Adds fleet-event-monitor

`fleet-event-monitor` is a separate binary, Docker image, and Helm chart containing **read-only monitoring controllers**. These controllers:

- Mirror the exact watch configuration of Fleet's production controllers (same `SetupWithManager` logic)
- Log detailed diffs (spec, status, annotations, labels) when controllers are triggered
- Perform **no reconciliation or write operations**
- Are enabled/disabled per controller via environment variables or Helm values
- Use read-only RBAC permissions (only `get`, `list`, `watch` — except leases for leader election)

**Problem solved**: Understanding why Fleet controllers are triggered repeatedly or what specific changes cause reconciliation loops, without impacting production workloads.

---

```
fleet/
├── cmd/fleeteventmonitor/main.go                          # Entry point
├── internal/cmd/monitor/
│   ├── root.go                                       # CLI / cobra setup, env var parsing
│   ├── operator.go                                   # controller-runtime manager, reconciler wiring
│   └── reconciler/
│       ├── monitor.go                                # Shared logging utilities (logSpecChange, logStatusChange, etc.)
│       ├── stats.go                                  # EventType constants, StatsTracker, Summary (JSON)
│       ├── filter.go                                 # EventTypeFilters struct, ResourceFilter, ShouldLog/ShouldLogTrigger logic
│       ├── cache.go                                  # ObjectCache (thread-safe, namespace/name keyed)
│       ├── predicate.go                              # TypedResourceVersionUnchangedPredicate
│       ├── bundle_monitor.go                         # Bundle controller (watches BD + Cluster)
│       ├── bundle_query.go                           # BundleQuery interface + impl (cluster→bundle mapping)
│       ├── cluster_monitor.go                        # Cluster controller (watches BD)
│       ├── bundledeployment_monitor.go               # BundleDeployment controller
│       ├── gitrepo_monitor.go                        # GitRepo controller (watches Job)
│       └── helmop_monitor.go                         # HelmOp controller
├── package/Dockerfile.event-monitor                  # Multi-arch Docker image (BCI 15.7, non-root)
├── charts/fleet-event-monitor/
│   ├── Chart.yaml
│   ├── values.yaml
│   └── templates/
│       ├── _helpers.tpl
│       ├── deployment.yaml
│       └── rbac.yaml
└── .goreleaser.yaml                                  # Build/release config (fleet-event-monitor added)
```

**Original production controllers (for watch pattern reference)**:
- `internal/cmd/controller/reconciler/bundle_controller.go`
- `internal/cmd/controller/reconciler/cluster_controller.go`
- `internal/cmd/controller/reconciler/bundledeployment_controller.go`
- `internal/cmd/controller/gitops/reconciler/gitjob_controller.go`
- `internal/cmd/controller/helmops/reconciler/helmapp_controller.go`

---

Each monitor controller:
1. Copies `SetupWithManager()` from the original controller (identical watches, predicates, event filters)
2. Replaces `Reconcile()` with logging-only logic
3. Uses an in-memory `ObjectCache` to detect changes between events

1. Reconcile triggered by watch event
2. `Get()` current object from Kubernetes API
3. Look up previous version from `ObjectCache`
4. If first time → log "create", cache object, return
5. If seen before → compare and log: spec diff, status diff, annotation/label/resourceVersion changes
6. Update cache with new version

| Controller | Primary Watch | Secondary Watches |
|---|---|---|
| Bundle | Bundle | BundleDeployment (status changes), Cluster (all changes) |
| Cluster | Cluster | BundleDeployment (spec/status changes) |
| BundleDeployment | BundleDeployment | — |
| GitRepo | GitRepo | Job (status changes) |
| HelmOp | HelmOp | — |

---

Each controller independently operates in one of two modes, controlled by a per-controller `detailed` flag:

| Mode | `detailed` value | Behavior |
|---|---|---|
| **Summary** (default) | `false` | Counts events; prints periodic JSON summaries. No per-event log lines. |
| **Detailed** | `true` | Emits a structured log line for every event with diffs included. |

The summary printer **always runs** regardless of mode, so you always get aggregate statistics. Setting `detailed=true` adds verbose per-event logs on top.

**Default**: all controllers default to `false` (summary only).

| Environment Variable | Helm Value | Default |
|---|---|---|
| `FLEET_EVENT_MONITOR_BUNDLE_DETAILED` | `logging.bundle.detailed` | `false` |
| `FLEET_EVENT_MONITOR_BUNDLEDEPLOYMENT_DETAILED` | `logging.bundleDeployment.detailed` | `false` |
| `FLEET_EVENT_MONITOR_CLUSTER_DETAILED` | `logging.cluster.detailed` | `false` |
| `FLEET_EVENT_MONITOR_GITREPO_DETAILED` | `logging.gitRepo.detailed` | `false` |
| `FLEET_EVENT_MONITOR_HELMOP_DETAILED` | `logging.helmOp.detailed` | `false` |

> **Note**: The wrangler command framework does not parse boolean env vars automatically. They are manually parsed in `root.go` using `strconv.ParseBool()`. Valid values: `true`/`false`, `1`/`0`, `True`/`False`, `TRUE`/`FALSE`.

