[apps] Update the backup and restore documentation for managed apps

Signed-off-by: Nick Volynkin <nick.volynkin@gmail.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,24 @@
+<!-- Thank you for making a contribution! Here are some tips for you:
+- Start the PR title with the [label] of Cozystack component:
+  - For system components: [platform], [system], [linstor], [cilium], [kube-ovn], [dashboard], [cluster-api], etc.
+  - For managed apps: [apps], [tenant], [kubernetes], [postgres], [virtual-machine] etc.
+  - For development and maintenance: [tests], [ci], [docs], [maintenance].
+- If it's a work in progress, consider creating this PR as a draft.
+- Don't hesistate to ask for opinion and review in the community chats, even if it's still a draft.
+- Add the label `backport` if it's a bugfix that needs to be backported to a previous version.
+-->
+
+## What this PR does
+
+
+### Release note
+
+<!--  Write a release note:
+- Explain what has changed internally and for users.
+- Start with the same [label] as in the PR title
+- Follow the guidelines at https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
+-->
+
+```release-note
+[]
+```

.github/workflows/pull-requests-release.yaml

@@ -1,100 +1,15 @@
-name: Releasing PR
+name: "Releasing PR"
 
 on:
   pull_request:
-    types: [labeled, opened, synchronize, reopened, closed]
+    types: [closed]
 
+# Cancel in‑flight runs for the same PR when a new push arrives.
 concurrency:
-  group: pull-requests-release-${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: pr-${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
 jobs:
-  verify:
-    name: Test Release
-    runs-on: [self-hosted]
-    permissions:
-      contents: read
-      packages: write
-
-    if: |
-      contains(github.event.pull_request.labels.*.name, 'release') &&
-      github.event.action != 'closed'
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          fetch-tags: true
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-          registry: ghcr.io
-
-      - name: Extract tag from PR branch
-        id: get_tag
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const branch = context.payload.pull_request.head.ref;
-            const m = branch.match(/^release-(\d+\.\d+\.\d+(?:[-\w\.]+)?)$/);
-            if (!m) {
-              core.setFailed(`❌ Branch '${branch}' does not match 'release-X.Y.Z[-suffix]'`);
-              return;
-            }
-            const tag = `v${m[1]}`;
-            core.setOutput('tag', tag);
-
-      - name: Find draft release and get asset IDs
-        id: fetch_assets
-        uses: actions/github-script@v7
-        with:
-          github-token: ${{ secrets.GH_PAT }}
-          script: |
-            const tag = '${{ steps.get_tag.outputs.tag }}';
-            const releases = await github.rest.repos.listReleases({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              per_page: 100
-            });
-            const draft = releases.data.find(r => r.tag_name === tag && r.draft);
-            if (!draft) {
-              core.setFailed(`Draft release '${tag}' not found`);
-              return;
-            }
-            const findAssetId = (name) =>
-              draft.assets.find(a => a.name === name)?.id;
-            const installerId = findAssetId("cozystack-installer.yaml");
-            const diskId = findAssetId("nocloud-amd64.raw.xz");
-            if (!installerId || !diskId) {
-              core.setFailed("Missing required assets");
-              return;
-            }
-            core.setOutput("installer_id", installerId);
-            core.setOutput("disk_id", diskId);
-      
-      - name: Download assets from GitHub API
-        run: |
-          mkdir -p _out/assets
-          curl -sSL \
-            -H "Authorization: token ${GH_PAT}" \
-            -H "Accept: application/octet-stream" \
-            -o _out/assets/cozystack-installer.yaml \
-            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ steps.fetch_assets.outputs.installer_id }}"
-          curl -sSL \
-            -H "Authorization: token ${GH_PAT}" \
-            -H "Accept: application/octet-stream" \
-            -o _out/assets/nocloud-amd64.raw.xz \
-            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ steps.fetch_assets.outputs.disk_id }}"
-        env:
-          GH_PAT: ${{ secrets.GH_PAT }}
-
-      - name: Run tests
-        run: make test
-
   finalize:
     name: Finalize Release
     runs-on: [self-hosted]

.github/workflows/pull-requests.yaml

@@ -4,8 +4,9 @@ on:
   pull_request:
     types: [labeled, opened, synchronize, reopened]
 
+# Cancel in‑flight runs for the same PR when a new push arrives.
 concurrency:
-  group: pull-requests-${{ github.workflow }}-${{ github.event.pull_request.number }}
+  group: pr-${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
 jobs:
@@ -55,93 +56,193 @@ jobs:
         with:
           name: talos-image
           path: _out/assets/nocloud-amd64.raw.xz
- 
-  prepare_env:
-    name: Prepare environment
-    runs-on: [self-hosted]
-    needs: build
 
-    # Never run when the PR carries the "release" label.
-    if: |
-      !contains(github.event.pull_request.labels.*.name, 'release')
+  resolve_assets:
+    name: "Resolve assets"
+    runs-on: ubuntu-latest
+    if: contains(github.event.pull_request.labels.*.name, 'release')
+    outputs:
+     installer_id: ${{ steps.fetch_assets.outputs.installer_id }}
+     disk_id:      ${{ steps.fetch_assets.outputs.disk_id }}
 
     steps:
       - name: Checkout code
+        if: contains(github.event.pull_request.labels.*.name, 'release')
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           fetch-tags: true
 
-      - name: Download installer
-        uses: actions/download-artifact@v4
+      - name: Extract tag from PR branch (release PR)
+        if: contains(github.event.pull_request.labels.*.name, 'release')
+        id: get_tag
+        uses: actions/github-script@v7
         with:
-          name: cozystack-installer
-          path: _out/assets/
+          script: |
+            const branch = context.payload.pull_request.head.ref;
+            const m = branch.match(/^release-(\d+\.\d+\.\d+(?:[-\w\.]+)?)$/);
+            if (!m) {
+              core.setFailed(`❌ Branch '${branch}' does not match 'release-X.Y.Z[-suffix]'`);
+              return;
+            }
+            core.setOutput('tag', `v${m[1]}`);
 
-      - name: Download Talos image
+      - name: Find draft release & asset IDs (release PR)
+        if: contains(github.event.pull_request.labels.*.name, 'release')
+        id: fetch_assets
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GH_PAT }}
+          script: |
+            const tag = '${{ steps.get_tag.outputs.tag }}';
+            const releases = await github.rest.repos.listReleases({
+              owner: context.repo.owner,
+              repo:  context.repo.repo,
+              per_page: 100
+            });
+            const draft = releases.data.find(r => r.tag_name === tag && r.draft);
+            if (!draft) {
+              core.setFailed(`Draft release '${tag}' not found`);
+              return;
+            }
+            const find = (n) => draft.assets.find(a => a.name === n)?.id;
+            const installerId = find('cozystack-installer.yaml');
+            const diskId      = find('nocloud-amd64.raw.xz');
+            if (!installerId || !diskId) {
+              core.setFailed('Required assets missing in draft release');
+              return;
+            }
+            core.setOutput('installer_id', installerId);
+            core.setOutput('disk_id',      diskId);
+
+
+  prepare_env:
+    name: "Prepare environment"
+    runs-on: [self-hosted]
+    permissions:
+      contents: read
+      packages: read
+    needs: ["build", "resolve_assets"]
+    if: ${{ always() && (needs.build.result == 'success' || needs.resolve_assets.result == 'success') }}
+
+    steps:
+      # ▸ Regular PR path – download artefacts produced by the *build* job
+      - name: "Download Talos image (regular PR)"
+        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
         uses: actions/download-artifact@v4
         with:
           name: talos-image
-          path: _out/assets/
+          path: _out/assets
 
+
+      # ▸ Release PR path – fetch artefacts from the corresponding draft release
+      - name: Download assets from draft release (release PR)
+        if: contains(github.event.pull_request.labels.*.name, 'release')
+        run: |
+          curl -sSL -H "Authorization: token ${GH_PAT}" -H "Accept: application/octet-stream" \
+            -o _out/assets/nocloud-amd64.raw.xz \
+            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ needs.resolve_assets.outputs.disk_id }}"
+        env:
+          GH_PAT: ${{ secrets.GH_PAT }}
+
+      # ▸ Start actual job steps
       - name: Set sandbox ID
         run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
 
+      - name: Prepare workspace
+        run: |
+          cd ..
+          rm -rf /tmp/$SANDBOX_NAME
+          cp -r cozystack /tmp/$SANDBOX_NAME
+          sudo systemctl stop "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
+          sudo systemctl reset-failed "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
+          sudo systemctl daemon-reexec
+          sudo systemd-run \
+            --on-calendar="$(date -d 'now + 24 hours' '+%Y-%m-%d %H:%M:%S')" \
+            --unit=rm-workspace-$SANDBOX_NAME \
+            rm -rf /tmp/$SANDBOX_NAME
+            
       - name: Prepare environment
-        run: make SANDBOX_NAME=$SANDBOX_NAME prepare-env
+        run: |
+          cd /tmp/$SANDBOX_NAME
+          make SANDBOX_NAME=$SANDBOX_NAME prepare-env
 
   install_cozystack:
-    name: Install Cozystack
+    name: "Install Cozystack"
     runs-on: [self-hosted]
-    needs: prepare_env
-
-    # Never run when the PR carries the "release" label.
-    if: |
-      !contains(github.event.pull_request.labels.*.name, 'release')
+    permissions:
+      contents: read
+      packages: read
+    needs: ["prepare_env", "resolve_assets"]
+    if: ${{ always() && needs.prepare_env.result == 'success' }}
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          fetch-tags: true
+      - name: Prepare _out/assets directory
+        run: mkdir -p _out/assets
 
+      # ▸ Regular PR path – download artefacts produced by the *build* job
+      - name: "Download installer (regular PR)"
+        if: "!contains(github.event.pull_request.labels.*.name, 'release')"
+        uses: actions/download-artifact@v4
+        with:
+          name: cozystack-installer
+          path: _out/assets
+
+      # ▸ Release PR path – fetch artefacts from the corresponding draft release
+      - name: Download assets from draft release (release PR)
+        if: contains(github.event.pull_request.labels.*.name, 'release')
+        run: |
+          curl -sSL -H "Authorization: token ${GH_PAT}" -H "Accept: application/octet-stream" \
+            -o _out/assets/cozystack-installer.yaml \
+            "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/assets/${{ needs.resolve_assets.outputs.installer_id }}"
+        env:
+          GH_PAT: ${{ secrets.GH_PAT }}
+ 
+      # ▸ Start actual job steps
       - name: Set sandbox ID
         run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
 
-      - name: Install Cozystack
-        run: make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME install-cozystack
+      - name: Install Cozystack into sandbox
+        run: |
+          cd /tmp/$SANDBOX_NAME
+          make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME install-cozystack
 
-  test_apps:
-    name: Test applications
-    runs-on: [self-hosted]
-    needs: install_cozystack
-
-    # Never run when the PR carries the "release" label.
-    if: |
-      !contains(github.event.pull_request.labels.*.name, 'release')
+  detect_test_matrix:
+    name: "Detect e2e test matrix"
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set.outputs.matrix }}
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          fetch-tags: true
+      - uses: actions/checkout@v4
+      - id: set
+        run: |
+          apps=$(find hack/e2e-apps -maxdepth 1 -mindepth 1 -name '*.bats' | \
+            awk -F/ '{sub(/\..+/, "", $NF); print $NF}' | jq -R . | jq -cs .)
+          echo "matrix={\"app\":$apps}" >> "$GITHUB_OUTPUT"
 
+  test_apps:
+    strategy:
+      matrix: ${{ fromJson(needs.detect_test_matrix.outputs.matrix) }}
+    name: Test ${{ matrix.app }}
+    runs-on: [self-hosted]
+    needs: [install_cozystack,detect_test_matrix]
+    if: ${{ always() && (needs.install_cozystack.result == 'success' && needs.detect_test_matrix.result == 'success') }}
+
+    steps:
       - name: Set sandbox ID
         run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
 
       - name: E2E Apps
-        run: make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME test-apps
+        run: |
+          cd /tmp/$SANDBOX_NAME
+          make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME test-apps-${{ matrix.app }}
 
   cleanup:
     name: Tear down environment
     runs-on: [self-hosted]
     needs: test_apps
-
-    # Never run when the PR carries the "release" label.
-    if: |
-      !contains(github.event.pull_request.labels.*.name, 'release')
+    if: ${{ always() && needs.test_apps.result == 'success' }}
 
     steps:
       - name: Checkout code
@@ -153,5 +254,16 @@ jobs:
       - name: Set sandbox ID
         run: echo "SANDBOX_NAME=cozy-e2e-sandbox-$(echo "${GITHUB_REPOSITORY}:${GITHUB_WORKFLOW}:${GITHUB_REF}" | sha256sum | cut -c1-10)" >> $GITHUB_ENV
 
-      - name: E2E Apps
+      - name: Tear down sandbox
         run: make -C packages/core/testing SANDBOX_NAME=$SANDBOX_NAME delete
+
+      - name: Remove workspace
+        run: rm -rf /tmp/$SANDBOX_NAME
+
+      - name: Tear down timers
+        run: |
+          sudo systemctl stop "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
+          sudo systemctl reset-failed "rm-workspace-$SANDBOX_NAME.timer" "rm-workspace-$SANDBOX_NAME.service" 2>/dev/null || true
+          sudo systemctl stop "teardown-$SANDBOX_NAME.timer" "teardown-$SANDBOX_NAME.service" 2>/dev/null || true
+          sudo systemctl reset-failed "teardown-$SANDBOX_NAME.timer" "teardown-$SANDBOX_NAME.service" 2>/dev/null || true
+          sudo systemctl daemon-reexec

Makefile

@@ -9,7 +9,6 @@ build-deps:
 
 build: build-deps
 	make -C packages/apps/http-cache image
-	make -C packages/apps/postgres image
 	make -C packages/apps/mysql image
 	make -C packages/apps/clickhouse image
 	make -C packages/apps/kubernetes image

docs/changelogs/v0.32.0.md

@@ -0,0 +1,71 @@
+Cozystack v0.32.0 is a significant release that brings new features, key fixes, and updates to underlying components.
+
+## Major Features and Improvements
+
+* [platform] Use `cozypkg` instead of Helm (@kvaps in https://github.com/cozystack/cozystack/pull/1057)
+* [platform] Introduce the HelmRelease reconciler for system components. (@kvaps in https://github.com/cozystack/cozystack/pull/1033)
+* [kubernetes] Enable using container registry mirrors by tenant Kubernetes clusters. Configure containerd for tenant Kubernetes clusters. (@klinch0 in https://github.com/cozystack/cozystack/pull/979, patched by @lllamnyp in https://github.com/cozystack/cozystack/pull/1032)
+* [platform] Allow users to specify CPU requests in VCPUs. Use a library chart for resource management. (@lllamnyp in https://github.com/cozystack/cozystack/pull/972 and https://github.com/cozystack/cozystack/pull/1025)
+* [platform] Annotate all child objects of apps with uniform labels for tracking by WorkloadMonitors. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1018 and https://github.com/cozystack/cozystack/pull/1024)
+* [platform] Introduce `cluster-domain` option and un-hardcode `cozy.local`. (@kvaps in https://github.com/cozystack/cozystack/pull/1039)
+* [platform] Get instance type when reconciling WorkloadMonitor (https://github.com/cozystack/cozystack/pull/1030)
+* [virtual-machine] Add RBAC rules to allow port forwarding in KubeVirt for SSH via `virtctl`. (@mattia-eleuteri in https://github.com/cozystack/cozystack/pull/1027, patched by @klinch0 in https://github.com/cozystack/cozystack/pull/1028)
+* [monitoring] Add events and audit inputs (@kevin880202 in https://github.com/cozystack/cozystack/pull/948)
+
+## Security
+
+* Resolve a security problem that allowed tenant administrator to gain enhanced privileges outside the tenant. (@kvaps in https://github.com/cozystack/cozystack/pull/1062)
+
+## Fixes
+
+* [dashboard] Fix a number of issues in the Cozystack Dashboard (@kvaps in https://github.com/cozystack/cozystack/pull/1042)
+* [kafka] Specify minimal working resource presets. (@kvaps in https://github.com/cozystack/cozystack/pull/1040)
+* [cilium] Fixed Gateway API manifest. (@zdenekjanda in https://github.com/cozystack/cozystack/pull/1016)
+* [platform] Fix RBAC for annotating namespaces. (@kvaps in https://github.com/cozystack/cozystack/pull/1031)
+* [platform] Fix dependencies for paas-hosted bundle. (@kvaps in https://github.com/cozystack/cozystack/pull/1034)
+* [platform] Reduce system resource consumption by using lesser resource presets for VerticalPodAutoscaler, SeaweedFS, and KubeOVN. (@klinch0 in https://github.com/cozystack/cozystack/pull/1054)
+* [virtual-machine] Fix handling of cloudinit and ssh-key input for `virtual-machine` and `vm-instance` applications. (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/1019 and https://github.com/cozystack/cozystack/pull/1020)
+* [apps] Fix Clickhouse version parsing. (@kvaps in https://github.com/cozystack/cozystack/commit/28302e776e9d2bb8f424cf467619fa61d71ac49a)
+* [apps] Add resource quotas for PostgreSQL jobs and fix application readme generation check in CI. (@klinch0 in https://github.com/cozystack/cozystack/pull/1051)
+* [kube-ovn] Enable database health check. (@kvaps in https://github.com/cozystack/cozystack/pull/1047)
+* [kubernetes] Fix upstream issue by updating Kubevirt-CCM. (@kvaps in https://github.com/cozystack/cozystack/pull/1052)
+* [kubernetes] Fix resources and introduce a migration when upgrading tenant Kubernetes to v0.32.4. (@kvaps in https://github.com/cozystack/cozystack/pull/1073)
+* [cluster-api] Add a missing migration for `capi-providers`. (@kvaps in https://github.com/cozystack/cozystack/pull/1072)
+
+## Dependencies
+
+* Introduce cozykpg, update to v1.1.0. (@kvaps in https://github.com/cozystack/cozystack/pull/1057 and https://github.com/cozystack/cozystack/pull/1063)
+* Update flux-operator to 0.22.0, Flux to 2.6.x. (@kingdonb in https://github.com/cozystack/cozystack/pull/1035)
+* Update Talos Linux to v1.10.3. (@kvaps in https://github.com/cozystack/cozystack/pull/1006)
+* Update Cilium to v1.17.4. (@kvaps in https://github.com/cozystack/cozystack/pull/1046)
+* Update MetalLB to v0.15.2. (@kvaps in https://github.com/cozystack/cozystack/pull/1045)
+* Update Kube-OVN to v1.13.13. (@kvaps in https://github.com/cozystack/cozystack/pull/1047)
+
+## Documentation
+
+* [Oracle Cloud Infrastructure installation guide](https://cozystack.io/docs/operations/talos/installation/oracle-cloud/). (@kvaps, @lllamnyp, and @NickVolynkin in https://github.com/cozystack/website/pull/168)
+* [Cluster configuration with `talosctl`](https://cozystack.io/docs/operations/talos/configuration/talosctl/). (@NickVolynkin in https://github.com/cozystack/website/pull/211)
+* [Configuring container registry mirrors for tenant Kubernetes clusters](https://cozystack.io/docs/operations/talos/configuration/air-gapped/#5-configure-container-registry-mirrors-for-tenant-kubernetes). (@klinch0 in https://github.com/cozystack/website/pull/210)
+* [Explain application management strategies and available versions for managed applications.](https://cozystack.io/docs/guides/applications/). (@NickVolynkin in https://github.com/cozystack/website/pull/219)
+* [How to clean up etcd state](https://cozystack.io/docs/operations/faq/#how-to-clean-up-etcd-state). (@gwynbleidd2106 in https://github.com/cozystack/website/pull/214)
+* [State that Cozystack is a CNCF Sandbox project](https://github.com/cozystack/cozystack?tab=readme-ov-file#cozystack). (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1055)
+
+## Development, Testing, and CI/CD
+
+* [tests] Add tests for applications `virtual-machine`, `vm-disk`, `vm-instance`, `postgresql`, `mysql`, and `clickhouse`. (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/1048, patched by @kvaps in https://github.com/cozystack/cozystack/pull/1074)
+* [tests] Fix concurrency for the `docker login` action. (@kvaps in https://github.com/cozystack/cozystack/pull/1014)
+* [tests] Increase QEMU system disk size in tests. (@kvaps in https://github.com/cozystack/cozystack/pull/1011)
+* [tests] Increase the waiting timeout for VMs in tests. (@kvaps in https://github.com/cozystack/cozystack/pull/1038)
+* [ci] Separate build and testing jobs in CI. (@kvaps in https://github.com/cozystack/cozystack/pull/1005 and https://github.com/cozystack/cozystack/pull/1010)
+* [ci] Fix the release assets. (@kvaps in https://github.com/cozystack/cozystack/pull/1006 and https://github.com/cozystack/cozystack/pull/1009)
+
+## New Contributors
+
+* @kevin880202 made their first contribution in https://github.com/cozystack/cozystack/pull/948
+* @mattia-eleuteri made their first contribution in https://github.com/cozystack/cozystack/pull/1027
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.31.0...v0.32.0
+
+<!-- 
+HEAD https://github.com/cozystack/cozystack/commit/3ce6dbe8
+-->

