[kubernetes] Pre-install NVIDIA GPU Driver

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-05 00:15:51 +00:00 · 2025-04-24 00:38:53 +02:00
85 changed files with 816 additions and 1565 deletions
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@@ -1,53 +0,0 @@
 name: Automatic Backport
 on:
  pull_request_target:
    types: [closed]   # fires when PR is closed (merged)
 concurrency:
  group: backport-${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true
 permissions:
  contents: write
  pull-requests: write
 jobs:
  backport:
    if: |
      github.event.pull_request.merged == true &&
      contains(github.event.pull_request.labels.*.name, 'backport')
    runs-on: [self-hosted]
    steps:
      # 1. Decide which maintenance branch should receive the back‑port
      - name: Determine target maintenance branch
        id: target
        uses: actions/github-script@v7
        with:
          script: |
            let rel;
            try {
              rel = await github.rest.repos.getLatestRelease({
                owner: context.repo.owner,
                repo: context.repo.repo
              });
            } catch (e) {
              core.setFailed('No existing releases found; cannot determine backport target.');
              return;
            }
            const [maj, min] = rel.data.tag_name.replace(/^v/, '').split('.');
            const branch = `release-${maj}.${min}`;
            core.setOutput('branch', branch);
            console.log(`Latest release ${rel.data.tag_name}; backporting to ${branch}`);
      # 2. Checkout (required by backport‑action)
      - name: Checkout repository
        uses: actions/checkout@v4
      # 3. Create the back‑port pull request
      - name: Create back‑port PR
        uses: korthout/backport-action@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          label_pattern: '' # don't read labels for targets
          target_branches: ${{ steps.target.outputs.branch }}
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -1,26 +1,21 @@
 name: Pre-Commit Checks
 on:
-  pull_request_target:
+  push:
-    types: [labeled, opened, synchronize, reopened]
+    branches:
      - main
  pull_request:
    paths-ignore:
      - '**.md'
 concurrency:
  group: pre-commit-${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true
 jobs:
  pre-commit:
    runs-on: ubuntu-22.04
    steps:
-      - name: Checkout code (PR branch)
+      - name: Checkout code
        uses: actions/checkout@v3
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref:        ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
-          fetch-tags:  true
+          fetch-tags: true
      - name: Set up Python
        uses: actions/setup-python@v4
--- a/.github/workflows/pull-requests-release.yaml
+++ b/.github/workflows/pull-requests-release.yaml
@@ -1,13 +1,9 @@
 name: Releasing PR
 on:
-  pull_request_target:
+  pull_request:
    types: [labeled, opened, synchronize, reopened, closed]
 concurrency:
  group: pull-requests-release-${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true
 jobs:
  verify:
    name: Test Release
@@ -16,19 +12,17 @@ jobs:
      contents: read
      packages: write
    # Run only when the PR carries the "release" label and not closed.
    if: |
      contains(github.event.pull_request.labels.*.name, 'ok-to-test') &&
      contains(github.event.pull_request.labels.*.name, 'release') &&
      github.event.action != 'closed'
    steps:
-      - name: Checkout code (PR branch)
+      - name: Checkout code
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref:        ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
-          fetch-tags:  true
+          fetch-tags: true
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
@@ -45,112 +39,38 @@ jobs:
    runs-on: [self-hosted]
    permissions:
      contents: write
-
+  
    if: |
      github.event.pull_request.merged == true &&
      contains(github.event.pull_request.labels.*.name, 'release')
-
+  
    steps:
      # Extract tag from branch name  (branch = release-X.Y.Z*)
      - name: Extract tag from branch name
        id: get_tag
        uses: actions/github-script@v7
        with:
          script: |
            const branch = context.payload.pull_request.head.ref;
-            const m = branch.match(/^release-(\d+\.\d+\.\d+(?:[-\w\.]+)?)$/);
+            const match = branch.match(/^release-(\d+\.\d+\.\d+(?:[-\w\.]+)?)$/);
            if (!m) {
              core.setFailed(`Branch '${branch}' does not match 'release-X.Y.Z[-suffix]'`);
              return;
            }
            const tag = `v${m[1]}`;
            core.setOutput('tag', tag);
            console.log(`✅ Tag to publish: ${tag}`);
-      # Checkout merged commit (default ref -> merge SHA)
+            if (!match) {
              core.setFailed(`Branch '${branch}' does not match expected format 'release-X.Y.Z[-suffix]'`);
            } else {
              const tag = `v${match[1]}`;
              core.setOutput('tag', tag);
              console.log(`✅ Extracted tag: ${tag}`);