| Environment Variable | Helm Value | Default | Description |
|---|---|---|---|
| `FLEET_EVENT_MONITOR_SUMMARY_INTERVAL` | `logging.summary.interval` | `"30s"` | How often to print the JSON summary |
| `FLEET_EVENT_MONITOR_SUMMARY_RESET` | `logging.summary.resetOnPrint` | `false` | Reset counters after each print (false = cumulative) |

| Event Type | Env var suffix / Helm key | Description |
|---|---|---|
| `generation-change` | `GENERATION_CHANGE` / `generationChange` | Spec modifications (generation bump) |
| `status-change` | `STATUS_CHANGE` / `statusChange` | Status field updates |
| `annotation-change` | `ANNOTATION_CHANGE` / `annotationChange` | Annotation modifications |
| `label-change` | `LABEL_CHANGE` / `labelChange` | Label modifications |
| `resourceversion-change` | `RESVER_CHANGE` / `resourceVersionChange` | Cache sync / metadata updates (finalizers, ownerRefs, managedFields) |
| `triggered-by` | `TRIGGERED_BY` / `triggeredBy` | Trigger source breakdown by resource type |
| `deletion` | `DELETION` / `deletion` | Resource being deleted |
| `not-found` | `NOT_FOUND` / `notFound` | Resource not found (likely deleted) |
| `create` | `CREATE` / `create` | First observation of resource |

```json
{
  "timestamp": "2026-02-09T10:00:30Z",
  "interval_seconds": 30,
  "summary": {
    "Bundle": {
      "fleet-local/test-bundle": {
        "generation-change": 5,
        "status-change": 20,
        "triggered-by": { "BundleDeployment": 12, "Cluster": 3 },
        "total_events": 41
      }
    }
  },
  "totals": { "total_resources_monitored": 3, "total_events": 63 }
}
```

```bash
kubectl logs -n cattle-fleet-system deploy/fleet-event-monitor | \
  grep "Fleet Monitor Summary" | tail -1 | \
  jq -r '.summary.Bundle | to_entries[] | select(.value.total_events > 50) | "\(.key): \(.value.total_events) events"'

kubectl logs -n cattle-fleet-system deploy/fleet-event-monitor | \
  grep "Fleet Monitor Summary" | tail -1 | \
  jq '.summary.Bundle["fleet-local/test-bundle"]["triggered-by"]'

kubectl logs -n cattle-fleet-system deploy/fleet-event-monitor | \
  grep "Fleet Monitor Summary" | tail -1 | \
  jq -r '.summary | to_entries[] | .key as $t | .value | to_entries[] | select(.value["status-change"] > 0) | "\($t)/\(.key): \(.value["status-change"]) status changes"'

kubectl logs -n cattle-fleet-system deploy/fleet-event-monitor | grep "parsed per-controller"

kubectl logs -n cattle-fleet-system deploy/fleet-event-monitor | grep "registered monitor controller"
```

---

When a controller is in detailed mode (`detailed=true`), event type filters let you restrict which event types produce a log line. **Statistics are always tracked** regardless of filters — filters only affect the verbosity of the per-event log output.

**Default behavior**: if all event filter flags are `false`, **all event types are logged** (backwards compatible). To restrict output, set the specific types you want to `true`. Any `true` flag activates selective filtering.

`EventTypeFilters.IsEmpty()` returns true when all fields are false → `ShouldLog()` returns true for every event type. Once any field is set to `true`, only enabled types pass through.

The env var pattern is:
- Bundle: `FLEET_EVENT_MONITOR_BUNDLE_EVENT_<TYPE>`
- BundleDeployment: `FLEET_EVENT_MONITOR_BD_EVENT_<TYPE>`
- Cluster: `FLEET_EVENT_MONITOR_CLUSTER_EVENT_<TYPE>`
- GitRepo: `FLEET_EVENT_MONITOR_GITREPO_EVENT_<TYPE>`
- HelmOp: `FLEET_EVENT_MONITOR_HELMOP_EVENT_<TYPE>`

Where `<TYPE>` is one of: `GENERATION_CHANGE`, `STATUS_CHANGE`, `ANNOTATION_CHANGE`, `LABEL_CHANGE`, `RESVER_CHANGE`, `DELETION`, `NOT_FOUND`, `CREATE`, `TRIGGERED_BY`.

```yaml
logging:
  bundle:
    detailed: true   # Must be true for event filters to have any effect
    eventFilters:
      generationChange: false      # Set true to see spec diffs
      statusChange: false          # Set true to see status diffs
      annotationChange: false
      labelChange: false
      resourceVersionChange: false # Set true to see cache-sync/metadata events
      deletion: false
      notFound: false
      create: false
      triggeredBy: false           # Set true to see which resource triggered reconciliation
```

The same structure applies for `bundleDeployment`, `cluster`, `gitRepo`, and `helmOp`.

