Release v0.32.0 (#1074)

This PR prepares the release `v0.32.0`.

.github/workflows/pre-commit.yml

@@ -30,12 +30,13 @@ jobs:
         run: |
           sudo apt update
           sudo apt install curl -y
-          curl -fsSL https://deb.nodesource.com/setup_16.x | sudo -E bash -
           sudo apt install nodejs -y
-          git clone https://github.com/bitnami/readme-generator-for-helm
+          sudo apt install npm -y
+
+          git clone --branch 2.7.0 --depth 1 https://github.com/bitnami/readme-generator-for-helm.git
           cd ./readme-generator-for-helm
           npm install
-          npm install -g pkg
+          npm install -g @yao-pkg/pkg
           pkg . -o /usr/local/bin/readme-generator
 
       - name: Run pre-commit hooks

README.md

@@ -12,11 +12,15 @@
 
 **Cozystack** is a free PaaS platform and framework for building clouds.
 
+Cozystack is a [CNCF Sandbox Level Project](https://www.cncf.io/sandbox-projects/) that was originally built and sponsored by [Ænix](https://aenix.io/).
+
 With Cozystack, you can transform a bunch of servers into an intelligent system with a simple REST API for spawning Kubernetes clusters,
 Database-as-a-Service, virtual machines, load balancers, HTTP caching services, and other services with ease.
 
 Use Cozystack to build your own cloud or provide a cost-effective development environment.  
 
+![Cozystack user interface](https://cozystack.io/img/screenshot.png)
+
 ## Use-Cases
 
 * [**Using Cozystack to build a public cloud**](https://cozystack.io/docs/guides/use-cases/public-cloud/)  
@@ -28,9 +32,6 @@ You can use Cozystack as a platform to build a private cloud powered by Infrastr
 * [**Using Cozystack as a Kubernetes distribution**](https://cozystack.io/docs/guides/use-cases/kubernetes-distribution/)  
 You can use Cozystack as a Kubernetes distribution for Bare Metal
 
-## Screenshot
-
-![Cozystack screenshot](https://cozystack.io/img/screenshot.png)
 
 ## Documentation
 
@@ -59,7 +60,10 @@ Commits are used to generate the changelog, and their author will be referenced
 
 If you have **Feature Requests** please use the [Discussion's Feature Request section](https://github.com/cozystack/cozystack/discussions/categories/feature-requests).
 
-You are welcome to join our weekly community meetings (just add this events to your [Google Calendar](https://calendar.google.com/calendar?cid=ZTQzZDIxZTVjOWI0NWE5NWYyOGM1ZDY0OWMyY2IxZTFmNDMzZTJlNjUzYjU2ZGJiZGE3NGNhMzA2ZjBkMGY2OEBncm91cC5jYWxlbmRhci5nb29nbGUuY29t) or [iCal](https://calendar.google.com/calendar/ical/e43d21e5c9b45a95f28c5d649c2cb1e1f433e2e653b56dbbda74ca306f0d0f68%40group.calendar.google.com/public/basic.ics)) or [Telegram group](https://t.me/cozystack).
+## Community
+
+You are welcome to join our [Telegram group](https://t.me/cozystack) and come to our weekly community meetings.
+Add them to your [Google Calendar](https://calendar.google.com/calendar?cid=ZTQzZDIxZTVjOWI0NWE5NWYyOGM1ZDY0OWMyY2IxZTFmNDMzZTJlNjUzYjU2ZGJiZGE3NGNhMzA2ZjBkMGY2OEBncm91cC5jYWxlbmRhci5nb29nbGUuY29t) or [iCal](https://calendar.google.com/calendar/ical/e43d21e5c9b45a95f28c5d649c2cb1e1f433e2e653b56dbbda74ca306f0d0f68%40group.calendar.google.com/public/basic.ics) for convenience.
 
 ## License
 

cmd/cozystack-controller/main.go

@@ -194,7 +194,15 @@ func main() {
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "Workload")
+		setupLog.Error(err, "unable to create controller", "controller", "TenantHelmReconciler")
+		os.Exit(1)
+	}
+
+	if err = (&controller.CozystackConfigReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "CozystackConfigReconciler")
 		os.Exit(1)
 	}
 

go.mod

@@ -37,6 +37,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fluxcd/pkg/apis/kustomize v1.6.1 // indirect
@@ -91,14 +92,14 @@ require (
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
-	golang.org/x/term v0.25.0 // indirect
-	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect

go.sum

@@ -26,8 +26,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
-github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
+github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -212,8 +212,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -222,26 +222,26 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
 golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

hack/e2e-apps.bats

@@ -1,4 +1,5 @@
 #!/usr/bin/env bats
+
 # -----------------------------------------------------------------------------
 # Cozystack end‑to‑end provisioning test (Bats)
 # -----------------------------------------------------------------------------
@@ -90,5 +91,249 @@ EOF
   kubectl wait tcp -n tenant-test kubernetes-test --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
   kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-test kubernetes-test-cluster-autoscaler kubernetes-test-kccm kubernetes-test-kcsi-controller
   kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
-  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=5m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
+  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=10m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
+}
+
+@test "Create a VM Disk" {
+  name='test'
+  kubectl create -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: VMDisk
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  source:
+    http:
+      url: https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img
+  optical: false
+  storage: 5Gi
+  storageClass: replicated
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr vm-disk-$name --timeout=5s --for=condition=ready
+  kubectl -n tenant-test annotate pvc vm-disk-test cdi.kubevirt.io/storage.bind.immediate.requested=true
+  kubectl -n tenant-test wait dv vm-disk-$name --timeout=100s --for=condition=ready
+  kubectl -n tenant-test wait pvc vm-disk-$name --timeout=100s --for=jsonpath='{.status.phase}'=Bound
+}
+
+@test "Create a VM Instance" {
+  diskName='test'
+  name='test'
+  kubectl create -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: VMInstance
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  external: false
+  externalMethod: PortList
+  externalPorts:
+  - 22
+  running: true
+  instanceType: "u1.medium"
+  instanceProfile: ubuntu
+  disks:
+    - name: $diskName
+  gpus: []
+  resources:
+    cpu: ""
+    memory: ""
+  sshKeys:
+  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
+    test@test
+  cloudInit: |
+    #cloud-config
+    users:
+      - name: test
+        shell: /bin/bash
+        sudo: ['ALL=(ALL) NOPASSWD: ALL']
+        groups: sudo
+        ssh_authorized_keys:
+          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
+  cloudInitSeed: ""
+EOF
+  sleep 5
+  timeout 20 sh -ec "until kubectl -n tenant-test get vmi vm-instance-$name -o jsonpath='{.status.interfaces[0].ipAddress}' | grep -q '[0-9]'; do sleep 5; done"
+  kubectl -n tenant-test wait hr vm-instance-$name --timeout=5s --for=condition=ready
+  kubectl -n tenant-test wait vm vm-instance-$name --timeout=20s --for=condition=ready
+}
+
+@test "Create a Virtual Machine" {
+  name='test'
+  kubectl create -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: VirtualMachine
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  external: false
+  externalMethod: PortList
+  externalPorts:
+  - 22
+  instanceType: "u1.medium"
+  instanceProfile: ubuntu
+  systemDisk:
+    image: ubuntu
+    storage: 5Gi
+    storageClass: replicated
+  gpus: []
+  resources:
+    cpu: ""
+    memory: ""
+  sshKeys:
+  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF
+    test@test
+  cloudInit: |
+    #cloud-config
+    users:
+      - name: test
+        shell: /bin/bash
+        sudo: ['ALL=(ALL) NOPASSWD: ALL']
+        groups: sudo
+        ssh_authorized_keys:
+          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPht0dPk5qQ+54g1hSX7A6AUxXJW5T6n/3d7Ga2F8gTF test@test
+  cloudInitSeed: ""
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr virtual-machine-$name --timeout=10s --for=condition=ready
+  kubectl -n tenant-test wait dv virtual-machine-$name --timeout=100s --for=condition=ready
+  kubectl -n tenant-test wait pvc virtual-machine-$name --timeout=100s --for=jsonpath='{.status.phase}'=Bound
+  kubectl -n tenant-test wait vm virtual-machine-$name --timeout=100s --for=condition=ready
+  timeout 120 sh -ec "until kubectl -n tenant-test get vmi virtual-machine-$name -o jsonpath='{.status.interfaces[0].ipAddress}' | grep -q '[0-9]'; do sleep 10; done"
+}
+
+@test "Create DB PostgreSQL" {
+  name='test'
+  kubectl create -f - <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: Postgres
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  external: false
+  size: 10Gi
+  replicas: 2
+  storageClass: ""
+  postgresql:
+    parameters:
+      max_connections: 100
+  quorum:
+    minSyncReplicas: 0
+    maxSyncReplicas: 0
+  users:
+    testuser:
+      password: xai7Wepo
+  databases:
+    testdb:
+      roles:
+        admin:
+        - testuser
+  backup:
+    enabled: false
+    s3Region: us-east-1
+    s3Bucket: s3.example.org/postgres-backups
+    schedule: "0 2 * * *"
+    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
+  resources: {}
+  resourcesPreset: "nano"
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr postgres-$name --timeout=50s --for=condition=ready
+  kubectl -n tenant-test wait job.batch postgres-$name-init-job --timeout=50s --for=condition=Complete
+  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-r -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
+  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-ro -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
+  timeout 40 sh -ec "until kubectl -n tenant-test get svc postgres-$name-rw -o jsonpath='{.spec.ports[0].port}' | grep -q '5432'; do sleep 10; done"
+  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-r -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-ro -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  timeout 120 sh -ec "until kubectl -n tenant-test get endpoints postgres-$name-rw -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+}
+
+@test "Create DB MySQL" {
+  name='test'
+  kubectl create -f- <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: MySQL
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  external: false
+  size: 10Gi
+  replicas: 2
+  storageClass: ""
+  users:
+    testuser:
+      maxUserConnections: 1000
+      password: xai7Wepo
+  databases:
+    testdb:
+      roles:
+        admin:
+        - testuser
+  backup:
+    enabled: false
+    s3Region: us-east-1
+    s3Bucket: s3.example.org/postgres-backups
+    schedule: "0 2 * * *"
+    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
+  resources: {}
+  resourcesPreset: "nano"
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr mysql-$name --timeout=30s --for=condition=ready
+  timeout 80 sh -ec "until kubectl -n tenant-test get svc mysql-$name -o jsonpath='{.spec.ports[0].port}' | grep -q '3306'; do sleep 10; done"
+  timeout 40 sh -ec "until kubectl -n tenant-test get endpoints mysql-$name -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  kubectl -n tenant-test wait statefulset.apps/mysql-$name --timeout=110s --for=jsonpath='{.status.replicas}'=2
+  timeout 80 sh -ec "until kubectl -n tenant-test get svc mysql-$name-metrics -o jsonpath='{.spec.ports[0].port}' | grep -q '9104'; do sleep 10; done"
+  timeout 40 sh -ec "until kubectl -n tenant-test get endpoints mysql-$name-metrics -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  kubectl -n tenant-test wait deployment.apps/mysql-$name-metrics --timeout=90s --for=jsonpath='{.status.replicas}'=1
+}
+
+@test "Create DB ClickHouse" {
+  name='test'
+  kubectl create -f- <<EOF
+apiVersion: apps.cozystack.io/v1alpha1
+kind: ClickHouse
+metadata:
+  name: $name
+  namespace: tenant-test
+spec:
+  size: 10Gi
+  logStorageSize: 2Gi
+  shards: 1
+  replicas: 2
+  storageClass: ""
+  logTTL: 15
+  users:
+    testuser:
+      password: xai7Wepo
+  backup:
+    enabled: false
+    s3Region: us-east-1
+    s3Bucket: s3.example.org/clickhouse-backups
+    schedule: "0 2 * * *"
+    cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+    s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+    s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+    resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
+  resources: {}
+  resourcesPreset: "nano"
+EOF
+  sleep 5
+  kubectl -n tenant-test wait hr clickhouse-$name --timeout=20s --for=condition=ready
+  timeout 100 sh -ec "until kubectl -n tenant-test get svc chendpoint-clickhouse-$name -o jsonpath='{.spec.ports[*].port}' | grep -q '8123 9000'; do sleep 10; done"
+  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-0 --timeout=120s --for=jsonpath='{.status.replicas}'=2
+  timeout 80 sh -ec "until kubectl -n tenant-test get endpoints chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.subsets[*].addresses[*].ip}' | grep -q '[0-9]'; do sleep 10; done"
+  timeout 100 sh -ec "until kubectl -n tenant-test get svc chi-clickhouse-$name-clickhouse-0-0 -o jsonpath='{.spec.ports[0].port}' | grep -q '9000 8123 9009'; do sleep 10; done"
+  kubectl -n tenant-test wait statefulset.apps/chi-clickhouse-$name-clickhouse-0-1 --timeout=140s --for=jsonpath='{.status.replicas}'=2
 }

