hyper-scaler.
+appVersion: v1.0.0
+description: Kamaji is the Hosted Control Plane Manager for Kubernetes.
 home: https://github.com/clastix/kamaji
-icon: https://github.com/clastix/kamaji/raw/master/assets/kamaji-logo.png
+icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png
 kubeVersion: ">=1.21.0-0"
 maintainers:
 - email: dario@tranchitella.eu
  name: Dario Tranchitella
+  url: https://clastix.io
 - email: me@maxgio.it
  name: Massimiliano Giovagnoli
 - email: me@bsctl.io
  name: Adriano Pezzuto
+  url: https://clastix.io
 name: kamaji
 sources:
 - https://github.com/clastix/kamaji
 type: application
-version: 0.12.0
+version: 1.0.0
 annotations:
  catalog.cattle.io/certified: partner
  catalog.cattle.io/release-name: kamaji
-  catalog.cattle.io/display-name: Kamaji - Managed Kubernetes Service
+  catalog.cattle.io/display-name: Kamaji
--- a/charts/kamaji/README.md
+++ b/charts/kamaji/README.md
@@ -1,16 +1,16 @@
 # kamaji

-![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.3.0](https://img.shields.io/badge/AppVersion-v0.3.0-informational?style=flat-square)
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0](https://img.shields.io/badge/AppVersion-v1.0.0-informational?style=flat-square)

-Kamaji is a tool aimed to build and operate a Managed Kubernetes Service with a fraction of the operational burden. With Kamaji, you can deploy and operate hundreds of Kubernetes clusters as a hyper-scaler.
+Kamaji is the Hosted Control Plane Manager for Kubernetes.

 ## Maintainers

 | Name | Email | Url |
 | ---- | ------ | --- |
-| Dario Tranchitella | <dario@tranchitella.eu> |  |
+| Dario Tranchitella | <dario@tranchitella.eu> | <https://clastix.io> |
 | Massimiliano Giovagnoli | <me@maxgio.it> |  |
-| Adriano Pezzuto | <me@bsctl.io> |  |
+| Adriano Pezzuto | <me@bsctl.io> | <https://clastix.io> |

 ## Source Code

@@ -66,6 +66,8 @@ Here the values you can override:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Kubernetes affinity rules to apply to Kamaji controller pods |
+| cfssl.image.repository | string | `"cfssl/cfssl"` |  |
+| cfssl.image.tag | string | `"latest"` |  |
 | datastore.basicAuth.passwordSecret.keyPath | string | `nil` | The Secret key where the data is stored. |
 | datastore.basicAuth.passwordSecret.name | string | `nil` | The name of the Secret containing the password used to connect to the relational database. |
 | datastore.basicAuth.passwordSecret.namespace | string | `nil` | The namespace of the Secret containing the password used to connect to the relational database. |
@@ -73,8 +75,9 @@ Here the values you can override:
 | datastore.basicAuth.usernameSecret.name | string | `nil` | The name of the Secret containing the username used to connect to the relational database. |
 | datastore.basicAuth.usernameSecret.namespace | string | `nil` | The namespace of the Secret containing the username used to connect to the relational database. |
 | datastore.driver | string | `"etcd"` | (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). |
+| datastore.enabled | bool | `true` | (bool) Enable the Kamaji Datastore creation (default=true) |
 | datastore.endpoints | list | `[]` | (array) List of endpoints of the selected Datastore. When letting the Chart install the etcd datastore, this field is populated automatically. |
-| datastore.nameOverride | string | `nil` | The Datastore name override, if empty defaults to `default` |
+| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. |
 | datastore.tlsConfig.certificateAuthority.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. |
 | datastore.tlsConfig.certificateAuthority.certificate.name | string | `nil` | Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. |
 | datastore.tlsConfig.certificateAuthority.certificate.namespace | string | `nil` | Namespace of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. |
@@ -87,6 +90,7 @@ Here the values you can override:
 | datastore.tlsConfig.clientCertificate.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. |
 | datastore.tlsConfig.clientCertificate.privateKey.name | string | `nil` | Name of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. |
 | datastore.tlsConfig.clientCertificate.privateKey.namespace | string | `nil` | Namespace of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. |
+| datastore.tlsConfig.enabled | bool | `true` |  |
 | etcd.compactionInterval | int | `0` | ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) |
 | etcd.deploy | bool | `true` | Install an etcd with enabled multi-tenancy along with Kamaji |
 | etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.6"}` | Install specific etcd image |
@@ -100,10 +104,11 @@ Here the values you can override:
 | etcd.persistence.accessModes[0] | string | `"ReadWriteOnce"` |  |
 | etcd.persistence.customAnnotations | object | `{}` | The custom annotations to add to the PVC |
 | etcd.persistence.size | string | `"10Gi"` |  |
-| etcd.persistence.storageClass | string | `""` |  |
+| etcd.persistence.storageClassName | string | `""` |  |
 | etcd.port | int | `2379` | The client request port. |
 | etcd.serviceAccount.create | bool | `true` | Create a ServiceAccount, required to install and provision the etcd backing storage (default: true) |
 | etcd.serviceAccount.name | string | `""` | Define the ServiceAccount name to use during the setup and provision of the etcd backing storage (default: "") |
+| etcd.tolerations | list | `[]` | (array) Kubernetes affinity rules to apply to Kamaji etcd pods |
 | extraArgs | list | `[]` | A list of extra arguments to add to the kamaji controller default ones |
 | fullnameOverride | string | `""` |  |
 | healthProbeBindAddress | string | `":8081"` | The address the probe endpoint binds to. (default ":8081") |
@@ -129,6 +134,7 @@ Here the values you can override:
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `"kamaji-controller-manager"` |  |
 | serviceMonitor.enabled | bool | `false` | Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured |
+| telemetry | object | `{"disabled":false}` | Disable the analytics traces collection |
 | temporaryDirectoryPath | string | `"/tmp/kamaji"` | Directory which will be used to work with temporary files. (default "/tmp/kamaji") |
 | tolerations | list | `[]` | Kubernetes node taints that the Kamaji controller pods would tolerate |

--- a/charts/kamaji/app-readme.md
+++ b/charts/kamaji/app-readme.md
@@ -1,30 +1,12 @@
-# Kamaji - Managed Kubernetes Service
+# Kamaji

-Kamaji is a tool aimed to build and operate a Managed Kubernetes Service with a fraction of the operational burden.
+Kamaji deploys and operates Kubernetes at scale with a fraction of the operational burden.

 Useful links:
 - [Kamaji Github repository](https://github.com/clastix/kamaji)
- [Kamaji Documentation](https://github.com/clastix/kamaji/docs/)
+- [Kamaji Documentation](https://kamaji.clastix.io)

 ## Requirements

 * Kubernetes v1.22+
-* Helm v3
-
-# Installation
-
-To install the Chart with the release name `kamaji`:
-
-        helm upgrade --install --namespace kamaji-system --create-namespace clastix/kamaji
-
-Show the status:
-
-        helm status kamaji -n kamaji-system
-
-Upgrade the Chart
-
-        helm upgrade kamaji -n kamaji-system clastix/kamaji
-
-Uninstall the Chart
-
-        helm uninstall kamaji -n kamaji-system
+* Helm v3
--- a/charts/kamaji/crds/datastore.yaml
+++ b/charts/kamaji/crds/datastore.yaml
@@ -30,10 +30,19 @@ spec:
          description: DataStore is the Schema for the datastores API.
          properties:
            apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
@@ -41,25 +50,33 @@ spec:
              description: DataStoreSpec defines the desired state of DataStore.
              properties:
                basicAuth:
-                  description: In case of authentication enabled for the given data store, specifies the username and password pair. This value is optional.
+                  description: |-
+                    In case of authentication enabled for the given data store, specifies the username and password pair.
+                    This value is optional.
                  properties:
                    password:
                      properties:
                        content:
-                          description: Bare content of the file, base64 encoded. It has precedence over the SecretReference value.
+                          description: |-
+                            Bare content of the file, base64 encoded.
+                            It has precedence over the SecretReference value.
                          format: byte
                          type: string
                        secretReference:
                          properties:
                            keyPath:
-                              description: Name of the key for the given Secret reference where the content is stored. This value is mandatory.
+                              description: |-
+                                Name of the key for the given Secret reference where the content is stored.
+                                This value is mandatory.
                              minLength: 1
                              type: string
                            name:
-                              description: name is unique within a namespace to reference a secret resource.
+                              description: name is unique within a namespace to reference
+                                a secret resource.
                              type: string
                            namespace:
-                              description: namespace defines the space within which the secret name must be unique.
+                              description: namespace defines the space within which
+                                the secret name must be unique.
                              type: string
                          required:
                            - keyPath
@@ -69,20 +86,26 @@ spec:
                    username:
                      properties:
                        content:
-                          description: Bare content of the file, base64 encoded. It has precedence over the SecretReference value.
+                          description: |-
+                            Bare content of the file, base64 encoded.
+                            It has precedence over the SecretReference value.
                          format: byte
                          type: string
                        secretReference:
                          properties:
                            keyPath:
-                              description: Name of the key for the given Secret reference where the content is stored. This value is mandatory.
+                              description: |-
+                                Name of the key for the given Secret reference where the content is stored.
+                                This value is mandatory.
                              minLength: 1
                              type: string
                            name:
-                              description: name is unique within a namespace to reference a secret resource.
+                              description: name is unique within a namespace to reference
+                                a secret resource.
                              type: string
                            namespace:
-                              description: namespace defines the space within which the secret name must be unique.
+                              description: namespace defines the space within which
+                                the secret name must be unique.
                              type: string
                          required:
                            - keyPath
@@ -99,36 +122,49 @@ spec:
                    - etcd
                    - MySQL
                    - PostgreSQL
+                    - NATS
                  type: string
                endpoints:
-                  description: List of the endpoints to connect to the shared datastore. No need for protocol, just bare IP/FQDN and port.
+                  description: |-
+                    List of the endpoints to connect to the shared datastore.
+                    No need for protocol, just bare IP/FQDN and port.
                  items:
                    type: string
                  minItems: 1
                  type: array
                tlsConfig:
-                  description: Defines the TLS/SSL configuration required to connect to the data store in a secure way.
+                  description: |-
+                    Defines the TLS/SSL configuration required to connect to the data store in a secure way.
+                    This value is optional.
                  properties:
                    certificateAuthority:
-                      description: Retrieve the Certificate Authority certificate and private key, such as bare content of the file, or a SecretReference. The key reference is required since etcd authentication is based on certificates, and Kamaji is responsible in creating this.
+                      description: |-
+                        Retrieve the Certificate Authority certificate and private key, such as bare content of the file, or a SecretReference.
+                        The key reference is required since etcd authentication is based on certificates, and Kamaji is responsible in creating this.
                      properties:
                        certificate:
                          properties:
                            content:
-                              description: Bare content of the file, base64 encoded. It has precedence over the SecretReference value.
+                              description: |-
+                                Bare content of the file, base64 encoded.
+                                It has precedence over the SecretReference value.
                              format: byte
                              type: string
                            secretReference:
                              properties:
                                keyPath:
-                                  description: Name of the key for the given Secret reference where the content is stored. This value is mandatory.
+                                  description: |-
+                                    Name of the key for the given Secret reference where the content is stored.
+                                    This value is mandatory.
                                  minLength: 1
                                  type: string
                                name:
-                                  description: name is unique within a namespace to reference a secret resource.
+                                  description: name is unique within a namespace to
+                                    reference a secret resource.
                                  type: string
                                namespace:
-                                  description: namespace defines the space within which the secret name must be unique.
+                                  description: namespace defines the space within which
+                                    the secret name must be unique.
                                  type: string
                              required:
                                - keyPath
@@ -138,20 +174,26 @@ spec:
                        privateKey:
                          properties:
                            content:
-                              description: Bare content of the file, base64 encoded. It has precedence over the SecretReference value.
+                              description: |-
+                                Bare content of the file, base64 encoded.
+                                It has precedence over the SecretReference value.
                              format: byte
                              type: string
                            secretReference:
                              properties:
                                keyPath:
-                                  description: Name of the key for the given Secret reference where the content is stored. This value is mandatory.
+                                  description: |-
+                                    Name of the key for the given Secret reference where the content is stored.
+                                    This value is mandatory.
                                  minLength: 1
                                  type: string
                                name:
-                                  description: name is unique within a namespace to reference a secret resource.
+                                  description: name is unique within a namespace to
+                                    reference a secret resource.
                                  type: string
                                namespace:
-                                  description: namespace defines the space within which the secret name must be unique.
+                                  description: namespace defines the space within which
+                                    the secret name must be unique.
                                  type: string
                              required:
                                - keyPath
@@ -162,25 +204,32 @@ spec:
                        - certificate
                      type: object
                    clientCertificate:
-                      description: Specifies the SSL/TLS key and private key pair used to connect to the data store.
+                      description: Specifies the SSL/TLS key and private key pair used
+                        to connect to the data store.
                      properties:
                        certificate:
                          properties:
                            content:
-                              description: Bare content of the file, base64 encoded. It has precedence over the SecretReference value.
+                              description: |-
+                                Bare content of the file, base64 encoded.
+                                It has precedence over the SecretReference value.
                              format: byte
                              type: string
                            secretReference:
                              properties:
                                keyPath:
-                                  description: Name of the key for the given Secret reference where the content is stored. This value is mandatory.
+                                  description: |-
+                                    Name of the key for the given Secret reference where the content is stored.
+                                    This value is mandatory.
                                  minLength: 1
                                  type: string
                                name:
-                                  description: name is unique within a namespace to reference a secret resource.
+                                  description: name is unique within a namespace to
+                                    reference a secret resource.
                                  type: string
                                namespace:
-                                  description: namespace defines the space within which the secret name must be unique.
+                                  description: namespace defines the space within which
+                                    the secret name must be unique.
                                  type: string
                              required:
                                - keyPath
@@ -190,20 +239,26 @@ spec:
                        privateKey:
                          properties:
                            content:
-                              description: Bare content of the file, base64 encoded. It has precedence over the SecretReference value.
+                              description: |-
+                                Bare content of the file, base64 encoded.
+                                It has precedence over the SecretReference value.
                              format: byte
                              type: string
                            secretReference:
                              properties:
                                keyPath:
-                                  description: Name of the key for the given Secret reference where the content is stored. This value is mandatory.
+                                  description: |-
+                                    Name of the key for the given Secret reference where the content is stored.
+                                    This value is mandatory.
                                  minLength: 1
                                  type: string
                                name:
-                                  description: name is unique within a namespace to reference a secret resource.
+                                  description: name is unique within a namespace to
+                                    reference a secret resource.
                                  type: string
                                namespace:
-                                  description: namespace defines the space within which the secret name must be unique.
+                                  description: namespace defines the space within which
+                                    the secret name must be unique.
                                  type: string
                              required:
                                - keyPath
@@ -216,18 +271,17 @@ spec:
                      type: object
                  required:
                    - certificateAuthority
-                    - clientCertificate
                  type: object
              required:
                - driver
                - endpoints
-                - tlsConfig
              type: object
            status:
              description: DataStoreStatus defines the observed state of DataStore.
              properties:
                usedBy:
-                  description: List of the Tenant Control Planes, namespaced named, using this data store.
+                  description: List of the Tenant Control Planes, namespaced named,
+                    using this data store.
                  items:
                    type: string
                  type: array
--- a/charts/kamaji/crds/tenantcontrolplane.yaml
+++ b/charts/kamaji/crds/tenantcontrolplane.yaml
--- a/charts/kamaji/templates/_helpers_datastore.tpl
+++ b/charts/kamaji/templates/_helpers_datastore.tpl
@@ -2,7 +2,11 @@
 Create a default fully qualified datastore name.
 */}}
 {{- define "datastore.fullname" -}}
+{{- if .Values.datastore.enabled }}
 {{- default "default" .Values.datastore.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- required "A valid .Values.datastore.nameOverride required!" .Values.datastore.nameOverride }}
+{{- end }}
 {{- end }}

 {{/*
--- a/charts/kamaji/templates/controller.yaml
+++ b/charts/kamaji/templates/controller.yaml
@@ -34,6 +34,9 @@ spec:
        - --metrics-bind-address={{ .Values.metricsBindAddress }}
        - --tmp-directory={{ .Values.temporaryDirectoryPath }}
        - --datastore={{ include "datastore.fullname" . }}
+        {{- if .Values.telemetry.disabled }}
+        - --disable-telemetry
+        {{- end }}
        {{- if .Values.loggingDevel.enable }}
        - --zap-devel
        {{- end }}
--- a/charts/kamaji/templates/datastore.yaml
+++ b/charts/kamaji/templates/datastore.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.datastore.enabled}}
 apiVersion: kamaji.clastix.io/v1alpha1
 kind: DataStore
 metadata:
@@ -19,8 +20,14 @@ spec:
      secretReference:
        {{- .Values.datastore.basicAuth.passwordSecret | toYaml | nindent 8 }}
 {{- end }}
+{{- if .Values.datastore.tlsConfig.enabled }}
  tlsConfig:
    certificateAuthority:
      {{- include "datastore.certificateAuthority" . | indent 6 }}
+
+    {{- if .Values.datastore.tlsConfig.clientCertificate }}
    clientCertificate:
      {{- include "datastore.clientCertificate" . | indent 6 }}
+    {{- end }}
+{{- end}}
+{{- end}}
--- a/charts/kamaji/templates/etcd_job_postinstall.yaml
+++ b/charts/kamaji/templates/etcd_job_postinstall.yaml
@@ -30,11 +30,15 @@ spec:
            - bash
            - -c
            - |-
-              etcdctl member list -w table &&
-              etcdctl user add --no-password=true root &&
-              etcdctl role add root &&
-              etcdctl user grant-role root root &&
-              etcdctl auth enable
+              etcdctl member list -w table
+              if etcdctl user get root &>/dev/null; then
+                echo "User already exists, nothing to do"
+              else
+                etcdctl user add --no-password=true root &&
+                etcdctl role add root &&
+                etcdctl user grant-role root root &&
+                etcdctl auth enable
+              fi
          env:
            - name: ETCDCTL_ENDPOINTS
              value: https://etcd-0.{{ include "etcd.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local:2379
--- a/charts/kamaji/templates/etcd_job_preinstall.yaml
+++ b/charts/kamaji/templates/etcd_job_preinstall.yaml
@@ -19,7 +19,7 @@ spec:
      restartPolicy: Never
      initContainers:
        - name: cfssl
-          image: cfssl/cfssl:latest
+          image: "{{ .Values.cfssl.image.repository }}:{{ .Values.cfssl.image.tag }}"
          command:
            - bash
            - -c
@@ -37,13 +37,21 @@ spec:
      containers:
        - name: kubectl
          image: {{ printf "clastix/kubectl:%s" (include "etcd.jobsTagKubeVersion" .) }}
-          command:
-            - sh
-            - -c
-            - |-
-              kubectl --namespace={{ .Release.Namespace }} delete secret --ignore-not-found=true {{ include "etcd.caSecretName" . }} {{ include "etcd.clientSecretName" . }} &&
-              kubectl --namespace={{ .Release.Namespace }} create secret generic {{ include "etcd.caSecretName" . }} --from-file=/certs/ca.crt --from-file=/certs/ca.key --from-file=/certs/peer-key.pem --from-file=/certs/peer.pem --from-file=/certs/server-key.pem --from-file=/certs/server.pem &&
-              kubectl --namespace={{ .Release.Namespace }} create secret tls {{ include "etcd.clientSecretName" . }} --key=/certs/root-client-key.pem --cert=/certs/root-client.pem
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              if kubectl get secret {{ include "etcd.caSecretName" . }} --namespace={{ .Release.Namespace }} &>/dev/null; then
+                echo "Secret {{ include "etcd.caSecretName" . }} already exists"
+              else
+                echo "Creating secret {{ include "etcd.caSecretName" . }}"
+                kubectl --namespace={{ .Release.Namespace }} create secret generic {{ include "etcd.caSecretName" . }} --from-file=/certs/ca.crt --from-file=/certs/ca.key --from-file=/certs/peer-key.pem --from-file=/certs/peer.pem --from-file=/certs/server-key.pem --from-file=/certs/server.pem
+              fi
+              if kubectl get secret {{ include "etcd.clientSecretName" . }} --namespace={{ .Release.Namespace }} &>/dev/null; then
+                echo "Secret {{ include "etcd.clientSecretName" . }} already exists"
+              else
+                echo "Creating secret {{ include "etcd.clientSecretName" . }}"
+                kubectl --namespace={{ .Release.Namespace }} create secret tls {{ include "etcd.clientSecretName" . }} --key=/certs/root-client-key.pem --cert=/certs/root-client.pem
+              fi
          volumeMounts:
            - mountPath: /certs
              name: certs
--- a/charts/kamaji/templates/etcd_rbac.yaml
+++ b/charts/kamaji/templates/etcd_rbac.yaml
@@ -15,6 +15,7 @@ rules:
    resources:
      - secrets
    verbs:
+      - get
      - delete
    resourceNames:
      - {{ include "etcd.caSecretName" . }}
--- a/charts/kamaji/templates/etcd_sts.yaml
+++ b/charts/kamaji/templates/etcd_sts.yaml
@@ -22,6 +22,10 @@ spec:
        - name: certs
          secret:
            secretName: {{ include "etcd.caSecretName" . }}
+      {{- with .Values.etcd.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
      containers:
        - name: etcd
          image: {{ .Values.etcd.image.repository }}:{{ .Values.etcd.image.tag | default "v3.5.4" }}
--- a/charts/kamaji/templates/validatingwebhookconfiguration.yaml
+++ b/charts/kamaji/templates/validatingwebhookconfiguration.yaml
@@ -8,6 +8,27 @@ metadata:
    {{- include "kamaji.labels" $data | nindent 4 }}
  name: kamaji-validating-webhook-configuration
 webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: {{ include "kamaji.webhookServiceName" . }}
+        namespace: {{ .Release.Namespace }}
+        path: /telemetry
+    failurePolicy: Ignore
+    name: telemetry.kamaji.clastix.io
+    rules:
+      - apiGroups:
+          - kamaji.clastix.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        resources:
+          - tenantcontrolplanes
+    sideEffects: None
  - admissionReviewVersions:
      - v1
    clientConfig:
--- a/charts/kamaji/values.yaml
+++ b/charts/kamaji/values.yaml
@@ -54,13 +54,16 @@ etcd:
    name: ""
  persistence:
    size: 10Gi
-    storageClass: ""
+    storageClassName: ""
    accessModes:
    - ReadWriteOnce
    # -- The custom annotations to add to the PVC
    customAnnotations: {}
    #  volumeType: local