**Example 1: Only watch generation changes (spec diffs) for Bundle**
```bash
helm upgrade fleet-event-monitor ./charts/fleet-event-monitor \
  --set logging.bundle.detailed=true \
  --set logging.bundle.eventFilters.generationChange=true
```

**Example 2: Focus on reconciliation trigger sources only**
```bash
helm upgrade fleet-event-monitor ./charts/fleet-event-monitor \
  --set logging.bundle.detailed=true \
  --set logging.bundle.eventFilters.triggeredBy=true
```

**Example 3: See everything for Bundle (all filters false = log all)**
```bash
helm upgrade fleet-event-monitor ./charts/fleet-event-monitor \
  --set logging.bundle.detailed=true
```

**Example 4: Via environment variables**
```bash
FLEET_EVENT_MONITOR_BUNDLE_DETAILED=true \
FLEET_EVENT_MONITOR_BUNDLE_EVENT_GENERATION_CHANGE=true \
FLEET_EVENT_MONITOR_BUNDLE_EVENT_TRIGGERED_BY=true \
./fleeteventmonitor --kubeconfig ~/.kube/config
```

**Example 5: Debug only cache-sync/metadata noise**
```bash
helm upgrade fleet-event-monitor ./charts/fleet-event-monitor \
  --set logging.cluster.detailed=true \
  --set logging.cluster.eventFilters.resourceVersionChange=true
```

---

Resource filters allow you to restrict monitoring to a specific subset of resources by namespace and/or name. This is useful in large deployments (100+ bundles) where you only care about specific resources and want to reduce log volume.

**Filters apply to both detailed logs AND statistics** — filtered-out resources do not appear in the JSON summary either.

At the top of each controller's `Reconcile()`, the resource namespace and name are tested against the compiled regex patterns. Resources that do not match are skipped entirely — no logs, no statistics.

- Both patterns are **regular expressions** (Go `regexp` syntax)
- An **empty pattern matches all** values for that field (backwards compatible)
- Patterns are compiled at startup; an **invalid regex causes the binary to exit** with a clear error message
- Namespace and name patterns are ANDed — a resource must match both to be monitored
- Filters are orthogonal to event type filtering — both can be combined

| Controller | Namespace Pattern | Name Pattern |
|---|---|---|
| Bundle | `FLEET_EVENT_MONITOR_BUNDLE_RESOURCE_FILTER_NAMESPACE` | `FLEET_EVENT_MONITOR_BUNDLE_RESOURCE_FILTER_NAME` |
| BundleDeployment | `FLEET_EVENT_MONITOR_BUNDLEDEPLOYMENT_RESOURCE_FILTER_NAMESPACE` | `FLEET_EVENT_MONITOR_BUNDLEDEPLOYMENT_RESOURCE_FILTER_NAME` |
| Cluster | `FLEET_EVENT_MONITOR_CLUSTER_RESOURCE_FILTER_NAMESPACE` | `FLEET_EVENT_MONITOR_CLUSTER_RESOURCE_FILTER_NAME` |
| GitRepo | `FLEET_EVENT_MONITOR_GITREPO_RESOURCE_FILTER_NAMESPACE` | `FLEET_EVENT_MONITOR_GITREPO_RESOURCE_FILTER_NAME` |
| HelmOp | `FLEET_EVENT_MONITOR_HELMOP_RESOURCE_FILTER_NAMESPACE` | `FLEET_EVENT_MONITOR_HELMOP_RESOURCE_FILTER_NAME` |

```yaml
logging:
  bundle:
    resourceFilter:
      namespace: ""  # Regular expression for namespace matching (e.g., "^fleet-local$")
      name: ""       # Regular expression for name matching (e.g., "^test-.*")
```

The same structure applies for `bundleDeployment`, `cluster`, `gitRepo`, and `helmOp`.

**Example 1: Monitor only a specific bundle**
```bash
helm upgrade fleet-event-monitor ./charts/fleet-event-monitor \
  --set logging.bundle.detailed=true \
  --set "logging.bundle.resourceFilter.namespace=^fleet-local$" \
  --set "logging.bundle.resourceFilter.name=^my-app$"
```

**Example 2: Monitor all bundles in a namespace**
```bash
helm upgrade fleet-event-monitor ./charts/fleet-event-monitor \
  --set logging.bundle.detailed=true \
  --set "logging.bundle.resourceFilter.namespace=^fleet-local$"
```

**Example 3: Monitor bundles matching a name prefix**
```bash
helm upgrade fleet-event-monitor ./charts/fleet-event-monitor \
  --set logging.bundle.detailed=true \
  --set "logging.bundle.resourceFilter.name=^payment-.*"
```

**Example 4: Via environment variables**
```bash
FLEET_EVENT_MONITOR_BUNDLE_DETAILED=true \
FLEET_EVENT_MONITOR_BUNDLE_RESOURCE_FILTER_NAMESPACE="^fleet-local$" \
FLEET_EVENT_MONITOR_BUNDLE_RESOURCE_FILTER_NAME="^my-app$" \
./fleeteventmonitor --kubeconfig ~/.kube/config
```

**Example 5: Combine resource filter with event type filter**
```bash
FLEET_EVENT_MONITOR_BUNDLE_DETAILED=true \
FLEET_EVENT_MONITOR_BUNDLE_RESOURCE_FILTER_NAMESPACE="^fleet-local$" \
FLEET_EVENT_MONITOR_BUNDLE_RESOURCE_FILTER_NAME="^my-app$" \
FLEET_EVENT_MONITOR_BUNDLE_EVENT_STATUS_CHANGE=true \
./fleeteventmonitor --kubeconfig ~/.kube/config
```

---

The Bundle monitor's Cluster watch handler queries which bundles are affected by a cluster change, logging the correct bundle name and namespace in trigger events.