hack/e2e-cluster.bats

@@ -102,7 +102,7 @@ EOF
 
 @test "Boot QEMU VMs" {
   for i in 1 2 3; do
-    qemu-system-x86_64 -machine type=pc,accel=kvm -cpu host -smp 8 -m 16384 \
+    qemu-system-x86_64 -machine type=pc,accel=kvm -cpu host -smp 8 -m 24576 \
       -device virtio-net,netdev=net0,mac=52:54:00:12:34:5${i} \
       -netdev tap,id=net0,ifname=cozy-srv${i},script=no,downscript=no \
       -drive file=srv${i}/system.img,if=virtio,format=raw \

internal/controller/system_helm_reconciler.go

@@ -0,0 +1,139 @@
+package controller
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"sort"
+	"time"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	corev1 "k8s.io/api/core/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+)
+
+type CozystackConfigReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+var configMapNames = []string{"cozystack", "cozystack-branding", "cozystack-scheduling"}
+
+const configMapNamespace = "cozy-system"
+const digestAnnotation = "cozystack.io/cozy-config-digest"
+const forceReconcileKey = "reconcile.fluxcd.io/forceAt"
+const requestedAt = "reconcile.fluxcd.io/requestedAt"
+
+func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx)
+
+	digest, err := r.computeDigest(ctx)
+	if err != nil {
+		log.Error(err, "failed to compute config digest")
+		return ctrl.Result{}, nil
+	}
+
+	var helmList helmv2.HelmReleaseList
+	if err := r.List(ctx, &helmList); err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to list HelmReleases: %w", err)
+	}
+
+	now := time.Now().Format(time.RFC3339Nano)
+	updated := 0
+
+	for _, hr := range helmList.Items {
+		isSystemApp := hr.Labels["cozystack.io/system-app"] == "true"
+		isTenantRoot := hr.Namespace == "tenant-root" && hr.Name == "tenant-root"
+		if !isSystemApp && !isTenantRoot {
+			continue
+		}
+
+		if hr.Annotations == nil {
+			hr.Annotations = map[string]string{}
+		}
+
+		if hr.Annotations[digestAnnotation] == digest {
+			continue
+		}
+
+		patch := client.MergeFrom(hr.DeepCopy())
+		hr.Annotations[digestAnnotation] = digest
+		hr.Annotations[forceReconcileKey] = now
+		hr.Annotations[requestedAt] = now
+
+		if err := r.Patch(ctx, &hr, patch); err != nil {
+			log.Error(err, "failed to patch HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
+			continue
+		}
+		updated++
+		log.Info("patched HelmRelease with new config digest", "name", hr.Name, "namespace", hr.Namespace)
+	}
+
+	log.Info("finished reconciliation", "updatedHelmReleases", updated)
+	return ctrl.Result{}, nil
+}
+
+func (r *CozystackConfigReconciler) computeDigest(ctx context.Context) (string, error) {
+	hash := sha256.New()
+
+	for _, name := range configMapNames {
+		var cm corev1.ConfigMap
+		err := r.Get(ctx, client.ObjectKey{Namespace: configMapNamespace, Name: name}, &cm)
+		if err != nil {
+			if kerrors.IsNotFound(err) {
+				continue // ignore missing
+			}
+			return "", err
+		}
+
+		// Sort keys for consistent hashing
+		var keys []string
+		for k := range cm.Data {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+
+		for _, k := range keys {
+			v := cm.Data[k]
+			fmt.Fprintf(hash, "%s:%s=%s\n", name, k, v)
+		}
+	}
+
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
+
+func (r *CozystackConfigReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		WithEventFilter(predicate.Funcs{
+			UpdateFunc: func(e event.UpdateEvent) bool {
+				cm, ok := e.ObjectNew.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+			CreateFunc: func(e event.CreateEvent) bool {
+				cm, ok := e.Object.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+			DeleteFunc: func(e event.DeleteEvent) bool {
+				cm, ok := e.Object.(*corev1.ConfigMap)
+				return ok && cm.Namespace == configMapNamespace && contains(configMapNames, cm.Name)
+			},
+		}).
+		For(&corev1.ConfigMap{}).
+		Complete(r)
+}
+
+func contains(slice []string, val string) bool {
+	for _, s := range slice {
+		if s == val {
+			return true
+		}
+	}
+	return false
+}

internal/controller/workloadmonitor_controller.go

@@ -248,15 +248,24 @@ func (r *WorkloadMonitorReconciler) reconcilePodForMonitor(
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fmt.Sprintf("pod-%s", pod.Name),
 			Namespace: pod.Namespace,
+			Labels:    map[string]string{},
 		},
 	}
 
+	metaLabels := r.getWorkloadMetadata(&pod)
 	_, err := ctrl.CreateOrUpdate(ctx, r.Client, workload, func() error {
 		// Update owner references with the new monitor
 		updateOwnerReferences(workload.GetObjectMeta(), monitor)
 
 		// Copy labels from the Pod if needed
-		workload.Labels = pod.Labels
+		for k, v := range pod.Labels {
+			workload.Labels[k] = v
+		}
+
+		// Add workload meta to labels
+		for k, v := range metaLabels {
+			workload.Labels[k] = v
+		}
 
 		// Fill Workload status fields:
 		workload.Status.Kind = monitor.Spec.Kind
@@ -433,3 +442,12 @@ func mapObjectToMonitor[T client.Object](_ T, c client.Client) func(ctx context.
 		return requests
 	}
 }
+
+func (r *WorkloadMonitorReconciler) getWorkloadMetadata(obj client.Object) map[string]string {
+	labels := make(map[string]string)
+	annotations := obj.GetAnnotations()
+	if instanceType, ok := annotations["kubevirt.io/cluster-instancetype-name"]; ok {
+		labels["workloads.cozystack.io/kubevirt-vmi-instance-type"] = instanceType
+	}
+	return labels
+}

packages/apps/bucket/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.2.0"

packages/apps/bucket/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/bucket/templates/dashboard-resourcemap.yaml

@@ -18,3 +18,14 @@ rules:
   resourceNames:
   - {{ .Release.Name }}-ui
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/clickhouse/Chart.yaml

@@ -16,15 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.10.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "24.9.2"
-
-dependencies:
-  - name: cozy-lib
-    version: 0.1.0
-    repository: "http://cozystack.cozy-system.svc/repos/library"

packages/apps/clickhouse/Makefile

@@ -1,4 +1,4 @@
-CLICKHOUSE_BACKUP_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
+CLICKHOUSE_BACKUP_TAG = $(shell awk '$$0 ~ /^version:/ {print $$2}' Chart.yaml)
 
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk

packages/apps/clickhouse/README.md

@@ -1,32 +1,35 @@
 # Managed Clickhouse Service
 
+ClickHouse is an open source high-performance and column-oriented SQL database management system (DBMS).
+It is used for online analytical processing (OLAP).
+Cozystack platform uses Altinity operator to provide ClickHouse.
+
 ### How to restore backup:
 
-find snapshot:
-```
-restic -r s3:s3.example.org/clickhouse-backups/table_name snapshots
-```
+1. Find a snapshot:
+    ```
+    restic -r s3:s3.example.org/clickhouse-backups/table_name snapshots
+    ```
 
-restore:
-```
-restic -r s3:s3.example.org/clickhouse-backups/table_name restore latest --target /tmp/
-```
+2.  Restore it:
+    ```
+    restic -r s3:s3.example.org/clickhouse-backups/table_name restore latest --target /tmp/
+    ```
 
-more details:
-- https://itnext.io/restic-effective-backup-from-stdin-4bc1e8f083c1
+For more details, read [Restic: Effective Backup from Stdin](https://blog.aenix.io/restic-effective-backup-from-stdin-4bc1e8f083c1).
 
 ## Parameters
 
 ### Common parameters
 
-| Name             | Description                         | Value  |
-| ---------------- | ----------------------------------- | ------ |
-| `size`           | Persistent Volume size              | `10Gi` |
-| `logStorageSize` | Persistent Volume for logs size     | `2Gi`  |
-| `shards`         | Number of Clickhouse replicas       | `1`    |
-| `replicas`       | Number of Clickhouse shards         | `2`    |
-| `storageClass`   | StorageClass used to store the data | `""`   |
-| `logTTL`         | for query_log and query_thread_log  | `15`   |
+| Name             | Description                                              | Value  |
+| ---------------- | -------------------------------------------------------- | ------ |
+| `size`           | Size of Persistent Volume for data                       | `10Gi` |
+| `logStorageSize` | Size of Persistent Volume for logs                       | `2Gi`  |
+| `shards`         | Number of Clickhouse shards                              | `1`    |
+| `replicas`       | Number of Clickhouse replicas                            | `2`    |
+| `storageClass`   | StorageClass used to store the data                      | `""`   |
+| `logTTL`         | TTL (expiration time) for query_log and query_thread_log | `15`   |
 
 ### Configuration parameters
 
@@ -36,15 +39,32 @@ more details:
 
 ### Backup parameters
 
-| Name                     | Description                                                                                                                                                                                                       | Value                                                  |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable pereiodic backups                                                                                                                                                                                          | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                                                                                                        | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                                                                                            | `s3.example.org/clickhouse-backups`                    |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                                                                                               | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                                                                                                    | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                                                                                                    | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                                                                                                         | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Resources                                                                                                                                                                                                         | `{}`                                                   |
-| `resourcesPreset`        | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`                                                 |
+| Name                     | Description                                                                 | Value                                                  |
+| ------------------------ | --------------------------------------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable periodic backups                                                     | `false`                                                |
+| `backup.s3Region`        | AWS S3 region where backups are stored                                      | `us-east-1`                                            |
+| `backup.s3Bucket`        | S3 bucket used for storing backups                                          | `s3.example.org/clickhouse-backups`                    |
+| `backup.schedule`        | Cron schedule for automated backups                                         | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups                              | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                                  | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                                  | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | Password for Restic backup encryption                                       | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
+| `resources`              | Explicit CPU/memory resource requests and limits for the Clickhouse service | `{}`                                                   |
+| `resourcesPreset`        | Use a common resources preset when `resources` is not set explicitly.       | `nano`                                                 |
+
+
+In production environments, it's recommended to set `resources` explicitly.
+Example of `resources`:
+
+```yaml
+resources:
+  limits:
+    cpu: 4000m
+    memory: 4Gi
+  requests:
+    cpu: 100m
+    memory: 512Mi
+```
+
+Allowed values for `resourcesPreset` are `none`, `nano`, `micro`, `small`, `medium`, `large`, `xlarge`, `2xlarge`.
+This value is ignored if `resources` value is set. 