+  # -- (array) Kubernetes affinity rules to apply to Kamaji etcd pods
+  tolerations: []
+
  overrides:
    caSecret:
      # -- Name of the secret which contains CA's certificate and private key. (default: "etcd-certs")
@@ -157,7 +160,9 @@ loggingDevel:
  enable: false

 datastore:
-  # -- (string) The Datastore name override, if empty defaults to `default`
+  # -- (bool) Enable the Kamaji Datastore creation (default=true)
+  enabled: true
+  # -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to.
  nameOverride:
  # -- (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd).
  driver: etcd
@@ -179,6 +184,7 @@ datastore:
      # -- The Secret key where the data is stored.
      keyPath:
  tlsConfig:
+    enabled: true
    certificateAuthority:
      certificate:
        # -- Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore.
@@ -209,3 +215,13 @@ datastore:
        namespace:
        # -- Key of the Secret which contains the content of the private key.
        keyPath:
+
+cfssl:
+  image:
+    repository: cfssl/cfssl
+    tag: latest
+
+# -- Disable the analytics traces collection
+telemetry:
+  disabled: false 
+  
--- a/cmd/manager/cmd.go
+++ b/cmd/manager/cmd.go
@@ -7,16 +7,23 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"net/http"
 	"os"
 	goRuntime "runtime"
+	"time"

+	telemetryclient "github.com/clastix/kamaji-telemetry/pkg/client"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	ctrlwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"

 	kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1"
 	cmdutils "github.com/clastix/kamaji/cmd/utils"
@@ -30,21 +37,25 @@ import (
 	"github.com/clastix/kamaji/internal/webhook/routes"
 )

+//nolint:maintidx
 func NewCmd(scheme *runtime.Scheme) *cobra.Command {
 	// CLI flags
 	var (
-		metricsBindAddress        string
-		healthProbeBindAddress    string
-		leaderElect               bool
-		tmpDirectory              string
-		kineImage                 string
-		datastore                 string
-		managerNamespace          string
-		managerServiceAccountName string
-		managerServiceName        string
-		webhookCABundle           []byte
-		migrateJobImage           string
-		maxConcurrentReconciles   int
+		metricsBindAddress         string
+		healthProbeBindAddress     string
+		leaderElect                bool
+		tmpDirectory               string
+		kineImage                  string
+		controllerReconcileTimeout time.Duration
+		cacheResyncPeriod          time.Duration
+		datastore                  string
+		managerNamespace           string
+		managerServiceAccountName  string
+		managerServiceName         string
+		webhookCABundle            []byte
+		migrateJobImage            string
+		maxConcurrentReconciles    int
+		disableTelemetry           bool

 		webhookCAPath string
 	)
@@ -73,6 +84,10 @@ func NewCmd(scheme *runtime.Scheme) *cobra.Command {
 				return err
 			}

+			if controllerReconcileTimeout.Seconds() == 0 {
+				return fmt.Errorf("the controller reconcile timeout must be greater than zero")
+			}
+
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -83,25 +98,42 @@ func NewCmd(scheme *runtime.Scheme) *cobra.Command {
 			setupLog.Info(fmt.Sprintf("Build date: %s", internal.BuildTime))
 			setupLog.Info(fmt.Sprintf("Go Version: %s", goRuntime.Version()))
 			setupLog.Info(fmt.Sprintf("Go OS/Arch: %s/%s", goRuntime.GOOS, goRuntime.GOARCH))
+			setupLog.Info(fmt.Sprintf("Telemetry enabled: %t", !disableTelemetry))

-			mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-				Scheme:                  scheme,
-				MetricsBindAddress:      metricsBindAddress,
-				Port:                    9443,
+			telemetryClient := telemetryclient.New(http.Client{Timeout: 5 * time.Second}, "https://telemetry.clastix.io")
+			if disableTelemetry {
+				telemetryClient = telemetryclient.NewNewOp()
+			}
+
+			ctrlOpts := ctrl.Options{
+				Scheme: scheme,
+				Metrics: metricsserver.Options{
+					BindAddress: metricsBindAddress,
+				},
+				WebhookServer: ctrlwebhook.NewServer(ctrlwebhook.Options{
+					Port: 9443,
+				}),
 				HealthProbeBindAddress:  healthProbeBindAddress,
 				LeaderElection:          leaderElect,
 				LeaderElectionNamespace: managerNamespace,
-				LeaderElectionID:        "799b98bc.clastix.io",
-			})
+				LeaderElectionID:        "kamaji.clastix.io",
+				NewCache: func(config *rest.Config, opts cache.Options) (cache.Cache, error) {
+					opts.SyncPeriod = &cacheResyncPeriod
+
+					return cache.New(config, opts)
+				},
+			}
+
+			mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrlOpts)
 			if err != nil {
 				setupLog.Error(err, "unable to start manager")

 				return err
 			}

-			tcpChannel := make(controllers.TenantControlPlaneChannel)
+			tcpChannel, certChannel := make(controllers.TenantControlPlaneChannel), make(controllers.CertificateChannel)

-			if err = (&controllers.DataStore{TenantControlPlaneTrigger: tcpChannel}).SetupWithManager(mgr); err != nil {
+			if err = (&controllers.DataStore{Client: mgr.GetClient(), TenantControlPlaneTrigger: tcpChannel}).SetupWithManager(mgr); err != nil {
 				setupLog.Error(err, "unable to create controller", "controller", "DataStore")

 				return err
@@ -111,10 +143,12 @@ func NewCmd(scheme *runtime.Scheme) *cobra.Command {
 				Client:    mgr.GetClient(),
 				APIReader: mgr.GetAPIReader(),
 				Config: controllers.TenantControlPlaneReconcilerConfig{
+					ReconcileTimeout:     controllerReconcileTimeout,
 					DefaultDataStoreName: datastore,
 					KineContainerImage:   kineImage,
 					TmpBaseDirectory:     tmpDirectory,
 				},
+				CertificateChan:         certChannel,
 				TriggerChan:             tcpChannel,
 				KamajiNamespace:         managerNamespace,
 				KamajiServiceAccount:    managerServiceAccountName,
@@ -129,6 +163,35 @@ func NewCmd(scheme *runtime.Scheme) *cobra.Command {
 				return err
 			}

+			k8sVersion, versionErr := cmdutils.KubernetesVersion(mgr.GetConfig())
+			if versionErr != nil {
+				setupLog.Error(err, "unable to get kubernetes version")
+
+				k8sVersion = "Unknown"
+			}
+
+			if !disableTelemetry {
+				err = mgr.Add(&controllers.TelemetryController{
+					Client:                  mgr.GetClient(),
+					KubernetesVersion:       k8sVersion,
+					KamajiVersion:           internal.GitTag,
+					TelemetryClient:         telemetryClient,
+					LeaderElectionNamespace: ctrlOpts.LeaderElectionNamespace,
+					LeaderElectionID:        ctrlOpts.LeaderElectionID,
+				})
+				if err != nil {
+					setupLog.Error(err, "unable to create controller", "controller", "TelemetryController")
+
+					return err
+				}
+			}
+
+			if err = (&controllers.CertificateLifecycle{Channel: certChannel}).SetupWithManager(mgr); err != nil {
+				setupLog.Error(err, "unable to create controller", "controller", "CertificateLifecycle")
+
+				return err
+			}
+
 			if err = (&kamajiv1alpha1.DatastoreUsedSecret{}).SetupWithManager(ctx, mgr); err != nil {
 				setupLog.Error(err, "unable to create indexer", "indexer", "DatastoreUsedSecret")

@@ -146,9 +209,12 @@ func NewCmd(scheme *runtime.Scheme) *cobra.Command {
 					handlers.Freeze{},
 				},
 				routes.TenantControlPlaneDefaults{}: {
-					handlers.TenantControlPlaneDefaults{DefaultDatastore: datastore},
+					handlers.TenantControlPlaneDefaults{
+						DefaultDatastore: datastore,
+					},
 				},
 				routes.TenantControlPlaneValidate{}: {
+					handlers.TenantControlPlaneName{},
 					handlers.TenantControlPlaneVersion{},
 					handlers.TenantControlPlaneKubeletAddresses{},
 					handlers.TenantControlPlaneDataStore{Client: mgr.GetClient()},
@@ -162,6 +228,15 @@ func NewCmd(scheme *runtime.Scheme) *cobra.Command {
 							Scheme: *mgr.GetScheme(),
 						},
 					},
+					handlers.TenantControlPlaneServiceCIDR{},
+				},
+				routes.TenantControlPlaneTelemetry{}: {
+					handlers.TenantControlPlaneTelemetry{
+						Enabled:           !disableTelemetry,
+						TelemetryClient:   telemetryClient,
+						KamajiVersion:     internal.GitTag,
+						KubernetesVersion: k8sVersion,
+					},
 				},
 				routes.DataStoreValidate{}: {
 					handlers.DataStoreValidation{Client: mgr.GetClient()},
@@ -224,12 +299,15 @@ func NewCmd(scheme *runtime.Scheme) *cobra.Command {
 	cmd.Flags().StringVar(&tmpDirectory, "tmp-directory", "/tmp/kamaji", "Directory which will be used to work with temporary files.")
 	cmd.Flags().StringVar(&kineImage, "kine-image", "rancher/kine:v0.9.2-amd64", "Container image along with tag to use for the Kine sidecar container (used only if etcd-storage-type is set to one of kine strategies).")
 	cmd.Flags().StringVar(&datastore, "datastore", "etcd", "The default DataStore that should be used by Kamaji to setup the required storage.")
-	cmd.Flags().StringVar(&migrateJobImage, "migrate-image", fmt.Sprintf("clastix/kamaji:v%s", internal.GitTag), "Specify the container image to launch when a TenantControlPlane is migrated to a new datastore.")
+	cmd.Flags().StringVar(&migrateJobImage, "migrate-image", fmt.Sprintf("clastix/kamaji:%s", internal.GitTag), "Specify the container image to launch when a TenantControlPlane is migrated to a new datastore.")
 	cmd.Flags().IntVar(&maxConcurrentReconciles, "max-concurrent-tcp-reconciles", 1, "Specify the number of workers for the Tenant Control Plane controller (beware of CPU consumption)")
 	cmd.Flags().StringVar(&managerNamespace, "pod-namespace", os.Getenv("POD_NAMESPACE"), "The Kubernetes Namespace on which the Operator is running in, required for the TenantControlPlane migration jobs.")
 	cmd.Flags().StringVar(&managerServiceName, "webhook-service-name", "kamaji-webhook-service", "The Kamaji webhook server Service name which is used to get validation webhooks, required for the TenantControlPlane migration jobs.")
 	cmd.Flags().StringVar(&managerServiceAccountName, "serviceaccount-name", os.Getenv("SERVICE_ACCOUNT"), "The Kubernetes Namespace on which the Operator is running in, required for the TenantControlPlane migration jobs.")
 	cmd.Flags().StringVar(&webhookCAPath, "webhook-ca-path", "/tmp/k8s-webhook-server/serving-certs/ca.crt", "Path to the Manager webhook server CA, required for the TenantControlPlane migration jobs.")
+	cmd.Flags().DurationVar(&controllerReconcileTimeout, "controller-reconcile-timeout", 30*time.Second, "The reconciliation request timeout before the controller withdraw the external resource calls, such as dealing with the Datastore, or the Tenant Control Plane API endpoint.")
+	cmd.Flags().DurationVar(&cacheResyncPeriod, "cache-resync-period", 10*time.Hour, "The controller-runtime.Manager cache resync period.")
+	cmd.Flags().BoolVar(&disableTelemetry, "disable-telemetry", false, "Disable the analytics traces collection.")

 	cobra.OnInitialize(func() {
 		viper.AutomaticEnv()
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -4,14 +4,12 @@
 package cmd

 import (
-	"math/rand"
-	"time"
-
 	"github.com/spf13/cobra"
 	_ "go.uber.org/automaxprocs" // Automatically set `GOMAXPROCS` to match Linux container CPU quota.
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	appsv1 "k8s.io/kubernetes/pkg/apis/apps/v1"

 	kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1"
 )
@@ -21,11 +19,9 @@ func NewCmd(scheme *runtime.Scheme) *cobra.Command {
 		Use:   "kamaji",
 		Short: "Build and operate Kubernetes at scale with a fraction of operational burden.",
 		PersistentPreRun: func(cmd *cobra.Command, args []string) {
-			// Seed is required to ensure non reproducibility for the certificates generate by Kamaji.
-			rand.Seed(time.Now().UnixNano())
-
 			utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 			utilruntime.Must(kamajiv1alpha1.AddToScheme(scheme))
+			utilruntime.Must(appsv1.RegisterDefaults(scheme))
 		},
 	}
 }
--- a/cmd/utils/k8s_version.go
+++ b/cmd/utils/k8s_version.go
@@ -0,0 +1,24 @@
+// Copyright 2022 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	"github.com/pkg/errors"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+func KubernetesVersion(config *rest.Config) (string, error) {
+	cs, csErr := kubernetes.NewForConfig(config)
+	if csErr != nil {
+		return "", errors.Wrap(csErr, "cannot create kubernetes clientset")
+	}
+
+	sv, svErr := cs.ServerVersion()
+	if svErr != nil {
+		return "", errors.Wrap(svErr, "cannot get Kubernetes version")
+	}
+
+	return sv.GitVersion, nil
+}
--- a/config/crd/bases/kamaji.clastix.io_datastores.yaml
+++ b/config/crd/bases/kamaji.clastix.io_datastores.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.14.0
  name: datastores.kamaji.clastix.io
 spec:
  group: kamaji.clastix.io
@@ -29,14 +29,19 @@ spec:
        description: DataStore is the Schema for the datastores API.
        properties:
          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
@@ -44,21 +49,24 @@ spec:
            description: DataStoreSpec defines the desired state of DataStore.
            properties:
              basicAuth:
-                description: In case of authentication enabled for the given data
-                  store, specifies the username and password pair. This value is optional.
+                description: |-
+                  In case of authentication enabled for the given data store, specifies the username and password pair.
+                  This value is optional.
                properties:
                  password:
                    properties:
                      content:
-                        description: Bare content of the file, base64 encoded. It
-                          has precedence over the SecretReference value.
+                        description: |-
+                          Bare content of the file, base64 encoded.
+                          It has precedence over the SecretReference value.
                        format: byte
                        type: string
                      secretReference:
                        properties:
                          keyPath:
-                            description: Name of the key for the given Secret reference
-                              where the content is stored. This value is mandatory.
+                            description: |-
+                              Name of the key for the given Secret reference where the content is stored.
+                              This value is mandatory.
                            minLength: 1
                            type: string
                          name:
@@ -77,15 +85,17 @@ spec:
                  username:
                    properties:
                      content:
-                        description: Bare content of the file, base64 encoded. It
-                          has precedence over the SecretReference value.
+                        description: |-
+                          Bare content of the file, base64 encoded.
+                          It has precedence over the SecretReference value.
                        format: byte
                        type: string
                      secretReference:
                        properties:
                          keyPath:
-                            description: Name of the key for the given Secret reference
-                              where the content is stored. This value is mandatory.
+                            description: |-
+                              Name of the key for the given Secret reference where the content is stored.
+                              This value is mandatory.
                            minLength: 1
                            type: string
                          name:
@@ -111,37 +121,40 @@ spec:
                - etcd
                - MySQL
                - PostgreSQL
+                - NATS
                type: string
              endpoints:
-                description: List of the endpoints to connect to the shared datastore.
+                description: |-
+                  List of the endpoints to connect to the shared datastore.
                  No need for protocol, just bare IP/FQDN and port.
                items:
                  type: string
                minItems: 1
                type: array
              tlsConfig:
-                description: Defines the TLS/SSL configuration required to connect
-                  to the data store in a secure way.
+                description: |-
+                  Defines the TLS/SSL configuration required to connect to the data store in a secure way.
+                  This value is optional.
                properties:
                  certificateAuthority:
-                    description: Retrieve the Certificate Authority certificate and
-                      private key, such as bare content of the file, or a SecretReference.
-                      The key reference is required since etcd authentication is based
-                      on certificates, and Kamaji is responsible in creating this.
+                    description: |-
+                      Retrieve the Certificate Authority certificate and private key, such as bare content of the file, or a SecretReference.
+                      The key reference is required since etcd authentication is based on certificates, and Kamaji is responsible in creating this.
                    properties:
                      certificate:
                        properties:
                          content:
-                            description: Bare content of the file, base64 encoded.
+                            description: |-
+                              Bare content of the file, base64 encoded.
                              It has precedence over the SecretReference value.
                            format: byte
                            type: string
                          secretReference:
                            properties:
                              keyPath:
-                                description: Name of the key for the given Secret
-                                  reference where the content is stored. This value
-                                  is mandatory.
+                                description: |-
+                                  Name of the key for the given Secret reference where the content is stored.
+                                  This value is mandatory.
                                minLength: 1
                                type: string
                              name:
@@ -160,16 +173,17 @@ spec:
                      privateKey:
                        properties:
                          content:
-                            description: Bare content of the file, base64 encoded.
+                            description: |-
+                              Bare content of the file, base64 encoded.
                              It has precedence over the SecretReference value.
                            format: byte
                            type: string
                          secretReference:
                            properties:
                              keyPath:
-                                description: Name of the key for the given Secret
-                                  reference where the content is stored. This value
-                                  is mandatory.
+                                description: |-
+                                  Name of the key for the given Secret reference where the content is stored.
+                                  This value is mandatory.
                                minLength: 1
                                type: string
                              name:
@@ -195,16 +209,17 @@ spec:
                      certificate:
                        properties:
                          content:
-                            description: Bare content of the file, base64 encoded.
+                            description: |-
+                              Bare content of the file, base64 encoded.
                              It has precedence over the SecretReference value.
                            format: byte
                            type: string
                          secretReference:
                            properties:
                              keyPath:
-                                description: Name of the key for the given Secret
-                                  reference where the content is stored. This value
-                                  is mandatory.
+                                description: |-
+                                  Name of the key for the given Secret reference where the content is stored.
+                                  This value is mandatory.
                                minLength: 1
                                type: string
                              name:
@@ -223,16 +238,17 @@ spec:
                      privateKey:
                        properties:
                          content:
-                            description: Bare content of the file, base64 encoded.
+                            description: |-
+                              Bare content of the file, base64 encoded.
                              It has precedence over the SecretReference value.
                            format: byte
                            type: string
                          secretReference:
                            properties:
                              keyPath:
-                                description: Name of the key for the given Secret
-                                  reference where the content is stored. This value
-                                  is mandatory.
+                                description: |-
+                                  Name of the key for the given Secret reference where the content is stored.
+                                  This value is mandatory.
                                minLength: 1
                                type: string
                              name:
@@ -254,12 +270,10 @@ spec:
                    type: object
                required:
                - certificateAuthority
-                - clientCertificate
                type: object
            required:
            - driver
            - endpoints
-            - tlsConfig
            type: object
          status:
            description: DataStoreStatus defines the observed state of DataStore.
--- a/config/crd/bases/kamaji.clastix.io_tenantcontrolplanes.yaml
+++ b/config/crd/bases/kamaji.clastix.io_tenantcontrolplanes.yaml
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -9,8 +9,8 @@ namespace: kamaji-system
 namePrefix: kamaji-

 # Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
+commonLabels:
+  cluster.x-k8s.io/provider: "kamaji-core"