`internal/cmd/monitor/reconciler/bundle_query.go` — adapted from `internal/cmd/controller/target/`:

```go
type BundleQuery interface {
    BundlesForCluster(context.Context, *fleet.Cluster) ([]*fleet.Bundle, []*fleet.Bundle, error)
}
```

Supports: basic targeting, label-based cluster matching, ClusterGroups, BundleNamespaceMapping (cross-namespace), Fleet agent bundles, deduplicated results.

**Without the query**: `Bundle reconciliation triggered Bundle= Namespace= Name= TriggeredBy=Cluster:my-cluster:fleet-default`

**With the query**: `Bundle reconciliation triggered Bundle=fleet-default/my-app Namespace=fleet-default Name=my-app TriggeredBy=Cluster:my-cluster:fleet-default`

---

Full `values.yaml` structure as shipped:

```yaml
image:
  repository: rancher/fleet-event-monitor
  tag: dev
  imagePullPolicy: IfNotPresent

namespace: cattle-fleet-system

controllers:
  bundle: false
  bundledeployment: false
  cluster: false
  gitrepo: false
  helmop: false

workers:
  bundle: 5
  bundledeployment: 5
  cluster: 5
  gitrepo: 5
  helmop: 5

logFormat: json
logLevel: info
debug: false
debugLevel: 0

shardID: ""

nodeSelector: {}
tolerations: []
priorityClassName: ""

leaderElection:
  enabled: true
  leaseDuration: 30s
  retryPeriod: 10s
  renewDeadline: 25s

resources:
  limits:
    cpu: 500m
    memory: 256Mi
  requests:
    cpu: 100m
    memory: 128Mi

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000

extraEnv: []

logging:
  bundle:
    detailed: false
    resourceFilter:
      namespace: ""
      name: ""
    eventFilters:
      generationChange: false
      statusChange: false
      annotationChange: false
      labelChange: false
      resourceVersionChange: false
      deletion: false
      notFound: false
      create: false
      triggeredBy: false

  bundleDeployment:
    detailed: false
    resourceFilter:
      namespace: ""
      name: ""
    eventFilters:
      generationChange: false
      statusChange: false
      annotationChange: false
      labelChange: false
      resourceVersionChange: true
      deletion: false
      notFound: false
      create: false
      triggeredBy: false

  cluster:
    detailed: false
    resourceFilter:
      namespace: ""
      name: ""
    eventFilters:
      generationChange: false
      statusChange: false
      annotationChange: false
      labelChange: false
      resourceVersionChange: false
      deletion: false
      notFound: false
      create: false
      triggeredBy: false

  gitRepo:
    detailed: false
    resourceFilter:
      namespace: ""
      name: ""
    eventFilters:
      # all false

  helmOp:
    detailed: false
    resourceFilter:
      namespace: ""
      name: ""
    eventFilters:
      # all false

  summary:
    interval: "30s"
    resetOnPrint: false
```

---

```bash
go build -o bin/fleeteventmonitor ./cmd/fleeteventmonitor
```

Set environment variables before running. At minimum, enable at least one controller:

```bash
export ENABLE_BUNDLE_EVENT_MONITOR=true
export NAMESPACE=cattle-fleet-system

./bin/fleeteventmonitor --kubeconfig ~/.kube/config
```

For detailed logging with filters:

```bash
export ENABLE_BUNDLE_EVENT_MONITOR=true
export NAMESPACE=cattle-fleet-system
export FLEET_EVENT_MONITOR_BUNDLE_DETAILED=true
export FLEET_EVENT_MONITOR_BUNDLE_EVENT_STATUS_CHANGE=true
export FLEET_EVENT_MONITOR_BUNDLE_EVENT_TRIGGERED_BY=true

./bin/fleeteventmonitor --kubeconfig ~/.kube/config
```