            }
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-
+  
-      - name: Create tag on merge commit
+      - name: Create tag on merged commit
        run: |
-          git tag -f ${{ steps.get_tag.outputs.tag }} ${{ github.sha }}
+          git tag ${{ steps.get_tag.outputs.tag }} ${{ github.sha }} --force
-          git push -f origin ${{ steps.get_tag.outputs.tag }}
+          git push origin ${{ steps.get_tag.outputs.tag }} --force
-
+  
      # Ensure maintenance branch release-X.Y
      - name: Ensure maintenance branch release-X.Y
        uses: actions/github-script@v7
        with:
          script: |
            const tag = '${{ steps.get_tag.outputs.tag }}';  // e.g. v0.1.3 or v0.1.3-rc3
            const match = tag.match(/^v(\d+)\.(\d+)\.\d+(?:[-\w\.]+)?$/);
            if (!match) {
              core.setFailed(`❌ tag '${tag}' must match 'vX.Y.Z' or 'vX.Y.Z-suffix'`);
              return;
            }
            const line = `${match[1]}.${match[2]}`;
            const branch = `release-${line}`;
            try {
              await github.rest.repos.getBranch({
                owner: context.repo.owner,
                repo:  context.repo.repo,
                branch
              });
              console.log(`Branch '${branch}' already exists`);
            } catch (_) {
              await github.rest.git.createRef({
                owner: context.repo.owner,
                repo:  context.repo.repo,
                ref:   `refs/heads/${branch}`,
                sha:   context.sha
              });
              console.log(`✅ Branch '${branch}' created at ${context.sha}`);
            }
      # Get the latest published release
      - name: Get the latest published release
        id: latest_release
        uses: actions/github-script@v7
        with:
          script: |
            try {
              const rel = await github.rest.repos.getLatestRelease({
                owner: context.repo.owner,
                repo:  context.repo.repo
              });
              core.setOutput('tag', rel.data.tag_name);
            } catch (_) {
              core.setOutput('tag', '');
            }
      # Compare current tag vs latest using semver-utils
      - name: Semver compare
        id: semver
        uses: madhead/semver-utils@v4.3.0
        with:
          version:    ${{ steps.get_tag.outputs.tag }}
          compare-to: ${{ steps.latest_release.outputs.tag }}
      # Derive flags: prerelease?  make_latest?
      - name: Calculate publish flags
        id: flags
        uses: actions/github-script@v7
        with:
          script: |
            const tag = '${{ steps.get_tag.outputs.tag }}';              // v0.31.5-rc1
            const m = tag.match(/^v(\d+\.\d+\.\d+)(-rc\d+)?$/);
            if (!m) {
              core.setFailed(`❌ tag '${tag}' must match 'vX.Y.Z' or 'vX.Y.Z-rcN'`);
              return;
            }
            const version = m[1] + (m[2] ?? '');                         // 0.31.5‑rc1
            const isRc    = Boolean(m[2]);
            core.setOutput('is_rc',      isRc);
            const outdated = '${{ steps.semver.outputs.comparison-result }}' === '<';
            core.setOutput('make_latest', isRc || outdated ? 'false' : 'legacy');
      # Publish draft release with correct flags
      - name: Publish draft release
        uses: actions/github-script@v7
        with:
@@ -158,17 +78,19 @@ jobs:
            const tag = '${{ steps.get_tag.outputs.tag }}';
            const releases = await github.rest.repos.listReleases({
              owner: context.repo.owner,
-              repo:  context.repo.repo
+              repo: context.repo.repo
            });
-            const draft = releases.data.find(r => r.tag_name === tag && r.draft);
+  
-            if (!draft) throw new Error(`Draft release for ${tag} not found`);
+            const release = releases.data.find(r => r.tag_name === tag && r.draft);
            if (!release) {
              throw new Error(`Draft release with tag ${tag} not found`);
            }
            await github.rest.repos.updateRelease({
-              owner:       context.repo.owner,
+              owner: context.repo.owner,
-              repo:        context.repo.repo,
+              repo: context.repo.repo,
-              release_id:  draft.id,
+              release_id: release.id,
-              draft:       false,
+              draft: false
              prerelease:  ${{ steps.flags.outputs.is_rc }},
              make_latest: '${{ steps.flags.outputs.make_latest }}'
            });
-
+  
-            console.log(`🚀 Published release for ${tag}`);
+            console.log(`✅ Published release for ${tag}`);
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -1,13 +1,9 @@
 name: Pull Request
 on:
-  pull_request_target:
+  pull_request:
    types: [labeled, opened, synchronize, reopened]
 concurrency:
  group: pull-requests-${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true
 jobs:
  e2e:
    name: Build and Test
@@ -16,18 +12,16 @@ jobs:
      contents: read
      packages: write
    # Never run when the PR carries the "release" label.
    if: |
      contains(github.event.pull_request.labels.*.name, 'ok-to-test') &&
      !contains(github.event.pull_request.labels.*.name, 'release')
    steps:
-      - name: Checkout code (PR branch)
+      - name: Checkout code
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref:        ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
-          fetch-tags:  true
+          fetch-tags: true
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
@@ -36,8 +30,10 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: ghcr.io
-      - name: Build
+      - name: make build
-        run: make build
+        run: |
          make build
-      - name: Test
+      - name: make test
-        run: make test
+        run: |
          make test
--- a/.github/workflows/tags.yaml
+++ b/.github/workflows/tags.yaml
@@ -1,13 +1,10 @@
 name: Versioned Tag
 on:
  # Trigger on push if it includes a tag like vX.Y.Z
  push:
    tags:
-      - 'v*.*.*' # vX.Y.Z or vX.Y.Z-rcN
+      - 'v*.*.*'
 concurrency:
  group: tags-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  prepare-release:
@@ -19,7 +16,7 @@ jobs:
      pull-requests: write
    steps:
-      # Check if a non-draft release with this tag already exists
+      # 1) Check if a non-draft release with this tag already exists
      - name: Check if release already exists
        id: check_release
        uses: actions/github-script@v7
@@ -28,67 +25,57 @@ jobs:
            const tag = context.ref.replace('refs/tags/', '');
            const releases = await github.rest.repos.listReleases({
              owner: context.repo.owner,
-              repo:  context.repo.repo
+              repo: context.repo.repo
            });
-            const exists = releases.data.some(r => r.tag_name === tag && !r.draft);
+            const existing = releases.data.find(r => r.tag_name === tag && !r.draft);
-            core.setOutput('skip', exists);
+            if (existing) {
-            console.log(exists ? `Release ${tag} already published` : `No published release ${tag}`);
+              core.setOutput('skip', 'true');
            } else {
              core.setOutput('skip', 'false');
            }
      # If a published release already exists, skip the rest of the workflow
      - name: Skip if release already exists
        if: steps.check_release.outputs.skip == 'true'
        run: echo "Release already exists, skipping workflow."
-      # Parse tag meta‑data (rc?, maintenance line, etc.)
+      # 2) Determine the base branch from which the tag was pushed
      - name: Parse tag
        if: steps.check_release.outputs.skip == 'false'
        id: tag
        uses: actions/github-script@v7
        with:
          script: |
            const ref = context.ref.replace('refs/tags/', '');           // e.g. v0.31.5-rc1
            const m = ref.match(/^v(\d+\.\d+\.\d+)(-rc\d+)?$/);
            if (!m) {
              core.setFailed(`❌ tag '${ref}' must match 'vX.Y.Z' or 'vX.Y.Z-rcN'`);
              return;
            }
            const version = m[1] + (m[2] ?? '');                         // 0.31.5‑rc1
            const isRc    = Boolean(m[2]);
            const [maj, min] = m[1].split('.');
            core.setOutput('tag',     ref);
            core.setOutput('version', version);
            core.setOutput('is_rc',   isRc);
            core.setOutput('line',    `${maj}.${min}`);                  // 0.31
      # Detect base branch (main or release‑X.Y) the tag was pushed from
      - name: Get base branch
        if: steps.check_release.outputs.skip == 'false'
        id: get_base
        uses: actions/github-script@v7
        with:
          script: |
            /*
              For a push event with a tag, GitHub sets context.payload.base_ref 
              if the tag was pushed from a branch.
              If it's empty, we can't determine the correct base branch and must fail.