 bases:
 - ../crd
--- a/config/install.yaml
+++ b/config/install.yaml
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -13,4 +13,4 @@ kind: Kustomization
 images:
 - name: controller
  newName: clastix/kamaji
-  newTag: v0.3.0
+  newTag: v1.0.0
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -30,6 +30,7 @@ spec:
        args:
        - manager
        - --leader-elect
+        - --datastore=kamaji-etcd
        env:
          - name: POD_NAMESPACE
            valueFrom:
--- a/config/metadata.yaml
+++ b/config/metadata.yaml
@@ -0,0 +1,10 @@
+# maps release series of major.minor to cluster-api contract version
+# the contract version may change between minor or major versions, but *not*
+# between patch versions.
+#
+# update this file only when a new major or minor version is released
+apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
+releaseSeries:
+  - major: 0
+    minor: 3
+    contract: v1beta1
--- a/config/samples/kamaji_v1alpha1_datastore_nats_bronze.yaml
+++ b/config/samples/kamaji_v1alpha1_datastore_nats_bronze.yaml
@@ -0,0 +1,34 @@
+apiVersion: kamaji.clastix.io/v1alpha1
+kind: DataStore
+metadata:
+  name: nats-bronze
+spec:
+  driver: NATS
+  endpoints:
+    - bronze-nats.nats-system.svc:4222
+  basicAuth:
+    username:
+      content: YWRtaW4=
+    password:
+      secretReference:
+        name: nats-bronze-config
+        namespace: nats-system
+        keyPath: password
+  tlsConfig:
+    certificateAuthority:
+      certificate:
+        secretReference:
+          name: nats-bronze-config
+          namespace: nats-system
+          keyPath: ca.crt
+    clientCertificate:
+      certificate:
+        secretReference:
+          name: nats-bronze-config
+          namespace: nats-system
+          keyPath: server.crt
+      privateKey:
+        secretReference:
+          name: nats-bronze-config
+          namespace: nats-system
+          keyPath: server.key
--- a/config/samples/kamaji_v1alpha1_datastore_nats_gold.yaml
+++ b/config/samples/kamaji_v1alpha1_datastore_nats_gold.yaml
@@ -0,0 +1,34 @@
+apiVersion: kamaji.clastix.io/v1alpha1
+kind: DataStore
+metadata:
+  name: nats-gold
+spec:
+  driver: NATS
+  endpoints:
+    - nats-gold.nats-system.svc:4222
+  basicAuth:
+    username:
+      content: YWRtaW4=
+    password:
+      secretReference:
+        name: nats-gold-config
+        namespace: nats-system
+        keyPath: password
+  tlsConfig:
+    certificateAuthority:
+      certificate:
+        secretReference:
+          name: nats-gold-config
+          namespace: nats-system
+          keyPath: ca.crt
+    clientCertificate:
+      certificate:
+        secretReference:
+          name: nats-gold-config
+          namespace: nats-system
+          keyPath: server.crt
+      privateKey:
+        secretReference:
+          name: nats-gold-config
+          namespace: nats-system
+          keyPath: server.key
--- a/config/samples/kamaji_v1alpha1_datastore_nats_notls.yaml
+++ b/config/samples/kamaji_v1alpha1_datastore_nats_notls.yaml
@@ -0,0 +1,17 @@
+apiVersion: kamaji.clastix.io/v1alpha1
+kind: DataStore
+metadata:
+  name: nats-notls
+spec:
+  driver: NATS
+  endpoints:
+    - notls-nats.nats-system.svc:4222
+  basicAuth:
+    username:
+      content: YWRtaW4=
+    password:
+      secretReference:
+        name: nats-notls-config
+        namespace: nats-system
+        keyPath: password
+
--- a/config/samples/kamaji_v1alpha1_datastore_nats_silver.yaml
+++ b/config/samples/kamaji_v1alpha1_datastore_nats_silver.yaml
@@ -0,0 +1,34 @@
+apiVersion: kamaji.clastix.io/v1alpha1
+kind: DataStore
+metadata:
+  name: nats-silver
+spec:
+  driver: NATS
+  endpoints:
+    - nats-silver.nats-system.svc:4222
+  basicAuth:
+    username:
+      content: YWRtaW4=
+    password:
+      secretReference:
+        name: nats-silver-config
+        namespace: nats-system
+        keyPath: password
+  tlsConfig:
+    certificateAuthority:
+      certificate:
+        secretReference:
+          name: nats-silver-config
+          namespace: nats-system
+          keyPath: ca.crt
+    clientCertificate:
+      certificate:
+        secretReference:
+          name: nats-silver-config
+          namespace: nats-system
+          keyPath: server.crt
+      privateKey:
+        secretReference:
+          name: nats-silver-config
+          namespace: nats-system
+          keyPath: server.key
--- a/config/samples/kamaji_v1alpha1_tenantcontrolplane.yaml
+++ b/config/samples/kamaji_v1alpha1_tenantcontrolplane.yaml
@@ -2,6 +2,8 @@ apiVersion: kamaji.clastix.io/v1alpha1
 kind: TenantControlPlane
 metadata:
  name: k8s-126
+  labels:
+    tenant.clastix.io: k8s-126
 spec:
  controlPlane:
    deployment:
--- a/config/samples/kamaji_v1alpha1_tenantcontrolplane_additionalcontainers.yaml
+++ b/config/samples/kamaji_v1alpha1_tenantcontrolplane_additionalcontainers.yaml
@@ -2,6 +2,8 @@ apiVersion: kamaji.clastix.io/v1alpha1
 kind: TenantControlPlane
 metadata:
  name: additionalcontainers
+  labels:
+    tenant.clastix.io: additionalcontainers
 spec:
  dataStore: postgresql-bronze
  controlPlane:
--- a/config/samples/kamaji_v1alpha1_tenantcontrolplane_additionalvolumes.yaml
+++ b/config/samples/kamaji_v1alpha1_tenantcontrolplane_additionalvolumes.yaml
@@ -2,6 +2,8 @@ apiVersion: kamaji.clastix.io/v1alpha1
 kind: TenantControlPlane
 metadata:
  name: additional-volumes
+  labels:
+    tenant.clastix.io: additional-volumes
 spec:
  controlPlane:
    deployment:
--- a/config/samples/kamaji_v1alpha1_tenantcontrolplane_kine.yaml
+++ b/config/samples/kamaji_v1alpha1_tenantcontrolplane_kine.yaml
@@ -2,6 +2,8 @@ apiVersion: kamaji.clastix.io/v1alpha1
 kind: TenantControlPlane
 metadata:
  name: kine
+  labels:
+    tenant.clastix.io: kine
 spec:
  addons:
    coreDNS: {}
--- a/config/samples/kamaji_v1alpha1_tenantcontrolplane_konnectivity.yaml
+++ b/config/samples/kamaji_v1alpha1_tenantcontrolplane_konnectivity.yaml
@@ -2,6 +2,8 @@ apiVersion: kamaji.clastix.io/v1alpha1
 kind: TenantControlPlane
 metadata:
  name: konnectivity-addon
+  labels:
+    tenant.clastix.io: konnectivity-addon
 spec:
  deployment:
    replicas: 2
--- a/config/webhook/manifests.yaml
+++ b/config/webhook/manifests.yaml
@@ -36,18 +36,20 @@ webhooks:
    service:
      name: webhook-service
      namespace: system
-      path: /validate--v1-secret
+      path: /telemetry
  failurePolicy: Ignore
-  name: vdatastoresecrets.kb.io
+  name: telemetry.kamaji.clastix.io
  rules:
  - apiGroups:
-    - ""
+    - kamaji.clastix.io
    apiVersions:
-    - v1
+    - v1alpha1
    operations:
+    - CREATE
+    - UPDATE
    - DELETE
    resources:
-    - secrets
+    - tenantcontrolplanes
  sideEffects: None
 - admissionReviewVersions:
  - v1
@@ -70,6 +72,25 @@ webhooks:
    resources:
    - datastores
  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate--v1-secret
+  failurePolicy: Ignore
+  name: vdatastoresecrets.kb.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - DELETE
+    resources:
+    - secrets
+  sideEffects: None
 - admissionReviewVersions:
  - v1
  clientConfig:
--- a/controllers/cert_channel.go
+++ b/controllers/cert_channel.go
@@ -0,0 +1,10 @@
+// Copyright 2022 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package controllers
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/event"
+)
+
+type CertificateChannel chan event.GenericEvent
--- a/controllers/certificate_lifecycle_controller.go
+++ b/controllers/certificate_lifecycle_controller.go
@@ -0,0 +1,163 @@
+// Copyright 2022 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package controllers
+
+import (
+	"context"
+	"crypto/x509"
+	"fmt"
+	"time"
+
+	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	clientcmdapiv1 "k8s.io/client-go/tools/clientcmd/api/v1"
+	controllerruntime "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1"
+	"github.com/clastix/kamaji/internal/constants"
+	"github.com/clastix/kamaji/internal/crypto"
+	"github.com/clastix/kamaji/internal/utilities"
+)
+
+type CertificateLifecycle struct {
+	Channel CertificateChannel
+	client  client.Client
+}
+
+func (s *CertificateLifecycle) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
+	logger := log.FromContext(ctx)
+
+	logger.Info("starting CertificateLifecycle handling")
+
+	secret := corev1.Secret{}
+	err := s.client.Get(ctx, request.NamespacedName, &secret)
+	if k8serrors.IsNotFound(err) {
+		logger.Info("resource have been deleted, skipping")
+
+		return reconcile.Result{}, nil
+	}
+	if err != nil {
+		logger.Error(err, "cannot retrieve the required resource")
+
+		return reconcile.Result{}, err
+	}
+
+	checkType, ok := secret.GetLabels()[constants.ControllerLabelResource]
+	if !ok {
+		logger.Info("missing controller label, shouldn't happen")
+
+		return reconcile.Result{}, nil
+	}
+
+	var crt *x509.Certificate
+
+	switch checkType {
+	case "x509":
+		crt, err = s.extractCertificateFromBareSecret(secret)
+	case "kubeconfig":
+		crt, err = s.extractCertificateFromKubeconfig(secret)
+	default:
+		err = fmt.Errorf("unsupported strategy, %s", checkType)
+	}
+
+	if err != nil {
+		logger.Error(err, "skipping reconciliation")
+
+		return reconcile.Result{}, nil
+	}
+
+	deadline := time.Now().AddDate(0, 0, 1)
+
+	if deadline.After(crt.NotAfter) {
+		logger.Info("certificate near expiration, must be rotated")
+
+		s.Channel <- event.GenericEvent{Object: &kamajiv1alpha1.TenantControlPlane{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secret.GetOwnerReferences()[0].Name,
+				Namespace: secret.Namespace,
+			},
+		}}
+
+		logger.Info("certificate rotation triggered")
+
+		return reconcile.Result{}, nil
+	}
+
+	after := crt.NotAfter.Sub(deadline)
+
+	logger.Info("certificate is still valid, enqueuing back", "after", after.String())
+
+	return reconcile.Result{Requeue: true, RequeueAfter: after}, nil
+}
+
+func (s *CertificateLifecycle) extractCertificateFromBareSecret(secret corev1.Secret) (*x509.Certificate, error) {
+	var crt *x509.Certificate
+	var err error
+
+	for _, v := range secret.Data {
+		if crt, err = crypto.ParseCertificateBytes(v); err == nil {
+			break
+		}
+	}
+
+	if crt == nil {
+		return nil, fmt.Errorf("none of the provided keys is containing a valid x509 certificate")
+	}
+
+	return crt, nil
+}
+
+func (s *CertificateLifecycle) extractCertificateFromKubeconfig(secret corev1.Secret) (*x509.Certificate, error) {
+	var kc *clientcmdapiv1.Config
+	var err error
+
+	for k := range secret.Data {
+		if kc, err = utilities.DecodeKubeconfig(secret, k); err == nil {
+			break
+		}
+	}
+
+	if kc == nil {
+		return nil, fmt.Errorf("none of the provided keys is containing a valid kubeconfig")
+	}
+
+	crt, err := crypto.ParseCertificateBytes(kc.AuthInfos[0].AuthInfo.ClientCertificateData)
+	if err != nil {
+		return nil, errors.Wrap(err, "cannot parse kubeconfig certificate bytes")
+	}
+
+	return crt, nil
+}
+
+func (s *CertificateLifecycle) SetupWithManager(mgr controllerruntime.Manager) error {
+	s.client = mgr.GetClient()
+
+	supportedStrategies := sets.New[string]("x509", "kubeconfig")
+
+	return controllerruntime.NewControllerManagedBy(mgr).
+		For(&corev1.Secret{}, builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
+			labels := object.GetLabels()
+
+			if labels == nil {
+				return false
+			}
+
+			value, ok := labels[constants.ControllerLabelResource]
+			if !ok {
+				return false
+			}
+
+			return supportedStrategies.Has(value)
+		}))).
+		Complete(s)
+}
--- a/controllers/datastore_controller.go
+++ b/controllers/datastore_controller.go
@@ -19,13 +19,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"sigs.k8s.io/controller-runtime/pkg/source"

 	kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1"
 )

 type DataStore struct {
-	client client.Client
+	Client client.Client
 	// TenantControlPlaneTrigger is the channel used to communicate across the controllers:
 	// if a Data Source is updated we have to be sure that the reconciliation of the certificates content
 	// for each Tenant Control Plane is put in place properly.
@@ -39,19 +38,21 @@ func (r *DataStore) Reconcile(ctx context.Context, request reconcile.Request) (r
 	log := log.FromContext(ctx)

 	ds := &kamajiv1alpha1.DataStore{}
-	if err := r.client.Get(ctx, request.NamespacedName, ds); err != nil {
-		if k8serrors.IsNotFound(err) {
-			return reconcile.Result{}, nil
-		}
+	err := r.Client.Get(ctx, request.NamespacedName, ds)
+	if k8serrors.IsNotFound(err) {
+		log.Info("resource have been deleted, skipping")

-		log.Error(err, "unable to retrieve the request")
+		return reconcile.Result{}, nil
+	}
+	if err != nil {
+		log.Error(err, "cannot retrieve the required resource")

 		return reconcile.Result{}, err
 	}

 	tcpList := kamajiv1alpha1.TenantControlPlaneList{}

-	if err := r.client.List(ctx, &tcpList, client.MatchingFieldsSelector{
+	if err := r.Client.List(ctx, &tcpList, client.MatchingFieldsSelector{
 		Selector: fields.OneTermEqualSelector(kamajiv1alpha1.TenantControlPlaneUsedDataStoreKey, ds.GetName()),
 	}); err != nil {
 		log.Error(err, "cannot retrieve list of the Tenant Control Plane using the following instance")
@@ -66,7 +67,7 @@ func (r *DataStore) Reconcile(ctx context.Context, request reconcile.Request) (r

 	ds.Status.UsedBy = tcpSets.List()

-	if err := r.client.Status().Update(ctx, ds); err != nil {
+	if err := r.Client.Status().Update(ctx, ds); err != nil {
 		log.Error(err, "cannot update the status for the given instance")

 		return reconcile.Result{}, err
@@ -81,12 +82,6 @@ func (r *DataStore) Reconcile(ctx context.Context, request reconcile.Request) (r
 	return reconcile.Result{}, nil
 }

-func (r *DataStore) InjectClient(client client.Client) error {
-	r.client = client
-
-	return nil
-}
-
 func (r *DataStore) SetupWithManager(mgr controllerruntime.Manager) error {
 	enqueueFn := func(tcp *kamajiv1alpha1.TenantControlPlane, limitingInterface workqueue.RateLimitingInterface) {
 		if dataStoreName := tcp.Status.Storage.DataStoreName; len(dataStoreName) > 0 {
@@ -102,15 +97,15 @@ func (r *DataStore) SetupWithManager(mgr controllerruntime.Manager) error {
 		For(&kamajiv1alpha1.DataStore{}, builder.WithPredicates(
 			predicate.ResourceVersionChangedPredicate{},
 		)).
-		Watches(&source.Kind{Type: &kamajiv1alpha1.TenantControlPlane{}}, handler.Funcs{
-			CreateFunc: func(createEvent event.CreateEvent, limitingInterface workqueue.RateLimitingInterface) {
+		Watches(&kamajiv1alpha1.TenantControlPlane{}, handler.Funcs{
+			CreateFunc: func(_ context.Context, createEvent event.CreateEvent, limitingInterface workqueue.RateLimitingInterface) {
 				enqueueFn(createEvent.Object.(*kamajiv1alpha1.TenantControlPlane), limitingInterface)
 			},
-			UpdateFunc: func(updateEvent event.UpdateEvent, limitingInterface workqueue.RateLimitingInterface) {
+			UpdateFunc: func(_ context.Context, updateEvent event.UpdateEvent, limitingInterface workqueue.RateLimitingInterface) {
 				enqueueFn(updateEvent.ObjectOld.(*kamajiv1alpha1.TenantControlPlane), limitingInterface)
 				enqueueFn(updateEvent.ObjectNew.(*kamajiv1alpha1.TenantControlPlane), limitingInterface)
 			},
-			DeleteFunc: func(deleteEvent event.DeleteEvent, limitingInterface workqueue.RateLimitingInterface) {
+			DeleteFunc: func(_ context.Context, deleteEvent event.DeleteEvent, limitingInterface workqueue.RateLimitingInterface) {
 				enqueueFn(deleteEvent.Object.(*kamajiv1alpha1.TenantControlPlane), limitingInterface)
 			},
 		}).
--- a/controllers/finalizers/tcp.go
+++ b/controllers/finalizers/tcp.go
@@ -5,6 +5,7 @@ package finalizers

 const (
 	// DatastoreFinalizer is using a wrong name, since it's related to the underlying datastore.
-	DatastoreFinalizer = "finalizer.kamaji.clastix.io"
-	SootFinalizer      = "finalizer.kamaji.clastix.io/soot"
+	DatastoreFinalizer       = "finalizer.kamaji.clastix.io"
+	DatastoreSecretFinalizer = "finalizer.kamaji.clastix.io/datastore-secret"
+	SootFinalizer            = "finalizer.kamaji.clastix.io/soot"
 )
--- a/controllers/resources.go
+++ b/controllers/resources.go
@@ -40,6 +40,7 @@ type GroupDeletableResourceBuilderConfiguration struct {
 	tcpReconcilerConfig TenantControlPlaneReconcilerConfig
 	tenantControlPlane  kamajiv1alpha1.TenantControlPlane
 	connection          datastore.Connection
+	dataStore           kamajiv1alpha1.DataStore
 }

 // GetResources returns a list of resources that will be used to provide tenant control planes
@@ -60,6 +61,11 @@ func GetDeletableResources(tcp *kamajiv1alpha1.TenantControlPlane, config GroupD
 			Client:     config.client,
 			Connection: config.connection,
 		})
+		res = append(res, &ds.Config{
+			Client:     config.client,
+			ConnString: config.connection.GetConnectionString(),
+			DataStore:  config.dataStore,
+		})
 	}

 	return res
@@ -176,6 +182,12 @@ func getKubeconfigResources(c client.Client, tcpReconcilerConfig TenantControlPl
 			KubeConfigFileName: resources.AdminKubeConfigFileName,
 			TmpDirectory:       getTmpDirectory(tcpReconcilerConfig.TmpBaseDirectory, tenantControlPlane),
 		},
+		&resources.KubeconfigResource{
+			Name:               "admin-kubeconfig",
+			Client:             c,
+			KubeConfigFileName: resources.SuperAdminKubeConfigFileName,
+			TmpDirectory:       getTmpDirectory(tcpReconcilerConfig.TmpBaseDirectory, tenantControlPlane),
+		},
 		&resources.KubeconfigResource{
 			Name:               "controller-manager-kubeconfig",
 			Client:             c,
@@ -193,6 +205,9 @@ func getKubeconfigResources(c client.Client, tcpReconcilerConfig TenantControlPl

 func getKubernetesStorageResources(c client.Client, dbConnection datastore.Connection, datastore kamajiv1alpha1.DataStore) []resources.Resource {
 	return []resources.Resource{
+		&ds.MultiTenancy{
+			DataStore: datastore,
+		},
 		&ds.Config{
 			Client:     c,
 			ConnString: dbConnection.GetConnectionString(),
--- a/controllers/soot/controllers/coredns.go
+++ b/controllers/soot/controllers/coredns.go
@@ -35,7 +35,7 @@ type CoreDNS struct {
 	TriggerChannel            chan event.GenericEvent
 }

-func (c *CoreDNS) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
+func (c *CoreDNS) Reconcile(ctx context.Context, _ reconcile.Request) (reconcile.Result, error) {
 	tcp, err := c.GetTenantControlPlaneFunc()
 	if err != nil {
 		c.logger.Error(err, "cannot retrieve TenantControlPlane")
@@ -79,7 +79,7 @@ func (c *CoreDNS) SetupWithManager(mgr manager.Manager) error {
 		For(&rbacv1.ClusterRoleBinding{}, builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
 			return object.GetName() == kubeadm.CoreDNSClusterRoleBindingName
 		}))).
-		Watches(&source.Channel{Source: c.TriggerChannel}, &handler.EnqueueRequestForObject{}).
+		WatchesRawSource(source.Channel(c.TriggerChannel, &handler.EnqueueRequestForObject{})).
 		Owns(&rbacv1.ClusterRole{}).
 		Owns(&corev1.ServiceAccount{}).
 		Owns(&corev1.Service{}).
--- a/controllers/soot/controllers/konnectivity.go
+++ b/controllers/soot/controllers/konnectivity.go
@@ -80,7 +80,7 @@ func (k *KonnectivityAgent) SetupWithManager(mgr manager.Manager) error {
 		For(&appsv1.DaemonSet{}, builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
 			return object.GetName() == konnectivity.AgentName && object.GetNamespace() == konnectivity.AgentNamespace
 		}))).
-		Watches(&source.Kind{Type: &corev1.ServiceAccount{}}, handler.EnqueueRequestsFromMapFunc(func(object client.Object) []reconcile.Request {
+		Watches(&corev1.ServiceAccount{}, handler.EnqueueRequestsFromMapFunc(func(_ context.Context, object client.Object) []reconcile.Request {
 			if object.GetName() == konnectivity.AgentName && object.GetNamespace() == konnectivity.AgentNamespace {
 				return []reconcile.Request{
 					{
@@ -94,7 +94,7 @@ func (k *KonnectivityAgent) SetupWithManager(mgr manager.Manager) error {

 			return nil
 		})).
-		Watches(&source.Kind{Type: &v1.ClusterRoleBinding{}}, handler.EnqueueRequestsFromMapFunc(func(object client.Object) []reconcile.Request {
+		Watches(&v1.ClusterRoleBinding{}, handler.EnqueueRequestsFromMapFunc(func(_ context.Context, object client.Object) []reconcile.Request {
 			if object.GetName() == konnectivity.CertCommonName {
 				return []reconcile.Request{
 					{
@@ -107,6 +107,6 @@ func (k *KonnectivityAgent) SetupWithManager(mgr manager.Manager) error {

 			return nil
 		})).
-		Watches(&source.Channel{Source: k.TriggerChannel}, &handler.EnqueueRequestForObject{}).
+		WatchesRawSource(source.Channel(k.TriggerChannel, &handler.EnqueueRequestForObject{})).
 		Complete(k)
 }
--- a/controllers/soot/controllers/kubeadm_phase.go
+++ b/controllers/soot/controllers/kubeadm_phase.go
@@ -67,6 +67,6 @@ func (k *KubeadmPhase) SetupWithManager(mgr manager.Manager) error {

 	return controllerruntime.NewControllerManagedBy(mgr).
 		For(k.Phase.GetWatchedObject(), builder.WithPredicates(predicate.NewPredicateFuncs(k.Phase.GetPredicateFunc()))).
-		Watches(&source.Channel{Source: k.TriggerChannel}, &handler.EnqueueRequestForObject{}).
+		WatchesRawSource(source.Channel(k.TriggerChannel, &handler.EnqueueRequestForObject{})).
 		Complete(k)
 }
--- a/controllers/soot/controllers/kubeproxy.go
+++ b/controllers/soot/controllers/kubeproxy.go
@@ -79,7 +79,7 @@ func (k *KubeProxy) SetupWithManager(mgr manager.Manager) error {
 		For(&rbacv1.ClusterRoleBinding{}, builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
 			return object.GetName() == kubeadm.KubeProxyClusterRoleBindingName
 		}))).
-		Watches(&source.Channel{Source: k.TriggerChannel}, &handler.EnqueueRequestForObject{}).
+		WatchesRawSource(source.Channel(k.TriggerChannel, &handler.EnqueueRequestForObject{})).
 		Owns(&corev1.ServiceAccount{}).
 		Owns(&rbacv1.Role{}).
 		Owns(&rbacv1.RoleBinding{}).
--- a/controllers/soot/controllers/migrate.go
+++ b/controllers/soot/controllers/migrate.go
@@ -11,7 +11,7 @@ import (
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/utils/pointer"
+	pointer "k8s.io/utils/ptr"
 	controllerruntime "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -84,7 +84,7 @@ func (m *Migrate) createOrUpdate(ctx context.Context) error {
 			{
 				Name: "leases.migrate.kamaji.clastix.io",
 				ClientConfig: admissionregistrationv1.WebhookClientConfig{
-					URL:      pointer.String(fmt.Sprintf("https://%s.%s.svc:443/migrate", m.WebhookServiceName, m.WebhookNamespace)),
+					URL:      pointer.To(fmt.Sprintf("https://%s.%s.svc:443/migrate", m.WebhookServiceName, m.WebhookNamespace)),
 					CABundle: m.WebhookCABundle,
 				},
 				Rules: []admissionregistrationv1.RuleWithOperations{
@@ -128,7 +128,7 @@ func (m *Migrate) createOrUpdate(ctx context.Context) error {
 			{
 				Name: "catchall.migrate.kamaji.clastix.io",
 				ClientConfig: admissionregistrationv1.WebhookClientConfig{
-					URL:      pointer.String(fmt.Sprintf("https://%s.%s.svc:443/migrate", m.WebhookServiceName, m.WebhookNamespace)),
+					URL:      pointer.To(fmt.Sprintf("https://%s.%s.svc:443/migrate", m.WebhookServiceName, m.WebhookNamespace)),
 					CABundle: m.WebhookCABundle,
 				},
 				Rules: []admissionregistrationv1.RuleWithOperations{
@@ -187,7 +187,7 @@ func (m *Migrate) SetupWithManager(mgr manager.Manager) error {

 			return object.GetName() == vwc.GetName()
 		}))).
-		Watches(&source.Channel{Source: m.TriggerChannel}, &handler.EnqueueRequestForObject{}).
+		WatchesRawSource(source.Channel(m.TriggerChannel, &handler.EnqueueRequestForObject{})).
 		Complete(m)
 }