To narrow down to a specific resource:

```bash
export ENABLE_BUNDLE_EVENT_MONITOR=true
export NAMESPACE=cattle-fleet-system
export FLEET_EVENT_MONITOR_BUNDLE_DETAILED=true
export FLEET_EVENT_MONITOR_BUNDLE_RESOURCE_FILTER_NAMESPACE="^fleet-local$"
export FLEET_EVENT_MONITOR_BUNDLE_RESOURCE_FILTER_NAME="^my-app$"

./bin/fleeteventmonitor --kubeconfig ~/.kube/config
```

```bash
helm install fleet-event-monitor ./charts/fleet-event-monitor \
  --namespace cattle-fleet-system \
  --set controllers.bundle=true \
  --set controllers.bundledeployment=true \
  --set controllers.cluster=true \
  --set controllers.gitrepo=true \
  --set controllers.helmop=true

helm install fleet-event-monitor ./charts/fleet-event-monitor \
  --namespace cattle-fleet-system \
  --set controllers.bundle=true \
  --set logging.bundle.detailed=true

helm install fleet-event-monitor ./charts/fleet-event-monitor \
  --namespace cattle-fleet-system \
  --set controllers.bundle=true \
  --set logging.bundle.detailed=true \
  --set logging.bundle.eventFilters.generationChange=true \
  --set logging.bundle.eventFilters.triggeredBy=true
```

```bash
helm upgrade fleet-event-monitor ./charts/fleet-event-monitor \
  --reuse-values \
  --set logging.cluster.detailed=true \
  --set logging.cluster.eventFilters.statusChange=true
```

```bash
helm install fleet-event-monitor-shard0 ./charts/fleet-event-monitor --set shardID=shard0
helm install fleet-event-monitor-shard1 ./charts/fleet-event-monitor --set shardID=shard1
```

---

ClusterRole: `get`, `list`, `watch` on Fleet resources, core resources, RBAC resources, Jobs, Deployments.
Role (namespaced): `get`, `list`, `watch`, `create`, `update`, `patch`, `delete` on `coordination.k8s.io/leases` (leader election only).
No write access to any Fleet or Kubernetes resources.

---

| Limitation | Workaround |
|---|---|
| Controller-runtime doesn't expose which watch triggered a reconciliation | Log at fan-out mapping functions (Cluster→Bundle handler, BD→Bundle handler) |
| `TypedResourceVersionUnchangedPredicate` causes cache-sync noise | Filter using `eventFilters.resourceVersionChange=false` to suppress in detailed mode |

---

Several scripts in `dev/` help parse and visualize monitor output. They all read from stdin, a pipe, or a file argument and require `jq`.

Parses all `Fleet Monitor Summary` lines from a log stream and renders the last (or cumulative) summary as a human-readable table. Also computes the time range covered if multiple summaries are present.

```bash
kubectl logs -n cattle-fleet-system deploy/fleet-event-monitor | ./dev/format-monitor-summary.sh

./dev/format-monitor-summary.sh logs.json
```

Output example:
```
================================================================================
  FLEET MONITOR SUMMARY
================================================================================
  Timestamp:        2026-02-09T10:00:30Z
  Interval:         30s
  Total Resources:  3
  Total Events:     63
================================================================================

▼ Bundle
-------------------------------------------------------------------------------
  RESOURCE               CREATE   DELETE  N-FOUND   STATUS  GEN-CHG    ANNOT    LABEL   RESVER   EVENTS
  ---------------------- ------ -------- ------- -------- ------- ----- ----- ------ ------
  fleet-local/my-app          1        0       0       20       5       0       0       0       41
    └─ triggered-by: BundleDeployment = 12
    └─ triggered-by: Cluster = 3
================================================================================
  Time range: ...
================================================================================
```

Filters `status-change` events from detailed log output and renders each diff with colour-coded `+`/`-` lines.

Requires the controller to be running in detailed mode with `statusChange` enabled:
```bash
export FLEET_EVENT_MONITOR_BUNDLE_DETAILED=true
export FLEET_EVENT_MONITOR_BUNDLE_EVENT_STATUS_CHANGE=true
```

Usage:
```bash
kubectl logs -n cattle-fleet-system deploy/fleet-event-monitor | ./dev/parse-status-log.sh
```

Filters `resourceversion-change` events and renders each event with version numbers, change reason, metadata change list, and colour-coded diff output. Useful for identifying which SSA managers or finalizer changes are causing metadata-only reconciliation loops.

Requires the controller to be running in detailed mode with `resourceVersionChange` enabled:
```bash
export FLEET_EVENT_MONITOR_BUNDLE_DETAILED=true
export FLEET_EVENT_MONITOR_BUNDLE_EVENT_RESVER_CHANGE=true
```

Usage:
```bash
kubectl logs -n cattle-fleet-system deploy/fleet-event-monitor | ./dev/parse-resourceversion-log.sh
```

The output includes a `Changed:` line listing which metadata fields changed (`finalizers`, `ownerReferences`, `managedFields`) and, for `managedFields`, a manager-level summary (added/removed/changed SSA managers) followed by a field-level diff of their `FieldsV1` entries.

