diff --git a/internal/lineagecontrollerwebhook/webhook.go b/internal/lineagecontrollerwebhook/webhook.go
index ae4d1ea1..94a0fce4 100644
--- a/internal/lineagecontrollerwebhook/webhook.go
+++ b/internal/lineagecontrollerwebhook/webhook.go
@@ -135,18 +135,18 @@ func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstruc
 	}
 	cfg := h.config.Load().(*runtimeConfig)
 	crd := cfg.appCRDMap[appRef{gv.Group, obj.GetKind()}]
-	if matchLabelsToExcludeInclude(o.GetLabels(), crd.Spec.Secrets.Exclude, crd.Spec.Secrets.Include) {
-		labels["internal.cozystack.io/tenantsecret"] = ""
-	}
+
+	// TODO: expand this to work with other resources than Secrets
+	labels["apps.cozystack.io/tenantresource"] = func(b bool) string {
+		if b {
+			return "true"
+		}
+		return "false"
+	}(matchLabelsToExcludeInclude(o.GetLabels(), crd.Spec.Secrets.Exclude, crd.Spec.Secrets.Include))
 	return labels, err
 }
 
 func (h *LineageControllerWebhook) applyLabels(o *unstructured.Unstructured, labels map[string]string) {
-	if o.GetAPIVersion() == "operator.victoriametrics.com/v1beta1" && o.GetKind() == "VMCluster" {
-		unstructured.SetNestedStringMap(o.Object, labels, "spec", "managedMetadata", "labels")
-		return
-	}
-
 	existing := o.GetLabels()
 	if existing == nil {
 		existing = make(map[string]string)
diff --git a/packages/core/installer/images/cozystack/Dockerfile b/packages/core/installer/images/cozystack/Dockerfile
index a268c401..85ae9c08 100644
--- a/packages/core/installer/images/cozystack/Dockerfile
+++ b/packages/core/installer/images/cozystack/Dockerfile
@@ -32,7 +32,7 @@ RUN make repos
 
 FROM alpine:3.22
 
-RUN wget -O- https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh | sh -s -- -v 1.1.0
+RUN wget -O- https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh | sh -s -- -v 1.2.0
 
