Azure
diff --git a/‎.github/workflows/chart.yml‎
Lines changed: 46 additions & 44 deletions b/‎.github/workflows/chart.yml‎
Lines changed: 46 additions & 44 deletions
diff --git a/‎.github/workflows/setup-release.yml‎
Lines changed: 44 additions & 0 deletions b/‎.github/workflows/setup-release.yml‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎apis/cluster/v1beta1/internalmembercluster_types.go‎
Lines changed: 8 additions & 0 deletions b/‎apis/cluster/v1beta1/internalmembercluster_types.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎apis/cluster/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 7 additions & 0 deletions b/‎apis/cluster/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎charts/hub-agent/README.md‎
Lines changed: 12 additions & 7 deletions b/‎charts/hub-agent/README.md‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎charts/hub-agent/values.yaml‎
Lines changed: 2 additions & 2 deletions b/‎charts/hub-agent/values.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎charts/member-agent/templates/deployment.yaml‎
Lines changed: 1 addition & 1 deletion b/‎charts/member-agent/templates/deployment.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎charts/member-agent/values.yaml‎
Lines changed: 4 additions & 4 deletions b/‎charts/member-agent/values.yaml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎cmd/memberagent/main.go‎
Lines changed: 4 additions & 1 deletion b/‎cmd/memberagent/main.go‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎config/crd/bases/cluster.kubernetes-fleet.io_internalmemberclusters.yaml‎
Lines changed: 10 additions & 0 deletions b/‎config/crd/bases/cluster.kubernetes-fleet.io_internalmemberclusters.yaml‎
Lines changed: 10 additions & 0 deletions
@@ -2,15 +2,14 @@ name: Helm Chart Publisher
 
 on:
   push:
-    branches:
-      - main
-    paths:
-      - ".github/workflows/chart.yml"
-      - "charts/**"
-  create:
-    # Publish semver tags as releases.
-    tags: [ 'v*.*.*' ]
-
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag (e.g., v1.0.0)"
+        required: true
+        type: string
 permissions:
   contents: write
   packages: write
@@ -19,7 +18,13 @@ env:
   REGISTRY: ghcr.io
 
 jobs:
+  export-registry:
+    uses: ./.github/workflows/setup-release.yml
+    with:
+      tag: ${{ inputs.tag || github.ref_name }}
+
   publish-github-pages:
+    needs: export-registry
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6.0.2
@@ -35,51 +40,48 @@ jobs:
           linting: on
 