packages/apps/clickhouse/images/clickhouse-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/clickhouse-backup:0.9.0@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
+ghcr.io/cozystack/cozystack/clickhouse-backup:0.10.0@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205

packages/apps/clickhouse/templates/clickhouse.yaml

@@ -1,3 +1,5 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
 {{- $passwords := dict }}
 {{- $users := .Values.users }}
@@ -32,7 +34,7 @@ kind: "ClickHouseInstallation"
 metadata:
   name: "{{ .Release.Name }}"
 spec:
-  namespaceDomainPattern:  "%s.svc.cozy.local"
+  namespaceDomainPattern:  "%s.svc.{{ $clusterDomain }}"
   defaults:
     templates:
       dataVolumeClaimTemplate: data-volume-template
@@ -92,6 +94,9 @@ spec:
   templates:
     volumeClaimTemplates:
       - name: data-volume-template
+        metadata:
+          labels:
+            app.kubernetes.io/instance: {{ .Release.Name }}
         spec:
           accessModes:
             - ReadWriteOnce
@@ -99,6 +104,9 @@ spec:
             requests:
               storage: {{ .Values.size }}
       - name: log-volume-template
+        metadata:
+          labels:
+            app.kubernetes.io/instance: {{ .Release.Name }}
         spec:
           accessModes:
             - ReadWriteOnce
@@ -107,6 +115,9 @@ spec:
               storage: {{ .Values.logStorageSize }}
     podTemplates:
       - name: clickhouse-per-host
+        metadata:
+          labels:
+            app.kubernetes.io/instance: {{ .Release.Name }}
         spec:
           affinity:
             podAntiAffinity:
@@ -133,6 +144,9 @@ spec:
                   mountPath: /var/log/clickhouse-server
     serviceTemplates:
       - name: svc-template
+        metadata:
+          labels:
+            app.kubernetes.io/instance: {{ .Release.Name }}
         generateName: chendpoint-{chi}
         spec:
           ports:

packages/apps/clickhouse/templates/dashboard-resourcemap.yaml

@@ -24,3 +24,14 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/clickhouse/templates/workloadmonitor.yaml

@@ -9,5 +9,5 @@ spec:
   kind: clickhouse
   type: clickhouse
   selector:
-    clickhouse.altinity.com/chi: {{ $.Release.Name }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
   version: {{ $.Chart.Version }}

packages/apps/clickhouse/values.schema.json

@@ -4,22 +4,22 @@
     "properties": {
         "size": {
             "type": "string",
-            "description": "Persistent Volume size",
+            "description": "Size of Persistent Volume for data",
             "default": "10Gi"
         },
         "logStorageSize": {
             "type": "string",
-            "description": "Persistent Volume for logs size",
+            "description": "Size of Persistent Volume for logs",
             "default": "2Gi"
         },
         "shards": {
             "type": "number",
-            "description": "Number of Clickhouse replicas",
+            "description": "Number of Clickhouse shards",
             "default": 1
         },
         "replicas": {
             "type": "number",
-            "description": "Number of Clickhouse shards",
+            "description": "Number of Clickhouse replicas",
             "default": 2
         },
         "storageClass": {
@@ -29,7 +29,7 @@
         },
         "logTTL": {
             "type": "number",
-            "description": "for query_log and query_thread_log",
+            "description": "TTL (expiration time) for query_log and query_thread_log",
             "default": 15
         },
         "backup": {
@@ -37,17 +37,17 @@
             "properties": {
                 "enabled": {
                     "type": "boolean",
-                    "description": "Enable pereiodic backups",
+                    "description": "Enable periodic backups",
                     "default": false
                 },
                 "s3Region": {
                     "type": "string",
-                    "description": "The AWS S3 region where backups are stored",
+                    "description": "AWS S3 region where backups are stored",
                     "default": "us-east-1"
                 },
                 "s3Bucket": {
                     "type": "string",
-                    "description": "The S3 bucket used for storing backups",
+                    "description": "S3 bucket used for storing backups",
                     "default": "s3.example.org/clickhouse-backups"
                 },
                 "schedule": {
@@ -57,34 +57,34 @@
                 },
                 "cleanupStrategy": {
                     "type": "string",
-                    "description": "The strategy for cleaning up old backups",
+                    "description": "Retention strategy for cleaning up old backups",
                     "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
                 },
                 "s3AccessKey": {
                     "type": "string",
-                    "description": "The access key for S3, used for authentication",
+                    "description": "Access key for S3, used for authentication",
                     "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
                 },
                 "s3SecretKey": {
                     "type": "string",
-                    "description": "The secret key for S3, used for authentication",
+                    "description": "Secret key for S3, used for authentication",
                     "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
                 },
                 "resticPassword": {
                     "type": "string",
-                    "description": "The password for Restic backup encryption",
+                    "description": "Password for Restic backup encryption",
                     "default": "ChaXoveekoh6eigh4siesheeda2quai0"
                 }
             }
         },
         "resources": {
             "type": "object",
-            "description": "Resources",
+            "description": "Explicit CPU/memory resource requests and limits for the Clickhouse service",
             "default": {}
         },
         "resourcesPreset": {
             "type": "string",
-            "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
+            "description": "Use a common resources preset when `resources` is not set explicitly.",
             "default": "nano"
         }
     }

packages/apps/clickhouse/values.yaml

@@ -1,11 +1,11 @@
 ## @section Common parameters
 
-## @param size Persistent Volume size
-## @param logStorageSize Persistent Volume for logs size
-## @param shards Number of Clickhouse replicas
-## @param replicas Number of Clickhouse shards
+## @param size Size of Persistent Volume for data
+## @param logStorageSize Size of Persistent Volume for logs
+## @param shards Number of Clickhouse shards
+## @param replicas Number of Clickhouse replicas
 ## @param storageClass StorageClass used to store the data
-## @param logTTL for query_log and query_thread_log
+## @param logTTL TTL (expiration time) for query_log and query_thread_log
 ##
 size: 10Gi
 logStorageSize: 2Gi
@@ -29,14 +29,14 @@ users: {}
 
 ## @section Backup parameters
 
-## @param backup.enabled Enable pereiodic backups
-## @param backup.s3Region The AWS S3 region where backups are stored
-## @param backup.s3Bucket The S3 bucket used for storing backups
+## @param backup.enabled Enable periodic backups
+## @param backup.s3Region AWS S3 region where backups are stored
+## @param backup.s3Bucket S3 bucket used for storing backups
 ## @param backup.schedule Cron schedule for automated backups
-## @param backup.cleanupStrategy The strategy for cleaning up old backups
-## @param backup.s3AccessKey The access key for S3, used for authentication
-## @param backup.s3SecretKey The secret key for S3, used for authentication
-## @param backup.resticPassword The password for Restic backup encryption
+## @param backup.cleanupStrategy Retention strategy for cleaning up old backups
+## @param backup.s3AccessKey Access key for S3, used for authentication
+## @param backup.s3SecretKey Secret key for S3, used for authentication
+## @param backup.resticPassword Password for Restic backup encryption
 backup:
   enabled: false
   s3Region: us-east-1
@@ -47,7 +47,7 @@ backup:
   s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
   resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
 
-## @param resources Resources
+## @param resources Explicit CPU/memory resource requests and limits for the Clickhouse service
 resources: {}
  # resources:
  #   limits:
@@ -56,6 +56,6 @@ resources: {}
  #   requests:
  #     cpu: 100m
  #     memory: 512Mi
- 
-## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+
+## @param resourcesPreset Use a common resources preset when `resources` is not set explicitly.
 resourcesPreset: "nano"

packages/apps/ferretdb/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/ferretdb/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/ferretdb/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.12.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f
+ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f

packages/apps/ferretdb/templates/dashboard-resourcemap.yaml

@@ -24,3 +24,14 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/ferretdb/templates/external-svc.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ .Release.Name }}
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   {{- if .Values.external }}

packages/apps/ferretdb/templates/ferretdb.yaml

@@ -12,6 +12,7 @@ spec:
     metadata:
       labels:
         app: {{ .Release.Name }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
     spec:
       containers:
       - name: ferretdb

packages/apps/ferretdb/templates/postgres.yaml

@@ -19,9 +19,9 @@ spec:
   minSyncReplicas: {{ .Values.quorum.minSyncReplicas }}
   maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }}
   {{- if .Values.resources }}
-  resources: {{- toYaml .Values.resources | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
   {{- else if ne .Values.resourcesPreset "none" }}
-  resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 4 }}
   {{- end }}
   monitoring:
     enablePodMonitor: true
@@ -35,6 +35,7 @@ spec:
   inheritedMetadata:
     labels:
       policy.cozystack.io/allow-to-apiserver: "true"
+      app.kubernetes.io/instance: {{ .Release.Name }}
 
   {{- if .Values.users }}
   managed:

packages/apps/ferretdb/templates/workloadmonitor.yaml

@@ -9,5 +9,5 @@ spec:
   kind: ferretdb
   type: ferretdb
   selector:
-    app: {{ $.Release.Name }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
   version: {{ $.Chart.Version }}

packages/apps/http-cache/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0
+version: 0.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/http-cache/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/http-cache/images/nginx-cache.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.5.0@sha256:99cd04f09f80eb0c60cc0b2f6bc8180ada7ada00cb594606447674953dfa1b67
+ghcr.io/cozystack/cozystack/nginx-cache:0.5.1@sha256:50ac1581e3100bd6c477a71161cb455a341ffaf9e5e2f6086802e4e25271e8af

packages/apps/http-cache/templates/haproxy/deployment.yaml

@@ -34,9 +34,9 @@ spec:
       - image: haproxy:latest
         name: haproxy
         {{- if .Values.haproxy.resources }}
-        resources: {{- toYaml .Values.haproxy.resources | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.sanitize" (list .Values.haproxy.resources $) | nindent 10 }}
         {{- else if ne .Values.haproxy.resourcesPreset "none" }}
-        resources: {{- include "resources.preset" (dict "type" .Values.haproxy.resourcesPreset "Release" .Release) | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.preset" (list .Values.haproxy.resourcesPreset $) | nindent 10 }}
         {{- end }}
         ports:
         - containerPort: 8080

packages/apps/http-cache/templates/nginx/deployment.yaml

@@ -53,9 +53,9 @@ spec:
       containers:
       - name: nginx
         {{- if $.Values.nginx.resources }}
-        resources: {{- toYaml $.Values.nginx.resources | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.sanitize" (list $.Values.nginx.resources $) | nindent 10 }}
         {{- else if ne $.Values.nginx.resourcesPreset "none" }}
-        resources: {{- include "resources.preset" (dict "type" $.Values.nginx.resourcesPreset "Release" $.Release) | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.preset" (list $.Values.nginx.resourcesPreset $) | nindent 10 }}
         {{- end }}
         image: "{{ $.Files.Get "images/nginx-cache.tag" | trim }}"
         readinessProbe:

packages/apps/http-cache/templates/workloadmonitor.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-haproxy
+spec:
+  replicas: {{ .Values.haproxy.replicas }}
+  minReplicas: 1
+  kind: http-cache
+  type: http-cache
+  selector:
+    app: {{ $.Release.Name }}-haproxy
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}-nginx
+spec:
+  replicas: {{ .Values.nginx.replicas }}
+  minReplicas: 1
+  kind: http-cache
+  type: http-cache
+  selector:
+    app: {{ $.Release.Name }}-nginx-cache
+  version: {{ $.Chart.Version }}
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: http-cache
+  type: http-cache
+  selector:
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/kafka/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kafka/README.md