Signed-off-by: Xavi Garcia <xavi.garcia@suse.com>

Author: 0xavi0

EVENT-MONITOR.md

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: fleet-event-monitor
+version: 0.0.0
+appVersion: 0.0.0
+description: Fleet Event Monitor - Read-only monitoring for Fleet controllers
+icon: https://charts.rancher.io/assets/logos/fleet.svg
+annotations:
+  catalog.cattle.io/namespace: cattle-fleet-system
+  catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.35.0-0'

charts/fleet-event-monitor/Chart.yaml

@@ -0,0 +1,34 @@
+{{- define "fleet-event-monitor.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "fleet-event-monitor.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "fleet-event-monitor.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "fleet-event-monitor.labels" -}}
+helm.sh/chart: {{ include "fleet-event-monitor.chart" . }}
+{{ include "fleet-event-monitor.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "fleet-event-monitor.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "fleet-event-monitor.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/fleet-event-monitor/templates/_helpers.tpl

@@ -0,0 +1,243 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fleet-event-monitor{{- if .Values.shardID }}-shard-{{ .Values.shardID }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "fleet-event-monitor.labels" . | nindent 4 }}
+    {{- if .Values.shardID }}
+    fleet.cattle.io/shard-id: {{ .Values.shardID }}
+    {{- end }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "fleet-event-monitor.selectorLabels" . | nindent 6 }}
+      {{- if .Values.shardID }}
+      fleet.cattle.io/shard-id: {{ .Values.shardID }}
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        {{- include "fleet-event-monitor.selectorLabels" . | nindent 8 }}
+        {{- if .Values.shardID }}
+        fleet.cattle.io/shard-id: {{ .Values.shardID }}
+        {{- end }}
+    spec:
+      serviceAccountName: fleet-event-monitor
+      {{- with .Values.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: fleet-event-monitor
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+        command:
+        - fleeteventmonitor
+        {{- if .Values.shardID }}
+        - --shard-id={{ .Values.shardID }}
+        {{- end }}
+        {{- if .Values.debug }}
+        - --debug
+        - --debug-level={{ .Values.debugLevel }}
+        {{- end }}
+        env:
+        - name: NAMESPACE
+          value: {{ .Values.namespace | quote }}
+        - name: ENABLE_BUNDLE_EVENT_MONITOR
+          value: {{ .Values.controllers.bundle | quote }}
+        - name: ENABLE_BUNDLEDEPLOYMENT_EVENT_MONITOR
+          value: {{ .Values.controllers.bundledeployment | quote }}
+        - name: ENABLE_CLUSTER_EVENT_MONITOR
+          value: {{ .Values.controllers.cluster | quote }}
+        - name: ENABLE_GITREPO_EVENT_MONITOR
+          value: {{ .Values.controllers.gitrepo | quote }}
+        - name: ENABLE_HELMOP_EVENT_MONITOR
+          value: {{ .Values.controllers.helmop | quote }}
+        - name: BUNDLE_RECONCILER_WORKERS
+          value: {{ .Values.workers.bundle | quote }}
+        - name: BUNDLEDEPLOYMENT_RECONCILER_WORKERS
+          value: {{ .Values.workers.bundledeployment | quote }}
+        - name: CLUSTER_RECONCILER_WORKERS
+          value: {{ .Values.workers.cluster | quote }}
+        - name: GITREPO_RECONCILER_WORKERS
+          value: {{ .Values.workers.gitrepo | quote }}
+        - name: HELMOP_RECONCILER_WORKERS
+          value: {{ .Values.workers.helmop | quote }}
+        {{- if .Values.debug }}
+        - name: CATTLE_DEV_MODE
+          value: "true"
+        {{- end }}
+        {{- if .Values.leaderElection.enabled }}
+        - name: CATTLE_ELECTION_LEASE_DURATION
+          value: {{ .Values.leaderElection.leaseDuration | quote }}
+        - name: CATTLE_ELECTION_RETRY_PERIOD
+          value: {{ .Values.leaderElection.retryPeriod | quote }}
+        - name: CATTLE_ELECTION_RENEW_DEADLINE
+          value: {{ .Values.leaderElection.renewDeadline | quote }}
+        {{- end }}
+        # Per-controller detailed logging flags
+        - name: FLEET_EVENT_MONITOR_BUNDLE_DETAILED
+          value: {{ .Values.logging.bundle.detailed | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLEDEPLOYMENT_DETAILED
+          value: {{ .Values.logging.bundleDeployment.detailed | quote }}
+        - name: FLEET_EVENT_MONITOR_CLUSTER_DETAILED
+          value: {{ .Values.logging.cluster.detailed | quote }}
+        - name: FLEET_EVENT_MONITOR_GITREPO_DETAILED