--- a/controllers/soot/manager.go
+++ b/controllers/soot/manager.go
@@ -12,13 +12,13 @@ import (
 	"k8s.io/client-go/util/retry"
 	controllerruntime "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
-	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
@@ -175,10 +175,12 @@ func (m *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res
 	}()

 	mgr, err := controllerruntime.NewManager(tcpRest, controllerruntime.Options{
-		Logger:             log.Log.WithName(fmt.Sprintf("soot_%s_%s", tcp.GetNamespace(), tcp.GetName())),
-		Scheme:             m.client.Scheme(),
-		MetricsBindAddress: "0",
-		NewClient: func(cache cache.Cache, config *rest.Config, options client.Options, uncachedObjects ...client.Object) (client.Client, error) {
+		Logger: log.Log.WithName(fmt.Sprintf("soot_%s_%s", tcp.GetNamespace(), tcp.GetName())),
+		Scheme: m.client.Scheme(),
+		Metrics: metricsserver.Options{
+			BindAddress: "0",
+		},
+		NewClient: func(config *rest.Config, options client.Options) (client.Client, error) {
 			return client.New(config, client.Options{
 				Scheme: m.client.Scheme(),
 			})
@@ -256,6 +258,17 @@ func (m *Manager) Reconcile(ctx context.Context, request reconcile.Request) (res
 	if err = bootstrapToken.SetupWithManager(mgr); err != nil {
 		return reconcile.Result{}, err
 	}
+
+	kubeadmRbac := &controllers.KubeadmPhase{
+		GetTenantControlPlaneFunc: m.retrieveTenantControlPlane(tcpCtx, request),
+		Phase: &resources.KubeadmPhase{
+			Client: m.AdminClient,
+			Phase:  resources.PhaseClusterAdminRBAC,
+		},
+	}
+	if err = kubeadmRbac.SetupWithManager(mgr); err != nil {
+		return reconcile.Result{}, err
+	}
 	// Starting the manager
 	go func() {
 		if err = mgr.Start(tcpCtx); err != nil {
@@ -289,7 +302,7 @@ func (m *Manager) SetupWithManager(mgr manager.Manager) error {
 	m.sootMap = make(map[string]sootItem)

 	return controllerruntime.NewControllerManagedBy(mgr).
-		Watches(&source.Channel{Source: m.sootManagerErrChan}, &handler.EnqueueRequestForObject{}).
+		WatchesRawSource(source.Channel(m.sootManagerErrChan, &handler.EnqueueRequestForObject{})).
 		For(&kamajiv1alpha1.TenantControlPlane{}, builder.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool {
 			obj := object.(*kamajiv1alpha1.TenantControlPlane) //nolint:forcetypeassert
 			// status is required to understand if we have to start or stop the soot manager
--- a/controllers/telemetry_controller.go
+++ b/controllers/telemetry_controller.go
@@ -0,0 +1,120 @@
+// Copyright 2022 Clastix Labs
+// SPDX-License-Identifier: Apache-2.0
+
+package controllers
+
+import (
+	"context"
+	"time"
+
+	"github.com/clastix/kamaji-telemetry/api"
+	telemetry "github.com/clastix/kamaji-telemetry/pkg/client"
+	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1"
+)
+
+type TelemetryController struct {
+	Client                  client.Client
+	TelemetryClient         telemetry.Client
+	LeaderElectionNamespace string
+	LeaderElectionID        string
+	KamajiVersion           string
+	KubernetesVersion       string
+}
+
+func (m *TelemetryController) retrieveControllerUID(ctx context.Context) (string, error) {
+	var defaultSvc corev1.Service
+	if err := m.Client.Get(ctx, types.NamespacedName{Name: "kubernetes", Namespace: "default"}, &defaultSvc); err != nil {
+		return "", errors.Wrap(err, "cannot start the telemetry controller")
+	}
+
+	return string(defaultSvc.UID), nil
+}
+
+func (m *TelemetryController) Start(ctx context.Context) error {
+	logger := log.FromContext(ctx)
+
+	ticker := time.NewTicker(5 * time.Minute)
+	defer ticker.Stop()
+
+	uid, err := m.retrieveControllerUID(ctx)
+	if err != nil {
+		logger.Error(err, "cannot retrieve controller UID")
+
+		return err
+	}
+	// First run to avoid waiting 5 minutes
+	go m.collectStats(ctx, uid)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-ticker.C:
+			go m.collectStats(ctx, uid)
+		}
+	}
+}
+
+func (m *TelemetryController) collectStats(ctx context.Context, uid string) {
+	logger := log.FromContext(ctx)
+
+	stats := api.Stats{
+		UUID:                uid,
+		KamajiVersion:       m.KamajiVersion,
+		KubernetesVersion:   m.KubernetesVersion,
+		TenantControlPlanes: api.TenantControlPlane{},
+		Datastores:          api.Datastores{},
+	}
+
+	var tcpList kamajiv1alpha1.TenantControlPlaneList
+	if err := m.Client.List(ctx, &tcpList); err != nil {
+		logger.Error(err, "cannot list TenantControlPlane")
+
+		return
+	}
+
+	for _, tcp := range tcpList.Items {
+		switch {
+		case tcp.Spec.ControlPlane.Deployment.Replicas == nil || *tcp.Spec.ControlPlane.Deployment.Replicas == 0:
+			stats.TenantControlPlanes.Sleeping++
+		case tcp.Status.Kubernetes.Version.Status != nil && *tcp.Status.Kubernetes.Version.Status == kamajiv1alpha1.VersionNotReady:
+			stats.TenantControlPlanes.NotReady++
+		case tcp.Status.Kubernetes.Version.Status != nil && *tcp.Status.Kubernetes.Version.Status == kamajiv1alpha1.VersionUpgrading:
+			stats.TenantControlPlanes.Upgrading++
+		default:
+			stats.TenantControlPlanes.Running++
+		}
+	}
+
+	var datastoreList kamajiv1alpha1.DataStoreList
+	if err := m.Client.List(ctx, &datastoreList); err != nil {
+		logger.Error(err, "cannot list DataStores")
+
+		return
+	}
+
+	for _, ds := range datastoreList.Items {
+		switch ds.Spec.Driver {
+		case kamajiv1alpha1.EtcdDriver:
+			stats.Datastores.Etcd.ShardCount++
+			stats.Datastores.Etcd.UsedByCount += len(ds.Status.UsedBy)
+		case kamajiv1alpha1.KinePostgreSQLDriver:
+			stats.Datastores.PostgreSQL.ShardCount++
+			stats.Datastores.PostgreSQL.UsedByCount += len(ds.Status.UsedBy)
+		case kamajiv1alpha1.KineMySQLDriver:
+			stats.Datastores.MySQL.ShardCount++
+			stats.Datastores.MySQL.UsedByCount += len(ds.Status.UsedBy)
+		case kamajiv1alpha1.KineNatsDriver:
+			stats.Datastores.NATS.ShardCount++
+			stats.Datastores.NATS.UsedByCount += len(ds.Status.UsedBy)
+		}
+	}
+
+	m.TelemetryClient.PushStats(ctx, stats)
+}
--- a/controllers/tenantcontrolplane_controller.go
+++ b/controllers/tenantcontrolplane_controller.go
@@ -15,7 +15,7 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
-	apimachineryerrors "k8s.io/apimachinery/pkg/api/errors"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/utils/clock"
@@ -50,12 +50,17 @@ type TenantControlPlaneReconciler struct {
 	KamajiService           string
 	KamajiMigrateImage      string
 	MaxConcurrentReconciles int
+	// CertificateChan is the channel used by the CertificateLifecycleController that is checking for
+	// certificates and kubeconfig user certs validity: a generic event for the given TCP will be triggered
+	// once the validity threshold for the given certificate is reached.
+	CertificateChan CertificateChannel

 	clock mutex.Clock
 }

 // TenantControlPlaneReconcilerConfig gives the necessary configuration for TenantControlPlaneReconciler.
 type TenantControlPlaneReconcilerConfig struct {
+	ReconcileTimeout     time.Duration
 	DefaultDataStoreName string
 	KineContainerImage   string
 	TmpBaseDirectory     string
@@ -74,17 +79,20 @@ type TenantControlPlaneReconcilerConfig struct {
 func (r *TenantControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := log.FromContext(ctx)

+	var cancelFn context.CancelFunc
+	ctx, cancelFn = context.WithTimeout(ctx, r.Config.ReconcileTimeout)
+	defer cancelFn()
+
 	tenantControlPlane, err := r.getTenantControlPlane(ctx, req.NamespacedName)()
+	if k8serrors.IsNotFound(err) {
+		log.Info("resource have been deleted, skipping")
+
+		return reconcile.Result{}, nil
+	}
 	if err != nil {
-		if apimachineryerrors.IsNotFound(err) {
-			log.Info("resource may have been deleted, skipping")
+		log.Error(err, "cannot retrieve the required resource")

-			return ctrl.Result{}, nil
-		}
-
-		log.Error(err, "cannot retrieve the required instance")
-
-		return ctrl.Result{}, err
+		return reconcile.Result{}, err
 	}

 	releaser, err := mutex.Acquire(r.mutexSpec(tenantControlPlane))
@@ -136,6 +144,7 @@ func (r *TenantControlPlaneReconciler) Reconcile(ctx context.Context, req ctrl.R
 			tcpReconcilerConfig: r.Config,
 			tenantControlPlane:  *tenantControlPlane,
 			connection:          dsConnection,
+			dataStore:           *ds,
 		}

 		for _, resource := range GetDeletableResources(tenantControlPlane, groupDeletableResourceBuilderConfiguration) {
@@ -218,21 +227,29 @@ func (r *TenantControlPlaneReconciler) SetupWithManager(mgr ctrl.Manager) error
 	r.clock = clock.RealClock{}

 	return ctrl.NewControllerManagedBy(mgr).
-		Watches(&source.Channel{Source: r.TriggerChan}, handler.Funcs{GenericFunc: func(genericEvent event.GenericEvent, limitingInterface workqueue.RateLimitingInterface) {
+		WatchesRawSource(source.Channel(r.CertificateChan, handler.Funcs{GenericFunc: func(_ context.Context, genericEvent event.GenericEvent, limitingInterface workqueue.RateLimitingInterface) {
 			limitingInterface.AddRateLimited(ctrl.Request{
 				NamespacedName: k8stypes.NamespacedName{
 					Namespace: genericEvent.Object.GetNamespace(),
 					Name:      genericEvent.Object.GetName(),
 				},
 			})
-		}}).
+		}})).
+		WatchesRawSource(source.Channel(r.TriggerChan, handler.Funcs{GenericFunc: func(_ context.Context, genericEvent event.GenericEvent, limitingInterface workqueue.RateLimitingInterface) {
+			limitingInterface.AddRateLimited(ctrl.Request{
+				NamespacedName: k8stypes.NamespacedName{
+					Namespace: genericEvent.Object.GetNamespace(),
+					Name:      genericEvent.Object.GetName(),
+				},
+			})
+		}})).
 		For(&kamajiv1alpha1.TenantControlPlane{}).
 		Owns(&corev1.Secret{}).
 		Owns(&corev1.ConfigMap{}).
 		Owns(&appsv1.Deployment{}).
 		Owns(&corev1.Service{}).
 		Owns(&networkingv1.Ingress{}).
-		Watches(&source.Kind{Type: &batchv1.Job{}}, handler.EnqueueRequestsFromMapFunc(func(object client.Object) []reconcile.Request {
+		Watches(&batchv1.Job{}, handler.EnqueueRequestsFromMapFunc(func(_ context.Context, object client.Object) []reconcile.Request {
 			labels := object.GetLabels()

 			name, namespace := labels["tcp.kamaji.clastix.io/name"], labels["tcp.kamaji.clastix.io/namespace"]
--- a/deploy/kind/kind-kamaji.yaml
+++ b/deploy/kind/kind-kamaji.yaml
@@ -26,7 +26,7 @@ nodes:
    ## expose port 31132 of the node to port 31132 on the host for konnectivity
  - containerPort: 31132
    hostPort: 31132
-    protocol: TCP   
+    protocol: TCP
    ## expose port 31443 of the node to port 31443 on the host
  - containerPort: 31443
    hostPort: 31443
--- a/deploy/kine/mysql/certs/bronze/server-csr.json
+++ b/deploy/kine/mysql/certs/bronze/server-csr.json
@@ -1,14 +0,0 @@
-{
-  "CN": "bronze.mysql-system.svc.cluster.local",
-  "key": {
-    "algo": "rsa",
-    "size": 2048
-  },
-  "hosts": [
-    "127.0.0.1",
-    "localhost",
-    "bronze",
-    "bronze.mysql-system.svc",
-    "bronze.mysql-system.svc.cluster.local"
-  ]
-}
--- a/deploy/kine/nats/Makefile
+++ b/deploy/kine/nats/Makefile
@@ -0,0 +1,40 @@
+ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+NAME:=default
+NAMESPACE:=nats-system
+
+.PHONY: helm
+HELM = $(shell pwd)/../../../bin/helm
+helm: ## Download helm locally if necessary.
+	$(call go-install-tool,$(HELM),helm.sh/helm/v3/cmd/helm@v3.9.0)
+
+nats: nats-certificates nats-secret nats-deployment
+
+nats-certificates:
+	rm -rf $(ROOT_DIR)/certs/$(NAME) && mkdir -p $(ROOT_DIR)/certs/$(NAME)
+	cfssl gencert -initca $(ROOT_DIR)/ca-csr.json | cfssljson -bare $(ROOT_DIR)/certs/$(NAME)/ca
+	@mv $(ROOT_DIR)/certs/$(NAME)/ca.pem $(ROOT_DIR)/certs/$(NAME)/ca.crt
+	@mv $(ROOT_DIR)/certs/$(NAME)/ca-key.pem $(ROOT_DIR)/certs/$(NAME)/ca.key
+	@NAME=$(NAME) NAMESPACE=$(NAMESPACE) envsubst < server-csr.json > $(ROOT_DIR)/certs/$(NAME)/server-csr.json
+	cfssl gencert -ca=$(ROOT_DIR)/certs/$(NAME)/ca.crt -ca-key=$(ROOT_DIR)/certs/$(NAME)/ca.key \
+		-config=$(ROOT_DIR)/config.json -profile=server \
+		$(ROOT_DIR)/certs/$(NAME)/server-csr.json | cfssljson -bare $(ROOT_DIR)/certs/$(NAME)/server
+	@mv $(ROOT_DIR)/certs/$(NAME)/server.pem $(ROOT_DIR)/certs/$(NAME)/server.crt
+	@mv $(ROOT_DIR)/certs/$(NAME)/server-key.pem $(ROOT_DIR)/certs/$(NAME)/server.key
+	chmod 644 $(ROOT_DIR)/certs/$(NAME)/*
+
+nats-secret:
+	@kubectl create namespace $(NAMESPACE) || true
+	@kubectl -n $(NAMESPACE) create secret generic nats-$(NAME)-config \
+		--from-file=$(ROOT_DIR)/certs/$(NAME)/ca.crt --from-file=$(ROOT_DIR)/certs/$(NAME)/ca.key \
+		--from-file=$(ROOT_DIR)/certs/$(NAME)/server.key --from-file=$(ROOT_DIR)/certs/$(NAME)/server.crt \
+		--from-literal=password=password \
+		--dry-run=client -o yaml | kubectl apply -f -
+
+nats-deployment:
+	@VALUES_FILE=$(if $(findstring notls,$(NAME)),values-notls.yaml,values.yaml); \
+	NAME=$(NAME) envsubst < $(ROOT_DIR)/$$VALUES_FILE | $(HELM) upgrade --install $(NAME) nats/nats --create-namespace -n nats-system -f -
+
+
+nats-destroy:
+	@NAME=$(NAME) envsubst < $(ROOT_DIR)/nats.yaml | kubectl -n $(NAMESPACE) delete --ignore-not-found -f -
+	@kubectl delete -n $(NAMESPACE) secret mysql-$(NAME)config --ignore-not-found
--- a/deploy/kine/nats/ca-csr.json
+++ b/deploy/kine/nats/ca-csr.json
@@ -0,0 +1,18 @@
+{
+  "CN": "Clastix CA",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "IT",
+      "ST": "Italy",
+      "L": "Milan"
+    }
+  ],
+  "hosts": [
+    "127.0.0.1",
+    "localhost"
+  ]
+}
--- a/deploy/kine/nats/config.json
+++ b/deploy/kine/nats/config.json
@@ -0,0 +1,18 @@
+{
+  "signing": {
+      "default": {
+          "expiry": "8760h"
+      },
+      "profiles": {
+          "server": {
+              "expiry": "8760h",
+              "usages": [
+                  "signing",
+                  "key encipherment",
+                  "server auth",
+                  "client auth"
+              ]
+          }
+      }
+  }
+}
--- a/deploy/kine/nats/server-csr.json
+++ b/deploy/kine/nats/server-csr.json
@@ -0,0 +1,14 @@
+{
+  "CN": "$NAME.$NAMESPACE.svc.cluster.local",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "hosts": [
+    "127.0.0.1",
+    "localhost",
+    "$NAME-nats",
+    "$NAME-nats.$NAMESPACE.svc",
+    "$NAME-nats.$NAMESPACE.svc.cluster.local"
+  ]
+}
--- a/deploy/kine/nats/values-notls.yaml
+++ b/deploy/kine/nats/values-notls.yaml
@@ -0,0 +1,14 @@
+config:
+  merge:
+    accounts:
+      private:
+        jetstream: enabled
+        users:
+        - {user: admin, password: "password", permissions: {subscribe: [">"], publish: [">"]}}
+  cluster:
+    enabled: no
+  jetstream:
+    enabled: true
+    fileStore:
+      pvc:
+        size: 32Mi
--- a/deploy/kine/nats/values.yaml
+++ b/deploy/kine/nats/values.yaml
@@ -0,0 +1,20 @@
+config:
+  merge:
+    accounts:
+      private:
+        jetstream: enabled
+        users:
+        - {user: admin, password: "password", permissions: {subscribe: [">"], publish: [">"]}}
+  cluster:
+    enabled: no
+  nats:
+    tls:
+      enabled: true
+      secretName: nats-$NAME-config
+      cert: server.crt
+      key: server.key
+  jetstream:
+    enabled: true
+    fileStore:
+      pvc:
+        size: 32Mi
--- a/deploy/nodes-prerequisites.sh
+++ b/deploy/nodes-prerequisites.sh
@@ -1,47 +0,0 @@
-#!/usr/bin/env bash
-
-KUBERNETES_VERSION=$1; shift
-HOSTS=("$@")
-
-# Install `containerd` as container runtime.
-cat << EOF | tee containerd.conf
-overlay
-br_netfilter
-EOF
-
-cat << EOF | tee 99-kubernetes-cri.conf
-net.bridge.bridge-nf-call-iptables  = 1
-net.ipv4.ip_forward                 = 1
-net.bridge.bridge-nf-call-ip6tables = 1
-EOF
-
-for i in "${!HOSTS[@]}"; do
-  HOST=${HOSTS[$i]}
-  ssh ${USER}@${HOST} -t 'sudo apt update && sudo apt install -y containerd'
-  ssh ${USER}@${HOST} -t 'sudo mkdir -p /etc/containerd'
-  ssh ${USER}@${HOST} -t 'containerd config default | sed -e "s#SystemdCgroup = false#SystemdCgroup = true#g" | sudo tee -a /etc/containerd/config.toml'
-  ssh ${USER}@${HOST} -t 'sudo systemctl restart containerd && sudo systemctl enable containerd'
-  scp containerd.conf ${USER}@${HOST}:
-  ssh ${USER}@${HOST} -t 'sudo chown -R root:root containerd.conf && sudo mv containerd.conf /etc/modules-load.d/containerd.conf'
-  ssh ${USER}@${HOST} -t 'sudo modprobe overlay && sudo modprobe br_netfilter'
-  scp 99-kubernetes-cri.conf ${USER}@${HOST}:
-  ssh ${USER}@${HOST} -t 'sudo chown -R root:root 99-kubernetes-cri.conf && sudo mv 99-kubernetes-cri.conf /etc/sysctl.d/99-kubernetes-cri.conf'
-  ssh ${USER}@${HOST} -t 'sudo sysctl --system'
-done
-
-rm -f containerd.conf 99-kubernetes-cri.conf 
-
-# Install `kubectl`, `kubelet`, and `kubeadm` in the desired version.
-
-INSTALL_KUBERNETES="sudo apt install -y kubelet=${KUBERNETES_VERSION}-00 kubeadm=${KUBERNETES_VERSION}-00 kubectl=${KUBERNETES_VERSION}-00 --allow-downgrades --allow-change-held-packages"
-
-for i in "${!HOSTS[@]}"; do
-  HOST=${HOSTS[$i]}
-  ssh ${USER}@${HOST} -t 'sudo apt update'
-  ssh ${USER}@${HOST} -t 'sudo apt install -y apt-transport-https ca-certificates curl'
-  ssh ${USER}@${HOST} -t 'sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg'
-  ssh ${USER}@${HOST} -t 'echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list'
-  ssh ${USER}@${HOST} -t 'sudo apt update'
-  ssh ${USER}@${HOST} -t ${INSTALL_KUBERNETES}
-  ssh ${USER}@${HOST} -t 'sudo apt-mark hold kubelet kubeadm kubectl'
-done
--- a/deploy/tenant-cloudinit.yaml
+++ b/deploy/tenant-cloudinit.yaml
@@ -1,32 +0,0 @@
-#cloud-config
-package_upgrade: true
-packages:
-  - containerd
-  - apt-transport-https
-  - ca-certificates
-  - curl
-write_files:
-  - owner: root:root
-    path: /etc/modules-load.d/containerd.conf
-    content: |
-      overlay
-      br_netfilter
-  - owner: root:root
-    path: /etc/sysctl.d/99-kubernetes-cri.conf
-    content: |
-      net.bridge.bridge-nf-call-iptables  = 1
-      net.ipv4.ip_forward                 = 1
-      net.bridge.bridge-nf-call-ip6tables = 1
-runcmd:
-  - sudo modprobe overlay
-  - sudo modprobe br_netfilter
-  - sudo sysctl --system
-  - sudo mkdir -p /etc/containerd
-  - containerd config default | sed -e 's#SystemdCgroup = false#SystemdCgroup = true#g' | sudo tee -a /etc/containerd/config.toml
-  - sudo systemctl restart containerd
-  - sudo systemctl enable containerd
-  - sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
-  - echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
-  - sudo apt update
-  - sudo apt install -y kubelet=1.25.0-00 kubeadm=1.25.0-00 kubectl=1.25.0-00
-  - sudo apt-mark hold kubelet kubeadm kubectl containerd
--- a/docs/content/concepts.md
+++ b/docs/content/concepts.md
@@ -1,37 +1,41 @@
 # Concepts

-Kamaji is a Kubernetes Operator. It turns any Kubernetes cluster into an _“admin cluster”_ to orchestrate other Kubernetes clusters called _“tenant clusters”_.
+**Kamaji** is a **Kubernetes Control Plane Manager**. It operates Kubernetes at scale with a fraction of the operational burden. Kamaji turns any Kubernetes cluster into a _“Management Cluster”_ to orchestrate other Kubernetes clusters called _“Tenant Clusters”_.