hack/e2e-apps.bats

@@ -1,353 +0,0 @@
-#!/usr/bin/env bats
-
-# -----------------------------------------------------------------------------
-# Cozystack end‑to‑end provisioning test (Bats)
-# -----------------------------------------------------------------------------
-
-@test "Create tenant with isolated mode enabled" {
-  kubectl -n tenant-root get tenants.apps.cozystack.io test || 
-  kubectl create -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: Tenant
-metadata:
-  name: test
-  namespace: tenant-root
-spec:
-  etcd: false
-  host: ""
-  ingress: false
-  isolated: true
-  monitoring: false
-  resourceQuotas: {}
-  seaweedfs: false
-EOF
-  kubectl wait hr/tenant-test -n tenant-root --timeout=1m --for=condition=ready
-  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
-}
-
-@test "Create a tenant Kubernetes control plane" {
-  kubectl -n tenant-test get kuberneteses.apps.cozystack.io test || 
-  kubectl create -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: Kubernetes
-metadata:
-  name: test
-  namespace: tenant-test
-spec:
-  addons:
-    certManager:
-      enabled: false
-      valuesOverride: {}
-    cilium:
-      valuesOverride: {}
-    fluxcd:
-      enabled: false
-      valuesOverride: {}
-    gatewayAPI:
-      enabled: false
-    gpuOperator:
-      enabled: false
-      valuesOverride: {}
-    ingressNginx:
-      enabled: true
-      hosts: []
-      valuesOverride: {}
-    monitoringAgents:
-      enabled: false
-      valuesOverride: {}
-    verticalPodAutoscaler:
-      valuesOverride: {}
-  controlPlane:
-    apiServer:
-      resources: {}
-      resourcesPreset: small
-    controllerManager:
-      resources: {}
-      resourcesPreset: micro
-    konnectivity:
-      server:
-        resources: {}
-        resourcesPreset: micro
-    replicas: 2
-    scheduler:
-      resources: {}
-      resourcesPreset: micro
-  host: ""
-  nodeGroups:
-    md0:
-      ephemeralStorage: 20Gi
-      gpus: []
-      instanceType: u1.medium
-      maxReplicas: 10
-      minReplicas: 0
-      resources:
-        cpu: ""
-        memory: ""
-      roles:
-      - ingress-nginx
-  storageClass: replicated
-EOF
-  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
-  timeout 10 sh -ec 'until kubectl get kamajicontrolplane -n tenant-test kubernetes-test; do sleep 1; done'
-  kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-test --timeout=4m
-  kubectl wait tcp -n tenant-test kubernetes-test --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
-  kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-test kubernetes-test-cluster-autoscaler kubernetes-test-kccm kubernetes-test-kcsi-controller
-  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
-  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
-  kubectl -n tenant-test delete kuberneteses.apps.cozystack.io test
-}
-
-@test "Create a VM Disk" {
-  name='test'
-  kubectl -n tenant-test get vmdisks.apps.cozystack.io $name || 
-  kubectl create -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: VMDisk
-metadata:
-  name: $name
-  namespace: tenant-test
-spec:
-  source:
-    http:
-      url: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
-  optical: false
-  storage: 5Gi
-  storageClass: replicated
-EOF
-  sleep 5
-  kubectl -n tenant-test wait hr vm-disk-$name --timeout=5s --for=condition=ready
-  kubectl -n tenant-test wait dv vm-disk-$name --timeout=150s --for=condition=ready
-  kubectl -n tenant-test wait pvc vm-disk-$name --timeout=100s --for=jsonpath='{.status.phase}'=Bound
-}
-
-@test "Create a VM Instance" {
-  diskName='test'
-  name='test'
-  kubectl -n tenant-test get vminstances.apps.cozystack.io $name || 
-  kubectl create -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: VMInstance
-metadata:
-  name: $name
-  namespace: tenant-test
-spec:
-  external: false
-  externalMethod: PortList
-  externalPorts:
-  - 22
-  running: true
-  instanceType: "u1.medium"
-  instanceProfile: ubuntu
-  disks:
-    - name: $diskName
-  gpus: []
-  resources:
-    cpu: ""
-    memory: ""
-  sshKeys:
-  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
-    test@test
-  cloudInit: |
-    #cloud-config
-    users:
-      - name: test
-        shell: /bin/bash
-        sudo: ['ALL=(ALL) NOPASSWD: ALL']
-        groups: sudo
-        ssh_authorized_keys:
-          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
-  cloudInitSeed: ""
-EOF
-  sleep 5
-  timeout 20 sh -ec "until kubectl -n tenant-test get vmi vm-instance-$name -o jsonpath='{.status.interfaces[0].ipAddress}' | grep -q '[0-9]'; do sleep 5; done"
-  kubectl -n tenant-test wait hr vm-instance-$name --timeout=5s --for=condition=ready
-  kubectl -n tenant-test wait vm vm-instance-$name --timeout=20s --for=condition=ready
-  kubectl -n tenant-test delete vminstances.apps.cozystack.io $name 
-  kubectl -n tenant-test delete vmdisks.apps.cozystack.io $diskName 
-}
-
-@test "Create a Virtual Machine" {
-  name='test'
-  kubectl -n tenant-test get virtualmachines.apps.cozystack.io $name || 
-  kubectl create -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: VirtualMachine
-metadata:
-  name: $name
-  namespace: tenant-test
-spec:
-  external: false
-  externalMethod: PortList
-  externalPorts:
-  - 22
-  instanceType: "u1.medium"
-  instanceProfile: ubuntu
-  systemDisk:
-    image: ubuntu
-    storage: 5Gi
-    storageClass: replicated
-  gpus: []
-  resources:
-    cpu: ""
-    memory: ""
-  sshKeys:
-  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
-    test@test
-  cloudInit: |
-    #cloud-config
-    users:
-      - name: test
-        shell: /bin/bash
-        sudo: ['ALL=(ALL) NOPASSWD: ALL']
-        groups: sudo
-        ssh_authorized_keys:
-          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
-  cloudInitSeed: ""
-EOF
-  sleep 5
-  kubectl -n tenant-test wait hr virtual-machine-$name --timeout=10s --for=condition=ready
-  kubectl -n tenant-test wait dv virtual-machine-$name --timeout=150s --for=condition=ready
-  kubectl -n tenant-test wait pvc virtual-machine-$name --timeout=100s --for=jsonpath='{.status.phase}'=Bound
-  kubectl -n tenant-test wait vm virtual-machine-$name --timeout=100s --for=condition=ready
-  timeout 120 sh -ec "until kubectl -n tenant-test get vmi virtual-machine-$name -o jsonpath='{.status.interfaces[0].ipAddress}' | grep -q '[0-9]'; do sleep 10; done"
-  kubectl -n tenant-test delete virtualmachines.apps.cozystack.io $name 
-}
-
-@test "Create DB PostgreSQL" {
-  name='test'
-  kubectl -n tenant-test get postgreses.apps.cozystack.io $name || 
-  kubectl create -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: Postgres
-metadata:
-  name: $name
-  namespace: tenant-test
-spec:
-  external: false
-  size: 10Gi
-  replicas: 2
-  storageClass: ""
-  postgresql:
-    parameters:
-      max_connections: 100
-  quorum:
-    minSyncReplicas: 0
-    maxSyncReplicas: 0
-  users:
-    testuser:
-      password: xai7Wepo
-  databases:
-    testdb:
-      roles:
-        admin:
-        - testuser
-  backup:
-    enabled: false
-    s3Region: us-east-1
-    s3Bucket: s3.example.org/postgres-backups
-    schedule: "0 2 * * *"
-    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
-    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
-    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
-  resources: {}
-  resourcesPreset: "nano"
-EOF
-  sleep 5
-  kubectl -n tenant-test wait hr postgres-$name --timeout=100s --for=condition=ready
-  kubectl -n tenant-test wait job.batch postgres-$name-init-job --timeout=50s --for=condition=Complete
-  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-r -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
-  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-ro -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
-  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-rw -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
-  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-r -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
-  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-ro -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
-  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-rw -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
-  kubectl -n tenant-test delete postgreses.apps.cozystack.io $name
-}
-
-@test "Create DB MySQL" {
-  name='test'
-  kubectl -n tenant-test get mysqls.apps.cozystack.io $name || 
-  kubectl create -f- <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: MySQL
-metadata:
-  name: $name
-  namespace: tenant-test
-spec:
-  external: false
-  size: 10Gi
-  replicas: 2
-  storageClass: ""
-  users:
-    testuser:
-      maxUserConnections: 1000
-      password: xai7Wepo
-  databases:
-    testdb:
-      roles:
-        admin:
-        - testuser
-  backup:
-    enabled: false
-    s3Region: us-east-1
-    s3Bucket: s3.example.org/postgres-backups
-    schedule: "0 2 * * *"
-    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
-    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
-    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
-  resources: {}
-  resourcesPreset: "nano"
-EOF
-  sleep 5
-  kubectl -n tenant-test wait hr mysql-$name --timeout=30s --for=condition=ready
-  timeout 80 sh -ec "until kubectl -n tenant-test get svc mysql-$name -o jsonpath='{.spec.ports[0].port}' | grep -q '3306'; do sleep 10; done"
-  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints mysql-$name -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
-  kubectl -n tenant-test wait statefulset.apps/mysql-$name --timeout=110s --for=jsonpath='{.status.replicas}'=2
-  timeout 80 sh -ec "until kubectl -n tenant-test get svc mysql-$name-metrics -o jsonpath='{.spec.ports[0].port}' | grep -q '9104'; do sleep 10; done"
-  timeout 40 sh -ec "until kubectl -n tenant-test get endpoints mysql-$name-metrics -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
-  kubectl -n tenant-test wait deployment.apps/mysql-$name-metrics --timeout=90s --for=jsonpath='{.status.replicas}'=1
-  kubectl -n tenant-test delete mysqls.apps.cozystack.io $name
-}
-
-@test "Create DB ClickHouse" {
-  name='test'
-  kubectl -n tenant-test get clickhouses.apps.cozystack.io $name || 
-  kubectl create -f- <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: ClickHouse
-metadata:
-  name: $name
-  namespace: tenant-test
-spec:
-  size: 10Gi
-  logStorageSize: 2Gi
-  shards: 1
-  replicas: 2
-  storageClass: ""
-  logTTL: 15
-  users:
-    testuser:
-      password: xai7Wepo
-  backup:
-    enabled: false
-    s3Region: us-east-1
-    s3Bucket: s3.example.org/clickhouse-backups
-    schedule: "0 2 * * *"
-    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
-    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
-    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
-  resources: {}
-  resourcesPreset: "nano"
-EOF
-  sleep 5
-  kubectl -n tenant-test wait hr clickhouse-$name --timeout=20s --for=condition=ready
-  timeout 180 sh -ec "until kubectl -n tenant-test get svc chendpoint-clickhouse-$name -o jsonpath='{.spec.ports[*].port}' | grep -q '8123 9000'; do sleep 10; done"
-  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-0 --timeout=120s --for=jsonpath='{.status.replicas}'=1
-  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
-  timeout 100 sh -ec "until kubectl -n tenant-test get svc chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.spec.ports[*].port}' | grep -q '9000 8123 9009'; do sleep 10; done"
-  timeout 80 sh -ec "until kubectl -n tenant-test get sts chi-clickhouse-$name-clickhouse-0-1 ; do sleep 10; done"
-  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-1 --timeout=140s --for=jsonpath='{.status.replicas}'=1
-}

hack/e2e-apps/clickhouse.bats

@@ -0,0 +1,42 @@
+#!/usr/bin/env bats
+
+@test "Create DB ClickHouse" {
+  name='test'
+  kubectl -n tenant-test get clickhouses.apps.cozystack.io $name || 
+  kubectl create -f- <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: ClickHouse
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  size: 10Gi
+  logStorageSize: 2Gi
+  shards: 1
+  replicas: 2
+  storageClass: ""
+  logTTL: 15
+  users:
+    testuser:
+      password: xai7Wepo
+  backup:
+    enabled: false
+    s3Region: us-east-1
+    s3Bucket: s3.example.org/clickhouse-backups
+    schedule: "0 2 * * *"
+    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
+  resources: {}
+  resourcesPreset: "nano"
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr clickhouse-$name --timeout=20s --for=condition=ready
+  timeout 180 sh -ec "until kubectl -n tenant-test get svc chendpoint-clickhouse-$name -o jsonpath='{.spec.ports[*].port}' | grep -q '8123 9000'; do sleep 10; done"
+  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-0 --timeout=120s --for=jsonpath='{.status.replicas}'=1
+  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  timeout 100 sh -ec "until kubectl -n tenant-test get svc chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.spec.ports[*].port}' | grep -q '9000 8123 9009'; do sleep 10; done"
+  timeout 80 sh -ec "until kubectl -n tenant-test get sts chi-clickhouse-$name-clickhouse-0-1 ; do sleep 10; done"
+  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-1 --timeout=140s --for=jsonpath='{.status.replicas}'=1
+}

hack/e2e-apps/kafka.bats

@@ -0,0 +1,51 @@
+#!/usr/bin/env bats
+
+@test "Create Kafka" {
+  name='test'
+  kubectl create -f- <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: Kafka
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  external: false
+  kafka:
+    size: 10Gi
+    replicas: 2
+    storageClass: ""
+    resources: {}
+    resourcesPreset: "nano"
+  zookeeper:
+    size: 5Gi
+    replicas: 2
+    storageClass: ""
+    resources:
+    resourcesPreset: "nano"
+  topics:
+    - name: testResults
+      partitions: 1
+      replicas: 2
+      config:
+        min.insync.replicas: 2
+    - name: testOrders
+      config:
+        cleanup.policy: compact
+        segment.ms: 3600000
+        max.compaction.lag.ms: 5400000
+        min.insync.replicas: 2
+      partitions: 1
+      replicas: 2
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr kafka-$name --timeout=30s --for=condition=ready
+  kubectl wait kafkas -n tenant-test test --timeout=60s --for=condition=ready
+  timeout 60 sh -ec "until kubectl -n tenant-test get pvc data-kafka-$name-zookeeper-0; do sleep 10; done"
+  kubectl -n tenant-test wait pvc data-kafka-$name-zookeeper-0 --timeout=50s --for=jsonpath='{.status.phase}'=Bound
+  timeout 40 sh -ec "until kubectl -n tenant-test get svc kafka-$name-zookeeper-client -o jsonpath='{.spec.ports[0].port}' | grep -q '2181'; do sleep 10; done"
+  timeout 40 sh -ec "until kubectl -n tenant-test get svc kafka-$name-zookeeper-nodes -o jsonpath='{.spec.ports[*].port}' | grep -q '2181 2888 3888'; do sleep 10; done"
+  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints kafka-$name-zookeeper-nodes -o jsonpath='{.subsets[*].addresses[0].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  kubectl -n tenant-test delete kafka.apps.cozystack.io $name
+  kubectl -n tenant-test delete pvc data-kafka-$name-zookeeper-0
+  kubectl -n tenant-test delete pvc data-kafka-$name-zookeeper-1
+}