 RUN apk add --no-cache make kubectl coreutils git jq
 
diff --git a/packages/extra/monitoring/templates/alerta/alerta.yaml b/packages/extra/monitoring/templates/alerta/alerta.yaml
index 58664e49..750e4140 100644
--- a/packages/extra/monitoring/templates/alerta/alerta.yaml
+++ b/packages/extra/monitoring/templates/alerta/alerta.yaml
@@ -232,6 +232,11 @@ kind: VMAlertmanager
 metadata:
   name: alertmanager
 spec:
+  managedMetadata:
+    labels:
+      apps.cozystack.io/application.group: apps.cozystack.io
+      apps.cozystack.io/application.kind: Monitoring
+      apps.cozystack.io/application.name: {{ $.Release.Name }}
   replicaCount: 3
   configSecret: alertmanager
   podMetadata:
diff --git a/packages/extra/monitoring/templates/vlogs/vlogs.yaml b/packages/extra/monitoring/templates/vlogs/vlogs.yaml
index 08d8d82b..a82bca00 100644
--- a/packages/extra/monitoring/templates/vlogs/vlogs.yaml
+++ b/packages/extra/monitoring/templates/vlogs/vlogs.yaml
@@ -4,6 +4,11 @@ kind: VLogs
 metadata:
   name: {{ .name }}
 spec:
+  managedMetadata:
+    labels:
+      apps.cozystack.io/application.group: apps.cozystack.io
+      apps.cozystack.io/application.kind: Monitoring
+      apps.cozystack.io/application.name: {{ $.Release.Name }}
   image:
     tag: v1.17.0-victorialogs
   storage:
diff --git a/packages/extra/monitoring/templates/vm/vmalert.yaml b/packages/extra/monitoring/templates/vm/vmalert.yaml
index 8db6a2ed..d66fc42c 100644
--- a/packages/extra/monitoring/templates/vm/vmalert.yaml
+++ b/packages/extra/monitoring/templates/vm/vmalert.yaml
@@ -5,6 +5,11 @@ kind: VMAlert
 metadata:
   name: vmalert-{{ .name }}
 spec:
+  managedMetadata:
+    labels:
+      apps.cozystack.io/application.group: apps.cozystack.io
+      apps.cozystack.io/application.kind: Monitoring
+      apps.cozystack.io/application.name: {{ $.Release.Name }}
   datasource:
     url: http://vmselect-{{ .name }}.{{ $.Release.Namespace }}.svc:8481/select/0/prometheus
   evaluationInterval: 15s
diff --git a/packages/extra/monitoring/templates/vm/vmcluster.yaml b/packages/extra/monitoring/templates/vm/vmcluster.yaml
index 344afff1..5f86afa3 100644
--- a/packages/extra/monitoring/templates/vm/vmcluster.yaml
+++ b/packages/extra/monitoring/templates/vm/vmcluster.yaml
@@ -5,6 +5,11 @@ kind: VMCluster
 metadata:
   name: {{ .name }}
 spec:
+  managedMetadata:
+    labels:
+      apps.cozystack.io/application.group: apps.cozystack.io
+      apps.cozystack.io/application.kind: Monitoring
+      apps.cozystack.io/application.name: {{ $.Release.Name }}
   replicationFactor: 2
   retentionPeriod: {{ .retentionPeriod | quote }}
   vminsert:
diff --git a/packages/system/cozystack-controller/templates/mutatingwebhookconfiguration.yaml b/packages/system/cozystack-controller/templates/mutatingwebhookconfiguration.yaml
index e2a964d6..80dbcc1d 100644
--- a/packages/system/cozystack-controller/templates/mutatingwebhookconfiguration.yaml
+++ b/packages/system/cozystack-controller/templates/mutatingwebhookconfiguration.yaml
@@ -20,14 +20,14 @@ webhooks:
         apiGroups: [""]
         apiVersions: ["v1"]
         resources: ["pods","secrets", "services", "persistentvolumeclaims"]
-      - operations: ["CREATE", "UPDATE"]
-        apiGroups: ["cozystack.io"]
-        apiVersions: ["v1alpha1"]
-        resources: ["workloadmonitors"]
       - operations: ["CREATE", "UPDATE"]
         apiGroups: ["networking.k8s.io"]
         apiVersions: ["v1"]
         resources: ["ingresses"]
+      - operations: ["CREATE", "UPDATE"]
+        apiGroups: ["cozystack.io"]
+        apiVersions: ["v1alpha1"]
+        resources: ["workloadmonitors"]
     failurePolicy: Fail
     namespaceSelector:
       matchExpressions:
diff --git a/scripts/migrations/10 b/scripts/migrations/10
old mode 100644
new mode 100755
diff --git a/scripts/migrations/15 b/scripts/migrations/15
old mode 100644
new mode 100755
diff --git a/scripts/migrations/20 b/scripts/migrations/20
index 9093c887..411bb517 100755
--- a/scripts/migrations/20
+++ b/scripts/migrations/20
@@ -4,8 +4,24 @@
 set -euo pipefail
 
 kubectl delete ingresses.networking.k8s.io --all -n cozy-dashboard --ignore-not-found
+kubectl delete cozystackresourcedefinitions --all-namespaces --all --ignore-not-found
 kubectl delete crd cozystackresourcedefinitions.cozystack.io --ignore-not-found
 
+timestamp=$(date --rfc-3339=ns)
+# Make sure webhook is upgraded first, then run migration
+cozypkg -C packages/system/cozystack-controller -n cozy-system reconcile cozystack-controller --force --with-source
+kubectl wait hr/cozystack-controller -n cozy-system --timeout=4m --for=condition=ready || exit 1
+cozypkg -C packages/system/cozystack-api -n cozy-system reconcile cozystack-api --force --with-source
+kubectl wait hr/cozystack-api -n cozy-system --timeout=4m --for=condition=ready || exit 1
+kubectl get namespace -o custom-columns=NAME:.metadata.name --no-headers |
+  grep '^tenant-' |
+  while read namespace ; do
+    (set -x; \
+    kubectl annotate \
+      pods,services,pvc,secrets,ingresses.networking.k8s.io,workloadmonitors.cozystack.io \
+      -n "$namespace" --all \
+      migration.cozystack.io="$timestamp" --overwrite)
+  done
 # Stamp version
 kubectl create configmap -n cozy-system cozystack-version \
   --from-literal=version=21 --dry-run=client -o yaml | kubectl apply -f-