 These are requirements of the design behind Kamaji:

- Communication between the _“admin cluster”_ and a _“tenant cluster”_ is unidirectional. The _“admin cluster”_ manages a _“tenant cluster”_, but a _“tenant cluster”_ has no awareness of the _“admin cluster”_.
- Communication between different _“tenant clusters”_ is not allowed.
+- Communication between the _“Management Cluster”_ and a _“Tenant Cluster”_ is unidirectional. The _“Management Cluster”_ manages a _“Tenant Cluster”_, but a _“Tenant Cluster”_ has no awareness of the _“Management Cluster”_.
+- Communication between different _“Tenant Clusters”_ is not allowed.
 - The worker nodes of tenant should not run anything beyond tenant's workloads.

 Goals and scope may vary as the project evolves.

 ## Tenant Control Plane
-Kamaji is special because the Control Planes of the _“tenant cluster”_ are regular pods running in a namespace of the _“admin cluster”_ instead of a dedicated set of Virtual Machines. This solution makes running Control Planes at scale cheaper and easier to deploy and operate. The Tenant Control Plane components are packaged in the same way they are running in bare metal or virtual nodes. We leverage the `kubeadm` code to set up the control plane components as they were running on their own server. The unchanged images of upstream `kube-apiserver`, `kube-scheduler`, and `kube-controller-manager` are used.
+Kamaji is special because the Control Planes of the _“Tenant Clusters”_ are regular pods running in a namespace of the _“Management Cluster”_ instead of a dedicated machines. This solution makes running Control Planes at scale cheaper and easier to deploy and operate. The Tenant Control Plane components are packaged in the same way they are running in bare metal or virtual nodes. We leverage the `kubeadm` code to set up the control plane components as they were running on their own server. The unchanged images of upstream `kube-apiserver`, `kube-scheduler`, and `kube-controller-manager` are used.

-High Availability and rolling updates of the Tenant Control Plane pods are provided by a regular Deployment. Autoscaling based on the metrics is available. A Service is used to espose the Tenant Control Plane outside of the _“admin cluster”_. The `LoadBalancer` service type is used, `NodePort` and `ClusterIP` are other viable options, depending on the case.
+High Availability and rolling updates of the Tenant Control Plane pods are provided by a regular Deployment. Autoscaling based on the metrics is available. A Service is used to espose the Tenant Control Plane outside of the _“Management Cluster”_. The `LoadBalancer` service type is used, `NodePort` and `ClusterIP` are other viable options, depending on the case.

 Kamaji offers a [Custom Resource Definition](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/) to provide a declarative approach of managing a Tenant Control Plane. This *CRD* is called `TenantControlPlane`, or `tcp` in short.

-All the _“tenant clusters”_ built with Kamaji are fully compliant CNCF Kubernetes clusters and are compatible with the standard Kubernetes toolchains everybody knows and loves. See [CNCF compliance](reference/conformance.md).
+All the _“Tenant Clusters”_ built with Kamaji are fully compliant CNCF Kubernetes clusters and are compatible with the standard Kubernetes toolchains everybody knows and loves. See [CNCF compliance](reference/conformance.md).

 ## Tenant worker nodes
-And what about the tenant worker nodes? They are just _"worker nodes"_, i.e. regular virtual or bare metal machines, connecting to the APIs server of the Tenant Control Plane. Kamaji's goal is to manage the lifecycle of hundreds of these _“tenant clusters”_, not only one, so how to add another tenant cluster to Kamaji? As you could expect, you have just deploys a new Tenant Control Plane in one of the _“admin cluster”_ namespace, and then joins the tenant worker nodes to it.

-We have in roadmap, the Cluster APIs support as well as a Terraform provider so that you can create _“tenant clusters”_ in a declarative way.
+And what about the tenant worker nodes?
+They are just _"worker nodes"_, i.e. regular virtual or bare metal machines, connecting to the APIs server of the Tenant Control Plane.
+Kamaji's goal is to manage the lifecycle of hundreds of these _“Tenant Clusters”_, not only one, so how to add another Tenant Cluster to Kamaji?
+As you could expect, you have just deploys a new Tenant Control Plane in one of the _“Management Cluster”_ namespace, and then joins the tenant worker nodes to it.
+
+A [Cluster API ControlPlane provider](https://github.com/clastix/cluster-api-control-plane-provider-kamaji) has been released, allowing to offer a Cluster API-native declarative lifecycle, by automating the worker nodes join.

 ## Datastores
-Putting the Tenant Control Plane in a pod is the easiest part. Also, we have to make sure each tenant cluster saves the state to be able to store and retrieve data. As we can deploy a Kubernetes cluster with an external `etcd` cluster, we explored this option for the Tenant Control Planes. On the admin cluster, you can deploy one or multi-tenant `etcd` to save the state of multiple tenant clusters. Kamaji offers a Custom Resource Definition called `DataStore` to provide a declarative approach of managing multiple datastores. By sharing the datastore between multiple tenants, the resiliency is still guaranteed and the pods' count remains under control, so it solves the main goal of resiliency and costs optimization. The trade-off here is that you have to operate external datastores, in addition to `etcd` of the _“admin cluster”_ and manage the access to be sure that each _“tenant cluster”_ uses only its data.
+Putting the Tenant Control Plane in a pod is the easiest part. Also, we have to make sure each Tenant Cluster saves the state to be able to store and retrieve data. As we can deploy a Kubernetes cluster with an external `etcd` cluster, we explored this option for the Tenant Control Planes. On the Management Cluster, you can deploy one or multi-tenant `etcd` to save the state of multiple Tenant Clusters. Kamaji offers a Custom Resource Definition called `DataStore` to provide a declarative approach of managing multiple datastores. By sharing the datastore between multiple tenants, the resiliency is still guaranteed and the pods' count remains under control, so it solves the main goal of resiliency and costs optimization. The trade-off here is that you have to operate external datastores, in addition to `etcd` of the _“Management Cluster”_ and manage the access to be sure that each _“Tenant Cluster”_ uses only its data.

 ### Other storage drivers
-Kamaji offers the option of using a more capable datastore than `etcd` to save the state of multiple tenants' clusters. Thanks to the native [kine](https://github.com/k3s-io/kine) integration, you can run _MySQL_ or _PostgreSQL_ compatible databases as datastore for _“tenant clusters”_.
+Kamaji offers the option of using a more capable datastore than `etcd` to save the state of multiple tenants' clusters. Thanks to the native [kine](https://github.com/k3s-io/kine) integration, you can run _MySQL_ or _PostgreSQL_ compatible databases as datastore for _“Tenant Clusters”_.

 ### Pooling
-By default, Kamaji is expecting to persist all the _“tenant clusters”_ data in a unique datastore that could be backed by different drivers. However, you can pick a different datastore for a specific set of _“tenant clusters”_ that could have different resources assigned or a different tiering. Pooling of multiple datastore is an option you can leverage for a very large set of _“tenant clusters”_ so you can distribute the load properly. As future improvements, we have a _datastore scheduler_ feature in roadmap so that Kamaji itself can assign automatically a _“tenant cluster”_ to the best datastore in the pool.
+By default, Kamaji is expecting to persist all the _“Tenant Clusters”_ data in a unique datastore that could be backed by different drivers. However, you can pick a different datastore for a specific set of _“Tenant Clusters”_ that could have different resources assigned or a different tiering. Pooling of multiple datastore is an option you can leverage for a very large set of _“Tenant Clusters”_ so you can distribute the load properly. As future improvements, we have a _datastore scheduler_ feature in roadmap so that Kamaji itself can assign automatically a _“Tenant Cluster”_ to the best datastore in the pool.

 ### Migration
 In order to simplify Day2 Operations and reduce the operational burden, Kamaji provides the capability to live migrate data from a datastore to another one of the same driver without manual and error prone backup and restore operations.
--- a/docs/content/getting-started.md
+++ b/docs/content/getting-started.md
@@ -13,7 +13,7 @@ The guide requires:
 ## Summary

  * [Prepare the bootstrap workspace](#prepare-the-bootstrap-workspace)
-  * [Access Admin cluster](#access-admin-cluster)
+  * [Access Management Cluster](#access-management-cluster)
  * [Install Cert Manager](#install-cert-manager)
  * [Install Kamaji controller](#install-kamaji-controller)
  * [Create Tenant Cluster](#create-tenant-cluster)
@@ -27,15 +27,15 @@ git clone https://github.com/clastix/kamaji
 cd kamaji/deploy
 ```

-We assume you have installed on the bootstrap machine:
+We assume you have installed on the bootstrap workstation:

 - [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl)
 - [kubeadm](https://kubernetes.io/docs/tasks/tools/#kubeadm)
 - [helm](https://helm.sh/docs/intro/install/)
 - [jq](https://stedolan.github.io/jq/)

-## Access Admin cluster
-In Kamaji, an Admin Cluster is a regular Kubernetes cluster which hosts zero to many Tenant Cluster Control Planes. The admin cluster acts as management cluster for all the Tenant clusters and hosts monitoring, logging, and governance of Kamaji setup, including all Tenant clusters. 
+## Access Management Cluster
+In Kamaji, the Management Cluster is a regular Kubernetes cluster which hosts zero to many Tenant Cluster Control Planes. The Management Cluster acts as cockpit for all the Tenant Clusters as it hosts monitoring, logging, and governance of Kamaji setup, including all Tenant Clusters. 

 Throughout the following instructions, shell variables are used to indicate values that you should adjust to your environment:

@@ -43,14 +43,14 @@ Throughout the following instructions, shell variables are used to indicate valu
 source kamaji.env
 ```

-Any regular and conformant Kubernetes v1.22+ cluster can be turned into a Kamaji setup. To work properly, the admin cluster should provide:
+Any regular and conformant Kubernetes v1.22+ cluster can be turned into a Kamaji setup. To work properly, the Management Clusterr should provide:

 - CNI module installed, eg. [Calico](https://github.com/projectcalico/calico), [Cilium](https://github.com/cilium/cilium).
 - CSI module installed with a Storage Class for the Tenant datastores. Local Persistent Volumes are an option.
 - Support for LoadBalancer service type, eg. [MetalLB](https://metallb.universe.tf/), or a Cloud based controller.
 - Optionally, a Monitoring Stack installed, eg. [Prometheus](https://github.com/prometheus-community).

-Make sure you have a `kubeconfig` file with admin permissions on the cluster you want to turn into Kamaji Admin Cluster and check you can access:
+Make sure you have a `kubeconfig` file with admin permissions on the cluster you want to turn into Kamaji Management Cluster and check you can access:

 ```bash
 kubectl cluster-info
@@ -73,7 +73,7 @@ helm install \

 ## Install Kamaji Controller

-Installing Kamaji via Helm charts is the preferred way. The Kamaji controller needs to access a Datastore in order to save data of the tenants' clusters. The Kamaji Helm Chart provides the installation of a basic unamanaged `etcd` as datastore, out of box. 
+Installing Kamaji via Helm charts is the preferred way. The Kamaji controller needs to access a Datastore in order to save data of the tenants' clusters. The Kamaji Helm Chart provides the installation of a basic unmanaged `etcd` as datastore, out of box. 

 Install Kamaji with `helm` using an unmanaged `etcd` as default datastore:

@@ -86,6 +86,21 @@ helm install kamaji clastix/kamaji -n kamaji-system --create-namespace
 !!! note "A managed datastore is highly recommended in production"
     The [kamaji-etcd](https://github.com/clastix/kamaji-etcd) project provides the code to setup a multi-tenant `etcd` running as StatefulSet made of three replicas. Optionally, Kamaji offers support for a more robust storage system, as `MySQL` or `PostgreSQL` compatible database, thanks to the native [kine](https://github.com/k3s-io/kine) integration.

+Now you should end up with a working Kamaji instance, including the default `datastore`:
+
+```bash
+kubectl -n kamaji-system get pods
+NAME                         READY   STATUS      RESTARTS      AGE
+etcd-0                       1/1     Running     0             50s
+etcd-1                       1/1     Running     0             60s
+etcd-2                       1/1     Running     0             90s
+kamaji-7949578bfb-lj44p      1/1     Running     0             12s
+```
+
+> An unsuccessful first installation could fail for several reasons, such as missing a `StorageClass`, or even for a trivial `Ctrl+C` during the installation phase.
+>
+> See the [Cleanup](#cleanup) section before to retry an aborted installation. 
+
 ## Create Tenant Cluster

 ### Tenant Control Plane
@@ -99,6 +114,8 @@ kind: TenantControlPlane
 metadata:
  name: ${TENANT_NAME}
  namespace: ${TENANT_NAMESPACE}
+  labels:
+    tenant.clastix.io: ${TENANT_NAME}
 spec:
  dataStore: default
  controlPlane:
@@ -183,7 +200,7 @@ NAME                TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)
 service/tenant-00   LoadBalancer   10.32.132.241   192.168.32.240   6443:32152/TCP,8132:32713/TCP   2m20s
 ```

-The regular Tenant Control Plane containers: `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` are running unchanged in the `tcp` pods instead of dedicated machines and they are exposed through a service on the port `6443` of worker nodes in the admin cluster.
+The regular Tenant Control Plane containers: `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` are running unchanged in the `tcp` pods instead of dedicated machines and they are exposed through a service on the port `6443` of worker nodes in the Management Cluster.

 The `LoadBalancer` service type is used to expose the Tenant Control Plane on the assigned `loadBalancerIP` acting as `ControlPlaneEndpoint` for the worker nodes and other clients as, for example, `kubectl`. Service types `NodePort` and `ClusterIP` are still viable options to expose the Tenant Control Plane, depending on the case. High Availability and rolling updates of the Tenant Control Planes are provided by the `tcp` Deployment and all the resources reconcilied by the Kamaji controller.

@@ -220,7 +237,7 @@ Kubernetes control plane is running at https://192.168.32.240:6443
 CoreDNS is running at https://192.168.32.240:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
 ```

-Check out how the Tenant control Plane advertises itself to workloads:
+Check out how the Tenant Control Plane advertises itself to workloads:

 ```bash
 kubectl --kubeconfig=${TENANT_NAMESPACE}-${TENANT_NAME}.kubeconfig get svc
@@ -238,37 +255,34 @@ kubernetes   192.168.32.240:6443   18m

 And make sure it is `${TENANT_ADDR}:${TENANT_PORT}`.

-### Prepare worker nodes to join
+### Join worker nodes

-Currently Kamaji does not provide any helper for creation of tenant worker nodes. You should get a set of machines from your infrastructure provider, turn them into worker nodes, and then join to the tenant control plane with the `kubeadm`. 
+The Tenant Control Plane is made of pods running in the Kamaji Management Cluster. At this point, the Tenant Cluster has no worker nodes. So, the next step is to join some worker nodes to the Tenant Control Plane.

-!!! note "Cluster APIs support"
-     In the future, we'll provide creation of tenant clusters through Cluster APIs.
+Kamaji does not provide any helper for creation of tenant worker nodes, instead it leverages the [Cluster Management API](https://github.com/kubernetes-sigs/cluster-api). This allows you to create the Tenant Clusters, including worker nodes, in a completely declarative way. Refer to the [Cluster API guide](guides/cluster-api.md) to learn more about supported providers.

-You can use the provided helper script `/deploy/nodes-prerequisites.sh`, in order to install the dependencies on all the worker nodes:
+An alternative approach for joining nodes is to use the `kubeadm` command on each node. Follow the related [documentation](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/) in order to:

- Install `containerd` as container runtime
- Install `crictl`, the command line for working with `containerd`
- Install `kubectl`, `kubelet`, and `kubeadm` in the desired version
+- install `containerd` as container runtime
+- install `crictl`, the command line for working with `containerd`
+- install `kubectl`, `kubelet`, and `kubeadm` in the desired version

-!!! warning ""
-    The provided script is just a facility: it assumes all worker nodes are running `Ubuntu 20.04`. Make sure to adapt the script if you're using a different distribution.
-
-Run the script:
+After the installation is complete on all the nodes, open the command line on your Linux workstation and store the IP address of each node in an environment variable:

 ```bash
-HOSTS=(${WORKER0} ${WORKER1} ${WORKER2})
-./nodes-prerequisites.sh ${TENANT_VERSION:1} ${HOSTS[@]}
+WORKER0=<address of first node>
+WORKER1=<address of second node>
+WORKER2=<address of third node>
 ```

-### Join worker nodes
-The current approach for joining nodes is to use `kubeadm` and therefore, we will create a bootstrap token to perform the action. In order to facilitate the step, we will store the entire command of joining in a variable:
+Store the join command in a variable:

 ```bash
 JOIN_CMD=$(echo "sudo ")$(kubeadm --kubeconfig=${TENANT_NAMESPACE}-${TENANT_NAME}.kubeconfig token create --print-join-command)
+
 ```

-A bash loop will be used to join all the available nodes.
+Use a loop to log in to and run the join command on each node:

 ```bash
 HOSTS=(${WORKER0} ${WORKER1} ${WORKER2})
@@ -278,6 +292,10 @@ for i in "${!HOSTS[@]}"; do
 done
 ```

+!!! tip "yaki"
+    This manual process can be further automated to handle the node prerequisites and joining. See [yaki](https://github.com/clastix/yaki) script, which you could modify for your preferred operating system and version. The provided script is just a facility: it assumes all worker nodes are running `Ubuntu 22.04`. Make sure to adapt the script if you're using a different distribution.
+
+
 Checking the nodes:

 ```bash
@@ -299,7 +317,7 @@ curl https://raw.githubusercontent.com/projectcalico/calico/v3.24.1/manifests/ca

 Before to apply the Calico manifest, you can customize it as necessary according to your preferences.

-Apply to the tenant cluster:
+Apply to the Tenant Cluster:

 ```bash
 kubectl --kubeconfig=${TENANT_NAMESPACE}-${TENANT_NAME}.kubeconfig apply -f calico.yaml
@@ -316,7 +334,8 @@ tenant-00-worker-02   Ready    <none>   2m32s   v1.25.0
 ```

 ## Cleanup
-Remove the worker nodes joined the tenant control plane
+### Delete a Tenant Cluster
+First, remove the worker nodes joined the tenant control plane

 ```bash
 kubectl --kubeconfig=${TENANT_NAMESPACE}-${TENANT_NAME}.kubeconfig delete nodes --all 
@@ -334,10 +353,37 @@ for i in "${!HOSTS[@]}"; do
 done
 ```

-Delete the tenant control plane from kamaji
+Delete the tenant control plane from Kamaji

 ```bash
 kubectl delete -f ${TENANT_NAMESPACE}-${TENANT_NAME}-tcp.yaml
 ```

+### Uninstall Kamaji
+Uninstall the Kamaji controller by removing the Helm release
+
+```bash
+helm uninstall kamaji -n kamaji-system
+```
+
+The default datastore installed three `etcd` replicas with persistent volumes, so remove the `PersistentVolumeClaims` resources:
+
+```bash
+kubectl -n kamaji-system delete pvc --all
+```
+
+Also delete the custom resources:
+
+```bash
+kubectl delete crd tenantcontrolplanes.kamaji.clastix.io
+kubectl delete crd datastores.kamaji.clastix.io
+```
+
+In case of a broken installation, manually remove the hooks installed by Kamaji:
+
+```bash
+kubectl delete ValidatingWebhookConfiguration kamaji-validating-webhook-configuration
+kubectl delete MutatingWebhookConfiguration kamaji-mutating-webhook-configuration
+```
+
 That's all folks!
--- a/docs/content/guides/alternative-datastore.md
+++ b/docs/content/guides/alternative-datastore.md
@@ -1,39 +1,28 @@
-# Use alternative datastores
+# Use Alternative Datastores

-Kamaji offers the possibility of having a different storage system than `etcd` thanks to [kine](https://github.com/k3s-io/kine) integration. One of the implementations is [PostgreSQL](https://www.postgresql.org/).
+Kamaji offers the possibility of having a different storage system than `etcd` thanks to [kine](https://github.com/k3s-io/kine) integration.

-## Install the datastore
+## Installing Drivers

-On the admin cluster, install one of the alternative supported datastore:
+The following `make` recipes help you to setup alternative `Datastore` resources.

- **MySQL** install it with command:
+> The default settings are not production grade:
+> the following scripts are just used to test the Kamaji usage of different drivers.

-    `$ make -C deploy/kine/mysql mariadb`
+On the Management Cluster, you can use the following commands:

- **PostgreSQL** install it with command:
+- **MySQL**: `$ make -C deploy/kine/mysql mariadb`

-    `$ make -C deploy/kine/postgresql postgresql`
+- **PostgreSQL**: `$ make -C deploy/kine/postgresql postgresql`

-## Install Cert Manager
+- **NATS**: `$ make -C deploy/kine/nats nats`

-As prerequisite for Kamaji, install the Cert Manager
+## Defining a default Datastore upon Kamaji installation

-```bash
-helm repo add jetstack https://charts.jetstack.io
-helm repo update
-helm install \
-  cert-manager jetstack/cert-manager \
-  --namespace cert-manager \
-  --create-namespace \
-  --version v1.11.0 \
-  --set installCRDs=true
-```
+Use Helm to install the Kamaji Operator and make sure it uses a datastore with the proper driver `datastore.driver=<MySQL|PostgreSQL|NATS>`.
+Please refer to the Chart available values for more information on supported options.

-## Install Kamaji
-
-Use Helm to install the Kamaji Operator and make sure it uses a datastore with the proper driver `datastore.driver=<MySQL|PostgreSQL>`.
-
-For example, with a PostreSQL datastore installed:
+For example, with a PostgreSQL datastore installed:

 ```bash
 helm install kamaji charts/kamaji -n kamaji-system --create-namespace \
@@ -60,4 +49,19 @@ helm install kamaji charts/kamaji -n kamaji-system --create-namespace \
  --set datastore.tlsConfig.clientCertificate.privateKey.keyPath=tls.key
 ```

-Once installed, you will able to create Tenant Control Planes using an alternative datastore.
+Once installed, you will be able to create Tenant Control Planes using an alternative datastore.
+
+## Defining specific Datastore per Tenant Control Plane
+
+Each `TenantControlPlane` can refer to a specific `Datastore` thanks to the `/spec/dataStore` field.
+This allows you to implement your preferred sharding or pooling strategy.
+
+When the said key is omitted, Kamaji will use the default datastore configured with its CLI argument `--datastore`.
+
+## NATS considerations
+
+The NATS support is still experimental, mostly because multi-tenancy is **NOT** supported.
+
+> A `NATS` based DataStore can host one and only one Tenant Control Plane.
+> When a `TenantControlPlane` is referring to a NATS `DataStore` already used by another instance,
+> reconciliation will fail and blocked.
--- a/docs/content/guides/backup-and-restore.md
+++ b/docs/content/guides/backup-and-restore.md
@@ -1,18 +1,18 @@
-# Backup and restore
+# Backup and Restore

-As mentioned in the introduction, Kamaji “tenant clusters” are just regular pods scheduled on top of a choosn admin cluster; as such, you can take advantage of the same backup and restore methods that you would use to maintain the standard workload.
+As mentioned in the introduction, Tenant Control Planes are just regular pods scheduled in the Management Cluster. As such, you can take advantage of the same backup and restore methods that you would use to maintain the standard workload.

-This guide will assist you in how to backup and restore TCP resources on the admin cluster using [Velero](https://tanzu.vmware.com/developer/guides/what-is-velero/).
+This guide will assist you in how to backup and restore TCP resources on the Management Cluster using [Velero](https://tanzu.vmware.com/developer/guides/what-is-velero/).

 ## Prerequisites

 Before proceeding with the next steps, we assume that the following prerequisites are met:

- Working admin cluster
+- Working Kamaji setup
 - Working datastore resource
 - Working TCP resource
 - Velero binary installed on the operator VM
- Velero installed on the admin cluster
+- Velero installed on the Management Cluster
 - Configured BackupStorageLocation for Velero

 ## Backup step
--- a/docs/content/guides/certs-lifecycle.md
+++ b/docs/content/guides/certs-lifecycle.md
@@ -0,0 +1,143 @@
+# Certificates Lifecycle
+
+Kamaji is responsible for creating the required certificates, such as:
+
+- the Kubernetes API Server certificate
+- the Kubernetes API Server kubelet client certificate
+- the Datastore certificate
+- the front proxy client certificate
+- the konnectivity certificate (if enabled)
+
+Also, the following `kubeconfig` resources contain client certificates, which are created by Kamaji, such as:
+
+- `admin`
+- `controller-manager`
+- `konnectivity` (if enabled)
+- `scheduler`
+
+All the certificates are created with the `kubeadm` defaults, thus their validity is set to 1 year.
+
+## How to rotate certificates
+
+If you need to manually rotate one of these certificates, the required operation is the deletion for the given Secret.
+
+```
+$: kubectl get secret
+NAME                                            TYPE                DATA   AGE
+k8s-126-admin-kubeconfig                        Opaque              1      12m
+k8s-126-api-server-certificate                  Opaque              2      12m
+k8s-126-api-server-kubelet-client-certificate   Opaque              2      3h45m
+k8s-126-ca                                      Opaque              4      3h45m
+k8s-126-controller-manager-kubeconfig           Opaque              1      3h45m
+k8s-126-datastore-certificate                   Opaque              3      3h45m
+k8s-126-datastore-config                        Opaque              4      3h45m
+k8s-126-front-proxy-ca-certificate              Opaque              2      3h45m
+k8s-126-front-proxy-client-certificate          Opaque              2      3h45m
+k8s-126-konnectivity-certificate                kubernetes.io/tls   2      3h45m
+k8s-126-konnectivity-kubeconfig                 Opaque              1      3h45m
+k8s-126-sa-certificate                          Opaque              2      3h45m
+k8s-126-scheduler-kubeconfig                    Opaque              1      3h45m
+```
+
+Once this operation is performed, Kamaji will be notified of the missing certificate, and it will create it back.
+
+```
+$: kubectl delete secret -l kamaji.clastix.io/certificate_lifecycle_controller=x509
+secret "k8s-126-api-server-certificate" deleted
+secret "k8s-126-api-server-kubelet-client-certificate" deleted
+secret "k8s-126-front-proxy-client-certificate" deleted
+secret "k8s-126-konnectivity-certificate" deleted
+
+$: kubectl delete secret -l kamaji.clastix.io/certificate_lifecycle_controller=x509
+NAME                                            TYPE                DATA   AGE
+k8s-126-admin-kubeconfig                        Opaque              1      15m
+k8s-126-api-server-certificate                  Opaque              2      12s
+k8s-126-api-server-kubelet-client-certificate   Opaque              2      12s
+k8s-126-ca                                      Opaque              4      3h48m
+k8s-126-controller-manager-kubeconfig           Opaque              1      3h48m
+k8s-126-datastore-certificate                   Opaque              3      3h48m
+k8s-126-datastore-config                        Opaque              4      3h48m
+k8s-126-front-proxy-ca-certificate              Opaque              2      3h48m
+k8s-126-front-proxy-client-certificate          Opaque              2      12s
+k8s-126-konnectivity-certificate                kubernetes.io/tls   2      11s
+k8s-126-konnectivity-kubeconfig                 Opaque              1      3h48m
+k8s-126-sa-certificate                          Opaque              2      3h48m
+k8s-126-scheduler-kubeconfig                    Opaque              1      3h48m
+```
+
+You can notice the secrets have been automatically created back, as well as a TenantControlPlane rollout with the updated certificates.
+
+```
+$: kubectl get pods
+NAME                       READY   STATUS    RESTARTS   AGE
+k8s-126-76768bdf89-82w8g   4/4     Running   0          58s
+k8s-126-76768bdf89-fwltl   4/4     Running   0          58s
+```
+
+The same occurs with the `kubeconfig` ones.
+
+```
+$: kubectl delete secret -l kamaji.clastix.io/certificate_lifecycle_controller=kubeconfig
+secret "k8s-126-admin-kubeconfig" deleted
+secret "k8s-126-controller-manager-kubeconfig" deleted
+secret "k8s-126-konnectivity-kubeconfig" deleted
+secret "k8s-126-scheduler-kubeconfig" deleted
+
+$: kubectl get pods
+NAME                       READY   STATUS    RESTARTS   AGE
+k8s-126-576c775b5d-2gr9h   4/4     Running   0          50s
+k8s-126-576c775b5d-jmvlm   4/4     Running   0          50s
+```
+
+## Automatic certificates rotation
+
+The Kamaji operator will run a controller which processes all the Secrets to determine their expiration, both for the `kubeconfig`, as well as for the certificates.
+
+The controller, named `CertificateLifecycle`, will extract the certificates from the _Secret_ objects notifying the `TenantControlPlaneReconciler` controller which will start a new certificate rotation.
+The rotation will occur the day before their expiration. 
+
+> Nota Bene:
+>
+> Kamaji is responsible for creating the `etcd` client certificate, and the generation of a new one will occur.
+> For other Datastore drivers, such as MySQL, PostgreSQL, or NATS, the referenced Secret will always be deleted by the Controller to trigger the rotation:
+> the PKI management, since it's offloaded externally, must provide the renewed certificates.
+
+## Certificate Authority rotation
+
+Kamaji is also taking care of your Tenant Clusters Certificate Authority.
+
+This can be rotated manually by deleting the following secret.
+
+```
+$: kubectl delete secret k8s-126-ca
+secret "k8s-126-ca" deleted
+```
+
+Once this occurs the TenantControlPlane will enter in the `CertificateAuthorityRotating` status.
+
+```
+$: kubectl get tcp -w
+NAME      VERSION   STATUS   CONTROL-PLANE ENDPOINT   KUBECONFIG                 DATASTORE   AGE
+k8s-126   v1.26.0   Ready    172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   CertificateAuthorityRotating   172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   Ready                          172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   Ready                          172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   Ready                          172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   Ready                          172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+k8s-126   v1.26.0   Ready                          172.18.255.200:6443      k8s-126-admin-kubeconfig   default     3h58m
+```
+
+This operation is intended to be performed manually since a new Certificate Authority requires the restart of all the components, as well as of the nodes:
+in such case, you will need to distribute the new Certificate Authority and the new nodes certificates.
+
+Given the sensibility of such operation, the `Secret` controller will not check the _CA_, which is offering validity of 10 years as `kubeadm` default values. 
--- a/docs/content/guides/cluster-api.md
+++ b/docs/content/guides/cluster-api.md
@@ -0,0 +1,6 @@
+# Cluster APIs Support
+
+The [Cluster API](https://github.com/kubernetes-sigs/cluster-api) brings declarative, Kubernetes-style APIs to creation of Kubernetes clusters, including configuration and management.
+
+Kamaji offers seamless integration with the most popular Cluster API Infrastructure Providers. Check the currently supported providers and the roadmap on the related [reposistory](https://github.com/clastix/cluster-api-control-plane-provider-kamaji).
+
--- a/docs/content/guides/console.md
+++ b/docs/content/guides/console.md
@@ -0,0 +1,92 @@
+# Kamaji Console
+This guide will introduce you to the basics of the Kamaji Console, a web UI to help you to view and control your Kamaji setup.
+
+## Install with Helm
+The Kamaji Console is a web interface running on the Kamaji Management Cluster that you can install with Helm. Check the Helm Chart [documentation](https://github.com/clastix/kamaji-console) for all the available settings.
+
+The Kamaji Console requires a Secret in the Kamaji Management Cluster that contains the configuration and credentials to access the console from the browser. You can have the Helm Chart generate it for you, or create it yourself and provide the name of the Secret during installation. Before to install the Kamaji Console, access your workstation, replace the placeholders with actual values, and execute the following command:
+
+```bash
+# The secret is required, otherwise the installation will fail
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: kamaji-console
+  namespace: kamaji-system
+data:
+  # Credentials to login into console
+  ADMIN_EMAIL: <email>
+  ADMIN_PASSWORD: <password>
+  # Secret used to sign the browser session
+  JWT_SECRET: <jwtSecret>
+  # URL where the console is accessible: https://<hostname>/ui
+  NEXTAUTH_URL: <nextAuthUrl>
+EOF
+```
+
+Install the Chart with the release name `console` in the `kamaji-system` namespace:
+
+```
+helm repo add clastix https://clastix.github.io/charts
+helm repo update
+helm -n kamaji-system install console clastix/kamaji-console
+```
+
+Show the status:
+
+```
+helm status console -n kamaji-system
+```
+
+## Access the Kamaji Console
+Once installed, forward the console service to the local machine:
+
+```
+kubectl -n kamaji-system port-forward service/console-kamaji-console 8080:80
+Forwarding from 127.0.0.1:8080 -> 3000
+Forwarding from [::1]:8080 -> 3000
+```
+
+and point the browser to `http://127.0.0.1:8080/ui` to access the console. Login with credentials you stored into the secret.
+
+!!! note "Expose with Ingress"
+     The Kamaji Console can be exposed with an ingress. Refer the Helm Chart documentation on how to configure it properly.
+
+## Explore the Kamaji Console
+The Kamaji Console provides a high level view of all Tenant Control Planes configured in your Kamaji setup. When you login to the console you are brought to the Tenant Control Planes view, which allows you to quickly understand the state of your Kamaji setup at a glance. It shows summary information about all the Tenant Control Plane objects, including: name, namespace, status, endpoint, version, and datastore.
+
+![Console Tenant Control Plane List](../images/console-tcp-list.png)
+
+From this view, you can also create a new Tenant Control Plane from a basic placeholder in yaml format:
+
+![Console Tenant Control Plane Create](../images/console-tcp-create.png)
+
+### Working with Tenant Control Plane
+From the main view, clicking on a Tenant Control Plane row will bring you to the detailed view. This view shows you all the details about the selected Tenant Control Plane, including all child components: pods, deployment, service, config maps, and secrets. From this view, you can also view, copy, and download the `kubeconfig` to access the Tenant Control Plane as tenant admin. 
+
+![Console Tenant Control Plane View](../images/console-tcp-view.png)
+
+### Working with Datastore
+
+From the menu bar on the left, clicking on the Datastores item, you can access the list of provisioned Datastores.
+It shows a summary about datastores, including name and the used driver, i.e. `etcd`, `MySQL`, `PostgreSQL`, and `NATS`.
+
+![Console Datastore List](../images/console-ds-list.png)
+
+From this view, you can also create, delete, edit, and inspect the single datastore. 
+
+### Additional Operations
+The Kamaji Console offers additional capabilities as part of the commercial edition Clastix Operating Platform:
+
+- Infrastructure Drivers Management
+- Applications Delivery via GitOps Operators
+- Centralized Authentication and Access Control
+- Auditing and Logging
+- Monitoring
+- Backup & Restore
+
+!!! note "Ready for more?"
+    To purchase entitlement to Clastix Operating Platform please contact hello@clastix.io.
+
--- a/docs/content/guides/datastore-migration.md
+++ b/docs/content/guides/datastore-migration.md
@@ -1,6 +1,7 @@
 # Datastore Migration

-On the admin cluster, you can deploy one or more multi-tenant datastores as `etcd`, `PostgreSQL`, and `MySQL` to save the state of the tenant clusters. A Tenant Control Plane can be migrated from a datastore to another one without service disruption or without complex and error prone backup & restore procedures.
+On the Management Cluster, you can deploy one or more multi-tenant datastores as `etcd`, `PostgreSQL`, `MySQL`, and `NATS` to save the state of the Tenant Clusters.
+A Tenant Control Plane can be migrated from a datastore to another one without service disruption or without complex and error-prone backup & restore procedures.

 This guide will assist you to live migrate Tenant's data from a datastore to another one having the same `etcd` driver.

@@ -80,7 +81,7 @@ helm install dedicated clastix/kamaji-etcd -n dedicated --create-namespace --set
 You should end up with a new datastore `dedicated` provided by an `etcd` cluster:

 ```yaml
-kubectl get datastore dedicated -o yaml
+# kubectl get datastore dedicated -o yaml
 apiVersion: kamaji.clastix.io/v1alpha1
 kind: DataStore
 metadata:
@@ -169,3 +170,6 @@ admission webhook "catchall.migrate.kamaji.clastix.io" denied the request
 After a while, depending on the amount of data to migrate, the Tenant Control Plane is put back in full operating mode by the Kamaji controller.

 > Please, note the datastore migration leaves the data on the default datastore, so you have to remove it manually.
+
+## Post migration
+After migrating data to the new datastore, complete the migration procedure by restarting the `kubelet.service` on all the tenant worker nodes.
--- a/docs/content/guides/kamaji-azure-deployment.md
+++ b/docs/content/guides/kamaji-azure-deployment.md
@@ -13,7 +13,7 @@ The guide requires:
 ## Summary

  * [Prepare the bootstrap workspace](#prepare-the-bootstrap-workspace)
-  * [Access Admin cluster](#access-admin-cluster)
+  * [Access Management Cluster](#access-management-cluster)
  * [Install Cert Manager](#install-cert-manager)
  * [Install Kamaji controller](#install-kamaji-controller)
  * [Create Tenant Cluster](#create-tenant-cluster)
@@ -43,8 +43,8 @@ az login
 ```


-## Access Admin cluster
-In Kamaji, an Admin Cluster is a regular Kubernetes cluster which hosts zero to many Tenant Cluster Control Planes. The admin cluster acts as management cluster for all the Tenant clusters and implements Monitoring, Logging, and Governance of all the Kamaji setup, including all Tenant clusters. For this guide, we're going to use an instance of Azure Kubernetes Service (AKS) as Admin Cluster.
+## Access Management Cluster
+In Kamaji, a Management Cluster is a regular Kubernetes cluster which hosts zero to many Tenant Cluster Control Planes. The Management Cluster acts as cockpit for all the Tenant clusters and implements Monitoring, Logging, and Governance of all the Kamaji setup, including all Tenant Clusters. For this guide, we're going to use an instance of Azure Kubernetes Service (AKS) as Management Cluster.

 Throughout the following instructions, shell variables are used to indicate values that you should adjust to your own Azure environment:

@@ -114,7 +114,7 @@ helm install \

 ## Install Kamaji Controller

-Installing Kamaji via Helm charts is the preferred way. The Kamaji controller needs to access a Datastore in order to save data of the tenants' clusters. The Kamaji Helm Chart provides the installation of a basic unamanaged `etcd` as datastore, out of box. 
+Installing Kamaji via Helm charts is the preferred way. The Kamaji controller needs to access a Datastore in order to save data of the tenants' clusters. The Kamaji Helm Chart provides the installation of a basic unmanaged `etcd` as datastore, out of box. 

 Install Kamaji with `helm` using an unmanaged `etcd` as default datastore:

@@ -125,7 +125,7 @@ helm install kamaji clastix/kamaji -n kamaji-system --create-namespace
 ```

 !!! note "A managed datastore is highly recommended in production"
-     The [kamaji-etcd](https://github.com/clastix/kamaji-etcd) project provides the code to setup a multi-tenant `etcd` running as StatefulSet made of three replicas. Optionally, Kamaji offers support for a more robust storage system, as `MySQL` or `PostgreSQL` compatible database, thanks to the native [kine](https://github.com/k3s-io/kine) integration.
+     The [kamaji-etcd](https://github.com/clastix/kamaji-etcd) project provides the code to setup a multi-tenant `etcd` running as StatefulSet made of three replicas. Optionally, Kamaji offers support for a more robust storage system, as `MySQL`, `PostgreSQL`, or `NATS` compatible database, thanks to the native [kine](https://github.com/k3s-io/kine) integration.

 ## Create Tenant Cluster

@@ -144,6 +144,8 @@ kind: TenantControlPlane
 metadata:
  name: ${TENANT_NAME}
  namespace: ${TENANT_NAMESPACE}
+  labels:
+    tenant.clastix.io: ${TENANT_NAME}
 spec:
  dataStore: default
  controlPlane:
@@ -272,12 +274,13 @@ NAME         ENDPOINTS           AGE
 kubernetes   10.240.0.100:6443   57m
 ```

-### Prepare worker nodes to join
+### Join worker nodes

-Currently Kamaji does not provide any helper for creation of tenant worker nodes. You should get a set of machines from your infrastructure provider, turn them into worker nodes, and then join to the tenant control plane with the `kubeadm`. 
+The Tenant Control Plane is made of pods running in the Kamaji Management Cluster. At this point, the Tenant Cluster has no worker nodes. So, the next step is to join some worker nodes to the Tenant Control Plane.

-!!! note "Cluster APIs support"
-     In the future, we'll provide creation of tenant clusters through Cluster APIs.
+Kamaji does not provide any helper for creation of tenant worker nodes, instead it leverages the [Cluster Management API](https://github.com/kubernetes-sigs/cluster-api). This allows you to create the Tenant Clusters, including worker nodes, in a completely declarative way. Currently, a Cluster API `ControlPlane` provider for Azure is not yet available: check the road-map on the [official repository](https://github.com/clastix/cluster-api-control-plane-provider-kamaji). 
+
+An alternative approach to create and join worker nodes in Azure is to manually create the VMs, turn them into Kubernetes worker nodes and then join through the `kubeadm` command.

 Create an Azure VM Stateful Set to host worker nodes

@@ -295,7 +298,6 @@ az vmss create \
   --vnet-name $KAMAJI_VNET_NAME \
   --subnet $TENANT_SUBNET_NAME \
   --computer-name-prefix $TENANT_NAME- \
-   --custom-data ./tenant-cloudinit.yaml \
   --load-balancer "" \
   --instance-count 0

@@ -310,15 +312,20 @@ az vmss scale \
   --new-capacity 3
 ```

-### Join worker nodes
-The current approach for joining nodes is to use `kubeadm` and therefore, we will create a bootstrap token to perform the action. In order to facilitate the step, we will store the entire command of joining in a variable:
+Once all the machines are ready, follow the related [documentation](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/) in order to:
+
+- install `containerd` as container runtime
+- install `crictl`, the command line for working with `containerd`
+- install `kubectl`, `kubelet`, and `kubeadm` in the desired version
+
+After the installation is complete on all the nodes, store the entire command of joining in a variable:

 ```bash
 TENANT_ADDR=$(kubectl -n ${TENANT_NAMESPACE} get svc ${TENANT_NAME} -o json | jq -r ."spec.loadBalancerIP")
 JOIN_CMD=$(echo "sudo kubeadm join ${TENANT_ADDR}:6443 ")$(kubeadm --kubeconfig=${TENANT_NAMESPACE}-${TENANT_NAME}.kubeconfig token create --print-join-command |cut -d" " -f4-)
 ```

-A bash loop will be used to join all the available nodes.
+Use a loop to log in to and run the join command on each node:

 ```bash
 VMIDS=($(az vmss list-instances \
@@ -363,7 +370,7 @@ As per [documentation](https://projectcalico.docs.tigera.io/reference/public-clo
 - `CALICO_IPV4POOL_IPIP="Never"`
 - `CALICO_IPV4POOL_VXLAN="Always"`

-Apply to the tenant cluster:
+Apply to the Tenant Cluster:

 ```bash
 kubectl --kubeconfig=${TENANT_NAMESPACE}-${TENANT_NAME}.kubeconfig apply -f calico.yaml
--- a/docs/content/guides/kamaji-gitops-flux.md
+++ b/docs/content/guides/kamaji-gitops-flux.md
@@ -1,14 +1,14 @@
-# Manage tenant resources GitOps-way from the admin cluster
+# Manage Tenant Control Planes with GitOps

 This guide describe a declarative way to deploy Kubernetes add-ons across multiple Tenant Clusters, the GitOps-way. An admin may need to apply a specific workload into Tenant Clusters and ensure is constantly reconciled, no matter what the tenants will do in their clusters. Examples include installing monitoring agents, ensuring specific policies, installing infrastructure operators like Cert Manager and so on.

-This way the tenant resources can be ensured from a single pane of glass, from the *admin cluster*.
+This way the tenant resources can be ensured from a single pane of glass, from the *Management Cluster*.

 ## Flux as the GitOps operator

 As GitOps ensures a constant reconciliation to a Git-versioned desired state, [Flux](https://fluxcd.io) can satisfy the requirement of those scenarios. In particular, the controllers that reconcile [resources](https://fluxcd.io/flux/concepts/#reconciliation) support communicating to external clusters.

-In this scenario the Flux toolkit would run in the *admin cluster*, with reconcile controllers reconciling resources into *tenant clusters*.
+In this scenario the Flux toolkit would run in the *Management Cluster*, with reconcile controllers reconciling resources into *Tenant Clusters*.

 ![Architecture](../images/kamaji-flux.png)

@@ -29,7 +29,7 @@ tenant1   v1.25.1   Ready    172.18.0.2:31443         tenant1-admin-kubeconfig

 > As the *admin* user has *cluster-admin* `ClusterRole` it will have the necessary privileges to operate on Custom Resources too.

-Given that Flux it's installed in the *admin cluster* - guide [here](https://fluxcd.io/flux/installation/) - resources can be ensured for specifics tenant clusters, by filling the `spec.kubeConfig` field of the Flux reconciliation resource.
+Given that Flux it's installed in the *Management Cluster* - guide [here](https://fluxcd.io/flux/installation/) - resources can be ensured for specifics Tenant Clusters, by filling the `spec.kubeConfig` field of the Flux reconciliation resource.