hack/e2e-apps/kubernetes.bats

@@ -0,0 +1,73 @@
+#!/usr/bin/env bats
+
+@test "Create a tenant Kubernetes control plane" {
+  kubectl -n tenant-test get kuberneteses.apps.cozystack.io test || 
+  kubectl create -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: Kubernetes
+metadata:
+  name: test
+  namespace: tenant-test
+spec:
+  addons:
+    certManager:
+      enabled: false
+      valuesOverride: {}
+    cilium:
+      valuesOverride: {}
+    fluxcd:
+      enabled: false
+      valuesOverride: {}
+    gatewayAPI:
+      enabled: false
+    gpuOperator:
+      enabled: false
+      valuesOverride: {}
+    ingressNginx:
+      enabled: true
+      hosts: []
+      valuesOverride: {}
+    monitoringAgents:
+      enabled: false
+      valuesOverride: {}
+    verticalPodAutoscaler:
+      valuesOverride: {}
+  controlPlane:
+    apiServer:
+      resources: {}
+      resourcesPreset: small
+    controllerManager:
+      resources: {}
+      resourcesPreset: micro
+    konnectivity:
+      server:
+        resources: {}
+        resourcesPreset: micro
+    replicas: 2
+    scheduler:
+      resources: {}
+      resourcesPreset: micro
+  host: ""
+  nodeGroups:
+    md0:
+      ephemeralStorage: 20Gi
+      gpus: []
+      instanceType: u1.medium
+      maxReplicas: 10
+      minReplicas: 0
+      resources:
+        cpu: ""
+        memory: ""
+      roles:
+      - ingress-nginx
+  storageClass: replicated
+EOF
+  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
+  timeout 10 sh -ec 'until kubectl get kamajicontrolplane -n tenant-test kubernetes-test; do sleep 1; done'
+  kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-test --timeout=4m
+  kubectl wait tcp -n tenant-test kubernetes-test --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
+  kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-test kubernetes-test-cluster-autoscaler kubernetes-test-kccm kubernetes-test-kcsi-controller
+  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
+  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
+  kubectl -n tenant-test delete kuberneteses.apps.cozystack.io test
+}

hack/e2e-apps/mysql.bats

@@ -0,0 +1,47 @@
+#!/usr/bin/env bats
+
+@test "Create DB MySQL" {
+  name='test'
+  kubectl -n tenant-test get mysqls.apps.cozystack.io $name || 
+  kubectl create -f- <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: MySQL
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  external: false
+  size: 10Gi
+  replicas: 2
+  storageClass: ""
+  users:
+    testuser:
+      maxUserConnections: 1000
+      password: xai7Wepo
+  databases:
+    testdb:
+      roles:
+        admin:
+        - testuser
+  backup:
+    enabled: false
+    s3Region: us-east-1
+    s3Bucket: s3.example.org/postgres-backups
+    schedule: "0 2 * * *"
+    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
+  resources: {}
+  resourcesPreset: "nano"
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr mysql-$name --timeout=30s --for=condition=ready
+  timeout 80 sh -ec "until kubectl -n tenant-test get svc mysql-$name -o jsonpath='{.spec.ports[0].port}' | grep -q '3306'; do sleep 10; done"
+  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints mysql-$name -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  kubectl -n tenant-test wait statefulset.apps/mysql-$name --timeout=110s --for=jsonpath='{.status.replicas}'=2
+  timeout 80 sh -ec "until kubectl -n tenant-test get svc mysql-$name-metrics -o jsonpath='{.spec.ports[0].port}' | grep -q '9104'; do sleep 10; done"
+  timeout 40 sh -ec "until kubectl -n tenant-test get endpoints mysql-$name-metrics -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  kubectl -n tenant-test wait deployment.apps/mysql-$name-metrics --timeout=90s --for=jsonpath='{.status.replicas}'=1
+  kubectl -n tenant-test delete mysqls.apps.cozystack.io $name
+}

hack/e2e-apps/postgres.bats

@@ -0,0 +1,55 @@
+#!/usr/bin/env bats
+
+@test "Create DB PostgreSQL" {
+  name='test'
+  kubectl -n tenant-test get postgreses.apps.cozystack.io $name || 
+  kubectl create -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: Postgres
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  external: false
+  size: 10Gi
+  replicas: 2
+  storageClass: ""
+  postgresql:
+    parameters:
+      max_connections: 100
+  quorum:
+    minSyncReplicas: 0
+    maxSyncReplicas: 0
+  users:
+    testuser:
+      password: xai7Wepo
+  databases:
+    testdb:
+      roles:
+        admin:
+        - testuser
+  backup:
+    enabled: false
+    s3Region: us-east-1
+    s3Bucket: s3.example.org/postgres-backups
+    schedule: "0 2 * * *"
+    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
+  resources: {}
+  resourcesPreset: "nano"
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr postgres-$name --timeout=100s --for=condition=ready
+  kubectl -n tenant-test wait job.batch postgres-$name-init-job --timeout=50s --for=condition=Complete
+  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-r -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
+  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-ro -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
+  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-rw -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
+  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-r -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  # for some reason it takes longer for the read-only endpoint to be ready
+  #timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-ro -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-rw -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  kubectl -n tenant-test delete postgreses.apps.cozystack.io $name
+  kubectl -n tenant-test delete job.batch/postgres-$name-init-job
+}

hack/e2e-apps/redis.bats

@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+
+@test "Create Redis" {
+  name='test'
+  kubectl create -f- <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: Redis
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  external: false
+  size: 1Gi
+  replicas: 2
+  storageClass: ""
+  authEnabled: true
+  resources: {}
+  resourcesPreset: "nano"
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr redis-$name --timeout=20s --for=condition=ready
+  kubectl -n tenant-test wait pvc redisfailover-persistent-data-rfr-redis-$name-0 --timeout=50s --for=jsonpath='{.status.phase}'=Bound
+  kubectl -n tenant-test wait deploy rfs-redis-$name --timeout=90s --for=condition=available
+  kubectl -n tenant-test wait sts rfr-redis-$name --timeout=90s --for=jsonpath='{.status.replicas}'=2
+  kubectl -n tenant-test delete redis.apps.cozystack.io $name
+}

hack/e2e-apps/virtualmachine.bats

@@ -0,0 +1,48 @@
+#!/usr/bin/env bats
+
+@test "Create a Virtual Machine" {
+  name='test'
+  kubectl -n tenant-test get virtualmachines.apps.cozystack.io $name || 
+  kubectl create -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: VirtualMachine
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  external: false
+  externalMethod: PortList
+  externalPorts:
+  - 22
+  instanceType: "u1.medium"
+  instanceProfile: ubuntu
+  systemDisk:
+    image: ubuntu
+    storage: 5Gi
+    storageClass: replicated
+  gpus: []
+  resources:
+    cpu: ""
+    memory: ""
+  sshKeys:
+  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
+    test@test
+  cloudInit: |
+    #cloud-config
+    users:
+      - name: test
+        shell: /bin/bash
+        sudo: ['ALL=(ALL) NOPASSWD: ALL']
+        groups: sudo
+        ssh_authorized_keys:
+          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
+  cloudInitSeed: ""
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr virtual-machine-$name --timeout=10s --for=condition=ready
+  kubectl -n tenant-test wait dv virtual-machine-$name --timeout=150s --for=condition=ready
+  kubectl -n tenant-test wait pvc virtual-machine-$name --timeout=100s --for=jsonpath='{.status.phase}'=Bound
+  kubectl -n tenant-test wait vm virtual-machine-$name --timeout=100s --for=condition=ready
+  timeout 120 sh -ec "until kubectl -n tenant-test get vmi virtual-machine-$name -o jsonpath='{.status.interfaces[0].ipAddress}' | grep -q '[0-9]'; do sleep 10; done"
+  kubectl -n tenant-test delete virtualmachines.apps.cozystack.io $name 
+}

hack/e2e-apps/vminstance.bats

@@ -0,0 +1,70 @@
+#!/usr/bin/env bats
+
+@test "Create a VM Disk" {
+  name='test'
+  kubectl -n tenant-test get vmdisks.apps.cozystack.io $name || 
+  kubectl create -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: VMDisk
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  source:
+    http:
+      url: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
+  optical: false
+  storage: 5Gi
+  storageClass: replicated
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr vm-disk-$name --timeout=5s --for=condition=ready
+  kubectl -n tenant-test wait dv vm-disk-$name --timeout=150s --for=condition=ready
+  kubectl -n tenant-test wait pvc vm-disk-$name --timeout=100s --for=jsonpath='{.status.phase}'=Bound
+}
+
+@test "Create a VM Instance" {
+  diskName='test'
+  name='test'
+  kubectl -n tenant-test get vminstances.apps.cozystack.io $name || 
+  kubectl create -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: VMInstance
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  external: false
+  externalMethod: PortList
+  externalPorts:
+  - 22
+  running: true
+  instanceType: "u1.medium"
+  instanceProfile: ubuntu
+  disks:
+    - name: $diskName
+  gpus: []
+  resources:
+    cpu: ""
+    memory: ""
+  sshKeys:
+  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
+    test@test
+  cloudInit: |
+    #cloud-config
+    users:
+      - name: test
+        shell: /bin/bash
+        sudo: ['ALL=(ALL) NOPASSWD: ALL']
+        groups: sudo
+        ssh_authorized_keys:
+          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
+  cloudInitSeed: ""
+EOF
+  sleep 5
+  timeout 20 sh -ec "until kubectl -n tenant-test get vmi vm-instance-$name -o jsonpath='{.status.interfaces[0].ipAddress}' | grep -q '[0-9]'; do sleep 5; done"
+  kubectl -n tenant-test wait hr vm-instance-$name --timeout=5s --for=condition=ready
+  kubectl -n tenant-test wait vm vm-instance-$name --timeout=20s --for=condition=ready
+  kubectl -n tenant-test delete vminstances.apps.cozystack.io $name 
+  kubectl -n tenant-test delete vmdisks.apps.cozystack.io $diskName 
+}