   publish-oci:
+    needs: export-registry
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v6.0.2
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
+        uses: docker/login-action@v3.6.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Package and push Helm charts to GHCR
+      - name: Package and push Helm charts to GHCR via Makefile
         run: |
           set -euo pipefail
-          
-          # Convert repository name to lowercase for OCI registry
-          REPO_LOWER=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
-          
-          # Determine version to use
-          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
-            # Use release tag as version (strip 'v' prefix)
-            CHART_VERSION=${GITHUB_REF#refs/tags/v}
-            echo "Using release tag version: ${CHART_VERSION}"
-          else
-            # Use version from Chart.yaml for non-tag pushes
-            CHART_VERSION=$(grep '^version:' charts/hub-agent/Chart.yaml | awk '{print $2}')
-            echo "Using Chart.yaml version: ${CHART_VERSION}"
-          fi
-          
-          # Package and push hub-agent chart
-          echo "📦 Packaging hub-agent chart..."
-          helm package charts/hub-agent --version ${CHART_VERSION} --app-version ${CHART_VERSION}
-          
-          echo "🚀 Pushing hub-agent to OCI registry..."
-          helm push hub-agent-${CHART_VERSION}.tgz oci://${{ env.REGISTRY }}/${REPO_LOWER}/charts
-          
-          # Package and push member-agent chart
-          echo "📦 Packaging member-agent chart..."
-          helm package charts/member-agent --version ${CHART_VERSION} --app-version ${CHART_VERSION}
-          
-          echo "🚀 Pushing member-agent to OCI registry..."
-          helm push member-agent-${CHART_VERSION}.tgz oci://${{ env.REGISTRY }}/${REPO_LOWER}/charts
-          
-          echo ""
-          echo "✅ Helm charts published to OCI registry!"
-          echo "📍 Hub Agent: oci://${{ env.REGISTRY }}/${REPO_LOWER}/charts/hub-agent:${CHART_VERSION}"
-          echo "📍 Member Agent: oci://${{ env.REGISTRY }}/${REPO_LOWER}/charts/member-agent:${CHART_VERSION}"
+
+          RELEASE_VERSION="${{ needs.export-registry.outputs.version }}"
+
+          OCI_REGISTRY="${{ needs.export-registry.outputs.registry }}/charts"
+          make helm-push REGISTRY="${OCI_REGISTRY}" TAG="${RELEASE_VERSION}"
+
+      - name: Verify chart appVersion matches release tag
+        run: |
+          set -euo pipefail
+
+          RELEASE_VERSION="${{ needs.export-registry.outputs.version }}"
+          CHART_VERSION="${RELEASE_VERSION}"
+          EXPECTED_APP_VERSION="${RELEASE_VERSION}"
+
+          rm -rf .helm-verify
+          mkdir -p .helm-verify
+
+          for chart in hub-agent member-agent; do
+            helm pull "oci://${{ needs.export-registry.outputs.registry }}/charts/${chart}" --version "${CHART_VERSION}" --destination .helm-verify >/dev/null
+            packaged=".helm-verify/${chart}-${CHART_VERSION}.tgz"
+            actual_app_version=$(tar -xOf "${packaged}" "${chart}/Chart.yaml" | awk -F': ' '/^appVersion:/ {gsub(/"/, "", $2); print $2}')
+            if [[ "${actual_app_version}" != "${EXPECTED_APP_VERSION}" ]]; then
+              echo "ERROR: ${chart} appVersion (${actual_app_version}) does not match release tag (${EXPECTED_APP_VERSION})"
+              exit 1
+            fi
+            echo "✅ ${chart} appVersion=${actual_app_version} matches release tag=${EXPECTED_APP_VERSION}"
+          done
+
+          rm -rf .helm-verify
@@ -0,0 +1,44 @@
+name: Setup Release
+
+on:
+    workflow_call:
+        inputs:
+            tag:
+                description: "Release tag (e.g., v1.0.0)"
+                required: true
+                type: string
+        outputs:
+            registry:
+                description: "OCI registry repository path (e.g., ghcr.io/org/repo)"
+                value: ${{ jobs.export.outputs.registry }}
+            tag:
+                description: "Release tag (e.g., v1.0.0)"
+                value: ${{ jobs.export.outputs.tag }}
+            version:
+                description: "Release version without v prefix (e.g., 1.0.0)"
+                value: ${{ jobs.export.outputs.version }}
+
+env:
+    REGISTRY: ghcr.io
+
+jobs:
+    export:
+        runs-on: ubuntu-latest
+        outputs:
+            registry: ${{ steps.setup.outputs.registry }}
+            tag: ${{ steps.setup.outputs.tag }}
+            version: ${{ steps.setup.outputs.version }}
+        steps:
+            - id: setup
+              run: |
+                  TAG="${{ inputs.tag }}"
+                  if [[ ! "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]; then
+                    echo "Error: Invalid release tag '${TAG}'. Expected format: v*.*.*"
+                    exit 1
+                  fi
+
+                  # registry must be in lowercase
+                  echo "registry=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+                  echo "tag=${TAG}" >> $GITHUB_OUTPUT
+                  echo "version=${TAG#v}" >> $GITHUB_OUTPUT
+                  echo "Release tag: ${TAG}, version: ${TAG#v}"
@@ -75,6 +75,14 @@ type InternalMemberClusterStatus struct {
 	// +optional
 	ResourceUsage ResourceUsage `json:"resourceUsage,omitempty"`
 
+	// Namespaces is a map of namespace names to their associated work names for namespaces
+	// that are managed by Fleet (i.e., have AppliedWork owner references when created).
+	// The key is the namespace name and the value is the work name from the AppliedWork owner reference.
+	// If the namespace does not have an AppliedWork owner reference, the value will be an empty string.
+	// This field is populated by the property provider when namespace collection is enabled.
+	// +optional
+	Namespaces map[string]string `json:"namespaces,omitempty"`
+
 	// AgentStatus is an array of current observed status, each corresponding to one member agent running in the member cluster.
 	// +optional
 	AgentStatus []AgentStatus `json:"agentStatus,omitempty"`
 