@@ -14,9 +14,9 @@
 | `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                                                                                                      | `3`     |
 | `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                                                                                                     | `""`    |
 | `kafka.resources`           | Resources                                                                                                                                                                                                         | `{}`    |
-| `kafka.resourcesPreset`     | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
+| `kafka.resourcesPreset`     | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
 | `zookeeper.resources`       | Resources                                                                                                                                                                                                         | `{}`    |
-| `zookeeper.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano`  |
+| `zookeeper.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
 
 ### Configuration parameters
 

packages/apps/kafka/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/kafka/templates/dashboard-resourcemap.yaml

@@ -25,3 +25,14 @@ rules:
   - {{ .Release.Name }}
   - {{ $.Release.Name }}-zookeeper
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/kafka/templates/kafka.yaml

@@ -9,9 +9,9 @@ spec:
   kafka:
     replicas: {{ .Values.kafka.replicas }}
     {{- if .Values.kafka.resources }}
-    resources: {{- toYaml .Values.kafka.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.kafka.resources $) | nindent 6 }}
     {{- else if ne .Values.kafka.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.kafka.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.kafka.resourcesPreset $) | nindent 6 }}
     {{- end }}
     listeners:
       - name: plain
@@ -71,9 +71,9 @@ spec:
   zookeeper:
     replicas: {{ .Values.zookeeper.replicas }}
     {{- if .Values.zookeeper.resources }}
-    resources: {{- toYaml .Values.zookeeper.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.zookeeper.resources $) | nindent 6 }}
     {{- else if ne .Values.zookeeper.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.zookeeper.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.zookeeper.resourcesPreset $) | nindent 6 }}
     {{- end }}
     storage:
       type: persistent-claim

packages/apps/kafka/values.schema.json

@@ -33,7 +33,7 @@
                 "resourcesPreset": {
                     "type": "string",
                     "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "nano"
+                    "default": "small"
                 }
             }
         },
@@ -63,7 +63,7 @@
                 "resourcesPreset": {
                     "type": "string",
                     "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
-                    "default": "nano"
+                    "default": "micro"
                 }
             }
         },

packages/apps/kafka/values.yaml

@@ -25,7 +25,7 @@ kafka:
   #     memory: 512Mi
   
   ## @param kafka.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
-  resourcesPreset: "nano"
+  resourcesPreset: "small"
 
 zookeeper:
   size: 5Gi
@@ -42,7 +42,7 @@ zookeeper:
   #     memory: 512Mi
   
   ## @param zookeeper.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
-  resourcesPreset: "nano"
+  resourcesPreset: "micro"
 
 ## @section Configuration parameters
 

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.21.0
+version: 0.24.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/README.md

@@ -81,12 +81,13 @@ See the reference for components utilized in this service:
 
 ### Common Parameters
 
-| Name                    | Description                                                                                                       | Value        |
-| ----------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
-| `host`                  | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
-| `controlPlane.replicas` | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
-| `storageClass`          | StorageClass used to store user data.                                                                             | `replicated` |
-| `nodeGroups`            | nodeGroups configuration                                                                                          | `{}`         |
+| Name                                | Description                                                                                                       | Value        |
+| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
+| `host`                              | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
+| `controlPlane.replicas`             | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
+| `storageClass`                      | StorageClass used to store user data.                                                                             | `replicated` |
+| `useCustomSecretForPatchContainerd` | if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd                           | `false`      |
+| `nodeGroups`                        | nodeGroups configuration                                                                                          | `{}`         |
 
 ### Cluster Addons
 
@@ -109,16 +110,16 @@ See the reference for components utilized in this service:
 
 ### Kubernetes Control Plane Configuration
 
-| Name                                               | Description                                                                  | Value   |
-| -------------------------------------------------- | ---------------------------------------------------------------------------- | ------- |
-| `controlPlane.apiServer.resources`                 | Explicit CPU/memory resource requests and limits for the API server.         | `{}`    |
-| `controlPlane.apiServer.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly.        | `small` |
-| `controlPlane.controllerManager.resources`         | Explicit CPU/memory resource requests and limits for the controller manager. | `{}`    |
-| `controlPlane.controllerManager.resourcesPreset`   | Use a common resources preset when `resources` is not set explicitly.        | `micro` |
-| `controlPlane.scheduler.resources`                 | Explicit CPU/memory resource requests and limits for the scheduler.          | `{}`    |
-| `controlPlane.scheduler.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly.        | `micro` |
-| `controlPlane.konnectivity.server.resources`       | Explicit CPU/memory resource requests and limits for the Konnectivity.       | `{}`    |
-| `controlPlane.konnectivity.server.resourcesPreset` | Use a common resources preset when `resources` is not set explicitly.        | `micro` |
+| Name                                               | Description                                                                  | Value    |
+| -------------------------------------------------- | ---------------------------------------------------------------------------- | -------- |
+| `controlPlane.apiServer.resources`                 | Explicit CPU/memory resource requests and limits for the API server.         | `{}`     |
+| `controlPlane.apiServer.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly.        | `medium` |
+| `controlPlane.controllerManager.resources`         | Explicit CPU/memory resource requests and limits for the controller manager. | `{}`     |
+| `controlPlane.controllerManager.resourcesPreset`   | Use a common resources preset when `resources` is not set explicitly.        | `micro`  |
+| `controlPlane.scheduler.resources`                 | Explicit CPU/memory resource requests and limits for the scheduler.          | `{}`     |
+| `controlPlane.scheduler.resourcesPreset`           | Use a common resources preset when `resources` is not set explicitly.        | `micro`  |
+| `controlPlane.konnectivity.server.resources`       | Explicit CPU/memory resource requests and limits for the Konnectivity.       | `{}`     |
+| `controlPlane.konnectivity.server.resourcesPreset` | Use a common resources preset when `resources` is not set explicitly.        | `micro`  |
 
 In production environments, it's recommended to set `resources` explicitly.
 Example of `controlPlane.*.resources`:

packages/apps/kubernetes/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/kubernetes/images/cluster-autoscaler.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.21.0@sha256:7315850634728a5864a3de3150c12f0e1454f3f1ce33cdf21a278f57611dd5e9
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.24.0@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.21.0@sha256:6962bdf51ab2ff40b420b9cff7c850aeea02187da2a65a67f10e0471744649d7
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.24.0@sha256:b478952fab735f85c3ba15835012b1de8af5578b33a8a2670eaf532ffc17681e

packages/apps/kubernetes/images/kubevirt-cloud-provider/Dockerfile

@@ -8,7 +8,7 @@ ENV GOARCH=$TARGETARCH
 
 RUN git clone https://github.com/kubevirt/cloud-provider-kubevirt /go/src/kubevirt.io/cloud-provider-kubevirt \
  && cd /go/src/kubevirt.io/cloud-provider-kubevirt \
- && git checkout 443a1fe
+ && git checkout a0acf33
 
 WORKDIR /go/src/kubevirt.io/cloud-provider-kubevirt
 

packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/341.diff

@@ -37,7 +37,7 @@ index 74166b5d9..4e744f8de 100644
  	klog.Infof("Initializing kubevirtEPSController")
  
 diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
-index 6f6e3d322..b56882c12 100644
+index 53388eb8e..b56882c12 100644
 --- a/pkg/controller/kubevirteps/kubevirteps_controller.go
 +++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
 @@ -54,10 +54,10 @@ type Controller struct {
@@ -286,22 +286,6 @@ index 6f6e3d322..b56882c12 100644
  	for _, eps := range slicesToDelete {
  		err := c.infraClient.DiscoveryV1().EndpointSlices(eps.Namespace).Delete(context.TODO(), eps.Name, metav1.DeleteOptions{})
  		if err != nil {
-@@ -474,11 +538,11 @@ func (c *Controller) reconcileByAddressType(service *v1.Service, tenantSlices []
- 	// Create the desired port configuration
- 	var desiredPorts []discovery.EndpointPort
- 
--	for _, port := range service.Spec.Ports {
-+	for i := range service.Spec.Ports {
- 		desiredPorts = append(desiredPorts, discovery.EndpointPort{
--			Port:     &port.TargetPort.IntVal,
--			Protocol: &port.Protocol,
--			Name:     &port.Name,
-+			Port:     &service.Spec.Ports[i].TargetPort.IntVal,
-+			Protocol: &service.Spec.Ports[i].Protocol,
-+			Name:     &service.Spec.Ports[i].Name,
- 		})
- 	}
- 
 @@ -588,55 +652,114 @@ func ownedBy(endpointSlice *discovery.EndpointSlice, svc *v1.Service) bool {
  	return false
  }
@@ -437,18 +421,10 @@ index 6f6e3d322..b56882c12 100644
  
  	return nil
 diff --git a/pkg/controller/kubevirteps/kubevirteps_controller_test.go b/pkg/controller/kubevirteps/kubevirteps_controller_test.go
-index 1fb86e25f..14d92d340 100644
+index 1c97035b4..14d92d340 100644
 --- a/pkg/controller/kubevirteps/kubevirteps_controller_test.go
 +++ b/pkg/controller/kubevirteps/kubevirteps_controller_test.go
-@@ -13,6 +13,7 @@ import (
- 	"k8s.io/apimachinery/pkg/runtime"
- 	"k8s.io/apimachinery/pkg/runtime/schema"
- 	"k8s.io/apimachinery/pkg/util/intstr"
-+	"k8s.io/apimachinery/pkg/util/sets"
- 	dfake "k8s.io/client-go/dynamic/fake"
- 	"k8s.io/client-go/kubernetes/fake"
- 	"k8s.io/client-go/testing"
-@@ -189,7 +190,7 @@ func setupTestKubevirtEPSController() *testKubevirtEPSController {
+@@ -190,7 +190,7 @@ func setupTestKubevirtEPSController() *testKubevirtEPSController {
  		}: "VirtualMachineInstanceList",
  	})
  