 For example, it might be needed to ensure [cert-manager](https://cert-manager.io/) is installed into a *tenant1* cluster with Helm. It can be done by declaring an `HelmRelease` as follows:

@@ -69,7 +69,7 @@ spec:
    replicaCount: 2
 ```

-and applying it in the *admin cluster*, alongside the related *jetstack* `HelmRepository`, in the *tenants* `Namespace`.
+and applying it in the *Management Cluster*, alongside the related *jetstack* `HelmRepository`, in the *tenants* `Namespace`.

 The result would be having Cert Manager installed in the *default* `Namespace` of the tenant *tenant1*'s cluster:

@@ -82,7 +82,7 @@ tenant1-cert-manager-cainjector   1/1     1            1           4m3s
 tenant1-cert-manager-webhook      1/1     1            1           4m3s
 ```

-No matter what the tenant users will do on the *tenant cluster*, the Flux reconciliation controllers wirunning in the *admin cluster* will ensure the desired state declared by the reconciliation resources applied existing in the *admin cluster*, will be reconciled in the *tenant cluster*.
+No matter what the tenant users will do on the *Tenant Cluster*, the Flux reconciliation controllers wirunning in the *Management Cluster* will ensure the desired state declared by the reconciliation resources applied existing in the *Management Cluster*, will be reconciled in the *Tenant Cluster*.

-Furthermore, this approach does not need to have in each tenant cluster nor Flux neither applied the related reconciliation Custom Resorces.
+Furthermore, this approach does not need to have in each Tenant Cluster nor Flux neither applied the related reconciliation Custom Resorces.

--- a/docs/content/guides/upgrade.md
+++ b/docs/content/guides/upgrade.md
@@ -1,5 +1,5 @@
 # Tenant Cluster Upgrade
-The process of upgrading a _“tenant cluster”_ consists in two steps:
+The process of upgrading a _“Tenant Cluster”_ consists in two steps:

 1. Upgrade the Tenant Control Plane
 2. Upgrade of Tenant Worker Nodes
@@ -14,6 +14,8 @@ apiVersion: kamaji.clastix.io/v1alpha1
 kind: TenantControlPlane
 metadata:
  name: tenant-00
+  labels:
+    tenant.clastix.io: tenant-00
 spec:
  controlPlane:
    deployment:
@@ -27,6 +29,9 @@ spec:
 ```

 ## Upgrade of Tenant Worker Nodes
-As currently Kamaji is not providing any helpers for Tenant Worker Nodes, you should make sure to upgrade them manually, for example, with the help of `kubeadm`. Refer to the official [documentation](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/#upgrade-worker-nodes).

-> We have in roadmap, the Cluster APIs support so that you can upgrade _“tenant clusters”_ in a fully declarative way.
+As currently Kamaji is not providing any helpers for Tenant Worker Nodes, you should make sure to upgrade them manually, for example, with the help of `kubeadm`.
+Refer to the official [documentation](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/#upgrade-worker-nodes).
+
+Kamaji is offering a [Cluster API Control Plane provider](https://github.com/clastix/cluster-api-control-plane-provider-kamaji), thus integrating with the Kubernetes clusters declarative management approach.
+You can refer to the official [Cluster API documentation](https://cluster-api.sigs.k8s.io/).
--- a/docs/content/images/architecture.png
+++ b/docs/content/images/architecture.png
--- a/docs/content/images/console-ds-list.png
+++ b/docs/content/images/console-ds-list.png
--- a/docs/content/images/console-tcp-create.png
+++ b/docs/content/images/console-tcp-create.png
--- a/docs/content/images/console-tcp-list.png
+++ b/docs/content/images/console-tcp-list.png
--- a/docs/content/images/console-tcp-view.png
+++ b/docs/content/images/console-tcp-view.png
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -1,20 +1,48 @@
 # Kamaji

-**Kamaji** deploys and operates Kubernetes at scale with a fraction of the operational burden. 
+**Kamaji** is a **Kubernetes Control Plane Manager**. It operates Kubernetes at scale with a fraction of the operational burden.

 ## How it works
-Kamaji turns any Kubernetes cluster into an _“admin cluster”_ to orchestrate other Kubernetes clusters called _“tenant clusters”_. Kamaji is special because the Control Plane components are running in a single pod instead of dedicated machines. This solution makes running multiple Control Planes cheaper and easier to deploy and operate. 
+Kamaji turns any Kubernetes cluster into a _“Management Cluster”_ to orchestrate other Kubernetes clusters called _“Tenant Clusters”_. Kamaji is special because the Control Plane components are running inside pods instead of dedicated machines. This solution makes running multiple Control Planes cheaper and easier to deploy and operate. 

 <img src="images/architecture.png"  width="600">

 View [Concepts](concepts.md) for a deeper understanding of principles behind Kamaji's design.

 !!! info "CNCF Compliance"
-    All the tenant clusters built with Kamaji are fully compliant [CNCF Certified Kubernetes](https://www.cncf.io/certification/software-conformance/) and are compatible with the standard toolchains everybody knows and loves.
+    All the Tenant Clusters built with Kamaji are fully compliant [CNCF Certified Kubernetes](https://www.cncf.io/certification/software-conformance/) and are compatible with the standard toolchains everybody knows and loves.

 ## Getting started

 Please refer to the [Getting Started guide](getting-started.md) to deploy a minimal setup of Kamaji.


+## FAQs
+Q. What does Kamaji mean?
+
+A. Kamaji is named as the character _Kamajī_ (釜爺, lit. "Boiler Geezer") from the Japanese movie [_Spirited Away_](https://en.wikipedia.org/wiki/Spirited_Away). Kamajī is an elderly man with six, long arms who operates the boiler room of the Bathhouse. The silent professional, whom no one sees, but who gets the hot, fragrant water to all the guests, like our Kamaji provides Kubernetes as a service!
+
+Q. Is Kamaji another Kubernetes distribution yet?
+
+A. No, Kamaji is a Kubernetes Operator you can install on top of any Kubernetes cluster to provide hundreds or thousands of managed Kubernetes clusters as a service. The tenant clusters made with Kamaji are conformant CNCF Kubernetes clusters as we leverage [`kubeadm`](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/).
+
+Q. How is Kamaji different from typical multi-cluster management solutions?
+
+A. Most of the existing multi-cluster management solutions provision specific infrastructure for the control plane, in most cases dedicated machines. Kamaji is special because the control plane of the downstream clusters are regular pods running in the management cluster. This solution makes running control plane at scale cheaper and easier to deploy and operate.
+
+Q. Is it safe to run Kubernetes control plane components in a pod instead of dedicated virtual machines?
+
+A. Yes, the tenant control plane components are packaged in the same way they are running in bare metal or virtual nodes. We leverage the `kubeadm` code to set up the control plane components as they were running on their own server. The unchanged images of upstream `kube-apiserver`, `kube-scheduler`, and `kube-controller-manager` are used, no forks!.
+
+Q. How is Kamaji different from managed Kubernetes services offered by Public Clouds?
+
+A. Kamaji gives you full control over all your Kubernetes infrastructures, offering unparalleled consistency across disparate environments: cloud, data-center, and edge while simplifying and centralizing operations, maintenance, and management tasks. Unlike other Managed Kubernetes services, Kamaji allows you to connect worker nodes from any infrastructure, providing you greater freedom, flexibility, and consistency than public Managed Kubernetes services.
+
+Q. How Kamaji differs from Cluster API?
+
+A. Kamaji and Cluster API complement each other. Kamaji's core idea is having a more efficient control plane management. Cluster API provides a declarative approach to clusters bootstrap and lifecycle management across different environments, cloud providers, and on-premises infrastructures. Thus combined together you get the best of class: Kamaji by simplifying the Control Plane management, Cluster API to abstract from the infrastructure. See supported [CAPI providers](guides/cluster-api.md) by Kamaji.
+
+Q. You already provide a Kubernetes multi-tenancy solution with [Capsule](https://capsule.clastix.io). Why does Kamaji matter?
+
+A. A multi-tenancy solution, like Capsule shares the Kubernetes control plane among all tenants keeping tenant namespaces isolated by policies. While the solution is the right choice by balancing between features and ease of usage, there are cases where a tenant user requires access to the control plane, for example, when a tenant requires to manage CRDs on his own. With Kamaji, you can provide full cluster admin permissions to the tenant.

--- a/docs/content/reference/api.md
+++ b/docs/content/reference/api.md
--- a/docs/content/reference/benchmark.md
+++ b/docs/content/reference/benchmark.md
@@ -5,7 +5,7 @@ Kamaji has been designed to operate a large scale of Kubernetes Tenant Control P
 In the Operator jargon, a manager is created to start several controllers, each one with their own responsibility.
 When a manager is started, all the underlying controllers are started, along with other "runnable" resources, like the webhook server.

-Kamaji operates several reconciliation operations, both in the admin and tenant clusters.
+Kamaji operates several reconciliation operations, both in the admin and Tenant Clusters.
 With that said, a main manager is responsible to reconcile the admin resources (Deployment, Secret, ConfigMap, etc.), for each Tenant Control Plane a new manager will be spin-up as a main manager controller.
 These Tenant Control Plane managers, named in the code base as soot managers, in turn, start and run controllers to ensure the desired state of the underlying add-ons, and required resources such as kubeadm ones.

@@ -25,7 +25,7 @@ Your mileage may vary and just want to share with the community how it has been

 ## Infrastructure

-The benchmark has been issued on a Kubernetes cluster backed by Elastic Kubernetes Service used as an Admin cluster.
+The benchmark has been issued on a Kubernetes cluster backed by Elastic Kubernetes Service used as Management Cluster.

 Two node pools have been created to avoid the noisy neighbour effect, and to increase the performances:

@@ -191,6 +191,8 @@ kind: TenantControlPlane
 metadata:
  name: benchmark$I
  namespace: $NS
+  labels:
+    tenant.clastix.io: benchmark$I
 spec:
  dataStore: $DS
  controlPlane:
@@ -236,4 +238,4 @@ If you're encountering different results, please, engage with the community to s

 # Running a thousand of Tenant Control Planes using multiple DataStores

-The next benchmark must address the use case where a Kamaji admin cluster manages up to a thousand Tenant Control Plane instances.
+The next benchmark must address the use case where a Kamaji Management Cluster manages up to a thousand Tenant Control Plane instances.
--- a/docs/content/reference/configuration.md
+++ b/docs/content/reference/configuration.md
@@ -4,22 +4,24 @@ Currently, **Kamaji** allows customization using CLI flags for the `manager` sub

 Available flags are the following:

-| Flag | Usage | Default |
-| ---- | ------ | --- |
-| `--metrics-bind-address` | The address the metric endpoint binds to. | `:8080` |
-| `--health-probe-bind-address` | The address the probe endpoint binds to. | `:8081` |
-| `--leader-elect` | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. | `true` |
-| `--tmp-directory` | Directory which will be used to work with temporary files. | `/tmp/kamaji` |
-| `--kine-image` | Container image along with tag to use for the Kine sidecar container (used only if etcd-storage-type is set to one of kine strategies). | `rancher/kine:v0.9.2-amd64` |
-| `--datastore` | The default DataStore that should be used by Kamaji to setup the required storage. | `etcd` |
-| `--migrate-image` | Specify the container image to launch when a TenantControlPlane is migrated to a new datastore. | `migrate-image` |
-| `--max-concurrent-tcp-reconciles` | Specify the number of workers for the Tenant Control Plane controller (beware of CPU consumption). | `1` |
-| `--pod-namespace` | The Kubernetes Namespace on which the Operator is running in, required for the TenantControlPlane migration jobs. | `os.Getenv("POD_NAMESPACE")` |
-| `--webhook-service-name` | The Kamaji webhook server Service name which is used to get validation webhooks, required for the TenantControlPlane migration jobs. | `kamaji-webhook-service` |
-| `--serviceaccount-name` | The Kubernetes ServiceAccount used by the Operator, required for the TenantControlPlane migration jobs. | `os.Getenv("SERVICE_ACCOUNT")` |
-| `--webhook-ca-path` | Path to the Manager webhook server CA, required for the TenantControlPlane migration jobs. | `/tmp/k8s-webhook-server/serving-certs/ca.crt` |
-| `--zap-devel`  | Development Mode (encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode (encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error).  |  `true`  |
-| `--zap-encoder`  | Zap log encoding, one of 'json' or 'console'  |  `console`  |
-| `--zap-log-level`  |  Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity |  `info`  |
-| `--zap-stacktrace-level`  | Zap Level at and above which stacktraces are captured (one of 'info', 'error', 'panic').  |  `info` |
-| `--zap-time-encoding`  |  Zap time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano') |  `epoch`  |
+| Flag                              | Usage                                                                                                                                                                              | Default                                        |
+|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------|
+| `--metrics-bind-address`          | The address the metric endpoint binds to.                                                                                                                                          | `:8080`                                        |
+| `--health-probe-bind-address`     | The address the probe endpoint binds to.                                                                                                                                           | `:8081`                                        |
+| `--leader-elect`                  | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.                                                              | `true`                                         |
+| `--tmp-directory`                 | Directory which will be used to work with temporary files.                                                                                                                         | `/tmp/kamaji`                                  |
+| `--kine-image`                    | Container image along with tag to use for the Kine sidecar container (used only if etcd-storage-type is set to one of kine strategies).                                            | `rancher/kine:v0.9.2-amd64`                    |
+| `--datastore`                     | The default DataStore that should be used by Kamaji to setup the required storage.                                                                                                 | `etcd`                                         |
+| `--migrate-image`                 | Specify the container image to launch when a TenantControlPlane is migrated to a new datastore.                                                                                    | `migrate-image`                                |
+| `--max-concurrent-tcp-reconciles` | Specify the number of workers for the Tenant Control Plane controller (beware of CPU consumption).                                                                                 | `1`                                            |
+| `--pod-namespace`                 | The Kubernetes Namespace on which the Operator is running in, required for the TenantControlPlane migration jobs.                                                                  | `os.Getenv("POD_NAMESPACE")`                   |
+| `--webhook-service-name`          | The Kamaji webhook server Service name which is used to get validation webhooks, required for the TenantControlPlane migration jobs.                                               | `kamaji-webhook-service`                       |
+| `--serviceaccount-name`           | The Kubernetes ServiceAccount used by the Operator, required for the TenantControlPlane migration jobs.                                                                            | `os.Getenv("SERVICE_ACCOUNT")`                 |
+| `--webhook-ca-path`               | Path to the Manager webhook server CA, required for the TenantControlPlane migration jobs.                                                                                         | `/tmp/k8s-webhook-server/serving-certs/ca.crt` |
+| `--controller-reconcile-timeout`  | The reconciliation request timeout before the controller withdraw the external resource calls, such as dealing with the Datastore, or the Tenant Control Plane API endpoint.       | `30s`                                          |
+| `--cache-resync-period`           | The controller-runtime.Manager cache resync period.                                                                                                                                | `10h`                                          |
+| `--zap-devel`                     | Development Mode (encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode (encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error).                          | `true`                                         |
+| `--zap-encoder`                   | Zap log encoding, one of 'json' or 'console'                                                                                                                                       | `console`                                      |
+| `--zap-log-level`                 | Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity | `info`                                         |
+| `--zap-stacktrace-level`          | Zap Level at and above which stacktraces are captured (one of 'info', 'error', 'panic').                                                                                           | `info`                                         |
+| `--zap-time-encoding`             | Zap time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano')                                                                                        | `epoch`                                        |
--- a/docs/content/reference/conformance.md
+++ b/docs/content/reference/conformance.md
@@ -1,14 +1,19 @@
-# Conformance
+# CNCF Conformance
 For organizations using Kubernetes, conformance enables interoperability, consistency, and confirmability between Kubernetes installations. The Cloud Computing Native Foundation - CNCF - provides the [Certified Kubernetes Conformance Program](https://www.cncf.io/certification/software-conformance/).

 The standard set of conformance tests is currently those defined by the `[Conformance]` tag in the
 [kubernetes e2e](https://github.com/kubernetes/kubernetes/tree/master/test/e2e) suite.

-All the _“tenant clusters”_ built with Kamaji are CNCF conformant:
+All the _“Tenant Clusters”_ built with Kamaji are CNCF conformant:

 - [v1.23](https://github.com/cncf/k8s-conformance/pull/2194)
 - [v1.24](https://github.com/cncf/k8s-conformance/pull/2193)
 - [v1.25](https://github.com/cncf/k8s-conformance/pull/2188)
+- [v1.26](https://github.com/cncf/k8s-conformance/pull/2787)
+- [v1.27](https://github.com/cncf/k8s-conformance/pull/2786)
+- [v1.28](https://github.com/cncf/k8s-conformance/pull/2785)
+- [v1.29](https://github.com/cncf/k8s-conformance/pull/3273)
+- [v1.30](https://github.com/cncf/k8s-conformance/pull/3274)

 <p align="left" style="padding: 6px 6px">
  <img src="https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/certified-kubernetes/versionless/color/certified-kubernetes-color.png" width="100" />
@@ -21,13 +26,13 @@ regularly built and kept up to date to execute against all currently supported v

 Download a [binary release](https://github.com/vmware-tanzu/sonobuoy/releases) of the CLI.

-Make sure to access your tenant cluster:
+Make sure to access your Tenant Cluster:

 ```
 export KUBECONFIG=tenant.kubeconfig
 ```

-Deploy a Sonobuoy pod to your tenant cluster with:
+Deploy a Sonobuoy pod to your Tenant Cluster with:

 ```
 sonobuoy run --mode=certified-conformance
--- a/docs/content/reference/versioning.md
+++ b/docs/content/reference/versioning.md
@@ -2,9 +2,20 @@

 In Kamaji, there are different components that might require independent versioning and support level:

-|Kamaji |Admin Cluster| Tenant Cluster       |
-|-------|-------------|----------------------|
-| v0.0  | v1.22+      | [v1.21.0 .. v1.23.5] |
-| v0.1  | v1.22+      | [v1.21.0 .. v1.25.0] |
-| v0.2  | v1.22+      | [v1.21.0 .. v1.27.0] |
-
+| Kamaji | Management Cluster | Tenant Cluster       |
+|--------|--------------------|----------------------|
+| v0.0   | v1.22+             | [v1.21.0 .. v1.23.5] |
+| v0.1   | v1.22+             | [v1.21.0 .. v1.25.0] |
+| v0.2   | v1.22+             | [v1.21.0 .. v1.27.0] |
+| v0.3.0 | v1.22+             | [v1.21.0 .. v1.27.0] |
+| v0.3.1 | v1.22+             | [v1.21.0 .. v1.27.3] |
+| v0.3.2 | v1.22+             | [v1.21.0 .. v1.27.3] |
+| v0.3.3 | v1.22+             | [v1.21.0 .. v1.27.3] |
+| v0.3.4 | v1.22+             | [v1.21.0 .. v1.28.1] |
+| v0.3.5 | v1.22+             | [v1.21.0 .. v1.28.1] |
+| v0.3.5 | v1.22+             | [v1.21.0 .. v1.28.1] |
+| v0.4.0 | v1.22+             | [v1.21.0 .. v1.29.0] |
+| v0.4.1 | v1.22+             | [v1.21.0 .. v1.29.1] |
+| v0.4.2 | v1.22+             | [v1.21.0 .. v1.29.1] |
+| v0.5.0 | v1.22+             | [v1.21.0 .. v1.30.0] |
+| v0.6.0 | v1.22+             | [v1.21.0 .. v1.30.1] |
--- a/docs/content/telemetry.md
+++ b/docs/content/telemetry.md
@@ -0,0 +1,49 @@
+# Telemetry
+
+This document outlines the telemetry feature within the Kamaji project, detailing the rationale behind data collection, the nature of the data collected, data handling practices, and instructions for opting out.
+
+## Why We Collect Telemetry
+
+The Kamaji project, being open source, benefits from insights into how it is used. These insights help the project maintainers make informed decisions regarding feature prioritization, test automation, and bug fixes. Without this data, decisions on feature deprecation and enhancements would be based on limited information, potentially hindering the project's evolution and maintainability. Our goal is to ensure Kamaji's development is driven by the needs of its community, and telemetry data plays a crucial role in achieving this.
+
+## What We Collect and How
+
+It's important to clarify that our interest lies in the usage patterns of Kamaji, not in personal information about its users. We collect data about Kamaji version and Tenant Control Planes.
+
+### Telemetry Payload Example
+
+Below is a simplified example of what a telemetry payload might look like:
+
+```json
+// General status
+{"uuid": "56279633-3131-436b-b8f2-9008a49a2f12", "running": 1, "sleeping": 0, "not_ready": 0, "upgrading": 0, "kamaji_version": "v0.6.1", "kubernetes_version": "v1.27.3"}
+```
+
+```json
+// Creating a TCP
+{"tcp_version": "v1.26.0", "kamaji_version": "v0.6.1", "kubernetes_version": "v1.27.3"}
+```
+
+```json
+// Modifying a TCP (n.b.: version upgrade)
+{"kamaji_version": "v0.6.1", "new_tcp_version": "v1.27.0", "old_tcp_version": "v1.26.0", "kubernetes_version": "v1.27.3"}
+```
+
+```json
+// Deleting a TCP
+{"status": "Ready", "tcp_version": "v1.27.0", "kamaji_version": "v0.6.1", "kubernetes_version": "v1.27.3"}
+```
+
+Data is collected through a component within Kamaji, which periodically sends this information to our backend. The telemetry backend, managed by the Kamaji maintainers, ensures data is stored securely and access is strictly controlled.
+
+## Telemetry Opt-Out
+We respect the privacy and autonomy of our users. If you prefer not to participate in telemetry, Kamaji provides an easy opt-out mechanism.
+
+For Helm based deployments, include the `--set telemetry.disabled=true` flag when installing or upgrading Kamaji.
+
+For manual deployments, set the flag `--disable-telemetry=true` int the Kamaji controller configuration to disable telemetry reporting.
+
+To re-enable telemetry, simply reverse the opt-out process using the appropriate method for your deployment.
+
+## Conclusion
+Telemetry in Kamaji is designed to foster a data-driven development process that aligns with the needs and preferences of our user community. Your participation helps us make Kamaji better for everyone.
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -65,6 +65,9 @@ nav:
  - guides/upgrade.md
  - guides/datastore-migration.md
  - guides/backup-and-restore.md
+  - guides/certs-lifecycle.md
+  - guides/cluster-api.md
+  - guides/console.md
 - 'Use Cases': use-cases.md
 - 'Reference':
  - reference/index.md
@@ -73,4 +76,5 @@ nav:
  - reference/conformance.md
  - reference/versioning.md
  - reference/api.md
+- 'Telemetry': telemetry.md
 - 'Contribute': contribute.md
--- a/e2e/suite_test.go
+++ b/e2e/suite_test.go
@@ -10,7 +10,7 @@ import (
 	. "github.com/onsi/gomega"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
-	"k8s.io/utils/pointer"
+	pointer "k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -44,7 +44,7 @@ var _ = BeforeSuite(func() {