hack/e2e-cluster.bats

@@ -1,391 +0,0 @@
-#!/usr/bin/env bats
-# -----------------------------------------------------------------------------
-# Cozystack end‑to‑end provisioning test (Bats)
-# -----------------------------------------------------------------------------
-
-@test "Required installer assets exist" {
-  if [ ! -f _out/assets/cozystack-installer.yaml ]; then
-    echo "Missing: _out/assets/cozystack-installer.yaml" >&2
-    exit 1
-  fi
-
-  if [ ! -f _out/assets/nocloud-amd64.raw.xz ]; then
-    echo "Missing: _out/assets/nocloud-amd64.raw.xz" >&2
-    exit 1
-  fi
-}
-
-@test "IPv4 forwarding is enabled" {
-  if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
-    echo "IPv4 forwarding is disabled!" >&2
-    echo >&2
-    echo "Enable it with:" >&2
-    echo "  echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
-    exit 1
-  fi
-}
-
-@test "Clean previous VMs" {
- kill $(cat srv1/qemu.pid srv2/qemu.pid srv3/qemu.pid 2>/dev/null) 2>/dev/null || true
- rm -rf srv1 srv2 srv3
-}
-
-@test "Prepare networking and masquerading" {
-  ip link del cozy-br0 2>/dev/null || true
-  ip link add cozy-br0 type bridge
-  ip link set cozy-br0 up
-  ip address add 192.168.123.1/24 dev cozy-br0
-
-  # Masquerading rule – idempotent (delete first, then add)
-  iptables -t nat -D POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE 2>/dev/null || true
-  iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
-}
-
-@test "Prepare cloud‑init drive for VMs" {
-  mkdir -p srv1 srv2 srv3
-
-  # Generate cloud‑init ISOs
-  for i in 1 2 3; do
-    echo "hostname: srv${i}" > "srv${i}/meta-data"
-
-    cat > "srv${i}/user-data" <<'EOF'
-#cloud-config
-EOF
-
-    cat > "srv${i}/network-config" <<EOF
-version: 2
-ethernets:
-  eth0:
-    dhcp4: false
-    addresses:
-      - "192.168.123.1${i}/26"
-    gateway4: "192.168.123.1"
-    nameservers:
-      search: [cluster.local]
-      addresses: [8.8.8.8]
-EOF
-
-    ( cd "srv${i}" && genisoimage \
-        -output seed.img \
-        -volid cidata -rational-rock -joliet \
-        user-data meta-data network-config )
-  done
-}
-
-@test "Use Talos NoCloud image from assets" {
-  if [ ! -f _out/assets/nocloud-amd64.raw.xz ]; then
-    echo "Missing _out/assets/nocloud-amd64.raw.xz" 2>&1
-    exit 1
-  fi
-
-  rm -f nocloud-amd64.raw
-  cp _out/assets/nocloud-amd64.raw.xz .
-  xz --decompress nocloud-amd64.raw.xz
-}
-
-@test "Prepare VM disks" {
-  for i in 1 2 3; do
-    cp nocloud-amd64.raw srv${i}/system.img
-    qemu-img resize srv${i}/system.img 50G
-    qemu-img create srv${i}/data.img 100G
-  done
-}
-
-@test "Create tap devices" {
-  for i in 1 2 3; do
-    ip link del cozy-srv${i} 2>/dev/null || true
-    ip tuntap add dev cozy-srv${i} mode tap
-    ip link set cozy-srv${i} up
-    ip link set cozy-srv${i} master cozy-br0
-  done
-}
-
-@test "Boot QEMU VMs" {
-  for i in 1 2 3; do
-    qemu-system-x86_64 -machine type=pc,accel=kvm -cpu host -smp 8 -m 24576 \
-      -device virtio-net,netdev=net0,mac=52:54:00:12:34:5${i} \
-      -netdev tap,id=net0,ifname=cozy-srv${i},script=no,downscript=no \
-      -drive file=srv${i}/system.img,if=virtio,format=raw \
-      -drive file=srv${i}/seed.img,if=virtio,format=raw \
-      -drive file=srv${i}/data.img,if=virtio,format=raw \
-      -display none -daemonize -pidfile srv${i}/qemu.pid
-  done
-
-  # Give qemu a few seconds to start up networking
-  sleep 5
-}
-
-@test "Wait until Talos API port 50000 is reachable on all machines" {
-  timeout 60 sh -ec 'until nc -nz 192.168.123.11 50000 && nc -nz 192.168.123.12 50000 && nc -nz 192.168.123.13 50000; do sleep 1; done'
-}
-
-@test "Generate Talos cluster configuration" {
-  # Cluster‑wide patches
-  cat > patch.yaml <<'EOF'
-machine:
-  kubelet:
-    nodeIP:
-      validSubnets:
-      - 192.168.123.0/24
-    extraConfig:
-      maxPods: 512
-  kernel:
-    modules:
-    - name: openvswitch
-    - name: drbd
-      parameters:
-        - usermode_helper=disabled
-    - name: zfs
-    - name: spl
-  registries:
-    mirrors:
-      docker.io:
-        endpoints:
-        - https://mirror.gcr.io
-  files:
-  - content: |
-      [plugins]
-        [plugins."io.containerd.cri.v1.runtime"]
-          device_ownership_from_security_context = true
-    path: /etc/cri/conf.d/20-customization.part
-    op: create
-
-cluster:
-  apiServer:
-    extraArgs:
-      oidc-issuer-url: "https://keycloak.example.org/realms/cozy"
-      oidc-client-id: "kubernetes"
-      oidc-username-claim: "preferred_username"
-      oidc-groups-claim: "groups"
-  network:
-    cni:
-      name: none
-    dnsDomain: cozy.local
-    podSubnets:
-    - 10.244.0.0/16
-    serviceSubnets:
-    - 10.96.0.0/16
-EOF
-
-  # Control‑plane‑only patches
-  cat > patch-controlplane.yaml <<'EOF'
-machine:
-  nodeLabels:
-    node.kubernetes.io/exclude-from-external-load-balancers:
-      $patch: delete
-  network:
-    interfaces:
-    - interface: eth0
-      vip:
-        ip: 192.168.123.10
-cluster:
-  allowSchedulingOnControlPlanes: true
-  controllerManager:
-    extraArgs:
-      bind-address: 0.0.0.0
-  scheduler:
-    extraArgs:
-      bind-address: 0.0.0.0
-  apiServer:
-    certSANs:
-    - 127.0.0.1
-  proxy:
-    disabled: true
-  discovery:
-    enabled: false
-  etcd:
-    advertisedSubnets:
-    - 192.168.123.0/24
-EOF
-
-  # Generate secrets once
-  if [ ! -f secrets.yaml ]; then
-    talosctl gen secrets
-  fi
-
-  rm -f controlplane.yaml worker.yaml talosconfig kubeconfig
-  talosctl gen config --with-secrets secrets.yaml cozystack https://192.168.123.10:6443 \
-           --config-patch=@patch.yaml --config-patch-control-plane @patch-controlplane.yaml
-}
-
-@test "Apply Talos configuration to the node" {
-  # Apply the configuration to all three nodes
-  for node in 11 12 13; do
-    talosctl apply -f controlplane.yaml -n 192.168.123.${node} -e 192.168.123.${node} -i
-  done
-
-  # Wait for Talos services to come up again
-  timeout 60 sh -ec 'until nc -nz 192.168.123.11 50000 && nc -nz 192.168.123.12 50000 && nc -nz 192.168.123.13 50000; do sleep 1; done'
-}
-
-@test "Bootstrap Talos cluster" {
-  # Bootstrap etcd on the first node
-  timeout 10 sh -ec 'until talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11; do sleep 1; done'
-
-  # Wait until etcd is healthy
-  timeout 180 sh -ec 'until talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 >/dev/null 2>&1; do sleep 1; done'
-  timeout 60 sh -ec 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep -q "rpc error"; do sleep 1; done'
-
-  # Retrieve kubeconfig
-  rm -f kubeconfig
-  talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10
-
-  # Wait until all three nodes register in Kubernetes
-  timeout 60 sh -ec 'until [ $(kubectl get node --no-headers | wc -l) -eq 3 ]; do sleep 1; done'
-}
-
-@test "Install Cozystack" {
-  # Create namespace & configmap required by installer
-  kubectl create namespace cozy-system --dry-run=client -o yaml | kubectl apply -f -
-  kubectl create configmap cozystack -n cozy-system \
-          --from-literal=bundle-name=paas-full \
-          --from-literal=ipv4-pod-cidr=10.244.0.0/16 \
-          --from-literal=ipv4-pod-gateway=10.244.0.1 \
-          --from-literal=ipv4-svc-cidr=10.96.0.0/16 \
-          --from-literal=ipv4-join-cidr=100.64.0.0/16 \
-          --from-literal=root-host=example.org \
-          --from-literal=api-server-endpoint=https://192.168.123.10:6443 \
-          --dry-run=client -o yaml | kubectl apply -f -
-
-  # Apply installer manifests from file
-  kubectl apply -f _out/assets/cozystack-installer.yaml
-
-  # Wait for the installer deployment to become available
-  kubectl wait deployment/cozystack -n cozy-system --timeout=1m --for=condition=Available
-
-  # Wait until HelmReleases appear & reconcile them
-  timeout 60 sh -ec 'until kubectl get hr -A | grep -q cozys; do sleep 1; done'
-  sleep 5
-  kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n "$1" hr/"$2" &"} END {print "wait"}' | sh -ex
-
-  # Fail the test if any HelmRelease is not Ready
-  if kubectl get hr -A | grep -v " True " | grep -v NAME; then
-    kubectl get hr -A
-    fail "Some HelmReleases failed to reconcile"
-  fi
-}
-
-@test "Wait for Cluster‑API provider deployments" {
-  # Wait for Cluster‑API provider deployments
-  timeout 60 sh -ec 'until kubectl get deploy -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager >/dev/null 2>&1; do sleep 1; done'
-  kubectl wait deployment/capi-controller-manager deployment/capi-kamaji-controller-manager deployment/capi-kubeadm-bootstrap-controller-manager deployment/capi-operator-cluster-api-operator deployment/capk-controller-manager -n cozy-cluster-api --timeout=1m --for=condition=available
-}
-
-@test "Wait for LINSTOR and configure storage" {
-  # Linstor controller and nodes
-  kubectl wait deployment/linstor-controller -n cozy-linstor --timeout=5m --for=condition=available
-  timeout 60 sh -ec 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) -eq 3 ]; do sleep 1; done'
-
-  for node in srv1 srv2 srv3; do
-    kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs ${node} /dev/vdc --pool-name data --storage-pool data
-  done
-
-  # Storage classes
-  kubectl apply -f - <<'EOF'
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: local
-  annotations:
-    storageclass.kubernetes.io/is-default-class: "true"
-provisioner: linstor.csi.linbit.com
-parameters:
-  linstor.csi.linbit.com/storagePool: "data"
-  linstor.csi.linbit.com/layerList: "storage"
-  linstor.csi.linbit.com/allowRemoteVolumeAccess: "false"
-volumeBindingMode: WaitForFirstConsumer
-allowVolumeExpansion: true
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: replicated
-provisioner: linstor.csi.linbit.com
-parameters:
-  linstor.csi.linbit.com/storagePool: "data"
-  linstor.csi.linbit.com/autoPlace: "3"
-  linstor.csi.linbit.com/layerList: "drbd storage"
-  linstor.csi.linbit.com/allowRemoteVolumeAccess: "true"
-  property.linstor.csi.linbit.com/DrbdOptions/auto-quorum: suspend-io
-  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-no-data-accessible: suspend-io
-  property.linstor.csi.linbit.com/DrbdOptions/Resource/on-suspended-primary-outdated: force-secondary
-  property.linstor.csi.linbit.com/DrbdOptions/Net/rr-conflict: retry-connect
-volumeBindingMode: WaitForFirstConsumer
-allowVolumeExpansion: true
-EOF
-}
-
-@test "Wait for MetalLB and configure address pool" {
-  # MetalLB address pool
-  kubectl apply -f - <<'EOF'
----
-apiVersion: metallb.io/v1beta1
-kind: L2Advertisement
-metadata:
-  name: cozystack
-  namespace: cozy-metallb
-spec:
-  ipAddressPools: [cozystack]
----
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
-  name: cozystack
-  namespace: cozy-metallb
-spec:
-  addresses: [192.168.123.200-192.168.123.250]
-  autoAssign: true
-  avoidBuggyIPs: false
-EOF
-}
-
-@test "Check Cozystack API service" {
-  kubectl wait --for=condition=Available apiservices/v1alpha1.apps.cozystack.io --timeout=2m
-}
-
-@test "Configure Tenant and wait for applications" {
-  # Patch root tenant and wait for its releases
-  kubectl patch tenants/root -n tenant-root --type merge -p '{"spec":{"host":"example.org","ingress":true,"monitoring":true,"etcd":true,"isolated":true}}'
-
-  timeout 60 sh -ec 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root >/dev/null 2>&1; do sleep 1; done'
-  kubectl wait hr/etcd hr/ingress hr/tenant-root -n tenant-root --timeout=2m --for=condition=ready
-
-  if ! kubectl wait hr/monitoring -n tenant-root --timeout=2m --for=condition=ready; then
-    flux reconcile hr monitoring -n tenant-root --force
-    kubectl wait hr/monitoring -n tenant-root --timeout=2m --for=condition=ready
-  fi
-
-  # Expose Cozystack services through ingress
-  kubectl patch configmap/cozystack -n cozy-system --type merge -p '{"data":{"expose-services":"api,dashboard,cdi-uploadproxy,vm-exportproxy,keycloak"}}'
-
-  # NGINX ingress controller
-  timeout 60 sh -ec 'until kubectl get deploy root-ingress-controller -n tenant-root >/dev/null 2>&1; do sleep 1; done'
-  kubectl wait deploy/root-ingress-controller -n tenant-root --timeout=5m --for=condition=available
-
-  # etcd statefulset
-  kubectl wait sts/etcd -n tenant-root --for=jsonpath='{.status.readyReplicas}'=3 --timeout=5m
-
-  # VictoriaMetrics components
-  kubectl wait vmalert/vmalert-shortterm vmalertmanager/alertmanager -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=5m
-  kubectl wait vlogs/generic -n tenant-root --for=jsonpath='{.status.updateStatus}'=operational --timeout=5m
-  kubectl wait vmcluster/shortterm vmcluster/longterm -n tenant-root --for=jsonpath='{.status.clusterStatus}'=operational --timeout=5m
-
-  # Grafana
-  kubectl wait clusters.postgresql.cnpg.io/grafana-db -n tenant-root --for=condition=ready --timeout=5m
-  kubectl wait deploy/grafana-deployment -n tenant-root --for=condition=available --timeout=5m
-
-  # Verify Grafana via ingress
-  ingress_ip=$(kubectl get svc root-ingress-controller -n tenant-root -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-  if ! curl -sS -k "https://${ingress_ip}" -H 'Host: grafana.example.org' --max-time 30 | grep -q Found; then
-    echo "Failed to access Grafana via ingress at ${ingress_ip}" >&2
-    exit 1
-  fi
-}
-
-@test "Keycloak OIDC stack is healthy" {
-  kubectl patch configmap/cozystack -n cozy-system --type merge -p '{"data":{"oidc-enabled":"true"}}'
-
-  timeout 120 sh -ec 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator >/dev/null 2>&1; do sleep 1; done'
-  kubectl wait hr/keycloak hr/keycloak-configure hr/keycloak-operator -n cozy-keycloak --timeout=10m --for=condition=ready
-}

hack/e2e-install-cozystack.bats

@@ -20,9 +20,9 @@
   kubectl wait deployment/cozystack -n cozy-system --timeout=1m --for=condition=Available
 
   # Wait until HelmReleases appear & reconcile them
-  timeout 60 sh -ec 'until kubectl get hr -A | grep -q cozys; do sleep 1; done'
+  timeout 60 sh -ec 'until kubectl get hr -A -l cozystack.io/system-app=true | grep -q cozys; do sleep 1; done'
   sleep 5
-  kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n "$1" hr/"$2" &"} END {print "wait"}' | sh -ex
+  kubectl get hr -A -l cozystack.io/system-app=true | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n "$1" hr/"$2" &"} END {print "wait"}' | sh -ex
 
   # Fail the test if any HelmRelease is not Ready
   if kubectl get hr -A | grep -v " True " | grep -v NAME; then
@@ -42,7 +42,11 @@
   kubectl wait deployment/linstor-controller -n cozy-linstor --timeout=5m --for=condition=available
   timeout 60 sh -ec 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) -eq 3 ]; do sleep 1; done'
 
+  created_pools=$(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor sp l -s data --pastable | awk '$2 == "data" {printf " " $4} END{printf " "}')
   for node in srv1 srv2 srv3; do
+    case $created_pools in
+      *" $node "*) echo "Storage pool 'data' already exists on node $node"; continue;;
+    esac
     kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs ${node} /dev/vdc --pool-name data --storage-pool data
   done
 
@@ -155,3 +159,24 @@ EOF
   timeout 120 sh -ec 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator >/dev/null 2>&1; do sleep 1; done'
   kubectl wait hr/keycloak hr/keycloak-configure hr/keycloak-operator -n cozy-keycloak --timeout=10m --for=condition=ready
 }
+
+@test "Create tenant with isolated mode enabled" {
+  kubectl -n tenant-root get tenants.apps.cozystack.io test || 
+  kubectl apply -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: Tenant
+metadata:
+  name: test
+  namespace: tenant-root
+spec:
+  etcd: false
+  host: ""
+  ingress: false
+  isolated: true
+  monitoring: false
+  resourceQuotas: {}
+  seaweedfs: false
+EOF
+  kubectl wait hr/tenant-test -n tenant-root --timeout=1m --for=condition=ready
+  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
+}

hack/e2e-prepare-cluster.bats

@@ -141,7 +141,25 @@ machine:
     mirrors:
       docker.io:
         endpoints:
-        - https://mirror.gcr.io
+        - https://dockerio.nexus.lllamnyp.su
+      cr.fluentbit.io:
+        endpoints:
+        - https://fluentbit.nexus.lllamnyp.su
+      docker-registry3.mariadb.com:
+        endpoints:
+        - https://mariadb.nexus.lllamnyp.su
+      gcr.io:
+        endpoints:
+        - https://gcr.nexus.lllamnyp.su
+      ghcr.io:
+        endpoints:
+        - https://ghcr.nexus.lllamnyp.su
+      quay.io:
+        endpoints:
+        - https://quay.nexus.lllamnyp.su
+      registry.k8s.io:
+        endpoints:
+        - https://k8s.nexus.lllamnyp.su
   files:
   - content: |
       [plugins]

packages/apps/clickhouse/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.0
+version: 0.10.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/clickhouse/Makefile

@@ -5,6 +5,7 @@ include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
 
 image:
 	docker buildx build images/clickhouse-backup \

packages/apps/clickhouse/README.md

@@ -1,18 +1,19 @@
-# Managed Clickhouse Service
+# Managed ClickHouse Service
 
 ClickHouse is an open source high-performance and column-oriented SQL database management system (DBMS).
 It is used for online analytical processing (OLAP).
-Cozystack platform uses Altinity operator to provide ClickHouse.
 
-### How to restore backup:
+### How to restore backup from S3
 
-1. Find a snapshot:
-    ```
+1.  Find the snapshot:
+
+    ```bash
     restic -r s3:s3.example.org/clickhouse-backups/table_name snapshots
     ```
 
 2.  Restore it:
-    ```
+
+    ```bash
     restic -r s3:s3.example.org/clickhouse-backups/table_name restore latest --target /tmp/
     ```
 
@@ -39,32 +40,41 @@ For more details, read [Restic: Effective Backup from Stdin](https://blog.aenix.
 
 ### Backup parameters
 
-| Name                     | Description                                                                 | Value                                                  |
-| ------------------------ | --------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable periodic backups                                                     | `false`                                                |
-| `backup.s3Region`        | AWS S3 region where backups are stored                                      | `us-east-1`                                            |
-| `backup.s3Bucket`        | S3 bucket used for storing backups                                          | `s3.example.org/clickhouse-backups`                    |
-| `backup.schedule`        | Cron schedule for automated backups                                         | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups                              | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | Access key for S3, used for authentication                                  | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | Secret key for S3, used for authentication                                  | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | Password for Restic backup encryption                                       | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Explicit CPU/memory resource requests and limits for the Clickhouse service | `{}`                                                   |
-| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly.       | `nano`                                                 |
+| Name                     | Description                                                                                                                             | Value                                                  |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable periodic backups                                                                                                                 | `false`                                                |
+| `backup.s3Region`        | AWS S3 region where backups are stored                                                                                                  | `us-east-1`                                            |
+| `backup.s3Bucket`        | S3 bucket used for storing backups                                                                                                      | `s3.example.org/clickhouse-backups`                    |
+| `backup.schedule`        | Cron schedule for automated backups                                                                                                     | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                                                                                              | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                                                                                              | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | Password for Restic backup encryption                                                                                                   | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+| `resources`              | Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`                                                   |
+| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.       | `small`                                                |
 
+## Parameter examples and reference
 
-In production environments, it's recommended to set `resources` explicitly.
-Example of `resources`:
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
 
 ```yaml
 resources:
-  limits:
-    cpu: 4000m
-    memory: 4Gi
-  requests:
-    cpu: 100m
-    memory: 512Mi
+  cpu: 4000m
+  memory: 4Gi
 ```
 
-Allowed values for `resourcesPreset` are `none`, `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
-This value is ignored if `resources` value is set. 
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/clickhouse-backup:0.10.0@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
+ghcr.io/cozystack/cozystack/clickhouse-backup:0.10.1@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205

packages/apps/clickhouse/values.schema.json

@@ -79,13 +79,23 @@
         },
         "resources": {
             "type": "object",
-            "description": "Explicit CPU/memory resource requests and limits for the Clickhouse service",
+            "description": "Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied.",
             "default": {}
         },
         "resourcesPreset": {
             "type": "string",
-            "description": "Use a common resources preset when `resources` is not set explicitly.",
-            "default": "nano"
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "default": "small",
+            "enum": [
+                "none",
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+            ]
         }
     }
-}
+}

packages/apps/clickhouse/values.yaml

@@ -47,15 +47,11 @@ backup:
   s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
   resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
 
-## @param resources Explicit CPU/memory resource requests and limits for the Clickhouse service
+## @param resources Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}
  # resources:
- #   limits:
- #     cpu: 4000m
- #     memory: 4Gi
- #   requests:
- #     cpu: 100m
- #     memory: 512Mi
+ #   cpu: 4000m
+ #   memory: 4Gi
 
-## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly.
-resourcesPreset: "nano"
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "small"

packages/apps/ferretdb/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.7.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/ferretdb/Makefile

@@ -2,3 +2,4 @@ include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json

packages/apps/ferretdb/README.md

@@ -1,17 +1,21 @@
 # Managed FerretDB Service
 
+FerretDB is an open source MongoDB alternative.
+It translates MongoDB wire protocol queries to SQL and can be used as a direct replacement for MongoDB 5.0+.
+Internally, FerretDB service is backed by Postgres.
+
 ## Parameters
 
 ### Common parameters
 
-| Name                     | Description                                                                                                             | Value   |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`               | Enable external access from outside the cluster                                                                         | `false` |
-| `size`                   | Persistent Volume size                                                                                                  | `10Gi`  |
-| `replicas`               | Number of Postgres replicas                                                                                             | `2`     |
-| `storageClass`           | StorageClass used to store the data                                                                                     | `""`    |
-| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.           | `0`     |
-| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0`     |
+| Name                     | Description                                                                                                                 | Value   |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `external`               | Enable external access from outside the cluster                                                                             | `false` |
+| `size`                   | Persistent Volume size                                                                                                      | `10Gi`  |
+| `replicas`               | Number of replicas                                                                                                          | `2`     |
+| `storageClass`           | StorageClass used to store the data                                                                                         | `""`    |
+| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed                | `0`     |
+| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas) | `0`     |
 
 ### Configuration parameters
 
@@ -21,17 +25,43 @@
 
 ### Backup parameters
 
-| Name                     | Description                                                                                                                                                                                                       | Value                                                  |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable pereiodic backups                                                                                                                                                                                          | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                                                                                        | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                                                                                            | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                                                                                               | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                                                                                    | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                                                                                    | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                                                                                         | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Resources                                                                                                                                                                                                         | `{}`                                                   |
-| `resourcesPreset`        | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`                                                 |
+| Name                     | Description                                                                                                                           | Value                                                  |
+| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable periodic backups                                                                                                               | `false`                                                |
+| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                            | `us-east-1`                                            |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                | `s3.example.org/postgres-backups`                      |
+| `backup.schedule`        | Cron schedule for automated backups                                                                                                   | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                              | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                        | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                        | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption                                                                                             | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+| `resources`              | Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`                                                   |
+| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.     | `nano`                                                 |
 