@@ -457,83 +433,87 @@ index 1fb86e25f..14d92d340 100644
  
  	err := controller.Init()
  	if err != nil {
-@@ -686,5 +687,229 @@ var _ = g.Describe("KubevirtEPSController", g.Ordered, func() {
- 				return false, err
- 			}).Should(BeTrue(), "EndpointSlice in infra cluster should be recreated by the controller after deletion")
- 		})
-+
-+		g.It("Should correctly handle multiple unique ports in EndpointSlice", func() {
-+			// Create a VMI in the infra cluster
-+			createAndAssertVMI("worker-0-test", "ip-10-32-5-13", "123.45.67.89")
-+
-+			// Create an EndpointSlice in the tenant cluster
-+			createAndAssertTenantSlice("test-epslice", "tenant-service-name", discoveryv1.AddressTypeIPv4,
-+				*createPort("http", 80, v1.ProtocolTCP),
-+				[]discoveryv1.Endpoint{*createEndpoint("123.45.67.89", "worker-0-test", true, true, false)})
-+
+@@ -697,51 +697,43 @@ var _ = g.Describe("KubevirtEPSController", g.Ordered, func() {
+ 				*createPort("http", 80, v1.ProtocolTCP),
+ 				[]discoveryv1.Endpoint{*createEndpoint("123.45.67.89", "worker-0-test", true, true, false)})
+ 
+-			// Define several unique ports for the Service
 +			// Define multiple ports for the Service
-+			servicePorts := []v1.ServicePort{
-+				{
+ 			servicePorts := []v1.ServicePort{
+ 				{
+-					Name:        "client",
+-					Protocol:    v1.ProtocolTCP,
+-					Port:        10001,
+-					TargetPort:  intstr.FromInt(30396),
+-					NodePort:    30396,
+-					AppProtocol: nil,
 +					Name:       "client",
 +					Protocol:   v1.ProtocolTCP,
 +					Port:       10001,
 +					TargetPort: intstr.FromInt(30396),
 +					NodePort:   30396,
-+				},
-+				{
+ 				},
+ 				{
+-					Name:        "dashboard",
+-					Protocol:    v1.ProtocolTCP,
+-					Port:        8265,
+-					TargetPort:  intstr.FromInt(31003),
+-					NodePort:    31003,
+-					AppProtocol: nil,
 +					Name:       "dashboard",
 +					Protocol:   v1.ProtocolTCP,
 +					Port:       8265,
 +					TargetPort: intstr.FromInt(31003),
 +					NodePort:   31003,
-+				},
-+				{
+ 				},
+ 				{
+-					Name:        "metrics",
+-					Protocol:    v1.ProtocolTCP,
+-					Port:        8080,
+-					TargetPort:  intstr.FromInt(30452),
+-					NodePort:    30452,
+-					AppProtocol: nil,
 +					Name:       "metrics",
 +					Protocol:   v1.ProtocolTCP,
 +					Port:       8080,
 +					TargetPort: intstr.FromInt(30452),
 +					NodePort:   30452,
-+				},
-+			}
-+
-+			createAndAssertInfraServiceLB("infra-multiport-service", "tenant-service-name", "test-cluster",
+ 				},
+ 			}
+ 
+-			// Create a Service with the first port
+ 			createAndAssertInfraServiceLB("infra-multiport-service", "tenant-service-name", "test-cluster",
+-				servicePorts[0],
+-				v1.ServiceExternalTrafficPolicyLocal)
 +				servicePorts[0], v1.ServiceExternalTrafficPolicyLocal)
-+
-+			svc, err := testVals.infraClient.CoreV1().Services(infraNamespace).Get(context.TODO(), "infra-multiport-service", metav1.GetOptions{})
-+			Expect(err).To(BeNil())
-+
-+			svc.Spec.Ports = servicePorts
-+			_, err = testVals.infraClient.CoreV1().Services(infraNamespace).Update(context.TODO(), svc, metav1.UpdateOptions{})
-+			Expect(err).To(BeNil())
-+
-+			var epsListMultiPort *discoveryv1.EndpointSliceList
-+
-+			Eventually(func() (bool, error) {
-+				epsListMultiPort, err = testVals.infraClient.DiscoveryV1().EndpointSlices(infraNamespace).List(context.TODO(), metav1.ListOptions{})
-+				if len(epsListMultiPort.Items) != 1 {
-+					return false, err
-+				}
-+
-+				createdSlice := epsListMultiPort.Items[0]
-+				expectedPortNames := []string{"client", "dashboard", "metrics"}
-+				foundPortNames := []string{}
-+
-+				for _, port := range createdSlice.Ports {
-+					if port.Name != nil {
-+						foundPortNames = append(foundPortNames, *port.Name)
-+					}
-+				}
-+
-+				if len(foundPortNames) != len(expectedPortNames) {
-+					return false, err
-+				}
-+
-+				portSet := sets.NewString(foundPortNames...)
-+				expectedPortSet := sets.NewString(expectedPortNames...)
-+				return portSet.Equal(expectedPortSet), err
-+			}).Should(BeTrue(), "EndpointSlice should contain all unique ports from the Service without duplicates")
-+		})
-+
+ 
+-			// Update the Service by adding the remaining ports
+ 			svc, err := testVals.infraClient.CoreV1().Services(infraNamespace).Get(context.TODO(), "infra-multiport-service", metav1.GetOptions{})
+ 			Expect(err).To(BeNil())
+ 
+ 			svc.Spec.Ports = servicePorts
+-
+ 			_, err = testVals.infraClient.CoreV1().Services(infraNamespace).Update(context.TODO(), svc, metav1.UpdateOptions{})
+ 			Expect(err).To(BeNil())
+ 
+ 			var epsListMultiPort *discoveryv1.EndpointSliceList
+ 
+-			// Verify that the EndpointSlice is created with correct unique ports
+ 			Eventually(func() (bool, error) {
+ 				epsListMultiPort, err = testVals.infraClient.DiscoveryV1().EndpointSlices(infraNamespace).List(context.TODO(), metav1.ListOptions{})
+ 				if len(epsListMultiPort.Items) != 1 {
+@@ -758,7 +750,6 @@ var _ = g.Describe("KubevirtEPSController", g.Ordered, func() {
+ 					}
+ 				}
+ 
+-				// Verify that all expected ports are present and without duplicates
+ 				if len(foundPortNames) != len(expectedPortNames) {
+ 					return false, err
+ 				}
+@@ -769,5 +760,156 @@ var _ = g.Describe("KubevirtEPSController", g.Ordered, func() {
+ 			}).Should(BeTrue(), "EndpointSlice should contain all unique ports from the Service without duplicates")
+ 		})
+ 
 +		g.It("Should not panic when Service changes to have a non-nil selector, causing EndpointSlice deletion with no new slices to create", func() {
 +			createAndAssertVMI("worker-0-test", "ip-10-32-5-13", "123.45.67.89")
 +			createAndAssertTenantSlice("test-epslice", "tenant-service-name", discoveryv1.AddressTypeIPv4,

packages/apps/kubernetes/images/kubevirt-cloud-provider/patches/354.diff

@@ -0,0 +1,142 @@
+diff --git a/pkg/controller/kubevirteps/kubevirteps_controller.go b/pkg/controller/kubevirteps/kubevirteps_controller.go
+index 53388eb8e..28644236f 100644
+--- a/pkg/controller/kubevirteps/kubevirteps_controller.go
++++ b/pkg/controller/kubevirteps/kubevirteps_controller.go
+@@ -12,7 +12,6 @@ import (
+ 	apiequality "k8s.io/apimachinery/pkg/api/equality"
+ 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ 	"k8s.io/apimachinery/pkg/runtime"
+ 	"k8s.io/apimachinery/pkg/runtime/schema"
+ 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+@@ -669,35 +668,50 @@ func (c *Controller) getDesiredEndpoints(service *v1.Service, tenantSlices []*di
+ 		for _, slice := range tenantSlices {
+ 			for _, endpoint := range slice.Endpoints {
+ 				// find all unique nodes that correspond to an endpoint in a tenant slice
++				if endpoint.NodeName == nil {
++					klog.Warningf("Skipping endpoint without NodeName in slice %s/%s", slice.Namespace, slice.Name)
++					continue
++				}
+ 				nodeSet.Insert(*endpoint.NodeName)
+ 			}
+ 		}
+ 
+-		klog.Infof("Desired nodes for service %s in namespace %s: %v", service.Name, service.Namespace, sets.List(nodeSet))
++		klog.Infof("Desired nodes for service %s/%s: %v", service.Namespace, service.Name, sets.List(nodeSet))
+ 
+ 		for _, node := range sets.List(nodeSet) {
+ 			// find vmi for node name
+-			obj := &unstructured.Unstructured{}
+-			vmi := &kubevirtv1.VirtualMachineInstance{}
+-
+-			obj, err := c.infraDynamic.Resource(kubevirtv1.VirtualMachineInstanceGroupVersionKind.GroupVersion().WithResource("virtualmachineinstances")).Namespace(c.infraNamespace).Get(context.TODO(), node, metav1.GetOptions{})
++			obj, err := c.infraDynamic.
++				Resource(kubevirtv1.VirtualMachineInstanceGroupVersionKind.GroupVersion().WithResource("virtualmachineinstances")).
++				Namespace(c.infraNamespace).
++				Get(context.TODO(), node, metav1.GetOptions{})
+ 			if err != nil {
+-				klog.Errorf("Failed to get VirtualMachineInstance %s in namespace %s:%v", node, c.infraNamespace, err)
++				klog.Errorf("Failed to get VMI %q in namespace %q: %v", node, c.infraNamespace, err)
+ 				continue
+ 			}
+ 
++			vmi := &kubevirtv1.VirtualMachineInstance{}
+ 			err = runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, vmi)
+ 			if err != nil {
+ 				klog.Errorf("Failed to convert Unstructured to VirtualMachineInstance: %v", err)
+-				klog.Fatal(err)
++				continue
+ 			}
+ 
++			if vmi.Status.NodeName == "" {
++				klog.Warningf("Skipping VMI %s/%s: NodeName is empty", vmi.Namespace, vmi.Name)
++				continue
++			}
++			nodeNamePtr := &vmi.Status.NodeName
++
+ 			ready := vmi.Status.Phase == kubevirtv1.Running
+ 			serving := vmi.Status.Phase == kubevirtv1.Running
+ 			terminating := vmi.Status.Phase == kubevirtv1.Failed || vmi.Status.Phase == kubevirtv1.Succeeded
+ 
+ 			for _, i := range vmi.Status.Interfaces {
+ 				if i.Name == "default" {
++					if i.IP == "" {
++						klog.Warningf("VMI %s/%s interface %q has no IP, skipping", vmi.Namespace, vmi.Name, i.Name)
++						continue
++					}
+ 					desiredEndpoints = append(desiredEndpoints, &discovery.Endpoint{
+ 						Addresses: []string{i.IP},
+ 						Conditions: discovery.EndpointConditions{
+@@ -705,9 +719,9 @@ func (c *Controller) getDesiredEndpoints(service *v1.Service, tenantSlices []*di
+ 							Serving:     &serving,
+ 							Terminating: &terminating,
+ 						},
+-						NodeName: &vmi.Status.NodeName,
++						NodeName: nodeNamePtr,
+ 					})
+-					continue
++					break
+ 				}
+ 			}
+ 		}
+diff --git a/pkg/controller/kubevirteps/kubevirteps_controller_test.go b/pkg/controller/kubevirteps/kubevirteps_controller_test.go
+index 1c97035b4..d205d0bed 100644
+--- a/pkg/controller/kubevirteps/kubevirteps_controller_test.go
++++ b/pkg/controller/kubevirteps/kubevirteps_controller_test.go
+@@ -771,3 +771,55 @@ var _ = g.Describe("KubevirtEPSController", g.Ordered, func() {
+ 
+ 	})
+ })
++
++var _ = g.Describe("getDesiredEndpoints", func() {
++	g.It("should skip endpoints without NodeName and VMIs without NodeName or IP", func() {
++		// Setup controller
++		ctrl := setupTestKubevirtEPSController().controller
++
++		// Manually inject dynamic client content (1 VMI with missing NodeName)
++		vmi := createUnstructuredVMINode("vmi-without-node", "", "10.0.0.1") // empty NodeName
++		_, err := ctrl.infraDynamic.
++			Resource(kubevirtv1.VirtualMachineInstanceGroupVersionKind.GroupVersion().WithResource("virtualmachineinstances")).
++			Namespace(infraNamespace).
++			Create(context.TODO(), vmi, metav1.CreateOptions{})
++		Expect(err).To(BeNil())
++
++		// Create service
++		svc := createInfraServiceLB("test-svc", "test-svc", "test-cluster",
++			v1.ServicePort{
++				Name:       "http",
++				Port:       80,
++				TargetPort: intstr.FromInt(8080),
++				Protocol:   v1.ProtocolTCP,
++			},
++			v1.ServiceExternalTrafficPolicyLocal,
++		)
++
++		// One endpoint has nil NodeName, another is valid
++		nodeName := "vmi-without-node"
++		tenantSlice := &discoveryv1.EndpointSlice{
++			ObjectMeta: metav1.ObjectMeta{
++				Name:      "slice",
++				Namespace: tenantNamespace,
++				Labels: map[string]string{
++					discoveryv1.LabelServiceName: "test-svc",
++				},
++			},
++			AddressType: discoveryv1.AddressTypeIPv4,
++			Endpoints: []discoveryv1.Endpoint{
++				{ // should be skipped due to nil NodeName
++					Addresses: []string{"10.1.1.1"},
++					NodeName:  nil,
++				},
++				{ // will hit VMI without NodeName and also be skipped
++					Addresses: []string{"10.1.1.2"},
++					NodeName:  &nodeName,
++				},
++			},
++		}
++
++		endpoints := ctrl.getDesiredEndpoints(svc, []*discoveryv1.EndpointSlice{tenantSlice})
++		Expect(endpoints).To(HaveLen(0), "Expected no endpoints due to missing NodeName or IP")
++	})
++})