@@ -89,12 +89,10 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 | Parameter                                 | Description                                                                                | Default                                          |
 |:------------------------------------------|:------------------------------------------------------------------------------------------|:-------------------------------------------------|
 | `replicaCount`                            | Number of hub-agent replicas to deploy                                                     | `1`                                              |
-| `image.repository`                        | Image repository                                                                           | `ghcr.io/azure/azure/fleet/hub-agent`            |
+| `image.repository`                        | Image repository                                                                           | `ghcr.io/kubefleet-dev/kubefleet/hub-agent`      |
 | `image.pullPolicy`                        | Image pull policy                                                                          | `Always`                                         |
-| `image.tag`                               | Image release tag                                                                          | `v0.1.0`                                         |
+| `image.tag`                               | Image release tag (empty uses chart `appVersion`)                                          | `""`                                            |
 | `namespace`                               | Namespace where this chart is installed                                                    | `fleet-system`                                   |
-| `serviceAccount.create`                   | Whether to create a service account                                                        | `true`                                           |
-| `serviceAccount.name`                     | Service account name                                                                       | `hub-agent-sa`                                   |
 | `resources`                               | Resource requests/limits for the container                                                 | limits: 500m CPU, 1Gi; requests: 100m CPU, 128Mi |
 | `affinity`                                | Node affinity for hub-agent pods                                                           | `{}`                                             |
 | `tolerations`                             | Tolerations for hub-agent pods                                                             | `[]`                                             |
@@ -103,15 +101,22 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 | `webhookServiceName`                      | Webhook service name                                                                       | `fleetwebhook`                                   |
 | `enableGuardRail`                         | Enable guard rail webhook configurations                                                   | `true`                                           |
 | `webhookClientConnectionType`             | Connection type for webhook client (service or url)                                        | `service`                                        |
-| `useCertManager`                          | Use cert-manager for webhook certificate management (requires `enableWorkload=true`) | `false`                                          |
-| `webhookCertSecretName`                   | Name of the Secret where cert-manager stores the certificate                               | `fleet-webhook-server-cert`                      |
+| `useCertManager`                          | Use cert-manager for webhook certificate management (requires `enableWorkload=true`)       | `false`                                          |
+| `webhookCertSecretName`                   | Name of the Secret where cert-manager stores the certificate (required when enabled)       | `unset`                                          |
 | `enableV1Beta1APIs`                       | Watch for v1beta1 APIs                                                                     | `true`                                           |
+| `enableClusterInventoryAPI`               | Enable cluster inventory APIs                                                               | `true`                                           |
+| `enableStagedUpdateRunAPIs`               | Enable staged update run APIs                                                              | `true`                                           |
+| `enableEvictionAPIs`                      | Enable eviction APIs                                                                        | `true`                                           |
+| `enablePprof`                             | Enable pprof endpoint                                                                       | `true`                                           |
+| `pprofPort`                               | pprof server port                                                                           | `6065`                                           |
 | `hubAPIQPS`                               | QPS for fleet-apiserver (not including events/node heartbeat)                              | `250`                                            |
 | `hubAPIBurst`                             | Burst for fleet-apiserver (not including events/node heartbeat)                            | `1000`                                           |
 | `MaxConcurrentClusterPlacement`           | Max concurrent ClusterResourcePlacement operations                                         | `100`                                            |
 | `ConcurrentResourceChangeSyncs`           | Max concurrent resourceChange reconcilers                                                  | `20`                                             |
-| `logFileMaxSize`                          | Max log file size before rotation                                                          | `1000000`                                        |
+| `logFileMaxSize`                          | Max log file size before rotation (optional)                                               | `unset`                                          |
 | `MaxFleetSizeSupported`                   | Max number of member clusters supported                                                    | `100`                                            |
+| `forceDeleteWaitTime`                     | Grace period before force-deleting resources                                                | `15m0s`                                          |
+| `clusterUnhealthyThreshold`               | Threshold duration for marking a cluster unhealthy                                          | `3m0s`                                           |
 | `resourceSnapshotCreationMinimumInterval` | The minimum interval at which resource snapshots could be created.                         | `30s`                                            |
 | `resourceChangesCollectionDuration`       | The duration for collecting resource changes into one snapshot.                            | `15s`                                            |
 | `enableWorkload`                          | Enable kubernetes builtin workload to run in hub cluster.                                  | `false`                                          |
 