            */
            const baseRef = context.payload.base_ref;
            if (!baseRef) {
-              core.setFailed(`❌ base_ref is empty. Push the tag via 'git push origin HEAD:refs/tags/<tag>'.`);
+              core.setFailed(`❌ base_ref is empty. Make sure you push the tag from a branch (e.g. 'git push origin HEAD:refs/tags/vX.Y.Z').`);
              return;
            }
            const branch = baseRef.replace('refs/heads/', '');
            const ok     = branch === 'main' || /^release-\d+\.\d+$/.test(branch);
            if (!ok) {
              core.setFailed(`❌ Tagged commit must belong to 'main' or 'release-X.Y'. Got '${branch}'`);
              return;
            }
            core.setOutput('branch', branch);
-      # Checkout & login once
+            const shortBranch = baseRef.replace("refs/heads/", "");
            const releasePattern = /^release-\d+\.\d+$/;
            if (shortBranch !== "main" && !releasePattern.test(shortBranch)) {
              core.setFailed(`❌ Tagged commit must belong to branch 'main' or 'release-X.Y'. Got '${shortBranch}'`);
              return;
            }
            core.setOutput('branch', shortBranch);
      # 3) Checkout full git history and tags
      - name: Checkout code
        if: steps.check_release.outputs.skip == 'false'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          fetch-tags:  true
+          fetch-tags: true
-      - name: Login to GHCR
+      # 4) Login to GitHub Container Registry
      - name: Login to GitHub Container Registry
        if: steps.check_release.outputs.skip == 'false'
        uses: docker/login-action@v3
        with:
@@ -96,129 +83,113 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: ghcr.io
-      # Build project artifacts
+      # 5) Build project artifacts
      - name: Build
        if: steps.check_release.outputs.skip == 'false'
        run: make build
-      # Commit built artifacts
+      # 6) Optionally commit built artifacts to the repository
      - name: Commit release artifacts
        if: steps.check_release.outputs.skip == 'false'
        env:
          GIT_AUTHOR_NAME: ${{ github.actor }}
          GIT_AUTHOR_EMAIL: ${{ github.actor }}@users.noreply.github.com
        run: |
-          git config user.name  "github-actions"
+          git config user.name "github-actions"
          git config user.email "github-actions@github.com"
          git add .
          git commit -m "Prepare release ${GITHUB_REF#refs/tags/}" -s || echo "No changes to commit"
          git push origin HEAD || true
-      # Get `latest_version` from latest published release 
+      # 7) Create a release branch like release-X.Y.Z
      - name: Get latest published release
        if: steps.check_release.outputs.skip == 'false'
        id: latest_release
        uses: actions/github-script@v7
        with:
          script: |
            try {
              const rel = await github.rest.repos.getLatestRelease({
                owner: context.repo.owner,
                repo:  context.repo.repo
              });
              core.setOutput('tag', rel.data.tag_name);
            } catch (_) {
              core.setOutput('tag', '');
            }
      # Compare tag (A) with latest (B)
      - name: Semver compare
        if: steps.check_release.outputs.skip == 'false'
        id: semver
        uses: madhead/semver-utils@v4.3.0
        with:
          version:     ${{ steps.tag.outputs.tag }}            # A
          compare-to:  ${{ steps.latest_release.outputs.tag }} # B
      # Create or reuse DRAFT GitHub Release
      - name: Create / reuse draft release
        if: steps.check_release.outputs.skip == 'false'
        id: release
        uses: actions/github-script@v7
        with:
          script: |
            const tag        = '${{ steps.tag.outputs.tag }}';
            const isRc       = ${{ steps.tag.outputs.is_rc }};
            const outdated   = '${{ steps.semver.outputs.comparison-result }}' === '<';
            const makeLatest = outdated ? false : 'legacy';
            const releases   = await github.rest.repos.listReleases({
              owner: context.repo.owner,
              repo:  context.repo.repo
            });
            let rel          = releases.data.find(r => r.tag_name === tag);
            if (!rel) {
              rel = await github.rest.repos.createRelease({
                owner: context.repo.owner,
                repo:  context.repo.repo,
                tag_name:    tag,
                name:        tag,
                draft:       true,
                prerelease:  isRc,
                make_latest: makeLatest
              });
              console.log(`Draft release created for ${tag}`);
            } else {
              console.log(`Re‑using existing release ${tag}`);
            }
            core.setOutput('upload_url', rel.upload_url);
      # Build + upload assets (optional)
      - name: Build & upload assets
        if: steps.check_release.outputs.skip == 'false'
        run: |
          make assets
          make upload_assets VERSION=${{ steps.tag.outputs.tag }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Create release‑X.Y.Z branch and push (force‑update)
      - name: Create release branch