packages/apps/kubernetes/images/kubevirt-csi-driver.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.21.0@sha256:b1525163cd21938ac934bb1b860f2f3151464fa463b82880ab058167aeaf3e29
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.24.0@sha256:4d3728b2050d4e0adb00b9f4abbb4a020b29e1a39f24ca1447806fc81f110fa6

packages/apps/kubernetes/images/ubuntu-container-disk.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.32@sha256:bfe568db4b768a4b6c67a8d562892bbba766d0245e140d431754589b347f0b41
+ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.32@sha256:e53f2394c7aa76ad10818ffb945e40006cd77406999e47e036d41b8b0bf094cc

packages/apps/kubernetes/templates/cluster.yaml

@@ -121,21 +121,21 @@ metadata:
 spec:
   apiServer:
     {{- if .Values.controlPlane.apiServer.resources }}
-    resources: {{- toYaml .Values.controlPlane.apiServer.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.controlPlane.apiServer.resources $) | nindent 6 }}
     {{- else if ne .Values.controlPlane.apiServer.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.controlPlane.apiServer.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.controlPlane.apiServer.resourcesPreset $) | nindent 6 }}
     {{- end }}
   controllerManager:
     {{- if .Values.controlPlane.controllerManager.resources }}
-    resources: {{- toYaml .Values.controlPlane.controllerManager.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.controlPlane.controllerManager.resources $) | nindent 6 }}
     {{- else if ne .Values.controlPlane.controllerManager.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.controlPlane.controllerManager.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.controlPlane.controllerManager.resourcesPreset $) | nindent 6 }}
     {{- end }}
   scheduler:
     {{- if .Values.controlPlane.scheduler.resources }}
-    resources: {{- toYaml .Values.controlPlane.scheduler.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.controlPlane.scheduler.resources $) | nindent 6 }}
     {{- else if ne .Values.controlPlane.scheduler.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.controlPlane.scheduler.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.controlPlane.scheduler.resourcesPreset $) | nindent 6 }}
     {{- end }}
   dataStoreName: "{{ $etcd }}"
   addons:
@@ -146,9 +146,9 @@ spec:
       server:
         port: 8132
         {{- if .Values.controlPlane.konnectivity.server.resources }}
-        resources: {{- toYaml .Values.controlPlane.konnectivity.server.resources | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.sanitize" (list .Values.controlPlane.konnectivity.server.resources $) | nindent 10 }}
         {{- else if ne .Values.controlPlane.konnectivity.server.resourcesPreset "none" }}
-        resources: {{- include "resources.preset" (dict "type" .Values.controlPlane.konnectivity.server.resourcesPreset "Release" .Release) | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.preset" (list .Values.controlPlane.konnectivity.server.resourcesPreset $) | nindent 10 }}
         {{- end }}
   kubelet:
     cgroupfs: systemd
@@ -211,12 +211,25 @@ spec:
       - ["LABEL=ephemeral", "/ephemeral"]
       - ["/ephemeral/kubelet", "/var/lib/kubelet", "none", "bind,nofail"]
       - ["/ephemeral/containerd", "/var/lib/containerd", "none", "bind,nofail"]
+      {{- $sec := lookup "v1" "Secret" $.Release.Namespace (printf "%s-patch-containerd" $.Release.Name) }}
+      {{- if $sec }}
+      files:
+        {{- range $key, $_ := $sec.data }}
+        - path: /etc/containerd/certs.d/{{ trimSuffix ".toml" $key }}/hosts.toml
+          contentFrom:
+            secret:
+              name: {{ $.Release.Name }}-patch-containerd
+              key: {{ $key }}
+          permissions: "0400"
+        {{- end }}
+      {{- end }}
       preKubeadmCommands:
       - sed -i 's|root:x:|root::|' /etc/passwd
       - systemctl stop containerd.service
       - mkdir -p /ephemeral/kubelet /ephemeral/containerd
       - mount -o bind /ephemeral/kubelet /var/lib/kubelet
       - mount -o bind /ephemeral/containerd /var/lib/containerd
+      - sudo sed -i '/\[plugins."io.containerd.grpc.v1.cri".registry\]/,/^\[/ s|^\(\s*config_path\s*=\s*\).*|\1"/etc/containerd/certs.d"|' /etc/containerd/config.toml
       - systemctl start containerd.service
       joinConfiguration:
         nodeRegistration:

packages/apps/kubernetes/templates/copy-patch-containerd.yaml

@@ -0,0 +1,15 @@
+{{- if not .Values.useCustomSecretForPatchContainerd }}
+{{- $sourceSecret := lookup "v1" "Secret" "cozy-system" "patch-containerd" }}
+{{- if $sourceSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-patch-containerd
+  namespace: {{ .Release.Namespace }}
+type: {{ $sourceSecret.type }}
+data:
+{{- range $key, $value := $sourceSecret.data }}
+  {{ printf "%s: %s" $key ($value | quote) | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}

packages/apps/kubernetes/templates/dashboard-resourcemap.yaml

@@ -34,3 +34,14 @@ rules:
   - {{ $.Release.Name }}-{{ $groupName }}
   {{- end }}
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/kubernetes/templates/helmreleases/gateway-api-crds.yaml

@@ -17,6 +17,7 @@ spec:
         kind: HelmRepository
         name: cozystack-system
         namespace: cozy-system
+      version: '>= 0.0.0-0'
   kubeConfig:
     secretRef:
       name: {{ .Release.Name }}-admin-kubeconfig

packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler.yaml

@@ -1,4 +1,6 @@
 {{- define "cozystack.defaultVPAValues" -}}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $targetTenant := index $myNS.metadata.annotations "namespace.cozystack.io/monitoring" }}
 vertical-pod-autoscaler:
@@ -13,7 +15,7 @@ vertical-pod-autoscaler:
       metric-for-pod-labels: kube_pod_labels{job="kube-state-metrics", tenant="{{ .Release.Namespace }}", cluster="{{ .Release.Name }}"}[8d]
       pod-name-label: pod
       pod-namespace-label: namespace
-      prometheus-address: http://vmselect-shortterm.{{ $targetTenant }}.svc.cozy.local:8481/select/0/prometheus/
+      prometheus-address: http://vmselect-shortterm.{{ $targetTenant }}.svc.{{ $clusterDomain }}:8481/select/0/prometheus/
       prometheus-cadvisor-job-name: cadvisor
     resources:
       limits:

packages/apps/kubernetes/values.schema.json

@@ -26,7 +26,7 @@
             "resourcesPreset": {
               "type": "string",
               "description": "Use a common resources preset when `resources` is not set explicitly.",
-              "default": "small",
+              "default": "medium",
               "enum": [
                 "none",
                 "nano",
@@ -127,6 +127,11 @@
       "description": "StorageClass used to store user data.",
       "default": "replicated"
     },
+    "useCustomSecretForPatchContainerd": {
+      "type": "boolean",
+      "description": "if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd",
+      "default": false
+    },
     "addons": {
       "type": "object",
       "properties": {

packages/apps/kubernetes/values.yaml

@@ -3,9 +3,11 @@
 ## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
 ## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
 ## @param storageClass StorageClass used to store user data.
+## @param useCustomSecretForPatchContainerd if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd
 ##
 host: ""
 storageClass: replicated
+useCustomSecretForPatchContainerd: false
 
 ## @param nodeGroups [object] nodeGroups configuration
 ##
@@ -121,7 +123,7 @@ controlPlane:
     ##     cpu: 100m
     ##     memory: 512Mi
     ##
-    resourcesPreset: "small"
+    resourcesPreset: "medium"
     resources: {}
 
   controllerManager:

packages/apps/mysql/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.8.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/mysql/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/mysql/images/mariadb-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/mariadb-backup:0.7.0@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4
+ghcr.io/cozystack/cozystack/mariadb-backup:0.8.0@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4

packages/apps/mysql/templates/dashboard-resourcemap.yaml

@@ -25,3 +25,14 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/mysql/templates/mariadb.yaml

@@ -57,6 +57,11 @@ spec:
     name: {{ .Release.Name }}-my-cnf
     key: config
 
+  service:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: {{ $.Release.Name }}
+
   storage:
     size: {{ .Values.size }}
     resizeInUseVolumes: true
@@ -74,7 +79,7 @@ spec:
   #  type: LoadBalancer
 
   {{- if .Values.resources }}
-  resources: {{- toYaml .Values.resources | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
   {{- else if ne .Values.resourcesPreset "none" }}
-  resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 4 }}
   {{- end }}

packages/apps/nats/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/nats/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/nats/templates/dashboard-resourcemap.yaml

@@ -24,3 +24,14 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/nats/templates/nats.yaml

@@ -1,3 +1,5 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $clusterDomain := (index $cozyConfig.data "cluster-domain") | default "cozy.local" }}
 {{- $passwords := dict }}
 {{- range $user, $u := .Values.users }}
   {{- if $u.password }}
@@ -45,12 +47,15 @@ spec:
               - name: nats
                 image: nats:2.10.17-alpine
                 {{- if .Values.resources }}
-                resources: {{- toYaml .Values.resources | nindent 22 }}
+                resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 22 }}
                 {{- else if ne .Values.resourcesPreset "none" }}
-                resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 22 }}
+                resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 22 }}
                 {{- end }}
       fullnameOverride: {{ .Release.Name }}
       config:
+        cluster:
+          routeURLs:
+            k8sClusterDomain: {{ $clusterDomain }}
         {{- if or (gt (len $passwords) 0) (gt (len .Values.config.merge) 0) }}
         merge:
           {{- if gt (len $passwords) 0 }}

packages/apps/postgres/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.12.0
+version: 0.14.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/postgres/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/postgres/images/postgres-backup.tag

@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.12.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f
+ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f

packages/apps/postgres/templates/_postgresjobs.tpl

@@ -0,0 +1,11 @@
+{{/*
+Generate resource requirements based on ResourceQuota named as the namespace.
+*/}}
+{{- define "postgresjobs.defaultResources" }}
+cpu: "1"
+memory: 512Mi
+{{- end }}
+{{- define "postgresjobs.resources" }}
+resources:
+{{ include "cozy-lib.resources.sanitize" (list (include "postgresjobs.defaultResources" $ | fromYaml) $) | nindent 2 }}
+{{- end }}

packages/apps/postgres/templates/backup-cronjob.yaml

@@ -81,6 +81,7 @@ spec:
               privileged: false
               readOnlyRootFilesystem: true
               runAsNonRoot: true
+            {{- include "postgresjobs.resources" . | nindent 12 }}
           volumes:
           - name: scripts
             secret:

packages/apps/postgres/templates/dashboard-resourcemap.yaml

@@ -26,3 +26,14 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/postgres/templates/db.yaml