@@ -5,10 +5,10 @@
 replicaCount: 1
 
 image:
-  repository: ghcr.io/azure/fleet/hub-agent
+  repository: ghcr.io/kubefleet-dev/kubefleet/hub-agent
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
-  tag: main
+  tag: ""
 
 # CRD installer configuration.
 crdInstaller:
 
@@ -145,7 +145,7 @@ spec:
         {{- end }}
         {{- if not .Values.useCAAuth }}
         - name: refresh-token
-          image: "{{ .Values.refreshtoken.repository }}:{{ .Values.refreshtoken.tag }}"
+          image: "{{ .Values.refreshtoken.repository }}:{{ .Values.refreshtoken.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.refreshtoken.pullPolicy }}
           args:
             {{- $provider := .Values.config.provider }}
 
@@ -1,9 +1,9 @@
 replicaCount: 1
 
 image:
-  repository: ghcr.io/azure/fleet/member-agent
+  repository: ghcr.io/kubefleet-dev/kubefleet/member-agent
   pullPolicy: Always
-  tag: main
+  tag: ""
 
 # CRD installer configuration.
 crdInstaller:
@@ -17,9 +17,9 @@ crdInstaller:
 logVerbosity: 5
 
 refreshtoken:
-  repository: ghcr.io/azure/fleet/refresh-token
+  repository: ghcr.io/kubefleet-dev/kubefleet/refresh-token
   pullPolicy: Always
-  tag: main
+  tag: ""
 
 resources:
   limits:
 
@@ -101,6 +101,9 @@ var (
 	workApplierRequeueRateLimiterMaxFastBackoffDelaySeconds                          = flag.Float64("work-applier-requeue-rate-limiter-max-fast-backoff-delay-seconds", 900, "If set, the work applier will not back off longer than this value in seconds when it is in the fast backoff stage.")
 	workApplierRequeueRateLimiterSkipToFastBackoffForAvailableOrDiffReportedWorkObjs = flag.Bool("work-applier-requeue-rate-limiter-skip-to-fast-backoff-for-available-or-diff-reported-work-objs", true, "If set, the rate limiter will skip the slow backoff stage and start fast backoff immediately for work objects that are available or have diff reported.")
 
+	// Property feature gates when the property provider is not none.
+	enableNamespaceCollectionInPropertyProvider = flag.Bool("enable-namespace-collection-in-property-provider", false, "If set, the property provider will collect the namespaces in the member cluster.")
+
 	// Work applier priority queue settings.
 	enableWorkApplierPriorityQueue          = flag.Bool("enable-work-applier-priority-queue", false, "If set, the work applier will use a priority queue to process work objects.")
 	workApplierPriorityLinearEquationCoeffA = flag.Int("work-applier-priority-linear-equation-coeff-a", -3, "The work applier sets the priority for a Work object processing attempt using the linear equation: priority = A * (work object age in minutes) + B. This flag sets the coefficient A in the equation.")
@@ -459,7 +462,7 @@ func Start(ctx context.Context, hubCfg, memberConfig *rest.Config, hubOpts, memb
 			// the specific instance wins the leader election.
 			klog.V(1).InfoS("Property Provider is azure, loading cloud config", "cloudConfigFile", *cloudConfigFile)
 			// TODO (britaniar): load cloud config for Azure property provider.
-			pp = azure.New(region, *isAzProviderCostPropertiesEnabled, *isAzProviderAvailableResPropertiesEnabled)
+			pp = azure.New(region, *isAzProviderCostPropertiesEnabled, *isAzProviderAvailableResPropertiesEnabled, *enableNamespaceCollectionInPropertyProvider)
 		default:
 			// Fall back to not using any property provider if the provided type is none or
 			// not recognizable.
 
@@ -486,6 +486,16 @@ spec:
                   - type
                   type: object
                 type: array
+              namespaces:
+                additionalProperties:
+                  type: string
+                description: |-
+                  Namespaces is a map of namespace names to their associated work names for namespaces
+                  that are managed by Fleet (i.e., have AppliedWork owner references when created).
+                  The key is the namespace name and the value is the work name from the AppliedWork owner reference.
+                  If the namespace does not have an AppliedWork owner reference, the value will be an empty string.
+                  This field is populated by the property provider when namespace collection is enabled.
+                type: object
               properties:
                 additionalProperties:
                   description: PropertyValue is the value of a cluster property.