        if: steps.check_release.outputs.skip == 'false'
        run: |
-          BRANCH="release-${GITHUB_REF#refs/tags/v}"
+          BRANCH_NAME="release-${GITHUB_REF#refs/tags/v}"
-          git branch -f "$BRANCH"
+          git branch -f "$BRANCH_NAME"
-          git push -f origin "$BRANCH"
+          git push origin "$BRANCH_NAME" --force
-      # Create pull request into original base branch (if absent)
+      # 8) Create a pull request from release-X.Y.Z to the original base branch
      - name: Create pull request if not exists
        if: steps.check_release.outputs.skip == 'false'
        uses: actions/github-script@v7
        with:
          script: |
            const version = context.ref.replace('refs/tags/v', '');
-            const base    = '${{ steps.get_base.outputs.branch }}';
+            const base = '${{ steps.get_base.outputs.branch }}';
-            const head    = `release-${version}`;
+            const head = `release-${version}`;
            const prs = await github.rest.pulls.list({
              owner: context.repo.owner,
-              repo:  context.repo.repo,
+              repo: context.repo.repo,
-              head:  `${context.repo.owner}:${head}`,
+              head: `${context.repo.owner}:${head}`,
              base
            });
            if (prs.data.length === 0) {
-              const pr = await github.rest.pulls.create({
+              const newPr = await github.rest.pulls.create({
                owner: context.repo.owner,
-                repo:  context.repo.repo,
+                repo: context.repo.repo,
                head,
                base,
                title: `Release v${version}`,
-                body:  `This PR prepares the release \`v${version}\`.`,
+                body:
                  `This PR prepares the release \`v${version}\`.\n` +
                  `(Please merge it before releasing draft)`,
                draft: false
              });
              console.log(`Created pull request #${newPr.data.number} from ${head} to ${base}`);
              await github.rest.issues.addLabels({
                owner: context.repo.owner,
-                repo:  context.repo.repo,
+                repo: context.repo.repo,
-                issue_number: pr.data.number,
+                issue_number: newPr.data.number,
                labels: ['release']
              });
              console.log(`Created PR #${pr.data.number}`);
            } else {
-              console.log(`PR already exists from ${head} to ${base}`);
+              console.log(`Pull request already exists from ${head} to ${base}`);
            }
      # 9) Create or reuse an existing draft GitHub release for this tag
      - name: Create or reuse draft release
        if: steps.check_release.outputs.skip == 'false'
        id: create_release
        uses: actions/github-script@v7
        with:
          script: |
            const tag = context.ref.replace('refs/tags/', '');
            const releases = await github.rest.repos.listReleases({
              owner: context.repo.owner,
              repo: context.repo.repo
            });
            let release = releases.data.find(r => r.tag_name === tag);
            if (!release) {
              release = await github.rest.repos.createRelease({
                owner: context.repo.owner,
                repo: context.repo.repo,
                tag_name: tag,
                name: `${tag}`,
                draft: true,
                prerelease: false
              });
            }
            core.setOutput('upload_url', release.upload_url);
      # 10) Build additional assets for the release (if needed)
      - name: Build assets
        if: steps.check_release.outputs.skip == 'false'
        run: make assets
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # 11) Upload assets to the draft release
      - name: Upload assets
        if: steps.check_release.outputs.skip == 'false'
        run: make upload_assets VERSION=${GITHUB_REF#refs/tags/}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # 12) Run tests
      - name: Run tests
        if: steps.check_release.outputs.skip == 'false'
        run: make test
--- a/hack/e2e.sh
+++ b/hack/e2e.sh
@@ -60,7 +60,7 @@ done
 # Prepare system drive
 if [ ! -f nocloud-amd64.raw ]; then
-  wget https://github.com/cozystack/cozystack/releases/latest/download/nocloud-amd64.raw.xz -O nocloud-amd64.raw.xz --show-progress --output-file /dev/stdout --progress=dot:giga 2>/dev/null
+  wget https://github.com/cozystack/cozystack/releases/latest/download/nocloud-amd64.raw.xz -O nocloud-amd64.raw.xz
  rm -f nocloud-amd64.raw
  xz --decompress nocloud-amd64.raw.xz
 fi
@@ -234,8 +234,8 @@ sleep 5
 kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n " $1 " hr/" $2 " &"} END{print "wait"}' | sh -x
 # Wait for Cluster-API providers
-timeout 60 sh -c 'until kubectl get deploy -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager; do sleep 1; done'
+timeout 30 sh -c 'until kubectl get deploy -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager; do sleep 1; done'
-kubectl wait deploy --timeout=1m --for=condition=available -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager
+kubectl wait deploy --timeout=30s --for=condition=available -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager
 # Wait for linstor controller
 kubectl wait deploy --timeout=5m --for=condition=available -n cozy-linstor linstor-controller
@@ -357,5 +357,5 @@ kubectl patch -n cozy-system cm/cozystack --type=merge -p '{"data":{
  "oidc-enabled": "true"
 }}'
-timeout 120 sh -c 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator; do sleep 1; done'
+timeout 60 sh -c 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator; do sleep 1; done'
 kubectl wait --timeout=10m --for=condition=ready -n cozy-keycloak hr keycloak keycloak-configure keycloak-operator
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.19.0
+version: 0.18.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kubernetes/Makefile
+++ b/packages/apps/kubernetes/Makefile
@@ -1,4 +1,4 @@
-KUBERNETES_VERSION = v1.32
+UBUNTU_CONTAINER_DISK_TAG = v1.30.1
 KUBERNETES_PKG_TAG = $(shell awk '$$1 == "version:" {print $$2}' Chart.yaml)
 include ../../../scripts/common-envs.mk
@@ -6,26 +6,21 @@ include ../../../scripts/package.mk
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
 	yq -o json -i '.properties.controlPlane.properties.apiServer.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
 	yq -o json -i '.properties.controlPlane.properties.controllerManager.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
 	yq -o json -i '.properties.controlPlane.properties.scheduler.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
 	yq -o json -i '.properties.controlPlane.properties.konnectivity.properties.server.properties.resourcesPreset.enum = ["none","nano","micro","small","medium","large","xlarge","2xlarge"]' values.schema.json
 image: image-ubuntu-container-disk image-kubevirt-cloud-provider image-kubevirt-csi-driver image-cluster-autoscaler
 image-ubuntu-container-disk:
 	docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 images/ubuntu-container-disk \
 		--provenance false \
-		--build-arg KUBERNETES_VERSION=${KUBERNETES_VERSION} \
+		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG)) \
-		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(KUBERNETES_VERSION)) \
+		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG)-$(TAG)) \
 		--tag $(REGISTRY)/ubuntu-container-disk:$(call settag,$(KUBERNETES_VERSION)-$(TAG)) \
 		--cache-from type=registry,ref=$(REGISTRY)/ubuntu-container-disk:latest \
 		--cache-to type=inline \
 		--metadata-file images/ubuntu-container-disk.json \
 		--push=$(PUSH) \
 		--label "org.opencontainers.image.source=https://github.com/cozystack/cozystack" \
 		--load=$(LOAD)
-	echo "$(REGISTRY)/ubuntu-container-disk:$(call settag,$(KUBERNETES_VERSION))@$$(yq e '."containerimage.digest"' images/ubuntu-container-disk.json -o json -r)" \
+	echo "$(REGISTRY)/ubuntu-container-disk:$(call settag,$(UBUNTU_CONTAINER_DISK_TAG))@$$(yq e '."containerimage.digest"' images/ubuntu-container-disk.json -o json -r)" \
 		> images/ubuntu-container-disk.tag
 	rm -f images/ubuntu-container-disk.json
--- a/packages/apps/kubernetes/README.md
+++ b/packages/apps/kubernetes/README.md
@@ -27,46 +27,20 @@ How to access to deployed cluster:
 kubectl get secret -n <namespace> kubernetes-<clusterName>-admin-kubeconfig -o go-template='{{ printf "%s\n" (index .data "super-admin.conf" | base64decode) }}' > test
 ```
-## Parameters
+# Series
-### Common parameters
+<!-- source: https://github.com/kubevirt/common-instancetypes/blob/main/README.md -->
-| Name                    | Description                                                                                                                            | Value        |
+.                           |  U  |  O  |  CX  |  M  |  RT
-| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
+----------------------------|-----|-----|------|-----|------
-| `host`                  | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""`         |
+*Has GPUs*                  |     |     |      |     |
-| `controlPlane.replicas` | Number of replicas for Kubernetes control-plane components                                                                             | `2`          |
+*Hugepages*                 |     |     |  ✓   |  ✓  |  ✓
-| `storageClass`          | StorageClass used to store user data                                                                                                   | `replicated` |
+*Overcommitted Memory*      |     |  ✓  |      |     |
-| `nodeGroups`            | nodeGroups configuration                                                                                                               | `{}`         |
+*Dedicated CPU*             |     |     |  ✓   |     |  ✓
-
+*Burstable CPU performance* |  ✓  |  ✓  |      |  ✓  |
-### Cluster Addons
+*Isolated emulator threads* |     |     |  ✓   |     |  ✓
-
+*vNUMA*                     |     |     |  ✓   |     |  ✓
-| Name                                          | Description                                                                                                                                                       | Value   |
+*vCPU-To-Memory Ratio*      | 1:4 | 1:4 |  1:2 | 1:8 | 1:4
 | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