 
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |

packages/apps/ferretdb/values.schema.json

@@ -14,7 +14,7 @@
         },
         "replicas": {
             "type": "number",
-            "description": "Number of Postgres replicas",
+            "description": "Number of replicas",
             "default": 2
         },
         "storageClass": {
@@ -27,12 +27,12 @@
             "properties": {
                 "minSyncReplicas": {
                     "type": "number",
-                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
+                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed",
                     "default": 0
                 },
                 "maxSyncReplicas": {
                     "type": "number",
-                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
+                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)",
                     "default": 0
                 }
             }
@@ -42,7 +42,7 @@
             "properties": {
                 "enabled": {
                     "type": "boolean",
-                    "description": "Enable pereiodic backups",
+                    "description": "Enable periodic backups",
                     "default": false
                 },
                 "s3Region": {
@@ -84,13 +84,23 @@
         },
         "resources": {
             "type": "object",
-            "description": "Resources",
+            "description": "Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.",
             "default": {}
         },
         "resourcesPreset": {
             "type": "string",
-            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-            "default": "nano"
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "default": "nano",
+            "enum": [
+                "none",
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+            ]
         }
     }
-}
+}

packages/apps/ferretdb/values.yaml

@@ -2,7 +2,7 @@
 
 ## @param external Enable external access from outside the cluster
 ## @param size Persistent Volume size
-## @param replicas Number of Postgres replicas
+## @param replicas Number of replicas
 ## @param storageClass StorageClass used to store the data
 ##
 external: false
@@ -11,8 +11,8 @@ replicas: 2
 storageClass: ""
 
 ## Configuration for the quorum-based synchronous replication
-## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
-## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
+## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed
+## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)
 quorum:
   minSyncReplicas: 0
   maxSyncReplicas: 0
@@ -31,7 +31,7 @@ users: {}
 
 ## @section Backup parameters
 
-## @param backup.enabled Enable pereiodic backups
+## @param backup.enabled Enable periodic backups
 ## @param backup.s3Region The AWS S3 region where backups are stored
 ## @param backup.s3Bucket The S3 bucket used for storing backups
 ## @param backup.schedule Cron schedule for automated backups
@@ -49,15 +49,11 @@ backup:
   s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
   resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
 
-## @param resources Resources
+## @param resources Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}
  # resources:
- #   limits:
- #     cpu: 4000m
- #     memory: 4Gi
- #   requests:
- #     cpu: 100m
- #     memory: 512Mi
- 
-## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+ #   cpu: 4000m
+ #   memory: 4Gi
+
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
 resourcesPreset: "nano"

packages/apps/http-cache/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.1
+version: 0.5.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/http-cache/Makefile

@@ -23,6 +23,8 @@ image-nginx:
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.haproxy.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.nginx.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
 
 update:
 	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/chrislim2888/IP2Location-C-Library | awk -F'[/^]' 'END{print $$3}') && \

packages/apps/http-cache/README.md

@@ -1,8 +1,9 @@
-# Managed Nginx Caching Service
+# Managed Nginx-based HTTP Cache Service
 
-The Nginx Caching Service is designed to optimize web traffic and enhance web application performance. This service combines custom-built Nginx instances with HAproxy for efficient caching and load balancing.
+The Nginx-based HTTP caching service is designed to optimize web traffic and enhance web application performance.
+This service combines custom-built Nginx instances with HAProxy for efficient caching and load balancing.
 
-## Deployment infromation
+## Deployment information
 
 The Nginx instances include the following modules and features:
 
@@ -53,27 +54,67 @@ The deployment architecture is illustrated in the diagram below:
 
 ## Known issues
 
-VTS module shows wrong upstream resonse time
-- https://github.com/vozlt/nginx-module-vts/issues/198
+- VTS module shows wrong upstream response time, [github.com/vozlt/nginx-module-vts#198](https://github.com/vozlt/nginx-module-vts/issues/198)
 
 ## Parameters
 
 ### Common parameters
 
-| Name                      | Description                                                                                                                                                                                                       | Value   |
-| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`                | Enable external access from outside the cluster                                                                                                                                                                   | `false` |
-| `size`                    | Persistent Volume size                                                                                                                                                                                            | `10Gi`  |
-| `storageClass`            | StorageClass used to store the data                                                                                                                                                                               | `""`    |
-| `haproxy.replicas`        | Number of HAProxy replicas                                                                                                                                                                                        | `2`     |
-| `nginx.replicas`          | Number of Nginx replicas                                                                                                                                                                                          | `2`     |
-| `haproxy.resources`       | Resources                                                                                                                                                                                                         | `{}`    |
-| `haproxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
-| `nginx.resources`         | Resources                                                                                                                                                                                                         | `{}`    |
-| `nginx.resourcesPreset`   | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
+| Name                      | Description                                                                                                                          | Value   |
+| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| `external`                | Enable external access from outside the cluster                                                                                      | `false` |
+| `size`                    | Persistent Volume size                                                                                                               | `10Gi`  |
+| `storageClass`            | StorageClass used to store the data                                                                                                  | `""`    |
+| `haproxy.replicas`        | Number of HAProxy replicas                                                                                                           | `2`     |
+| `nginx.replicas`          | Number of Nginx replicas                                                                                                             | `2`     |
+| `haproxy.resources`       | Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `haproxy.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.    | `nano`  |
+| `nginx.resources`         | Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.   | `{}`    |
+| `nginx.resourcesPreset`   | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.    | `nano`  |
 
 ### Configuration parameters
 
 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
 | `endpoints` | Endpoints configuration | `[]`  |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |
+
+
+### endpoints
+
+`endpoints` is a flat list of IP addresses:
+
+```yaml
+endpoints:
+  - 10.100.3.1:80
+  - 10.100.3.11:80
+  - 10.100.3.2:80
+  - 10.100.3.12:80
+  - 10.100.3.3:80
+  - 10.100.3.13:80
+```

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.5.1@sha256:50ac1581e3100bd6c477a71161cb455a341ffaf9e5e2f6086802e4e25271e8af
+ghcr.io/cozystack/cozystack/nginx-cache:0.5.2@sha256:e0a07082bb6fc6aeaae2315f335386f1705a646c72f9e0af512aebbca5cb2b15

packages/apps/http-cache/values.schema.json

@@ -27,13 +27,23 @@
                 },
                 "resources": {
                     "type": "object",
-                    "description": "Resources",
+                    "description": "Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied.",
                     "default": {}
                 },
                 "resourcesPreset": {
                     "type": "string",
-                    "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "nano"
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "default": "nano",
+                    "enum": [
+                        "none",
+                        "nano",
+                        "micro",
+                        "small",
+                        "medium",
+                        "large",
+                        "xlarge",
+                        "2xlarge"
+                    ]
                 }
             }
         },
@@ -47,13 +57,23 @@
                 },
                 "resources": {
                     "type": "object",
-                    "description": "Resources",
+                    "description": "Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.",
                     "default": {}
                 },
                 "resourcesPreset": {
                     "type": "string",
-                    "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "nano"
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "default": "nano",
+                    "enum": [
+                        "none",
+                        "nano",
+                        "micro",
+                        "small",
+                        "medium",
+                        "large",
+                        "xlarge",
+                        "2xlarge"
+                    ]
                 }
             }
         },
@@ -64,4 +84,4 @@
             "items": {}
         }
     }
-}
+}

packages/apps/http-cache/values.yaml

@@ -12,31 +12,23 @@ size: 10Gi
 storageClass: ""
 haproxy:
   replicas: 2
-  ## @param haproxy.resources Resources
+  ## @param haproxy.resources Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied.
   resources: {}
   # resources:
-  #   limits:
-  #     cpu: 4000m
-  #     memory: 4Gi
-  #   requests:
-  #     cpu: 100m
-  #     memory: 512Mi
-  
-  ## @param haproxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+  #   cpu: 4000m
+  #   memory: 4Gi
+
+  ## @param haproxy.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
   resourcesPreset: "nano"
 nginx:
   replicas: 2
-  ## @param nginx.resources Resources
+  ## @param nginx.resources Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.
   resources: {}
   # resources:
-  #   limits:
-  #     cpu: 4000m
-  #     memory: 4Gi
-  #   requests:
-  #     cpu: 100m
-  #     memory: 512Mi
-  
-  ## @param nginx.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+  #   cpu: 4000m
+  #   memory: 4Gi
+
+  ## @param nginx.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
   resourcesPreset: "nano"
 
 ## @section Configuration parameters

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.7.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/Makefile

@@ -2,3 +2,5 @@ include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.kafka.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
+	yq -i -o json --indent 4 '.properties.zookeeper.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json

packages/apps/kafka/README.md

@@ -4,22 +4,68 @@
 
 ### Common parameters
 
-| Name                        | Description                                                                                                                                                                                                       | Value   |
-| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`                  | Enable external access from outside the cluster                                                                                                                                                                   | `false` |
-| `kafka.size`                | Persistent Volume size for Kafka                                                                                                                                                                                  | `10Gi`  |
-| `kafka.replicas`            | Number of Kafka replicas                                                                                                                                                                                          | `3`     |
-| `kafka.storageClass`        | StorageClass used to store the Kafka data                                                                                                                                                                         | `""`    |
-| `zookeeper.size`            | Persistent Volume size for ZooKeeper                                                                                                                                                                              | `5Gi`   |
-| `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                                                                                                      | `3`     |
-| `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                                                                                                     | `""`    |
-| `kafka.resources`           | Resources                                                                                                                                                                                                         | `{}`    |
-| `kafka.resourcesPreset`     | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
-| `zookeeper.resources`       | Resources                                                                                                                                                                                                         | `{}`    |
-| `zookeeper.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
+| Name                        | Description                                                                                                                            | Value   |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `external`                  | Enable external access from outside the cluster                                                                                        | `false` |
+| `kafka.size`                | Persistent Volume size for Kafka                                                                                                       | `10Gi`  |
+| `kafka.replicas`            | Number of Kafka replicas                                                                                                               | `3`     |
+| `kafka.storageClass`        | StorageClass used to store the Kafka data                                                                                              | `""`    |
+| `zookeeper.size`            | Persistent Volume size for ZooKeeper                                                                                                   | `5Gi`   |
+| `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                           | `3`     |
+| `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                          | `""`    |
+| `kafka.resources`           | Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.     | `{}`    |
+| `kafka.resourcesPreset`     | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `small` |
+| `zookeeper.resources`       | Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `zookeeper.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `small` |
 
 ### Configuration parameters
 
 | Name     | Description          | Value |
 | -------- | -------------------- | ----- |
 | `topics` | Topics configuration | `[]`  |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |
+
+
+### topics
+
+```yaml
+topics:
+  - name: Results
+    partitions: 1
+    replicas: 3
+    config:
+      min.insync.replicas: 2
+  - name: Orders
+    config:
+      cleanup.policy: compact
+      segment.ms: 3600000
+      max.compaction.lag.ms: 5400000
+      min.insync.replicas: 2
+    partitions: 1
+    replicas: 3
+```

packages/apps/kafka/values.schema.json

@@ -27,13 +27,23 @@
                 },
                 "resources": {
                     "type": "object",
-                    "description": "Resources",
+                    "description": "Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.",
                     "default": {}
                 },
                 "resourcesPreset": {
                     "type": "string",
-                    "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "small"
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "default": "small",
+                    "enum": [
+                        "none",
+                        "nano",
+                        "micro",
+                        "small",
+                        "medium",
+                        "large",
+                        "xlarge",
+                        "2xlarge"
+                    ]
                 }
             }
         },
@@ -57,13 +67,23 @@
                 },
                 "resources": {
                     "type": "object",
-                    "description": "Resources",
+                    "description": "Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.",
                     "default": {}
                 },
                 "resourcesPreset": {
                     "type": "string",
-                    "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "micro"
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "default": "small",
+                    "enum": [
+                        "none",
+                        "nano",
+                        "micro",
+                        "small",
+                        "medium",
+                        "large",
+                        "xlarge",
+                        "2xlarge"
+                    ]
                 }
             }
         },
@@ -74,4 +94,4 @@
             "items": {}
         }
     }
-}
+}

packages/apps/kafka/values.yaml

@@ -14,35 +14,25 @@ kafka:
   size: 10Gi
   replicas: 3
   storageClass: ""
-  ## @param kafka.resources Resources
+  ## @param kafka.resources Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.
   resources: {}
   # resources:
-  #   limits:
-  #     cpu: 4000m
-  #     memory: 4Gi
-  #   requests:
-  #     cpu: 100m
-  #     memory: 512Mi
-  
-  ## @param kafka.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+  #   cpu: 4000m
+  #   memory: 4Gi
+  ## @param kafka.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
   resourcesPreset: "small"
 
 zookeeper:
   size: 5Gi
   replicas: 3
   storageClass: ""
-  ## @param zookeeper.resources Resources
+  ## @param zookeeper.resources Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.
   resources: {}
   # resources:
-  #   limits:
-  #     cpu: 4000m
-  #     memory: 4Gi
-  #   requests:
-  #     cpu: 100m
-  #     memory: 512Mi
-  
-  ## @param zookeeper.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
-  resourcesPreset: "micro"
+  #   cpu: 4000m
+  #   memory: 4Gi
+  ## @param zookeeper.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "small"
 
 ## @section Configuration parameters
 

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.24.1
+version: 0.24.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/README.md

@@ -81,13 +81,12 @@ See the reference for components utilized in this service:
 
 ### Common Parameters
 
-| Name                                | Description                                                                                                       | Value        |
-| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
-| `host`                              | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
-| `controlPlane.replicas`             | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
-| `storageClass`                      | StorageClass used to store user data.                                                                             | `replicated` |
-| `useCustomSecretForPatchContainerd` | if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd                           | `false`      |
-| `nodeGroups`                        | nodeGroups configuration                                                                                          | `{}`         |
+| Name                    | Description                                                                                                       | Value        |
+| ----------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
+| `host`                  | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
+| `controlPlane.replicas` | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
+| `storageClass`          | StorageClass used to store user data.                                                                             | `replicated` |
+| `nodeGroups`            | nodeGroups configuration                                                                                          | `{}`         |
 
 ### Cluster Addons
 
@@ -110,34 +109,44 @@ See the reference for components utilized in this service:
 
 ### Kubernetes Control Plane Configuration
 
-| Name                                               | Description                                                                  | Value    |
-| -------------------------------------------------- | ---------------------------------------------------------------------------- | -------- |
-| `controlPlane.apiServer.resources`                 | Explicit CPU/memory resource requests and limits for the API server.         | `{}`     |
-| `controlPlane.apiServer.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly.        | `medium` |
-| `controlPlane.controllerManager.resources`         | Explicit CPU/memory resource requests and limits for the controller manager. | `{}`     |
-| `controlPlane.controllerManager.resourcesPreset`   | Use a common resources preset when `resources` is not set explicitly.        | `micro`  |
-| `controlPlane.scheduler.resources`                 | Explicit CPU/memory resource requests and limits for the scheduler.          | `{}`     |
-| `controlPlane.scheduler.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly.        | `micro`  |
-| `controlPlane.konnectivity.server.resources`       | Explicit CPU/memory resource requests and limits for the Konnectivity.       | `{}`     |
-| `controlPlane.konnectivity.server.resourcesPreset` | Use a common resources preset when `resources` is not set explicitly.        | `micro`  |
+| Name                                               | Description                                                                                                                            | Value    |
+| -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | -------- |
+| `controlPlane.apiServer.resources`                 | Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.         | `{}`     |
+| `controlPlane.apiServer.resourcesPreset`           | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `medium` |
+| `controlPlane.controllerManager.resources`         | Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`     |
+| `controlPlane.controllerManager.resourcesPreset`   | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `micro`  |
+| `controlPlane.scheduler.resources`                 | Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.          | `{}`     |
+| `controlPlane.scheduler.resourcesPreset`           | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `micro`  |
+| `controlPlane.konnectivity.server.resources`       | Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.           | `{}`     |
+| `controlPlane.konnectivity.server.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.      | `micro`  |
 
-In production environments, it's recommended to set `resources` explicitly.
-Example of `controlPlane.*.resources`:
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
 
 ```yaml
 resources:
-  limits:
-    cpu: 4000m
-    memory: 4Gi
-  requests:
-    cpu: 100m
-    memory: 512Mi
+  cpu: 4000m
+  memory: 4Gi
 ```
 
-Allowed values for `controlPlane.*.resourcesPreset` are `none`, `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
-This value is ignored if the corresponding `resources` value is set. 
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |
 
-## Resources Reference
 
 ### instanceType Resources
 

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.24.0@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.24.2@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.24.0@sha256:b478952fab735f85c3ba15835012b1de8af5578b33a8a2670eaf532ffc17681e
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.24.2@sha256:b478952fab735f85c3ba15835012b1de8af5578b33a8a2670eaf532ffc17681e

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.24.0@sha256:4d3728b2050d4e0adb00b9f4abbb4a020b29e1a39f24ca1447806fc81f110fa6
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.24.2@sha256:598ab20550dbf495717e8e123e6b626bb36298f88dde851664301d393ac06ca3

packages/apps/kubernetes/templates/copy-patch-containerd.yaml

@@ -1,4 +1,3 @@
-{{- if not .Values.useCustomSecretForPatchContainerd }}
 {{- $sourceSecret := lookup "v1" "Secret" "cozy-system" "patch-containerd" }}
 {{- if $sourceSecret }}
 apiVersion: v1
@@ -12,4 +11,3 @@ data:
   {{ printf "%s: %s" $key ($value | quote) | indent 2 }}
 {{- end }}
 {{- end }}
-{{- end }}

packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.addons.certManager.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -54,3 +55,4 @@ stringData:
   values: |
     {{- toYaml .Values.addons.certManager.valuesOverride | nindent 4 }}
 {{- end }}
+{{- end }}

packages/apps/kubernetes/values.schema.json

@@ -20,12 +20,12 @@
           "properties": {
             "resources": {
               "type": "object",
-              "description": "Explicit CPU/memory resource requests and limits for the API server.",
+              "description": "Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.",
               "default": {}
             },
             "resourcesPreset": {
               "type": "string",
-              "description": "Use a common resources preset when `resources` is not set explicitly.",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
               "default": "medium",
               "enum": [
                 "none",
@@ -45,12 +45,12 @@
           "properties": {
             "resources": {
               "type": "object",
-              "description": "Explicit CPU/memory resource requests and limits for the controller manager.",
+              "description": "Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.",
               "default": {}
             },
             "resourcesPreset": {
               "type": "string",
-              "description": "Use a common resources preset when `resources` is not set explicitly.",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
               "default": "micro",
               "enum": [
                 "none",
@@ -70,12 +70,12 @@
           "properties": {
             "resources": {
               "type": "object",
-              "description": "Explicit CPU/memory resource requests and limits for the scheduler.",
+              "description": "Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.",
               "default": {}
             },
             "resourcesPreset": {
               "type": "string",
-              "description": "Use a common resources preset when `resources` is not set explicitly.",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
               "default": "micro",
               "enum": [
                 "none",
@@ -98,12 +98,12 @@
               "properties": {
                 "resources": {
                   "type": "object",
-                  "description": "Explicit CPU/memory resource requests and limits for the Konnectivity.",
+                  "description": "Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.",
                   "default": {}
                 },
                 "resourcesPreset": {
                   "type": "string",
-                  "description": "Use a common resources preset when `resources` is not set explicitly.",
+                  "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
                   "default": "micro",
                   "enum": [
                     "none",
@@ -127,11 +127,6 @@
       "description": "StorageClass used to store user data.",
       "default": "replicated"
     },
-    "useCustomSecretForPatchContainerd": {
-      "type": "boolean",
-      "description": "if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd",
-      "default": false
-    },
     "addons": {
       "type": "object",
       "properties": {

packages/apps/kubernetes/values.yaml

@@ -3,11 +3,9 @@
 ## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
 ## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
 ## @param storageClass StorageClass used to store user data.
-## @param useCustomSecretForPatchContainerd if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd
 ##
 host: ""
 storageClass: replicated
-useCustomSecretForPatchContainerd: false
 