 	By("bootstrapping test environment")
 	testEnv = &envtest.Environment{
-		UseExistingCluster: pointer.Bool(true),
+		UseExistingCluster: pointer.To(true),
 	}

 	var err error
--- a/e2e/tcp_additional_resources_blocked_test.go
+++ b/e2e/tcp_additional_resources_blocked_test.go
@@ -12,6 +12,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	pointer "k8s.io/utils/ptr"

 	kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1"
 )
@@ -26,7 +27,7 @@ var _ = Describe("Deploy a TenantControlPlane resource with additional resources
 		Spec: kamajiv1alpha1.TenantControlPlaneSpec{
 			ControlPlane: kamajiv1alpha1.ControlPlane{
 				Deployment: kamajiv1alpha1.DeploymentSpec{
-					Replicas: 1,
+					Replicas: pointer.To(int32(1)),
 					AdditionalInitContainers: []corev1.Container{{
 						Name:  initContainerName,
 						Image: initContainerImage,
--- a/e2e/tcp_additional_resources_ready_test.go
+++ b/e2e/tcp_additional_resources_ready_test.go
@@ -15,6 +15,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
+	pointer "k8s.io/utils/ptr"

 	kamajiv1alpha1 "github.com/clastix/kamaji/api/v1alpha1"
 	"github.com/clastix/kamaji/internal/utilities"
@@ -42,7 +43,7 @@ var _ = Describe("Deploy a TenantControlPlane resource with additional options",
 		Spec: kamajiv1alpha1.TenantControlPlaneSpec{
 			ControlPlane: kamajiv1alpha1.ControlPlane{
 				Deployment: kamajiv1alpha1.DeploymentSpec{
-					Replicas: 1,
+					Replicas: pointer.To(int32(1)),
 					AdditionalInitContainers: []corev1.Container{{
 						Name:  initContainerName,
 						Image: initContainerImage,
@@ -255,7 +256,7 @@ var _ = Describe("Deploy a TenantControlPlane resource with additional options",
 				}, &deploy)).NotTo(HaveOccurred())

 				return deploy.Spec.Template.Spec.InitContainers
-			}, 10*time.Second, time.Second).Should(HaveLen(0), "Deployment should not contain anymore the init container")
+			}, 10*time.Second, time.Second).Should(BeEmpty(), "Deployment should not contain anymore the init container")

 			Eventually(func() bool {
 				deploy := appsv1.Deployment{}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Dario Tranchitella	f4c0cec4f9	chore(helm): releasing v1.0.0	2024-06-28 10:50:18 +02:00
Dario Tranchitella	db3a092d3d	chore(kustomize): releasing v1.0.0	2024-06-28 10:50:18 +02:00
bsctl	d590b9d17d	feat(docs): conformance for v1.30 Signed-off-by: bsctl <adriano@clastix.io>	2024-06-27 16:26:57 +02:00
bsctl	9147ae9977	feat(docs): conformance for v1.29 Signed-off-by: bsctl <adriano@clastix.io>	2024-06-27 16:26:57 +02:00
Dario Tranchitella	d2ff044228	chore(kustomize): enable telemetry Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-06-27 11:38:41 +02:00
bsctl	a147869944	feat(helm): enable telemetry Signed-off-by: bsctl <adriano@clastix.io> Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-06-27 11:38:41 +02:00
bsctl	056ad4002a	feat(docs): document telemetry Signed-off-by: bsctl <adriano@clastix.io> Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-06-27 11:38:41 +02:00
Dario Tranchitella	91cbf0c507	feat: telemetry Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-06-27 11:38:41 +02:00
Dario Tranchitella	d57d5b5a56	feat(deps): bumping up sigs.k8s.io/controller-runtime to v0.18.4 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-06-27 11:38:41 +02:00
Dario Tranchitella	24714d7168	chore(lease): changing lease holder name Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-06-27 11:38:41 +02:00
devopsdatacomm	422d225682	chore(adopters): adding DCloud as vendor	2024-06-27 06:52:37 +02:00
Dario Tranchitella	c57c07693f	chore(helm): releasing v0.6.1 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-06-24 18:32:02 +02:00
Dario Tranchitella	fa560446f1	chore(kustomize): releasing v0.6.1 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-06-24 18:32:02 +02:00
Dario Tranchitella	6ba4b4abac	feat: supporting k8s v1.30.2 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-06-24 18:32:02 +02:00
Dario Tranchitella	45d0869b91	feat(webhook): validating DNS service IPs on Service CIDR Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-31 12:05:09 +02:00
Dario Tranchitella	511a08889e	fix: nil pointer in datastore certificate handler Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-31 12:04:28 +02:00
Mario Valderrama	6217f2ca25	feat: add category to CRD	2024-05-24 18:01:27 +02:00
Andrei Kvapil	e51df96777	fix: removing hardcoded cluster.local domain from TCP client Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-05-21 22:25:00 +02:00
Dario Tranchitella	f235689bf5	chore(helm): releasing v0.16.0 chart	2024-05-19 12:09:12 +02:00
Dario Tranchitella	aed48e1bf0	docs: releasing v0.6.0 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-19 11:59:33 +02:00
Dario Tranchitella	0037e6e689	chore(helm): releasing v0.6.0 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-19 11:59:33 +02:00
Dario Tranchitella	56071434e6	chore(kustomize): releasing v0.6.0 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-19 11:59:33 +02:00
Dario Tranchitella	2d39c9ab0b	fix(ci): kamaji-etcd v0.6.0 changes Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-19 11:59:33 +02:00
Dario Tranchitella	b2fbb52361	feat: supporting k8s v1.30.1 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-19 11:59:33 +02:00
Dario Tranchitella	a2236e76cf	chore(deps): supporting k8s v1.30.1 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-19 11:59:33 +02:00
Dario Tranchitella	b1ea75f9c0	fix(psql): granting privileges to root user prior deletion Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-17 20:41:11 +02:00
lansaloni	6aea80ce45	chore(adopters): adding Sicuro Tech Labs as end-user	2024-05-16 12:08:37 +02:00
Dario Tranchitella	5ebe123994	docs(nats): missing multi-tenancy support Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-09 16:55:14 +02:00
Dario Tranchitella	d1910cd389	fix(nats): blocking reconciliation for missing multi-tenancy Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-09 16:55:01 +02:00
Dario Tranchitella	203e168397	docs: konnectivity agent tolerations support Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-09 11:36:07 +02:00
Dario Tranchitella	b29a79da36	feat(helm): konnectivity agent tolerations support Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-09 11:36:07 +02:00
Dario Tranchitella	5ec586960f	feat(kustomize): konnectivity agent tolerations support Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-09 11:36:07 +02:00
Dario Tranchitella	90aef60c18	feat: konnectivity agent tolerations support Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-09 11:36:07 +02:00
TheCodeAssassin	9ce8da0b37	feat: making DataStore TLS configuration optional Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-09 11:34:50 +02:00
Mario Valderrama	9d73905965	fix: simplify arg parsing Signed-off-by: Mario Valderrama <mario.valderrama@ionos.com>	2024-05-08 14:16:17 +02:00
ignaziodinataliTIM	32383be1d0	chore(adopters): adding TIM as R&D early adopter	2024-05-08 14:14:00 +02:00
Dario Tranchitella	6ffd6bbdfd	feat(nats): webhook for missing multi-tenancy support Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-06 17:32:29 +02:00
Dario Tranchitella	b7169215ae	chore(go): nats dependency Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-05-06 17:32:29 +02:00
TheCodeAssassin	f8a0206785	fix(nats): noEmbed is required in newer versions of kine	2024-05-02 18:26:32 +02:00
Dario Tranchitella	1d548665ee	fix(kubeadm): version getter must return component versions Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-04-24 16:28:37 +02:00
Hamza BOUDOUCHE	37616865b4	feat: support for custom service account	2024-04-23 11:03:33 +02:00
Hamza BOUDOUCHE	d31b3eab0a	feat: pod additional metadata	2024-04-22 17:55:38 +02:00
TheCodeAssassin	28a098af21	feat: initial support for NATS as Datastore (#442 )	2024-04-22 15:31:35 +02:00
Dario Tranchitella	a849a84fd0	chore(helm): releasing v0.5.0 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-04-18 15:25:10 +02:00
Dario Tranchitella	bbfec75e7f	chore(kustomize): releasing v0.5.0 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-04-18 15:25:10 +02:00
Andrei Kvapil	ced34a50e6	Allow overriding secretKey for kubeadm kubeconfig During reconciliation, the bootstrap provider copies the content from the secret provided by Kamaji, named `<cluster>-admin-kubeconfig` into a `cluster-info` configmap of tenant cluster, which then used by kubeadm to join nodes. This change introduces a new annotation, `kamaji.clastix.io/kubeconfig-secret-key`, for the TenantControlPlane resource. This annotation instructs kamaji to read the kubeconfig from a specific key (the default one is super-admin.conf). Example: ``` kamaji.clastix.io/kubeconfig-secret-key: super-admin.svc ``` This will instruct the system to use `super-admin.svc` a kubeconfig with a local service FQDN (introduced by https://github.com/clastix/kamaji/pull/403). Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-04-18 10:57:16 +02:00
Dario Tranchitella	1311220b94	fix(webhook): expecting leading slash Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-04-18 10:57:05 +02:00
Dario Tranchitella	0e57b32ebc	fix(controller-runtime): bump version to v0.14.0 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-04-18 10:57:05 +02:00
Dario Tranchitella	4753c8ac8d	docs: supporting kubernetes v1.30 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-04-18 10:57:05 +02:00
Dario Tranchitella	b99639c9fa	feat: supporting kubernetes v1.30 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-04-18 10:57:05 +02:00
Dario Tranchitella	f3d95add5b	chore(go): upgrading to v1.22 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-04-18 10:57:05 +02:00
Andrey	dc3d5060ca	fix: ensure SetControllerReference to certificates Co-authored-by: Andrey Kontyakov <avkontya@mts.ru>	2024-04-03 15:04:10 +02:00
maartenkamoen	06a55f6a70	Update ADOPTERS.md	2024-03-28 16:59:25 +01:00
Dario Tranchitella	7a160cdb74	docs: releasing v0.4.2 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-03-12 09:18:50 +01:00
Dario Tranchitella	9688d288b7	chore(helm): releasing v0.4.2 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-03-12 09:18:50 +01:00
Dario Tranchitella	87c7c984de	chore(kustomize): releasing v0.4.2 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-03-12 09:18:50 +01:00
Rachid Zarouali	e5cccfe88b	chore(adopter): add sevensphere as Kamaji adopter	2024-03-05 18:28:46 +01:00
daseul cho	197518b0b4	chore(adopters): add KINX to the Adopters list	2024-03-05 07:25:29 +01:00
Jason Witkowski	7ac8e5e539	fix: kube-apiserver extra args override Co-authored-by: Jason Witkowski <jwitkowski@zscaler.com> Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>	2024-03-04 11:45:27 +01:00
Jason Witkowski	cec4f9136d	fix: konnectivity extra args override Co-authored-by: Jason Witkowski <jwitkowski@zscaler.com>	2024-03-04 11:31:10 +01:00
Dario Tranchitella	4299b72d7f	docs: adding further video materials Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-03-04 11:29:47 +01:00
Mathieu Cesbron	eff68db336	fix(certificate_lifecycle_controller): blocking reconciliation in case of error Signed-off-by: Mathieu Cesbron <mathieu.cesbron@protonmail.com>	2024-02-26 21:27:17 +01:00
killianmuldoon	74a6eb6b80	feat(helm): make cfssl image configurable in helm values Signed-off-by: killianmuldoon <cilliancapi@gmail.com>	2024-02-22 19:05:05 +01:00
Aurelio Forese	21fe27935f	chore(adopters): add Netsons to the Adopters list Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>	2024-02-17 13:13:28 +01:00
Andrei Kvapil	e3a8ff90da	chore(adopters): add Ænix to the adopters list Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-02-12 11:37:42 +01:00
Dario Tranchitella	8e6cea2d2d	feat(docs): providing adopters list Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-02-11 19:41:34 +01:00
Dario Tranchitella	1c90a4f333	docs: refactoring README.md Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-02-11 19:41:34 +01:00
Dario Tranchitella	6123d9a5a4	chore(helm): releasing v0.4.1 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-01-26 17:30:03 +01:00
Dario Tranchitella	587d3bb24e	chore(kustomize): releasing v0.4.1 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-01-26 17:30:03 +01:00
Dario Tranchitella	4465bd8449	docs: supporting k8s v1.29.1 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-01-26 17:30:03 +01:00
Dario Tranchitella	cf1f2763f6	feat: supporting k8s v1.29.1	2024-01-26 17:30:03 +01:00
Dario Tranchitella	25dc19f839	feat: admin kubeconfig with local service FQDN Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2024-01-22 18:50:58 +01:00
Dario Tranchitella	1ccc1d1b1e	docs: supporting k8s v1.29 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-15 13:02:49 +01:00
Dario Tranchitella	1d96710890	chore(helm): supporting k8s v1.29 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-15 13:02:49 +01:00
Dario Tranchitella	edceda3302	chore(kustomize): supporting k8s v1.29 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-15 13:02:49 +01:00
Dario Tranchitella	755cc5bacd	refactor(golangci-lint): aligning to new linters Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-15 13:02:49 +01:00
Dario Tranchitella	e0c86d685c	feat: support for kubeadm cluster-admins rbac Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-15 13:02:49 +01:00
Dario Tranchitella	ddb700f4f0	refactor: upgrading to new dependencies Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-15 13:02:49 +01:00
Dario Tranchitella	4bdddfc695	chore(go): bumping to 1.21 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-15 13:02:49 +01:00
Dario Tranchitella	8b999f1323	feat: supporting k8s v1.28 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-15 13:02:49 +01:00
Dario Tranchitella	2571086ff3	fix(helm): minor bump	2023-12-14 19:58:06 +01:00
Dario Tranchitella	cd9d92296b	docs: releasing v0.3.6 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-14 19:55:49 +01:00
Dario Tranchitella	f24ff618a9	chore(helm): releasing v0.3.6 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-14 19:55:49 +01:00
Dario Tranchitella	4bf39149ec	chore(kustomize): releasing v0.3.6 Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-14 19:55:49 +01:00
Dario Tranchitella	045c5bbd7c	fix(migrate): preventing 63 characters pod name limit Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-12 12:24:22 +01:00
Adriano Pezzuto	6eb3171817	fix(docs): add a cleanup procedure for aborted installation Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>	2023-12-02 16:30:56 +01:00
Emile M	289bad540c	feat: add tolerations on etcd sts (#387 )	2023-11-21 23:38:58 +01:00
Emile M	ac06447706	fix: add conditional logic for datastore (#386 ) * feat: Add conditional logic for datastore * bump helm chart version * chore: update helm chart documentation	2023-11-13 11:18:50 +01:00
Thomas Güttler	95de31d697	Fix typo in readme	2023-11-08 20:24:06 +01:00
SkalaNetworks	0037b4941c	chore(helm): update chart docs	2023-10-18 14:14:21 +02:00
SkalaNetworks	c251f57f06	chore(helm): bump chart version	2023-10-18 14:14:21 +02:00
SkalaNetworks	129cb0e6fe	fix(helm): storage class value name	2023-10-18 14:14:21 +02:00
Dario Tranchitella	73e0618ad3	chore(helm): releasing v0.3.5	2023-10-17 19:46:19 +02:00
Dario Tranchitella	6c2634b5e9	chore(kustomize): releasing v0.3.5	2023-10-17 19:46:19 +02:00
Dario Tranchitella	dac670113f	docs: supporting k8s v1.28.2	2023-10-17 19:46:19 +02:00
Dario Tranchitella	c8039cdf5c	feat: supporting k8s v1.28.2	2023-10-17 19:46:19 +02:00
maartenkamoen	a7cfc9a898	feat(helm): idempotency for the etcd component Co-authored-by: Maarten Kamoen <maarten@aknostic.com>	2023-10-10 18:18:15 +02:00
Dario Tranchitella	0f1a4f28de	fix: blocking datastore secret deletion with finalizer	2023-09-29 10:56:28 +02:00
bsctl	40f57466e2	docs: new picture for architecture	2023-09-13 10:24:53 +02:00
Dario Tranchitella	feed6634a5	chore(helm): releasing v0.3.4	2023-09-06 14:46:29 +02:00
Dario Tranchitella	c85e686283	chore(kustomize): releasing v0.3.4	2023-09-06 14:46:29 +02:00
Dario Tranchitella	05ffd6cf75	feat: supporting k8s v1.28.1	2023-09-06 14:46:29 +02:00
bsctl	e16855a1b4	docs: add conformance 1.26 1.27 1.28	2023-09-05 08:02:06 +02:00
bsctl	d21eb135fd	docs: logo in svg format	2023-09-04 21:34:40 +02:00
Dario Tranchitella	c5e12cc401	fix(migrate): stripping unrequired v prefix	2023-09-01 13:38:36 +01:00
Dario Tranchitella	dc97d69d0c	fix: tcp deployment replica to pointer	2023-09-01 09:13:00 +01:00
Adriano Pezzuto	bac5d56076	Improve project description and documentation (#365 ) * docs: improve documentation * docs: improve documentation * docs: improve documentation	2023-08-29 07:56:48 +02:00
bsctl	973392bd85	docs: add a guide for the console usage	2023-08-27 22:19:43 +02:00
bsctl	30b36ba7f4	docs: fix typos	2023-08-27 22:19:43 +02:00
Adriano Pezzuto	0db27a7335	docs: improve the nodes joining procedure (#362 )	2023-08-27 10:23:10 +02:00
Adriano Pezzuto	facf23a055	docs: update the datastore migration guide (#361 )	2023-08-27 08:56:00 +02:00
daseul cho	6674373037	chore(kustomize): tilt labels for cluster api development	2023-08-26 16:33:26 +02:00
daseul cho	72712693a2	chore(kustomize): set default datastore of the manager for cluster api development	2023-08-26 16:33:26 +02:00
daseul cho	33709005b1	feat: scaffolding tilt development environment	2023-08-26 16:33:26 +02:00
Dario Tranchitella	6ce83c551e	chore(ci): make version as source of truth for container image release	2023-08-26 16:31:19 +02:00
Dario Tranchitella	2b638fe09d	docs: supporting k8s 1.28	2023-08-22 09:35:16 +02:00
Dario Tranchitella	58a5cac9e8	feat: supporting k8s 1.28	2023-08-22 09:35:16 +02:00
Dario Tranchitella	e9d2af931a	fix(webhook): decoding delete content	2023-08-22 09:35:02 +02:00
Adriano Pezzuto	a996803db5	docs: link to supported CAPI providers	2023-08-22 09:34:43 +02:00
Dario Tranchitella	e34fc1851f	chore(helm): releasing v0.3.3	2023-08-08 12:07:30 +02:00
Dario Tranchitella	740fe9c938	chore(kustomize): releasing v0.3.3	2023-08-08 12:07:30 +02:00
Dario Tranchitella	65854721de	fix(ingress): referencing ingress port from hostname	2023-08-08 10:55:33 +02:00
geoffrey1330	adde828e03	docs: added default label to TCP resources	2023-08-08 09:56:54 +02:00
Dario Tranchitella	ffc2c7c967	fix(gh): triggering e2e upon cmd changes	2023-08-03 18:04:07 +02:00
Dario Tranchitella	0f195286a7	docs(manager): cache resync period	2023-08-03 18:04:07 +02:00
Dario Tranchitella	f768f93fe9	feat: cache resync period	2023-08-03 18:04:07 +02:00
Dario Tranchitella	05cbff1fd8	docs: kubeconfig and certificates rotation	2023-08-03 18:03:54 +02:00
Dario Tranchitella	7e94ecdbab	feat: kubeconfig and certificates rotation	2023-08-03 18:03:54 +02:00
Dario Tranchitella	648da19687	refactor: checking kubeconfig user certs validity	2023-08-03 18:03:54 +02:00
Dario Tranchitella	6c4b339c4b	fix(typo): error message for kubeconfig	2023-08-03 18:03:54 +02:00
Dario Tranchitella	eee62032de	refactor: ensuring owner reference and labels with controller label	2023-08-03 18:03:54 +02:00
Dario Tranchitella	8e8ee92fb2	docs: releasing v0.3.2	2023-08-01 19:11:32 +02:00
Dario Tranchitella	f3be9e5442	chore(helm): releasing v0.3.2	2023-08-01 19:11:32 +02:00
Dario Tranchitella	fb296267f6	chore(kustomize): releasing v0.3.2	2023-08-01 19:11:32 +02:00
Dario Tranchitella	751ce3722b	fix(capi): keys for kubeadm-bootstrap controller	2023-08-01 19:04:58 +02:00
Dario Tranchitella	d99ffb0334	chore(samples): wrong name	2023-08-01 13:51:09 +02:00
Dario Tranchitella	f831f385c4	feat(cli): controller reconcile timeout flag with 30s default value	2023-08-01 13:51:09 +02:00
Dario Tranchitella	f301c9bdc2	fix(scheme): must register defaulter funcs	2023-07-27 19:25:42 +02:00
Thomas Güttler	0909529e6b	fix(docs): typos	2023-07-12 10:33:33 +02:00
Dario Tranchitella	d0aacd03f6	chore(helm): releasing v0.3.1	2023-07-07 16:12:21 +02:00
Dario Tranchitella	f4c84946c0	chore(kustomize): releasing v0.3.1	2023-07-07 16:12:21 +02:00
Dario Tranchitella	2c72369b99	chore: releasing v0.3.1	2023-07-07 16:12:21 +02:00
Dario Tranchitella	abcc662c96	fix(datastore): replacing dash with underscore	2023-07-05 22:20:55 +02:00
Dario Tranchitella	792119d2d3	fix: validating tcp name	2023-07-04 21:55:19 +02:00
daseulcho	f0e675dea3	fix(kubelet-config): adding versioned kubelet config	2023-07-04 18:19:34 +02:00
daseulcho	4413061640	fix(kubelet-config): adding versioned kubelet config	2023-07-04 09:23:36 +02:00
Dario Tranchitella	8f57ff407e	fix(konnectivity): setting service nodeport Co-authored-by: jds <jds9090@kinx.net>	2023-07-04 07:19:37 +02:00
Dario Tranchitella	94f2d9074d	refactor: unrequired node registration for kubeadm config	2023-07-03 15:28:12 +02:00
Dario Tranchitella	fadcc219ec	docs: kubernetes 1.27.3 support	2023-07-01 00:01:32 +02:00
Dario Tranchitella	af5ac4acab	feat: kubernetes 1.27.3 support	2023-07-01 00:01:32 +02:00
Dario Tranchitella	069afd9b17	fix(kubeconfig): recreating kubeconfig upon checksum failure	2023-06-30 16:07:59 +02:00
Dario Tranchitella	6741194034	fix(gh): missing build args for docker-ci	2023-06-30 10:53:11 +02:00
Dario Tranchitella	7acba20056	fix(webhook): wrong object for migrate route	2023-06-30 10:52:52 +02:00
Dario Tranchitella	0d2cf784f5	docs: capi support	2023-06-22 16:18:29 +02:00
bsctl	4db8230912	chore(helm): update metadata	2023-06-14 06:21:59 +00:00