+          value: {{ .Values.logging.gitRepo.detailed | quote }}
+        - name: FLEET_EVENT_MONITOR_HELMOP_DETAILED
+          value: {{ .Values.logging.helmOp.detailed | quote }}
+        # Bundle resource filters
+        - name: FLEET_EVENT_MONITOR_BUNDLE_RESOURCE_FILTER_NAMESPACE
+          value: {{ .Values.logging.bundle.resourceFilter.namespace | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLE_RESOURCE_FILTER_NAME
+          value: {{ .Values.logging.bundle.resourceFilter.name | quote }}
+        # Bundle event filters
+        - name: FLEET_EVENT_MONITOR_BUNDLE_EVENT_GENERATION_CHANGE
+          value: {{ .Values.logging.bundle.eventFilters.generationChange | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLE_EVENT_STATUS_CHANGE
+          value: {{ .Values.logging.bundle.eventFilters.statusChange | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLE_EVENT_ANNOTATION_CHANGE
+          value: {{ .Values.logging.bundle.eventFilters.annotationChange | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLE_EVENT_LABEL_CHANGE
+          value: {{ .Values.logging.bundle.eventFilters.labelChange | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLE_EVENT_RESVER_CHANGE
+          value: {{ .Values.logging.bundle.eventFilters.resourceVersionChange | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLE_EVENT_DELETION
+          value: {{ .Values.logging.bundle.eventFilters.deletion | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLE_EVENT_NOT_FOUND
+          value: {{ .Values.logging.bundle.eventFilters.notFound | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLE_EVENT_CREATE
+          value: {{ .Values.logging.bundle.eventFilters.create | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLE_EVENT_TRIGGERED_BY
+          value: {{ .Values.logging.bundle.eventFilters.triggeredBy | quote }}
+        # BundleDeployment resource filters
+        - name: FLEET_EVENT_MONITOR_BUNDLEDEPLOYMENT_RESOURCE_FILTER_NAMESPACE
+          value: {{ .Values.logging.bundleDeployment.resourceFilter.namespace | quote }}
+        - name: FLEET_EVENT_MONITOR_BUNDLEDEPLOYMENT_RESOURCE_FILTER_NAME
+          value: {{ .Values.logging.bundleDeployment.resourceFilter.name | quote }}
+        # BundleDeployment event filters
+        - name: FLEET_EVENT_MONITOR_BD_EVENT_GENERATION_CHANGE
+          value: {{ .Values.logging.bundleDeployment.eventFilters.generationChange | quote }}
+        - name: FLEET_EVENT_MONITOR_BD_EVENT_STATUS_CHANGE
+          value: {{ .Values.logging.bundleDeployment.eventFilters.statusChange | quote }}
+        - name: FLEET_EVENT_MONITOR_BD_EVENT_ANNOTATION_CHANGE
+          value: {{ .Values.logging.bundleDeployment.eventFilters.annotationChange | quote }}
+        - name: FLEET_EVENT_MONITOR_BD_EVENT_LABEL_CHANGE
+          value: {{ .Values.logging.bundleDeployment.eventFilters.labelChange | quote }}
+        - name: FLEET_EVENT_MONITOR_BD_EVENT_RESVER_CHANGE
+          value: {{ .Values.logging.bundleDeployment.eventFilters.resourceVersionChange | quote }}
+        - name: FLEET_EVENT_MONITOR_BD_EVENT_DELETION
+          value: {{ .Values.logging.bundleDeployment.eventFilters.deletion | quote }}
+        - name: FLEET_EVENT_MONITOR_BD_EVENT_NOT_FOUND
+          value: {{ .Values.logging.bundleDeployment.eventFilters.notFound | quote }}
+        - name: FLEET_EVENT_MONITOR_BD_EVENT_CREATE
+          value: {{ .Values.logging.bundleDeployment.eventFilters.create | quote }}
+        - name: FLEET_EVENT_MONITOR_BD_EVENT_TRIGGERED_BY
+          value: {{ .Values.logging.bundleDeployment.eventFilters.triggeredBy | quote }}
+        # Cluster resource filters
+        - name: FLEET_EVENT_MONITOR_CLUSTER_RESOURCE_FILTER_NAMESPACE
+          value: {{ .Values.logging.cluster.resourceFilter.namespace | quote }}
+        - name: FLEET_EVENT_MONITOR_CLUSTER_RESOURCE_FILTER_NAME
+          value: {{ .Values.logging.cluster.resourceFilter.name | quote }}
+        # Cluster event filters
+        - name: FLEET_EVENT_MONITOR_CLUSTER_EVENT_GENERATION_CHANGE
+          value: {{ .Values.logging.cluster.eventFilters.generationChange | quote }}
+        - name: FLEET_EVENT_MONITOR_CLUSTER_EVENT_STATUS_CHANGE
+          value: {{ .Values.logging.cluster.eventFilters.statusChange | quote }}
+        - name: FLEET_EVENT_MONITOR_CLUSTER_EVENT_ANNOTATION_CHANGE
+          value: {{ .Values.logging.cluster.eventFilters.annotationChange | quote }}
+        - name: FLEET_EVENT_MONITOR_CLUSTER_EVENT_LABEL_CHANGE
+          value: {{ .Values.logging.cluster.eventFilters.labelChange | quote }}