 ## @param nodeGroups [object] nodeGroups configuration
 ##
@@ -112,35 +110,31 @@ controlPlane:
   replicas: 2
 
   apiServer:
-    ## @param controlPlane.apiServer.resources Explicit CPU/memory resource requests and limits for the API server.
-    ## @param controlPlane.apiServer.resourcesPreset Use a common resources preset when `resources` is not set explicitly.
+    ## @param controlPlane.apiServer.resources Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.
+    ## @param controlPlane.apiServer.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
     ## e.g:
     ## resources:
-    ##   limits:
-    ##     cpu: 4000m
-    ##     memory: 4Gi
-    ##   requests:
-    ##     cpu: 100m
-    ##     memory: 512Mi
+    ##   cpu: 4000m
+    ##   memory: 4Gi
     ##
     resourcesPreset: "medium"
     resources: {}
 
   controllerManager:
-    ## @param controlPlane.controllerManager.resources Explicit CPU/memory resource requests and limits for the controller manager.
-    ## @param controlPlane.controllerManager.resourcesPreset Use a common resources preset when `resources` is not set explicitly.
+    ## @param controlPlane.controllerManager.resources Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.
+    ## @param controlPlane.controllerManager.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
     resourcesPreset: "micro"
     resources: {}
 
   scheduler:
-    ## @param controlPlane.scheduler.resources Explicit CPU/memory resource requests and limits for the scheduler.
-    ## @param controlPlane.scheduler.resourcesPreset Use a common resources preset when `resources` is not set explicitly.
+    ## @param controlPlane.scheduler.resources Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.
+    ## @param controlPlane.scheduler.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
     resourcesPreset: "micro"
     resources: {}
 
   konnectivity:
     server:
-      ## @param controlPlane.konnectivity.server.resources Explicit CPU/memory resource requests and limits for the Konnectivity.
-      ## @param controlPlane.konnectivity.server.resourcesPreset Use a common resources preset when `resources` is not set explicitly.
+      ## @param controlPlane.konnectivity.server.resources Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.
+      ## @param controlPlane.konnectivity.server.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
       resourcesPreset: "micro"
       resources: {}

packages/apps/mysql/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.8.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/mysql/Makefile

@@ -5,6 +5,7 @@ include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
 
 image:
 	docker buildx build images/mariadb-backup \

packages/apps/mysql/README.md

@@ -1,6 +1,7 @@
 ## Managed MariaDB Service
 
-The Managed MariaDB Service offers a powerful and widely used relational database solution. This service allows you to create and manage a replicated MariaDB cluster seamlessly.
+The Managed MariaDB Service offers a powerful and widely used relational database solution.
+This service allows you to create and manage a replicated MariaDB cluster seamlessly.
 