@@ -6,9 +6,9 @@ metadata:
 spec:
   instances: {{ .Values.replicas }}
   {{- if .Values.resources }}
-  resources: {{- toYaml .Values.resources | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
   {{- else if ne .Values.resourcesPreset "none" }}
-  resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 4 }}
   {{- end }}
 
   enableSuperuserAccess: true
@@ -44,6 +44,8 @@ spec:
   inheritedMetadata:
     labels:
       policy.cozystack.io/allow-to-apiserver: "true"
+      app.kubernetes.io/name: postgres.apps.cozystack.io
+      app.kubernets.io/instance: {{ $.Release.Name }}
 ---
 apiVersion: cozystack.io/v1alpha1
 kind: WorkloadMonitor
@@ -55,6 +57,6 @@ spec:
   kind: postgres
   type: postgres
   selector:
-    cnpg.io/cluster: {{ .Release.Name }}
-    cnpg.io/podRole: instance
+    app.kubernetes.io/name: postgres.apps.cozystack.io
+    app.kubernets.io/instance: {{ $.Release.Name }}
   version: {{ $.Chart.Version }}

packages/apps/postgres/templates/init-job.yaml

@@ -50,6 +50,7 @@ spec:
           name: secret
         - mountPath: /scripts
           name: scripts
+        {{- include "postgresjobs.resources" . | nindent 8 }}
       securityContext:
         fsGroup: 26
         runAsGroup: 26

packages/apps/rabbitmq/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/rabbitmq/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/rabbitmq/templates/dashboard-resourcemap.yaml

@@ -27,3 +27,14 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/rabbitmq/templates/rabbitmq.yaml

@@ -12,9 +12,9 @@ spec:
     type: LoadBalancer
   {{- end }}
   {{- if .Values.resources }}
-  resources: {{- toYaml .Values.resources | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 4 }}
   {{- else if ne .Values.resourcesPreset "none" }}
-  resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 4 }}
+  resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 4 }}
   {{- end }}
   override:
     statefulSet:

packages/apps/redis/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.8.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/redis/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/redis/templates/dashboard-resourcemap.yaml

@@ -28,3 +28,14 @@ rules:
   - {{ .Release.Name }}-redis
   - {{ .Release.Name }}-sentinel
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/redis/templates/redisfailover.yaml

@@ -26,22 +26,25 @@ spec:
   sentinel:
     replicas: 3
     {{- if .Values.resources }}
-    resources: {{- toYaml .Values.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 6 }}
     {{- else if ne .Values.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 6 }}
     {{- end }}
   redis:
     replicas: {{ .Values.replicas }}
     {{- if .Values.resources }}
-    resources: {{- toYaml .Values.resources | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 6 }}
     {{- else if ne .Values.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 6 }}
     {{- end }}
     {{- with .Values.size }}
     storage:
       persistentVolumeClaim:
         metadata:
           name: redisfailover-persistent-data
+          labels:
+            app.kubernetes.io/component: redis
+            app.kubernetes.io/instance: {{ $.Release.Name }}
         spec:
           accessModes:
             - ReadWriteOnce

packages/apps/tcp-balancer/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.4.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/tcp-balancer/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/tcp-balancer/templates/deployment.yaml

@@ -15,6 +15,7 @@ spec:
     metadata:
       labels:
         app: {{ .Release.Name }}-haproxy
+        app.kubernetes.io/instance: {{ .Release.Name }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
     spec:
@@ -34,9 +35,9 @@ spec:
       - image: haproxy:latest
         name: haproxy
         {{- if .Values.resources }}
-        resources: {{- toYaml .Values.resources | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.sanitize" (list .Values.resources $) | nindent 10 }}
         {{- else if ne .Values.resourcesPreset "none" }}
-        resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 10 }}
+        resources: {{- include "cozy-lib.resources.preset" (list .Values.resourcesPreset $) | nindent 10 }}
         {{- end }}
         ports:
         {{- with .Values.httpAndHttps }}

packages/apps/tcp-balancer/templates/workloadmonitor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cozystack.io/v1alpha1
+kind: WorkloadMonitor
+metadata:
+  name: {{ $.Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  minReplicas: 1
+  kind: tcp-balancer
+  type: haproxy
+  selector:
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  version: {{ $.Chart.Version }}

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.9.2
+version: 1.10.0

packages/apps/tenant/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/tenant/templates/tenant.yaml

@@ -23,8 +23,8 @@ metadata:
   namespace: {{ include "tenant.name" . }}
 rules:
 - apiGroups: [""]
-  resources: ["*"]
-  verbs: ["get", "list", "watch", "create", "update", "patch"]
+  resources: ["pods", "services", "persistentvolumes", "endpoints", "events", "resourcequotas"]
+  verbs: ["get", "list", "watch"]
 - apiGroups: ["networking.k8s.io"]
   resources: ["ingresses"]
   verbs: ["get", "list", "watch"]
@@ -94,7 +94,12 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - "*"
+      - pods
+      - services
+      - persistentvolumes
+      - endpoints
+      - events
+      - resourcequotas
     verbs:
       - get
       - list
@@ -119,24 +124,7 @@ metadata:
   name: {{ include "tenant.name" . }}-view
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{- if ne .Release.Namespace "tenant-root" }}
-- kind: Group
-  name: tenant-root-view
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
-- kind: Group
-  name: {{ include "tenant.name" . }}-view
-  apiGroup: rbac.authorization.k8s.io
-{{- if hasPrefix "tenant-" .Release.Namespace }}
-{{- $parts := splitList "-" .Release.Namespace }}
-{{- range $i, $v := $parts }}
-{{- if ne $i 0 }}
-- kind: Group
-  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-view
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
-{{- end }}
-{{- end }}
+{{ include "cozy-lib.rbac.subjectsForTenant" (list "view" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-view
@@ -165,7 +153,12 @@ rules:
     - watch
   - apiGroups: [""]
     resources:
-    - "*"
+      - pods
+      - services
+      - persistentvolumes
+      - endpoints
+      - events
+      - resourcequotas
     verbs:
     - get
     - list
@@ -184,6 +177,12 @@ rules:
     verbs:
     - get
     - list
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+      - virtualmachineinstances/portforward
+    verbs:
+      - get
+      - update
   - apiGroups:
     - cozystack.io
     resources:
@@ -196,24 +195,7 @@ metadata:
   name: {{ include "tenant.name" . }}-use
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{- if ne .Release.Namespace "tenant-root" }}
-- kind: Group
-  name: tenant-root-use
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
-- kind: Group
-  name: {{ include "tenant.name" . }}-use
-  apiGroup: rbac.authorization.k8s.io
-{{- if hasPrefix "tenant-" .Release.Namespace }}
-{{- $parts := splitList "-" .Release.Namespace }}
-{{- range $i, $v := $parts }}
-{{- if ne $i 0 }}
-- kind: Group
-  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-use
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
-{{- end }}
-{{- end }}
+{{ include "cozy-lib.rbac.subjectsForTenant" (list "use" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-use
@@ -234,7 +216,12 @@ rules:
     - get
   - apiGroups: [""]
     resources:
-    - "*"
+      - pods
+      - services
+      - persistentvolumes
+      - endpoints
+      - events
+      - resourcequotas
     verbs:
     - get
     - list
@@ -253,6 +240,12 @@ rules:
     verbs:
     - get
     - list
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+      - virtualmachineinstances/portforward
+    verbs:
+      - get
+      - update
   - apiGroups: ["apps.cozystack.io"]
     resources:
     - buckets
@@ -293,24 +286,7 @@ metadata:
   name: {{ include "tenant.name" . }}-admin
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{- if ne .Release.Namespace "tenant-root" }}
-- kind: Group
-  name: tenant-root-admin
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
-- kind: Group
-  name: {{ include "tenant.name" . }}-admin
-  apiGroup: rbac.authorization.k8s.io
-{{- if hasPrefix "tenant-" .Release.Namespace }}
-{{- $parts := splitList "-" .Release.Namespace }}
-{{- range $i, $v := $parts }}
-{{- if ne $i 0 }}
-- kind: Group
-  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-admin
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
-{{- end }}
-{{- end }}
+{{ include "cozy-lib.rbac.subjectsForTenant" (list "admin" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-admin
@@ -331,7 +307,12 @@ rules:
     - get
   - apiGroups: [""]
     resources:
-    - "*"
+      - pods
+      - services
+      - persistentvolumes
+      - endpoints
+      - events
+      - resourcequotas
     verbs:
     - get
     - list
@@ -349,6 +330,12 @@ rules:
     verbs:
     - get
     - list
+  - apiGroups: ["subresources.kubevirt.io"]
+    resources:
+      - virtualmachineinstances/portforward
+    verbs:
+      - get
+      - update
   - apiGroups: ["apps.cozystack.io"]
     resources:
     - '*'
@@ -366,24 +353,7 @@ metadata:
   name: {{ include "tenant.name" . }}-super-admin
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{- if ne .Release.Namespace "tenant-root" }}
-- kind: Group
-  name: tenant-root-super-admin
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
-- kind: Group
-  name: {{ include "tenant.name" . }}-super-admin
-  apiGroup: rbac.authorization.k8s.io
-{{- if hasPrefix "tenant-" .Release.Namespace }}
-{{- $parts := splitList "-" .Release.Namespace }}
-{{- range $i, $v := $parts }}
-{{- if ne $i 0 }}
-- kind: Group
-  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
-{{- end }}
-{{- end }}
+{{ include "cozy-lib.rbac.subjectsForTenant" (list "super-admin" (include "tenant.name" .) ) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-super-admin