+        - name: FLEET_EVENT_MONITOR_CLUSTER_EVENT_RESVER_CHANGE
+          value: {{ .Values.logging.cluster.eventFilters.resourceVersionChange | quote }}
+        - name: FLEET_EVENT_MONITOR_CLUSTER_EVENT_DELETION
+          value: {{ .Values.logging.cluster.eventFilters.deletion | quote }}
+        - name: FLEET_EVENT_MONITOR_CLUSTER_EVENT_NOT_FOUND
+          value: {{ .Values.logging.cluster.eventFilters.notFound | quote }}
+        - name: FLEET_EVENT_MONITOR_CLUSTER_EVENT_CREATE
+          value: {{ .Values.logging.cluster.eventFilters.create | quote }}
+        - name: FLEET_EVENT_MONITOR_CLUSTER_EVENT_TRIGGERED_BY
+          value: {{ .Values.logging.cluster.eventFilters.triggeredBy | quote }}
+        # GitRepo resource filters
+        - name: FLEET_EVENT_MONITOR_GITREPO_RESOURCE_FILTER_NAMESPACE
+          value: {{ .Values.logging.gitRepo.resourceFilter.namespace | quote }}
+        - name: FLEET_EVENT_MONITOR_GITREPO_RESOURCE_FILTER_NAME
+          value: {{ .Values.logging.gitRepo.resourceFilter.name | quote }}
+        # GitRepo event filters
+        - name: FLEET_EVENT_MONITOR_GITREPO_EVENT_GENERATION_CHANGE
+          value: {{ .Values.logging.gitRepo.eventFilters.generationChange | quote }}
+        - name: FLEET_EVENT_MONITOR_GITREPO_EVENT_STATUS_CHANGE
+          value: {{ .Values.logging.gitRepo.eventFilters.statusChange | quote }}
+        - name: FLEET_EVENT_MONITOR_GITREPO_EVENT_ANNOTATION_CHANGE
+          value: {{ .Values.logging.gitRepo.eventFilters.annotationChange | quote }}
+        - name: FLEET_EVENT_MONITOR_GITREPO_EVENT_LABEL_CHANGE
+          value: {{ .Values.logging.gitRepo.eventFilters.labelChange | quote }}
+        - name: FLEET_EVENT_MONITOR_GITREPO_EVENT_RESVER_CHANGE
+          value: {{ .Values.logging.gitRepo.eventFilters.resourceVersionChange | quote }}
+        - name: FLEET_EVENT_MONITOR_GITREPO_EVENT_DELETION
+          value: {{ .Values.logging.gitRepo.eventFilters.deletion | quote }}
+        - name: FLEET_EVENT_MONITOR_GITREPO_EVENT_NOT_FOUND
+          value: {{ .Values.logging.gitRepo.eventFilters.notFound | quote }}
+        - name: FLEET_EVENT_MONITOR_GITREPO_EVENT_CREATE
+          value: {{ .Values.logging.gitRepo.eventFilters.create | quote }}
+        - name: FLEET_EVENT_MONITOR_GITREPO_EVENT_TRIGGERED_BY
+          value: {{ .Values.logging.gitRepo.eventFilters.triggeredBy | quote }}
+        # HelmOp resource filters
+        - name: FLEET_EVENT_MONITOR_HELMOP_RESOURCE_FILTER_NAMESPACE
+          value: {{ .Values.logging.helmOp.resourceFilter.namespace | quote }}
+        - name: FLEET_EVENT_MONITOR_HELMOP_RESOURCE_FILTER_NAME
+          value: {{ .Values.logging.helmOp.resourceFilter.name | quote }}
+        # HelmOp event filters
+        - name: FLEET_EVENT_MONITOR_HELMOP_EVENT_GENERATION_CHANGE
+          value: {{ .Values.logging.helmOp.eventFilters.generationChange | quote }}
+        - name: FLEET_EVENT_MONITOR_HELMOP_EVENT_STATUS_CHANGE
+          value: {{ .Values.logging.helmOp.eventFilters.statusChange | quote }}
+        - name: FLEET_EVENT_MONITOR_HELMOP_EVENT_ANNOTATION_CHANGE
+          value: {{ .Values.logging.helmOp.eventFilters.annotationChange | quote }}
+        - name: FLEET_EVENT_MONITOR_HELMOP_EVENT_LABEL_CHANGE
+          value: {{ .Values.logging.helmOp.eventFilters.labelChange | quote }}
+        - name: FLEET_EVENT_MONITOR_HELMOP_EVENT_RESVER_CHANGE
+          value: {{ .Values.logging.helmOp.eventFilters.resourceVersionChange | quote }}
+        - name: FLEET_EVENT_MONITOR_HELMOP_EVENT_DELETION
+          value: {{ .Values.logging.helmOp.eventFilters.deletion | quote }}
+        - name: FLEET_EVENT_MONITOR_HELMOP_EVENT_NOT_FOUND
+          value: {{ .Values.logging.helmOp.eventFilters.notFound | quote }}
+        - name: FLEET_EVENT_MONITOR_HELMOP_EVENT_CREATE
+          value: {{ .Values.logging.helmOp.eventFilters.create | quote }}
+        - name: FLEET_EVENT_MONITOR_HELMOP_EVENT_TRIGGERED_BY
+          value: {{ .Values.logging.helmOp.eventFilters.triggeredBy | quote }}
+        # Summary configuration
+        - name: FLEET_EVENT_MONITOR_SUMMARY_INTERVAL
+          value: {{ .Values.logging.summary.interval | quote }}
+        - name: FLEET_EVENT_MONITOR_SUMMARY_RESET
+          value: {{ .Values.logging.summary.resetOnPrint | quote }}
+        {{- with .Values.extraEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+      volumes:
+      - name: tmp
+        emptyDir: {}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}