 ## Deployment Details
 
@@ -46,7 +47,7 @@ restic -r s3:s3.example.org/mariadb-backups/database_name restore latest --targe
 ```
 
 more details:
-- https://itnext.io/restic-effective-backup-from-stdin-4bc1e8f083c1
+- https://blog.aenix.io/restic-effective-backup-from-stdin-4bc1e8f083c1
 
 ### Known issues
 
@@ -83,16 +84,67 @@ more details:
 
 ### Backup parameters
 
-| Name                     | Description                                                                                                                                                                                                       | Value                                                  |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable pereiodic backups                                                                                                                                                                                          | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                                                                                        | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                                                                                            | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                                                                                               | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                                                                                    | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                                                                                    | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                                                                                         | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Resources                                                                                                                                                                                                         | `{}`                                                   |
-| `resourcesPreset`        | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`                                                 |
+| Name                     | Description                                                                                                                          | Value                                                  |
+| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ |
+| `backup.enabled`         | Enable periodic backups                                                                                                              | `false`                                                |
+| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                           | `us-east-1`                                            |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                               | `s3.example.org/postgres-backups`                      |
+| `backup.schedule`        | Cron schedule for automated backups                                                                                                  | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                             | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                       | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                       | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption                                                                                            | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+| `resources`              | Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`                                                   |
+| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.    | `nano`                                                 |
 
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |
+
+
+### users
+
+```yaml
+users:
+  user1:
+    maxUserConnections: 1000
+    password: hackme
+  user2:
+    maxUserConnections: 1000
+    password: hackme
+```
+
+
+### databases
+
+```yaml
+databases:
+  myapp1:
+    roles:
+      admin:
+      - user1
+      readonly:
+      - user2
+```

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/mariadb-backup:0.8.0@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4
+ghcr.io/cozystack/cozystack/mariadb-backup:0.8.1@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4

packages/apps/mysql/templates/mariadb.yaml

@@ -61,7 +61,9 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/instance: {{ $.Release.Name }}
-
+    {{- if and .Values.external (eq (int .Values.replicas) 1) }}
+    type: LoadBalancer
+    {{- end }}
   storage:
     size: {{ .Values.size }}
     resizeInUseVolumes: true
@@ -70,7 +72,7 @@ spec:
     storageClassName: {{ . }}
     {{- end }}
 
-  {{- if .Values.external }}
+  {{- if and .Values.external (gt (int .Values.replicas) 1) }}
   primaryService:
     type: LoadBalancer
   {{- end }}

packages/apps/mysql/values.schema.json

@@ -27,7 +27,7 @@
             "properties": {
                 "enabled": {
                     "type": "boolean",
-                    "description": "Enable pereiodic backups",
+                    "description": "Enable periodic backups",
                     "default": false
                 },
                 "s3Region": {
@@ -69,13 +69,23 @@
         },
         "resources": {
             "type": "object",
-            "description": "Resources",
+            "description": "Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.",
             "default": {}
         },
         "resourcesPreset": {
             "type": "string",
-            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-            "default": "nano"
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "default": "nano",
+            "enum": [
+                "none",
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+            ]
         }
     }
-}
+}

packages/apps/mysql/values.yaml

@@ -37,7 +37,7 @@ databases: {}
 
 ## @section Backup parameters
 
-## @param backup.enabled Enable pereiodic backups
+## @param backup.enabled Enable periodic backups
 ## @param backup.s3Region The AWS S3 region where backups are stored
 ## @param backup.s3Bucket The S3 bucket used for storing backups
 ## @param backup.schedule Cron schedule for automated backups
@@ -55,15 +55,11 @@ backup:
   s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
   resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
 
-## @param resources Resources
+## @param resources Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}
  # resources:
- #   limits:
- #     cpu: 4000m
- #     memory: 4Gi
- #   requests:
- #     cpu: 100m
- #     memory: 512Mi
+ #   cpu: 4000m
+ #   memory: 4Gi
  
-## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
 resourcesPreset: "nano"

packages/apps/nats/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.7.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/nats/Makefile

@@ -2,3 +2,4 @@ include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json

packages/apps/nats/README.md

@@ -1,18 +1,48 @@
 # Managed NATS Service
 
+NATS is an open-source, simple, secure, and high performance messaging system.
+It provides a data layer for cloud native applications, IoT messaging, and microservices architectures.
+
 ## Parameters
 
 ### Common parameters
 
-| Name                | Description                                                                                                                                                                                                       | Value   |
-| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`          | Enable external access from outside the cluster                                                                                                                                                                   | `false` |
-| `replicas`          | Persistent Volume size for NATS                                                                                                                                                                                   | `2`     |
-| `storageClass`      | StorageClass used to store the data                                                                                                                                                                               | `""`    |
-| `users`             | Users configuration                                                                                                                                                                                               | `{}`    |
-| `jetstream.size`    | Jetstream persistent storage size                                                                                                                                                                                 | `10Gi`  |
-| `jetstream.enabled` | Enable or disable Jetstream                                                                                                                                                                                       | `true`  |
-| `config.merge`      | Additional configuration to merge into NATS config                                                                                                                                                                | `{}`    |
-| `config.resolver`   | Additional configuration to merge into NATS config                                                                                                                                                                | `{}`    |
-| `resources`         | Resources                                                                                                                                                                                                         | `{}`    |
-| `resourcesPreset`   | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
+| Name                | Description                                                                                                                       | Value   |
+| ------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `external`          | Enable external access from outside the cluster                                                                                   | `false` |
+| `replicas`          | Persistent Volume size for NATS                                                                                                   | `2`     |
+| `storageClass`      | StorageClass used to store the data                                                                                               | `""`    |
+| `users`             | Users configuration                                                                                                               | `{}`    |
+| `jetstream.size`    | Jetstream persistent storage size                                                                                                 | `10Gi`  |
+| `jetstream.enabled` | Enable or disable Jetstream                                                                                                       | `true`  |
+| `config.merge`      | Additional configuration to merge into NATS config                                                                                | `{}`    |
+| `config.resolver`   | Additional configuration to merge into NATS config                                                                                | `{}`    |
+| `resources`         | Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset`   | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge. | `nano`  |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |
+

packages/apps/nats/values.schema.json

@@ -49,13 +49,23 @@
         },
         "resources": {
             "type": "object",
-            "description": "Resources",
+            "description": "Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.",
             "default": {}
         },
         "resourcesPreset": {
             "type": "string",
-            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-            "default": "nano"
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "default": "nano",
+            "enum": [
+                "none",
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+            ]
         }
     }
-}
+}

packages/apps/nats/values.yaml

@@ -62,15 +62,11 @@ config:
   ## Example see: https://github.com/nats-io/k8s/blob/main/helm/charts/nats/values.yaml#L247
   resolver: {}
 
-## @param resources Resources
+## @param resources Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}
  # resources:
- #   limits:
- #     cpu: 4000m
- #     memory: 4Gi
- #   requests:
- #     cpu: 100m
- #     memory: 512Mi
+ #   cpu: 4000m
+ #   memory: 4Gi
  
-## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
 resourcesPreset: "nano"

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.14.0
+version: 0.15.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/Makefile

@@ -1,24 +1,5 @@
-POSTGRES_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
-
-include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
-
-image:
-	docker buildx build images/postgres-backup \
-		--provenance false \
-		--builder=$(BUILDER) \
-		--platform=$(PLATFORM) \
-		--tag $(REGISTRY)/postgres-backup:$(call settag,$(POSTGRES_BACKUP_TAG)) \
-		--cache-from type=registry,ref=$(REGISTRY)/postgres-backup:latest \
-		--cache-to type=inline \
-		--metadata-file images/postgres-backup.json \
-		--push=$(PUSH) \
-		--label "org.opencontainers.image.source=https://github.com/cozystack/cozystack" \
-		--load=$(LOAD)
-	echo "$(REGISTRY)/postgres-backup:$(call settag,$(POSTGRES_BACKUP_TAG))@$$(yq e '."containerimage.digest"' images/postgres-backup.json -o json -r)" \
-		> images/postgres-backup.tag
-	cp images/postgres-backup.tag ../ferretdb/images/
-	rm -f images/postgres-backup.json
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json

packages/apps/postgres/README.md

@@ -1,6 +1,8 @@
 # Managed PostgreSQL Service
 
-PostgreSQL is currently the leading choice among relational databases, known for its robust features and performance. Our Managed PostgreSQL Service takes advantage of platform-side implementation to provide a self-healing replicated cluster. This cluster is efficiently managed using the highly acclaimed CloudNativePG operator, which has gained popularity within the community.
+PostgreSQL is currently the leading choice among relational databases, known for its robust features and performance.
+The Managed PostgreSQL Service takes advantage of platform-side implementation to provide a self-healing replicated cluster.
+This cluster is efficiently managed using the highly acclaimed CloudNativePG operator, which has gained popularity within the community.
 
 ## Deployment Details
 
@@ -11,29 +13,10 @@ This managed service is controlled by the CloudNativePG operator, ensuring effic
 
 ## HowTos
 
-### How to switch master/slave replica
+### How to switch primary/secondary replica
 
-See:
+See the CloudNativePG docs, [Rolling Updates, section Manual Updates](https://cloudnative-pg.io/documentation/1.15/rolling_update/#manual-updates-supervised).
 
-- <https://cloudnative-pg.io/documentation/1.15/rolling_update/#manual-updates-supervised>
-
-### How to restore backup
-
-find snapshot:
-
-```bash
-restic -r s3:s3.example.org/postgres-backups/database_name snapshots
-```
-
-restore:
-
-```bash
-restic -r s3:s3.example.org/postgres-backups/database_name restore latest --target /tmp/
-```
-
-more details:
-
-- <https://itnext.io/restic-effective-backup-from-stdin-4bc1e8f083c1>
 
 ## Parameters
 
@@ -58,15 +41,84 @@ more details:
 
 ### Backup parameters
 
-| Name                     | Description                                                                                                                                                                                                       | Value                                                  |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable pereiodic backups                                                                                                                                                                                          | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                                                                                        | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                                                                                            | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                                                                                               | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                                                                                    | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                                                                                    | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                                                                                         | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Resources                                                                                                                                                                                                         | `{}`                                                   |
-| `resourcesPreset`        | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`                                                 |
+| Name                     | Description                                                          | Value                               |
+| ------------------------ | -------------------------------------------------------------------- | ----------------------------------- |
+| `backup.enabled`         | Enable pereiodic backups                                             | `false`                             |
+| `backup.schedule`        | Cron schedule for automated backups                                  | `0 2 * * * *`                       |
+| `backup.retentionPolicy` | The retention policy                                                 | `30d`                               |
+| `backup.destinationPath` | The path where to store the backup (i.e. s3://bucket/path/to/folder) | `s3://BUCKET_NAME/`                 |
+| `backup.endpointURL`     | Endpoint to be used to upload data to the cloud                      | `http://minio-gateway-service:9000` |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication                       | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication                       | `ju3eum4dekeich9ahM1te8waeGai0oog`  |
+
+### Bootstrap parameters
+
+| Name                     | Description                                                                                                                             | Value   |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `bootstrap.enabled`      | Restore cluster from backup                                                                                                             | `false` |
+| `bootstrap.recoveryTime` | Time stamp up to which recovery will proceed, expressed in RFC 3339 format, if empty, will restore latest                               | `""`    |
+| `bootstrap.oldName`      | Name of cluster before deleting                                                                                                         | `""`    |
+| `resources`              | Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.       | `micro` |
+
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |
+
+
+
+### users
+
+```yaml
+users:
+  user1:
+    password: strongpassword
+  user2:
+    password: hackme
+  airflow:
+    password: qwerty123
+  debezium:
+    replication: true
+```
+
+### databases
+
+```yaml
+databases:          
+  myapp:            
+    roles:          
+      admin:        
+      - user1       
+      - debezium    
+      readonly:     
+      - user2       
+  airflow:          
+    roles:          
+      admin:        
+      - airflow     
+    extensions:     
+    - hstore        
+```

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +0,0 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f

packages/apps/postgres/images/postgres-backup/Dockerfile

@@ -1,2 +0,0 @@
-FROM alpine:3.20
-RUN apk add --no-cache postgresql16-client uuidgen restic

packages/apps/postgres/templates/backup-cronjob.yaml

@@ -1,99 +0,0 @@
-{{- if .Values.backup.enabled }}
-{{ $image := .Files.Get "images/backup.json" | fromJson }}
-
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: {{ .Release.Name }}-backup
-spec:
-  schedule: "{{ .Values.backup.schedule }}"
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      backoffLimit: 2
-      template:
-        metadata:
-          annotations:
-            checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }}
-            checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }}
-        spec:
-          imagePullSecrets:
-          - name: {{ .Release.Name }}-regsecret
-          restartPolicy: OnFailure
-          containers:
-          - name: pgdump
-            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
-            command:
-            - /bin/sh
-            - /scripts/backup.sh
-            env:
-            - name: REPO_PREFIX
-              value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }}
-            - name: CLEANUP_STRATEGY
-              value: {{ required "cleanupStrategy is not specified!" .Values.backup.cleanupStrategy | quote }}
-            - name: PGUSER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-superuser
-                  key: username
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-superuser
-                  key: password
-            - name: PGHOST
-              value: {{ .Release.Name }}-rw
-            - name: PGPORT
-              value: "5432"
-            - name: PGDATABASE
-              value: postgres
-            - name: AWS_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: s3AccessKey
-            - name: AWS_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: s3SecretKey
-            - name: AWS_DEFAULT_REGION
-              value: {{ .Values.backup.s3Region }}
-            - name: RESTIC_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: resticPassword
-            volumeMounts:
-            - mountPath: /scripts
-              name: scripts
-            - mountPath: /tmp
-              name: tmp
-            - mountPath: /.cache
-              name: cache
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                drop:
-                - ALL
-              privileged: false
-              readOnlyRootFilesystem: true
-              runAsNonRoot: true
-            {{- include "postgresjobs.resources" . | nindent 12 }}
-          volumes:
-          - name: scripts
-            secret:
-              secretName: {{ .Release.Name }}-backup-script
-          - name: tmp
-            emptyDir: {}
-          - name: cache
-            emptyDir: {}
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 9000
-            runAsGroup: 9000
-            seccompProfile:
-              type: RuntimeDefault
-{{- end }}

packages/apps/postgres/templates/backup-script.yaml

@@ -1,50 +0,0 @@
-{{- if .Values.backup.enabled }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-backup-script
-stringData:
-  backup.sh: |
-    #!/bin/sh
-    set -e
-    set -o pipefail
-
-    JOB_ID="job-$(uuidgen|cut -f1 -d-)"
-    DB_LIST=$(psql -Atq -c 'SELECT datname FROM pg_catalog.pg_database;' | grep -v '^\(postgres\|app\|template.*\)$')
-    echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list
-    echo "Job ID: $JOB_ID"
-    echo "Target repo: $REPO_PREFIX"
-    echo "Cleanup strategy: $CLEANUP_STRATEGY"
-    echo "Start backup for:"
-    echo "$DB_LIST"
-    echo
-    echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`"
-    for db in $DB_LIST; do
-      (
-        set -x
-        restic -r "s3:${REPO_PREFIX}/$db" cat config >/dev/null 2>&1 || \
-          restic -r "s3:${REPO_PREFIX}/$db" init --repository-version 2
-        restic -r "s3:${REPO_PREFIX}/$db" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it
-        pg_dump -Z0 -Ft -d "$db" | \
-          restic -r "s3:${REPO_PREFIX}/$db" backup --tag "$JOB_ID" --stdin --stdin-filename dump.tar
-        restic -r "s3:${REPO_PREFIX}/$db" tag --tag "$JOB_ID" --set "completed"
-      )
-    done
-    echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`"
-
-    echo
-    echo "Run cleanup:"
-    echo
-
-    echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`"
-    for db in $DB_LIST; do
-      (
-        set -x
-        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" # keep completed snapshots only
-        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY
-        restic prune -r "s3:${REPO_PREFIX}/$db"
-      )
-    done
-    echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`"
-{{- end }}

packages/apps/postgres/templates/backup-secret.yaml

@@ -1,11 +1,10 @@
-{{- if .Values.backup.enabled }}
+{{- if or .Values.backup.enabled .Values.bootstrap.enabled }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-backup
+  name: {{ .Release.Name }}-s3-creds
 stringData:
-  s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
-  s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
-  resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
+  AWS_ACCESS_KEY_ID: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey | quote }}
+  AWS_SECRET_ACCESS_KEY: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey | quote }}
 {{- end }}

packages/apps/postgres/templates/backup.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  schedule: {{ .Values.backup.schedule | quote }}
+  backupOwnerReference: self
+  cluster:
+    name: {{ .Release.Name }}
+{{- end }}

packages/apps/postgres/templates/db.yaml

@@ -5,6 +5,43 @@ metadata:
   name: {{ .Release.Name }}
 spec:
   instances: {{ .Values.replicas }}
+  {{- if .Values.backup.enabled }}
+  backup:
+    barmanObjectStore:
+      destinationPath: {{ .Values.backup.destinationPath }}
+      endpointURL: {{ .Values.backup.endpointURL }}
+      s3Credentials:
+        accessKeyId:
+          name: {{ .Release.Name }}-s3-creds
+          key: AWS_ACCESS_KEY_ID
+        secretAccessKey:
+          name: {{ .Release.Name }}-s3-creds
+          key: AWS_SECRET_ACCESS_KEY
+    retentionPolicy: {{ .Values.backup.retentionPolicy }}
+  {{- end }}
+  
+  {{- if .Values.bootstrap.enabled }}
+  bootstrap:
+    recovery:
+      source: {{ .Values.bootstrap.oldName }}
+      {{- if .Values.bootstrap.recoveryTime }}
+      recoveryTarget:
+        targetTime: {{ .Values.bootstrap.recoveryTime }}
+      {{- end }}
+  externalClusters:
+    - name: {{ .Values.bootstrap.oldName }}
+      barmanObjectStore:
+        destinationPath: {{ .Values.backup.destinationPath }}
+        endpointURL: {{ .Values.backup.endpointURL }}
+        s3Credentials:
+          accessKeyId:
+            name: {{ .Release.Name }}-s3-creds
+            key: AWS_ACCESS_KEY_ID
+          secretAccessKey:
+            name: {{ .Release.Name }}-s3-creds
+            key: AWS_SECRET_ACCESS_KEY
+  {{- end }}
+
   {{- if .Values.resources }}
   resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
   {{- else if ne .Values.resourcesPreset "none" }}

packages/apps/postgres/templates/init-script.yaml

@@ -41,10 +41,10 @@ stringData:
     {{- if .Values.users }}
     psql -v ON_ERROR_STOP=1 <<\EOT
     {{- range $user, $u := .Values.users }}
-    SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
+    SELECT 'CREATE ROLE "{{ $user }}" LOGIN INHERIT;'
     WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
-    COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
+    ALTER ROLE "{{ $user }}" WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
+    COMMENT ON ROLE "{{ $user }}" IS 'user managed by helm';
     {{- end }}
     EOT
     {{- end }}
@@ -68,15 +68,15 @@ stringData:
     {{- if .Values.databases }}
     psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
     {{- range $database, $d := .Values.databases }}
-    SELECT 'CREATE DATABASE {{ $database }}'
+    SELECT 'CREATE DATABASE "{{ $database }}"'
     WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '{{ $database }}')\gexec
-    COMMENT ON DATABASE {{ $database }} IS 'database managed by helm';
-    SELECT 'CREATE ROLE {{ $database }}_admin NOINHERIT;'
+    COMMENT ON DATABASE "{{ $database }}" IS 'database managed by helm';
+    SELECT 'CREATE ROLE "{{ $database }}_admin" NOINHERIT;'
     WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $database }}_admin')\gexec
-    COMMENT ON ROLE {{ $database }}_admin IS 'role managed by helm';
-    SELECT 'CREATE ROLE {{ $database }}_readonly NOINHERIT;'
+    COMMENT ON ROLE "{{ $database }}_admin" IS 'role managed by helm';
+    SELECT 'CREATE ROLE "{{ $database }}_readonly" NOINHERIT;'
     WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $database }}_readonly')\gexec
-    COMMENT ON ROLE {{ $database }}_readonly IS 'role managed by helm';
+    COMMENT ON ROLE "{{ $database }}_readonly" IS 'role managed by helm';
     {{- end }}
     EOT
     {{- end }}
@@ -84,8 +84,8 @@ stringData:
     echo "== grant privileges on databases to roles"
     {{- range $database, $d := .Values.databases }}
     psql -v ON_ERROR_STOP=1 --echo-all -d "{{ $database }}" <<\EOT
-    ALTER DATABASE {{ $database }} OWNER TO {{ $database }}_admin;
-    GRANT CONNECT ON DATABASE {{ $database }} TO {{ $database }}_readonly;
+    ALTER DATABASE "{{ $database }}" OWNER TO "{{ $database }}_admin";
+    GRANT CONNECT ON DATABASE "{{ $database }}" TO "{{ $database }}_readonly";
 
     DO $$
     DECLARE
@@ -165,14 +165,14 @@ stringData:
     {{- range $database, $d := .Values.databases }}
     {{- range $user, $u := $.Values.users }}
     {{- if has $user $d.roles.admin }}
-    GRANT {{ $database }}_admin TO {{ $user }};
+    GRANT "{{ $database }}_admin" TO "{{ $user }}";
     {{- else }}
-    REVOKE {{ $database }}_admin FROM {{ $user }};
+    REVOKE "{{ $database }}_admin" FROM "{{ $user }}";
     {{- end }}
     {{- if has $user $d.roles.readonly }}
-    GRANT {{ $database }}_readonly TO {{ $user }};
+    GRANT "{{ $database }}_readonly" TO "{{ $user }}";
     {{- else }}
-    REVOKE {{ $database }}_readonly FROM {{ $user }};
+    REVOKE "{{ $database }}_readonly" FROM "{{ $user }}";
     {{- end }}
     {{- end }}
     {{- end }}

packages/apps/postgres/values.schema.json

@@ -65,25 +65,25 @@
                     "description": "Enable pereiodic backups",
                     "default": false
                 },
-                "s3Region": {
-                    "type": "string",
-                    "description": "The AWS S3 region where backups are stored",
-                    "default": "us-east-1"
-                },
-                "s3Bucket": {
-                    "type": "string",
-                    "description": "The S3 bucket used for storing backups",
-                    "default": "s3.example.org/postgres-backups"
-                },
                 "schedule": {
                     "type": "string",
                     "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
+                    "default": "0 2 * * * *"
                 },
-                "cleanupStrategy": {
+                "retentionPolicy": {
                     "type": "string",
-                    "description": "The strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                    "description": "The retention policy",
+                    "default": "30d"
+                },
+                "destinationPath": {
+                    "type": "string",
+                    "description": "The path where to store the backup (i.e. s3://bucket/path/to/folder)",
+                    "default": "s3://BUCKET_NAME/"
+                },
+                "endpointURL": {
+                    "type": "string",
+                    "description": "Endpoint to be used to upload data to the cloud",
+                    "default": "http://minio-gateway-service:9000"
                 },
                 "s3AccessKey": {
                     "type": "string",
@@ -94,23 +94,48 @@
                     "type": "string",
                     "description": "The secret key for S3, used for authentication",