packages/apps/versions_map

@@ -1,4 +1,5 @@
-bucket 0.1.0 HEAD
+bucket 0.1.0 632224a3
+bucket 0.2.0 HEAD
 clickhouse 0.1.0 f7eaab0a
 clickhouse 0.2.0 53f2365e
 clickhouse 0.2.1 dfbc210b
@@ -9,7 +10,9 @@ clickhouse 0.6.0 1ec10165
 clickhouse 0.6.1 c62a83a7
 clickhouse 0.6.2 8267072d
 clickhouse 0.7.0 93bdf411
-clickhouse 0.9.0 HEAD
+clickhouse 0.9.0 6130f43d
+clickhouse 0.9.2 632224a3
+clickhouse 0.10.0 HEAD
 ferretdb 0.1.0 e9716091
 ferretdb 0.1.1 91b0499a
 ferretdb 0.2.0 6c5cf5bf
@@ -18,13 +21,16 @@ ferretdb 0.4.0 b40e1b09
 ferretdb 0.4.1 1ec10165
 ferretdb 0.4.2 8267072d
 ferretdb 0.5.0 93bdf411
-ferretdb 0.6.0 HEAD
+ferretdb 0.6.0 6130f43d
+ferretdb 0.6.1 632224a3
+ferretdb 0.7.0 HEAD
 http-cache 0.1.0 263e47be
 http-cache 0.2.0 53f2365e
 http-cache 0.3.0 6c5cf5bf
 http-cache 0.3.1 0f312d5c
 http-cache 0.4.0 93bdf411
-http-cache 0.5.0 HEAD
+http-cache 0.5.0 6130f43d
+http-cache 0.5.1 HEAD
 kafka 0.1.0 f7eaab0a
 kafka 0.2.0 c0685f43
 kafka 0.2.1 dfbc210b
@@ -36,37 +42,10 @@ kafka 0.3.2 93c46161
 kafka 0.3.3 8267072d
 kafka 0.4.0 85ec09b8
 kafka 0.5.0 93bdf411
-kafka 0.6.0 HEAD
-kubernetes 0.1.0 263e47be
-kubernetes 0.2.0 53f2365e
-kubernetes 0.3.0 007d414f
-kubernetes 0.4.0 d7cfa53c
-kubernetes 0.5.0 dfbc210b
-kubernetes 0.6.0 5bbc488e
-kubernetes 0.7.0 e9716091
-kubernetes 0.8.0 ac11056e
-kubernetes 0.8.1 366bcafc
-kubernetes 0.8.2 f81be075
-kubernetes 0.9.0 6c5cf5bf
-kubernetes 0.10.0 b8e33d19
-kubernetes 0.11.0 4b90bf5a
-kubernetes 0.11.1 5fb9cfe3
-kubernetes 0.12.0 bb985806
-kubernetes 0.12.1 28fca4ef
-kubernetes 0.13.0 1ec10165
-kubernetes 0.14.0 bfbde07c
-kubernetes 0.14.1 898374b5
-kubernetes 0.15.0 4e68e65c
-kubernetes 0.15.1 160e4e2a
-kubernetes 0.15.2 8267072d
-kubernetes 0.16.0 077045b0
-kubernetes 0.17.0 1fbbfcd0
-kubernetes 0.17.1 fd240701
-kubernetes 0.18.0 721c12a7
-kubernetes 0.19.0 93bdf411
-kubernetes 0.20.0 609e7ede
-kubernetes 0.20.1 f9f8bb2f
-kubernetes 0.21.0 HEAD
+kafka 0.6.0 6130f43d
+kafka 0.6.1 632224a3
+kafka 0.7.0 HEAD
+kubernetes 0.24.0 HEAD
 mysql 0.1.0 263e47be
 mysql 0.2.0 c24a103f
 mysql 0.3.0 53f2365e
@@ -76,7 +55,9 @@ mysql 0.5.1 0f312d5c
 mysql 0.5.2 1ec10165
 mysql 0.5.3 8267072d
 mysql 0.6.0 93bdf411
-mysql 0.7.0 HEAD
+mysql 0.7.0 6130f43d
+mysql 0.7.1 632224a3
+mysql 0.8.0 HEAD
 nats 0.1.0 e9716091
 nats 0.2.0 6c5cf5bf
 nats 0.3.0 78366f19
@@ -84,7 +65,9 @@ nats 0.3.1 c62a83a7
 nats 0.4.0 898374b5
 nats 0.4.1 8267072d
 nats 0.5.0 93bdf411
-nats 0.6.0 HEAD
+nats 0.6.0 6130f43d
+nats 0.6.1 632224a3
+nats 0.7.0 HEAD
 postgres 0.1.0 263e47be
 postgres 0.2.0 53f2365e
 postgres 0.2.1 d7cfa53c
@@ -101,7 +84,9 @@ postgres 0.9.0 8267072d
 postgres 0.10.0 721c12a7
 postgres 0.10.1 93bdf411
 postgres 0.11.0 f9f8bb2f
-postgres 0.12.0 HEAD
+postgres 0.12.0 6130f43d
+postgres 0.12.1 632224a3
+postgres 0.14.0 HEAD
 rabbitmq 0.1.0 263e47be
 rabbitmq 0.2.0 53f2365e
 rabbitmq 0.3.0 6c5cf5bf
@@ -111,7 +96,8 @@ rabbitmq 0.4.2 4b90bf5a
 rabbitmq 0.4.3 1ec10165
 rabbitmq 0.4.4 8267072d
 rabbitmq 0.5.0 93bdf411
-rabbitmq 0.6.0 HEAD
+rabbitmq 0.6.0 632224a3
+rabbitmq 0.7.0 HEAD
 redis 0.1.1 263e47be
 redis 0.2.0 53f2365e
 redis 0.3.0 6c5cf5bf
@@ -119,34 +105,15 @@ redis 0.3.1 c62a83a7
 redis 0.4.0 84f3ccc0
 redis 0.5.0 4e68e65c
 redis 0.6.0 93bdf411
-redis 0.7.0 HEAD
+redis 0.7.0 6130f43d
+redis 0.7.1 632224a3
+redis 0.8.0 HEAD
 tcp-balancer 0.1.0 263e47be
 tcp-balancer 0.2.0 53f2365e
 tcp-balancer 0.3.0 93bdf411
-tcp-balancer 0.4.0 HEAD
-tenant 0.1.4 afc997ef
-tenant 0.1.5 e3ab858a
-tenant 1.0.0 263e47be
-tenant 1.1.0 c0685f43
-tenant 1.2.0 dfbc210b
-tenant 1.3.0 e9716091
-tenant 1.3.1 91b0499a
-tenant 1.4.0 71514249
-tenant 1.5.0 1ec10165
-tenant 1.6.0 df448b99
-tenant 1.6.1 c62a83a7
-tenant 1.6.2 898374b5
-tenant 1.6.3 2057bb96
-tenant 1.6.4 84f3ccc0
-tenant 1.6.5 fde4bcfa
-tenant 1.6.6 4e68e65c
-tenant 1.6.7 0ab39f20
-tenant 1.6.8 bc95159a
-tenant 1.7.0 24fa7222
-tenant 1.8.0 160e4e2a
-tenant 1.9.0 728743db
-tenant 1.9.1 721c12a7
-tenant 1.9.2 HEAD
+tcp-balancer 0.4.0 6130f43d
+tcp-balancer 0.4.1 HEAD
+tenant 1.10.0 HEAD
 virtual-machine 0.1.4 f2015d65
 virtual-machine 0.1.5 263e47be
 virtual-machine 0.2.0 c0685f43
@@ -161,9 +128,13 @@ virtual-machine 0.8.1 93c46161
 virtual-machine 0.8.2 de19450f
 virtual-machine 0.9.0 721c12a7
 virtual-machine 0.9.1 93bdf411
-virtual-machine 0.10.0 HEAD
+virtual-machine 0.10.0 6130f43d
+virtual-machine 0.10.2 632224a3
+virtual-machine 0.11.0 HEAD
 vm-disk 0.1.0 d971f2ff
-vm-disk 0.1.1 HEAD
+vm-disk 0.1.1 6130f43d
+vm-disk 0.1.2 632224a3
+vm-disk 0.2.0 HEAD
 vm-instance 0.1.0 1ec10165
 vm-instance 0.2.0 84f3ccc0
 vm-instance 0.3.0 4e68e65c
@@ -172,10 +143,14 @@ vm-instance 0.4.1 0ab39f20
 vm-instance 0.5.0 3fa4dd3a
 vm-instance 0.5.1 de19450f
 vm-instance 0.6.0 721c12a7
-vm-instance 0.7.0 HEAD
+vm-instance 0.7.0 6130f43d
+vm-instance 0.7.2 632224a3
+vm-instance 0.8.0 HEAD
 vpn 0.1.0 263e47be
 vpn 0.2.0 53f2365e
 vpn 0.3.0 6c5cf5bf
 vpn 0.3.1 1ec10165
 vpn 0.4.0 93bdf411
-vpn 0.5.0 HEAD
+vpn 0.5.0 6130f43d
+vpn 0.5.1 632224a3
+vpn 0.6.1 HEAD

packages/apps/virtual-machine/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.0
+version: 0.11.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.10.0
+appVersion: 0.11.0

packages/apps/virtual-machine/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/virtual-machine/templates/dashboard-resourcemap.yaml

@@ -11,6 +11,17 @@ rules:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
 ---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: cozystack.io/v1alpha1
 kind: WorkloadMonitor
 metadata:
@@ -21,5 +32,5 @@ spec:
   kind: virtual-machine
   type: virtual-machine
   selector:
-    vm.kubevirt.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
   version: {{ $.Chart.Version }}

packages/apps/virtual-machine/templates/vm.yaml

@@ -13,6 +13,7 @@ metadata:
     {{- include "virtual-machine.labels" . | nindent 4 }}
 spec:
   running: {{ .Values.running | default "true" }}
+
   {{- with .Values.instanceType }}
   instancetype:
     kind: VirtualMachineClusterInstancetype
@@ -23,9 +24,12 @@ spec:
     kind: VirtualMachineClusterPreference
     name: {{ . }}
   {{- end }}
+
   dataVolumeTemplates:
   - metadata:
       name: {{ include "virtual-machine.fullname" . }}
+      labels:
+        app.kubernetes.io/instance: {{ .Release.Name }}
     spec:
       storage:
         resources:
@@ -75,21 +79,25 @@ spec:
             deviceName: {{ $gpu.name }}
           {{- end }}
           {{- end }}
+
           disks:
           - disk:
               bus: scsi
             name: systemdisk
-          {{- if or .Values.sshKeys .Values.cloudInit }}
+          {{- if .Values.sshKeys }}
           - disk:
               bus: virtio
             name: cloudinitdisk
           {{- end }}
+
           interfaces:
           - name: default
             bridge: {}
+
         machine:
           type: ""
-      {{- with .Values.sshKeys }}
+
+      {{- if .Values.sshKeys }}
       accessCredentials:
       - sshPublicKey:
           source:
@@ -99,23 +107,37 @@ spec:
             # keys will be injected into metadata part of cloud-init disk
             noCloud: {}
       {{- end }}
+
       terminationGracePeriodSeconds: 30
+
       volumes:
-      - name: systemdisk
-        dataVolume:
-          name: {{ include "virtual-machine.fullname" . }}
-      {{- if or .Values.sshKeys .Values.cloudInit }}
-      - name: cloudinitdisk
-        cloudInitNoCloud:
-        {{- if .Values.cloudInit }}
-          secretRef:
-            name: {{ include "virtual-machine.fullname" . }}-cloud-init
+        - name: systemdisk
+          dataVolume:
+            name: {{ include "virtual-machine.fullname" . }}
+
+        {{- if and .Values.sshKeys .Values.cloudInit }}
+        - name: cloudinitdisk
+          cloudInitNoCloud:
+            secretRef:
+              name: {{ include "virtual-machine.fullname" . }}-cloud-init
+        {{- else if .Values.sshKeys }}
+        - name: cloudinitdisk
+          cloudInitNoCloud:
+            userData: |
+              {{ printf "%s" "#cloud-config" }}
+              ssh_authorized_keys:
+                {{- range .Values.sshKeys }}
+                - {{ . }}
+                {{- end }}
+              chpasswd:
+                expire: false
         {{- else }}
-          userData: |
-            #cloud-config
-            final_message: Cloud-init user-data was left blank intentionally.
+        - name: cloudinitdisk
+          cloudInitNoCloud:
+            userData: |
+              {{ printf "%s" "#cloud-config" }}
         {{- end }}
-      {{- end }}
+
       networks:
       - name: default
         pod: {}

packages/apps/vm-disk/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.1.1
+appVersion: 0.2.0

packages/apps/vm-disk/charts/cozy-lib

@@ -0,0 +1 @@
+../../../library/cozy-lib

packages/apps/vm-disk/templates/dashboard-resourcemap.yaml

@@ -10,3 +10,14 @@ rules:
   resourceNames:
   - {{ .Release.Name }}
   verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+subjects:
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" .Release.Namespace) }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-dashboard-resources
+  apiGroup: rbac.authorization.k8s.io

packages/apps/vm-disk/templates/dv.yaml

@@ -7,6 +7,8 @@ metadata:
     cdi.kubevirt.io/storage.bind.immediate.requested: ""
     {{- end }}
     vm-disk.cozystack.io/optical: "{{ .Values.optical }}"
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
   name: {{ .Release.Name }}
 spec:
   {{- if $existingDV }}