                     "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                }
+            }
+        },
+        "bootstrap": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Restore cluster from backup",
+                    "default": false
                 },
-                "resticPassword": {
+                "recoveryTime": {
                     "type": "string",
-                    "description": "The password for Restic backup encryption",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                    "description": "Time stamp up to which recovery will proceed, expressed in RFC 3339 format, if empty, will restore latest",
+                    "default": ""
+                },
+                "oldName": {
+                    "type": "string",
+                    "description": "Name of cluster before deleting",
+                    "default": ""
                 }
             }
         },
         "resources": {
             "type": "object",
-            "description": "Resources",
+            "description": "Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.",
             "default": {}
         },
         "resourcesPreset": {
             "type": "string",
-            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-            "default": "nano"
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "default": "micro",
+            "enum": [
+                "none",
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+            ]
         }
     }
-}
+}

packages/apps/postgres/values.yaml

@@ -60,32 +60,38 @@ databases: {}
 ## @section Backup parameters
 
 ## @param backup.enabled Enable pereiodic backups
-## @param backup.s3Region The AWS S3 region where backups are stored
-## @param backup.s3Bucket The S3 bucket used for storing backups
 ## @param backup.schedule Cron schedule for automated backups
-## @param backup.cleanupStrategy The strategy for cleaning up old backups
+## @param backup.retentionPolicy The retention policy
+## @param backup.destinationPath The path where to store the backup (i.e. s3://bucket/path/to/folder)
+## @param backup.endpointURL Endpoint to be used to upload data to the cloud
 ## @param backup.s3AccessKey The access key for S3, used for authentication
 ## @param backup.s3SecretKey The secret key for S3, used for authentication
-## @param backup.resticPassword The password for Restic backup encryption
 backup:
   enabled: false
-  s3Region: us-east-1
-  s3Bucket: s3.example.org/postgres-backups
-  schedule: "0 2 * * *"
-  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  retentionPolicy: 30d
+  destinationPath: s3://BUCKET_NAME/
+  endpointURL: http://minio-gateway-service:9000
+  schedule: "0 2 * * * *"
   s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
   s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
 
-## @param resources Resources
+## @section Bootstrap parameters
+
+## @param bootstrap.enabled Restore cluster from backup
+## @param bootstrap.recoveryTime Time stamp up to which recovery will proceed, expressed in RFC 3339 format, if empty, will restore latest
+## @param bootstrap.oldName Name of cluster before deleting
+##
+bootstrap:
+  enabled: false
+  # example: 2020-11-26 15:22:00.00000+00
+  recoveryTime: ""
+  oldName: ""
+
+## @param resources Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}
  # resources:
- #   limits:
- #     cpu: 4000m
- #     memory: 4Gi
- #   requests:
- #     cpu: 100m
- #     memory: 512Mi
+ #   cpu: 4000m
+ #   memory: 4Gi
  
-## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
-resourcesPreset: "nano"
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "micro"

packages/apps/rabbitmq/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.7.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/rabbitmq/Makefile

@@ -2,3 +2,4 @@ include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json

packages/apps/rabbitmq/README.md

@@ -22,9 +22,36 @@ The service utilizes official RabbitMQ operator. This ensures the reliability an
 
 ### Configuration parameters
 
-| Name              | Description                                                                                                                                                                                                       | Value  |
-| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| `users`           | Users configuration                                                                                                                                                                                               | `{}`   |
-| `vhosts`          | Virtual Hosts configuration                                                                                                                                                                                       | `{}`   |
-| `resources`       | Resources                                                                                                                                                                                                         | `{}`   |
-| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` |
+| Name              | Description                                                                                                                           | Value  |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `users`           | Users configuration                                                                                                                   | `{}`   |
+| `vhosts`          | Virtual Hosts configuration                                                                                                           | `{}`   |
+| `resources`       | Explicit CPU and memory configuration for each RabbitMQ replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`   |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.     | `nano` |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |
+

packages/apps/rabbitmq/values.schema.json

@@ -29,13 +29,23 @@
         },
         "resources": {
             "type": "object",
-            "description": "Resources",
+            "description": "Explicit CPU and memory configuration for each RabbitMQ replica. When left empty, the preset defined in `resourcesPreset` is applied.",
             "default": {}
         },
         "resourcesPreset": {
             "type": "string",
-            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-            "default": "nano"
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "default": "nano",
+            "enum": [
+                "none",
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+            ]
         }
     }
-}
+}

packages/apps/rabbitmq/values.yaml

@@ -40,15 +40,11 @@ users: {}
 ##       - user3
 vhosts: {}
 
-## @param resources Resources
+## @param resources Explicit CPU and memory configuration for each RabbitMQ replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}
  # resources:
- #   limits:
- #     cpu: 4000m
- #     memory: 4Gi
- #   requests:
- #     cpu: 100m
- #     memory: 512Mi
+ #   cpu: 4000m
+ #   memory: 4Gi
  
-## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
 resourcesPreset: "nano"

packages/apps/redis/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.0
+version: 0.8.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/redis/Makefile

@@ -2,3 +2,4 @@ include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json

packages/apps/redis/README.md

@@ -13,14 +13,39 @@ Service utilizes the Spotahome Redis Operator for efficient management and orche
 
 ### Common parameters
 
-| Name              | Description                                                                                                                                                                                                       | Value   |
-| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`        | Enable external access from outside the cluster                                                                                                                                                                   | `false` |
-| `size`            | Persistent Volume size                                                                                                                                                                                            | `1Gi`   |
-| `replicas`        | Number of Redis replicas                                                                                                                                                                                          | `2`     |
-| `storageClass`    | StorageClass used to store the data                                                                                                                                                                               | `""`    |
-| `authEnabled`     | Enable password generation                                                                                                                                                                                        | `true`  |
-| `resources`       | Resources                                                                                                                                                                                                         | `{}`    |
-| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
+| Name              | Description                                                                                                                        | Value   |
+| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `external`        | Enable external access from outside the cluster                                                                                    | `false` |
+| `size`            | Persistent Volume size                                                                                                             | `1Gi`   |
+| `replicas`        | Number of Redis replicas                                                                                                           | `2`     |
+| `storageClass`    | StorageClass used to store the data                                                                                                | `""`    |
+| `authEnabled`     | Enable password generation                                                                                                         | `true`  |
+| `resources`       | Explicit CPU and memory configuration for each Redis replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.  | `nano`  |
 
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |
 

packages/apps/redis/values.schema.json

@@ -29,13 +29,23 @@
         },
         "resources": {
             "type": "object",
-            "description": "Resources",
+            "description": "Explicit CPU and memory configuration for each Redis replica. When left empty, the preset defined in `resourcesPreset` is applied.",
             "default": {}
         },
         "resourcesPreset": {
             "type": "string",
-            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-            "default": "nano"
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "default": "nano",
+            "enum": [
+                "none",
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+            ]
         }
     }
-}
+}

packages/apps/redis/values.yaml

@@ -12,15 +12,11 @@ replicas: 2
 storageClass: ""
 authEnabled: true
 
-## @param resources Resources
+## @param resources Explicit CPU and memory configuration for each Redis replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}
  # resources:
- #   limits:
- #     cpu: 4000m
- #     memory: 4Gi
- #   requests:
- #     cpu: 100m
- #     memory: 512Mi
+ #   cpu: 4000m
+ #   memory: 4Gi
  
-## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
 resourcesPreset: "nano"

packages/apps/tcp-balancer/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.1
+version: 0.4.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/tcp-balancer/Makefile

@@ -1,6 +1,7 @@
 include ../../../scripts/package.mk
 
 generate:
-	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
-	cat values.schema.json.tmp | jq '.properties.httpAndHttps.properties.mode.enum = ["tcp","tcp-with-proxy"]' > values.schema.json
+	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 2 '.properties.httpAndHttps.properties.mode.enum = ["tcp","tcp-with-proxy"]' values.schema.json
+	yq -i -o json --indent 2 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json
 	rm -f values.schema.json.tmp

packages/apps/tcp-balancer/README.md

@@ -19,13 +19,40 @@ Managed TCP Load Balancer Service efficiently utilizes HAProxy for load balancin
 
 ### Configuration parameters
 
-| Name                             | Description                                                                                                                                                                                                       | Value   |
-| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `httpAndHttps.mode`              | Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`                                                                                                                                                     | `tcp`   |
-| `httpAndHttps.targetPorts.http`  | HTTP port number.                                                                                                                                                                                                 | `80`    |
-| `httpAndHttps.targetPorts.https` | HTTPS port number.                                                                                                                                                                                                | `443`   |
-| `httpAndHttps.endpoints`         | Endpoint addresses list                                                                                                                                                                                           | `[]`    |
-| `whitelistHTTP`                  | Secure HTTP by enabling  client networks whitelisting                                                                                                                                                             | `false` |
-| `whitelist`                      | List of client networks                                                                                                                                                                                           | `[]`    |
-| `resources`                      | Resources                                                                                                                                                                                                         | `{}`    |
-| `resourcesPreset`                | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
+| Name                             | Description                                                                                                                               | Value   |
+| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `httpAndHttps.mode`              | Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`                                                                             | `tcp`   |
+| `httpAndHttps.targetPorts.http`  | HTTP port number.                                                                                                                         | `80`    |
+| `httpAndHttps.targetPorts.https` | HTTPS port number.                                                                                                                        | `443`   |
+| `httpAndHttps.endpoints`         | Endpoint addresses list                                                                                                                   | `[]`    |
+| `whitelistHTTP`                  | Secure HTTP by enabling  client networks whitelisting                                                                                     | `false` |
+| `whitelist`                      | List of client networks                                                                                                                   | `[]`    |
+| `resources`                      | Explicit CPU and memory configuration for each TCP Balancer replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset`                | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.         | `nano`  |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |
+

packages/apps/tcp-balancer/values.schema.json

@@ -60,13 +60,23 @@
     },
     "resources": {
       "type": "object",
-      "description": "Resources",
+      "description": "Explicit CPU and memory configuration for each TCP Balancer replica. When left empty, the preset defined in `resourcesPreset` is applied.",
       "default": {}
     },
     "resourcesPreset": {
       "type": "string",
-      "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-      "default": "nano"
+      "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+      "default": "nano",
+      "enum": [
+        "none",
+        "nano",
+        "micro",
+        "small",
+        "medium",
+        "large",
+        "xlarge",
+        "2xlarge"
+      ]
     }
   }
 }

packages/apps/tcp-balancer/values.yaml

@@ -44,15 +44,11 @@ httpAndHttps:
 whitelistHTTP: false
 whitelist: []
 
-## @param resources Resources
+## @param resources Explicit CPU and memory configuration for each TCP Balancer replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}
 # resources:
-#   limits:
-#     cpu: 4000m
-#     memory: 4Gi
-#   requests:
-#     cpu: 100m
-#     memory: 512Mi
+#   cpu: 4000m
+#   memory: 4Gi
 
-## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
 resourcesPreset: "nano"

packages/apps/versions_map

@@ -12,7 +12,8 @@ clickhouse 0.6.2 8267072d
 clickhouse 0.7.0 93bdf411
 clickhouse 0.9.0 6130f43d
 clickhouse 0.9.2 632224a3
-clickhouse 0.10.0 HEAD
+clickhouse 0.10.0 6358fd7a
+clickhouse 0.10.1 HEAD
 ferretdb 0.1.0 e9716091
 ferretdb 0.1.1 91b0499a
 ferretdb 0.2.0 6c5cf5bf
@@ -23,14 +24,16 @@ ferretdb 0.4.2 8267072d
 ferretdb 0.5.0 93bdf411
 ferretdb 0.6.0 6130f43d
 ferretdb 0.6.1 632224a3
-ferretdb 0.7.0 HEAD
+ferretdb 0.7.0 62cb694d
+ferretdb 0.7.1 HEAD
 http-cache 0.1.0 263e47be
 http-cache 0.2.0 53f2365e
 http-cache 0.3.0 6c5cf5bf
 http-cache 0.3.1 0f312d5c
 http-cache 0.4.0 93bdf411
 http-cache 0.5.0 6130f43d
-http-cache 0.5.1 HEAD
+http-cache 0.5.1 62cb694d
+http-cache 0.5.2 HEAD
 kafka 0.1.0 f7eaab0a
 kafka 0.2.0 c0685f43
 kafka 0.2.1 dfbc210b
@@ -44,9 +47,10 @@ kafka 0.4.0 85ec09b8
 kafka 0.5.0 93bdf411
 kafka 0.6.0 6130f43d
 kafka 0.6.1 632224a3
-kafka 0.7.0 HEAD
+kafka 0.7.0 6358fd7a
+kafka 0.7.1 HEAD
 kubernetes 0.24.0 62cb694d
-kubernetes 0.24.1 HEAD
+kubernetes 0.24.2 HEAD
 mysql 0.1.0 263e47be
 mysql 0.2.0 c24a103f
 mysql 0.3.0 53f2365e
@@ -58,7 +62,9 @@ mysql 0.5.3 8267072d
 mysql 0.6.0 93bdf411
 mysql 0.7.0 6130f43d
 mysql 0.7.1 632224a3
-mysql 0.8.0 HEAD
+mysql 0.8.0 62cb694d
+mysql 0.8.1 4369b031
+mysql 0.8.2 HEAD
 nats 0.1.0 e9716091
 nats 0.2.0 6c5cf5bf
 nats 0.3.0 78366f19
@@ -68,7 +74,8 @@ nats 0.4.1 8267072d
 nats 0.5.0 93bdf411
 nats 0.6.0 6130f43d
 nats 0.6.1 632224a3
-nats 0.7.0 HEAD
+nats 0.7.0 62cb694d
+nats 0.7.1 HEAD
 postgres 0.1.0 263e47be
 postgres 0.2.0 53f2365e
 postgres 0.2.1 d7cfa53c
@@ -87,7 +94,8 @@ postgres 0.10.1 93bdf411
 postgres 0.11.0 f9f8bb2f
 postgres 0.12.0 6130f43d
 postgres 0.12.1 632224a3
-postgres 0.14.0 HEAD
+postgres 0.14.0 62cb694d
+postgres 0.15.1 HEAD
 rabbitmq 0.1.0 263e47be
 rabbitmq 0.2.0 53f2365e
 rabbitmq 0.3.0 6c5cf5bf
@@ -98,7 +106,8 @@ rabbitmq 0.4.3 1ec10165
 rabbitmq 0.4.4 8267072d
 rabbitmq 0.5.0 93bdf411
 rabbitmq 0.6.0 632224a3
-rabbitmq 0.7.0 HEAD
+rabbitmq 0.7.0 62cb694d
+rabbitmq 0.7.1 HEAD
 redis 0.1.1 263e47be
 redis 0.2.0 53f2365e
 redis 0.3.0 6c5cf5bf
@@ -108,12 +117,14 @@ redis 0.5.0 4e68e65c
 redis 0.6.0 93bdf411
 redis 0.7.0 6130f43d
 redis 0.7.1 632224a3
-redis 0.8.0 HEAD
+redis 0.8.0 62cb694d
+redis 0.8.1 HEAD
 tcp-balancer 0.1.0 263e47be
 tcp-balancer 0.2.0 53f2365e
 tcp-balancer 0.3.0 93bdf411
 tcp-balancer 0.4.0 6130f43d
-tcp-balancer 0.4.1 HEAD
+tcp-balancer 0.4.1 62cb694d
+tcp-balancer 0.4.2 HEAD
 tenant 1.10.0 HEAD
 virtual-machine 0.1.4 f2015d65
 virtual-machine 0.1.5 263e47be
@@ -154,4 +165,5 @@ vpn 0.3.1 1ec10165
 vpn 0.4.0 93bdf411
 vpn 0.5.0 6130f43d
 vpn 0.5.1 632224a3
-vpn 0.6.1 HEAD
+vpn 0.6.1 62cb694d
+vpn 0.6.2 HEAD

packages/apps/vpn/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.1
+version: 0.6.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/vpn/Makefile

@@ -2,3 +2,4 @@ include ../../../scripts/package.mk
 
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
+	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = ["none", "nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]' values.schema.json

packages/apps/vpn/README.md

@@ -1,12 +1,16 @@
 # Managed VPN Service
 
-A Virtual Private Network (VPN) is a critical tool for ensuring secure and private communication over the internet. Managed VPN Service simplifies the deployment and management of VPN server, enabling you to establish secure connections with ease.
+A Virtual Private Network (VPN) is a critical tool for ensuring secure and private communication over the internet.
+Managed VPN Service simplifies the deployment and management of VPN server, enabling you to establish secure connections with ease.
 
-- Clients: https://shadowsocks5.github.io/en/download/clients.html
+- VPN client applications: https://shadowsocks5.github.io/en/download/clients.html
 
 ## Deployment Details
 
-The VPN Service is powered by the Outline Server, an advanced and user-friendly VPN solution. Internally known as "Shadowbox", which simplifies the process of setting up and sharing Shadowsocks servers. It operates by launching Shadowsocks instances on demand. Furthermore, Shadowbox is compatible with standard Shadowsocks clients, providing flexibility and ease of use for your VPN requirements.
+The VPN Service is powered by the Outline Server, an advanced and user-friendly VPN solution.
+Internally known as "Shadowbox", which simplifies the process of setting up and sharing Shadowsocks servers.
+It operates by launching Shadowsocks instances on demand.
+Furthermore, Shadowbox is compatible with standard Shadowsocks clients, providing flexibility and ease of use for your VPN requirements.
 
 - Docs: https://shadowsocks.org/
 - Docs: https://github.com/Jigsaw-Code/outline-server/tree/master/src/shadowbox
@@ -18,14 +22,60 @@ The VPN Service is powered by the Outline Server, an advanced and user-friendly
 | Name       | Description                                     | Value   |
 | ---------- | ----------------------------------------------- | ------- |
 | `external` | Enable external access from outside the cluster | `false` |
-| `replicas` | Number of VPN-server replicas                   | `2`     |
+| `replicas` | Number of VPN server replicas                   | `2`     |
 
 ### Configuration parameters
 
-| Name              | Description                                                                                                                                                                                                       | Value  |
-| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| `host`            | Host used to substitute into generated URLs                                                                                                                                                                       | `""`   |
-| `users`           | Users configuration                                                                                                                                                                                               | `{}`   |
-| `externalIPs`     | List of externalIPs for service.                                                                                                                                                                                  | `[]`   |
-| `resources`       | Resources                                                                                                                                                                                                         | `{}`   |
-| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` |
+| Name              | Description                                                                                                                             | Value  |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `host`            | Host used to substitute into generated URLs                                                                                             | `""`   |
+| `users`           | Users configuration                                                                                                                     | `{}`   |
+| `externalIPs`     | List of externalIPs for service. Optional. If not specified will use LoadBalancer service by default.                                   | `[]`   |
+| `resources`       | Explicit CPU and memory configuration for each VPN server replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`   |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.       | `nano` |
+
+## Parameter examples and reference
+
+### resources and resourcesPreset
+
+`resources` sets explicit CPU and memory configurations for each replica.
+When left empty, the preset defined in `resourcesPreset` is applied.
+
+```yaml
+resources:
+  cpu: 4000m
+  memory: 4Gi
+```
+
+`resourcePreset` sets named CPU and memory configurations for each replica.
+This setting is ignored if the corresponding `resources` value is set.
+
+| Preset name | CPU    | memory  |
+|-------------|--------|---------|
+| `nano`      | `100m` | `128Mi` |
+| `micro`     | `250m` | `256Mi` |
+| `small`     | `500m` | `512Mi` |
+| `medium`    | `500m` | `1Gi`   |
+| `large`     | `1`    | `2Gi`   |
+| `xlarge`    | `2`    | `4Gi`   |
+| `2xlarge`   | `4`    | `8Gi`   |
+
+
+### users
+
+```yaml
+users:                              
+  user1:                            
+    password: hackme                
+  user2: {} # autogenerated password
+```
+
+
+### externalIPs
+
+```yaml
+externalIPs:       
+  - "11.22.33.44"
+  - "11.22.33.45"
+  - "11.22.33.46"
+```

packages/apps/vpn/values.schema.json

@@ -9,7 +9,7 @@
         },
         "replicas": {
             "type": "number",
-            "description": "Number of VPN-server replicas",
+            "description": "Number of VPN server replicas",
             "default": 2
         },
         "host": {
@@ -19,7 +19,7 @@
         },
         "externalIPs": {
             "type": "array",
-            "description": "List of externalIPs for service.",
+            "description": "List of externalIPs for service. Optional. If not specified will use LoadBalancer service by default.",
             "default": "[]",
             "items": {
                 "type": "string"
@@ -27,13 +27,23 @@
         },
         "resources": {
             "type": "object",
-            "description": "Resources",
+            "description": "Explicit CPU and memory configuration for each VPN server replica. When left empty, the preset defined in `resourcesPreset` is applied.",
             "default": {}
         },
         "resourcesPreset": {
             "type": "string",
-            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-            "default": "nano"
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "default": "nano",
+            "enum": [
+                "none",
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+            ]
         }
     }
-}
+}

packages/apps/vpn/values.yaml

@@ -1,7 +1,7 @@
 ## @section Common parameters
 
 ## @param external Enable external access from outside the cluster
-## @param replicas Number of VPN-server replicas
+## @param replicas Number of VPN server replicas
 ##
 external: false
 replicas: 2
@@ -19,8 +19,7 @@ host: ""
 ##   user2: {} # autogenerated password
 users: {}
 
-## @param externalIPs [array] List of externalIPs for service.
-## Optional. If not specified will use LoadBalancer service by default.
+## @param externalIPs [array] List of externalIPs for service. Optional. If not specified will use LoadBalancer service by default.
 ## 
 ## e.g:
 ## externalIPs:
@@ -30,15 +29,11 @@ users: {}
 ##
 externalIPs: []
 
-## @param resources Resources
+## @param resources Explicit CPU and memory configuration for each VPN server replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}
 # resources:
-#   limits:
-#     cpu: 4000m
-#     memory: 4Gi
-#   requests:
-#     cpu: 100m
-#     memory: 512Mi
+#   cpu: 4000m
+#   memory: 4Gi
 
-## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
 resourcesPreset: "nano"

packages/core/installer/values.yaml

@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.32.0@sha256:981f1a073fa654f878e448ea89ef324f50d2479f27d3228449e8b66fda7c567f
+  image: ghcr.io/cozystack/cozystack/installer:v0.32.1@sha256:9eb11a1c396d63e4235f398f5f01ec6aedea2316d6a7a9294d88191d25af309c

packages/core/testing/Makefile

@@ -32,21 +32,23 @@ image-e2e-sandbox:
 
 test: test-cluster test-apps ## Run the end-to-end tests in existing sandbox
 
-prepare-cluster:
-	docker cp ../../../_out/assets/cozystack-installer.yaml "${SANDBOX_NAME}":/workspace/_out/assets/cozystack-installer.yaml
+copy-nocloud-image:
 	docker cp ../../../_out/assets/nocloud-amd64.raw.xz "${SANDBOX_NAME}":/workspace/_out/assets/nocloud-amd64.raw.xz
+
+copy-installer-manifest:
+	docker cp ../../../_out/assets/cozystack-installer.yaml "${SANDBOX_NAME}":/workspace/_out/assets/cozystack-installer.yaml
+
+prepare-cluster: copy-nocloud-image
 	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-prepare-cluster.bats'
 
-install-cozystack:
+install-cozystack: copy-installer-manifest
 	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-install-cozystack.bats'
 
-test-cluster: ## Run the end-to-end for creating a cluster
-	docker cp ../../../_out/assets/cozystack-installer.yaml "${SANDBOX_NAME}":/workspace/_out/assets/cozystack-installer.yaml
-	docker cp ../../../_out/assets/nocloud-amd64.raw.xz "${SANDBOX_NAME}":/workspace/_out/assets/nocloud-amd64.raw.xz
+test-cluster: copy-nocloud-image copy-installer-manifest ## Run the end-to-end for creating a cluster
 	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-cluster.bats'
 
-test-apps: ## Run the end-to-end tests for apps
-	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-apps.bats'
+test-apps-%:
+	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-apps/$*.bats'
 
 delete: ## Remove sandbox from existing Kubernetes cluster.
 	docker rm -f "${SANDBOX_NAME}" || true

packages/core/testing/images/e2e-sandbox/Dockerfile

@@ -1,8 +1,9 @@
 FROM ubuntu:22.04
 
-ARG KUBECTL_VERSION=1.32.0
-ARG TALOSCTL_VERSION=1.9.5
-ARG HELM_VERSION=3.16.4
+ARG KUBECTL_VERSION=1.33.2
+ARG TALOSCTL_VERSION=1.10.4
+ARG HELM_VERSION=3.18.3
+ARG COZYPKG_VERSION=1.1.0
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -17,5 +18,4 @@ RUN curl -sSL "https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm
 RUN curl -sSL "https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_${TARGETOS}_${TARGETARCH}" -o /usr/local/bin/yq \
  && chmod +x /usr/local/bin/yq
 RUN curl -sSL "https://fluxcd.io/install.sh" | bash
-RUN curl -sSL "https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh" | sh -s
-RUN curl -sSL "https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh" | sh -s -- -v 1.1.0
+RUN curl -sSL "https://github.com/cozystack/cozypkg/raw/refs/heads/main/hack/install.sh" | sh -s -- -v "${COZYPKG_VERSION}"

packages/core/testing/values.yaml

@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.32.0@sha256:454d5a01c30685ca451a6cd42bda5f4c1d80195642f9dd8ccf09369932ebb531
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.32.1@sha256:b15f85e58be54529d74ab7056d5d47960944abde28f14611e88156989a19c789

packages/extra/bootbox/images/matchbox.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.32.0@sha256:1c5173f0c368dd14e29dae95c3d576574af63c226b6f554c78d05c5f160084b5
+ghcr.io/cozystack/cozystack/matchbox:v0.32.1@sha256:a01a26c4fa437bb2082c9d242661cddb0a8ce98a2ee66858a971f141bbe0fd35

packages/extra/monitoring/Chart.yaml

@@ -3,4 +3,4 @@ name: monitoring
 description: Monitoring and observability stack
 icon: /logos/monitoring.svg
 type: application
-version: 1.11.0
+version: 1.12.0