 | `addons.certManager.enabled`                  | Enables the cert-manager                                                                                                                                          | `false` |
 | `addons.certManager.valuesOverride`           | Custom values to override                                                                                                                                         | `{}`    |
 | `addons.ingressNginx.enabled`                 | Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)                                                                                          | `false` |
 | `addons.ingressNginx.valuesOverride`          | Custom values to override                                                                                                                                         | `{}`    |
 | `addons.ingressNginx.hosts`                   | List of domain names that should be passed through to the cluster by upper cluster                                                                                | `[]`    |
 | `addons.gpuOperator.enabled`                  | Enables the gpu-operator                                                                                                                                          | `false` |
 | `addons.gpuOperator.valuesOverride`           | Custom values to override                                                                                                                                         | `{}`    |
 | `addons.fluxcd.enabled`                       | Enables Flux CD                                                                                                                                                   | `false` |
 | `addons.fluxcd.valuesOverride`                | Custom values to override                                                                                                                                         | `{}`    |
 | `addons.monitoringAgents.enabled`             | Enables MonitoringAgents (fluentbit, vmagents for sending logs and metrics to storage) if tenant monitoring enabled, send to tenant storage, else to root storage | `false` |
 | `addons.monitoringAgents.valuesOverride`      | Custom values to override                                                                                                                                         | `{}`    |
 | `addons.verticalPodAutoscaler.valuesOverride` | Custom values to override                                                                                                                                         | `{}`    |
 ### Kubernetes control plane configuration
 | Name                                               | Description                                                                                                                                                                                                       | Value   |
 | -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
 | `controlPlane.apiServer.resourcesPreset`           | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
 | `controlPlane.apiServer.resources`                 | Resources                                                                                                                                                                                                         | `{}`    |
 | `controlPlane.controllerManager.resources`         | Resources                                                                                                                                                                                                         | `{}`    |
 | `controlPlane.controllerManager.resourcesPreset`   | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
 | `controlPlane.scheduler.resourcesPreset`           | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
 | `controlPlane.scheduler.resources`                 | Resources                                                                                                                                                                                                         | `{}`    |
 | `controlPlane.konnectivity.server.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
 | `controlPlane.konnectivity.server.resources`       | Resources                                                                                                                                                                                                         | `{}`    |
 ## U Series
--- a/packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile
@@ -1,4 +1,3 @@
 # TODO: Here we use ubuntu:22.04, as guestfish has some network issues running in ubuntu:24.04
 FROM ubuntu:22.04 as guestfish
 ARG DEBIAN_FRONTEND=noninteractive
@@ -6,7 +5,6 @@ RUN apt-get update \
 && apt-get -y install \
     libguestfs-tools \
     linux-image-generic \
     wget \
     make \
     bash-completion \
 && apt-get clean
@@ -15,13 +13,13 @@ WORKDIR /build
 FROM guestfish as builder
-# noble is a code name for the Ubuntu 24.04 LTS release
+RUN wget -O image.img https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img
 RUN wget -O image.img https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img --show-progress --output-file /dev/stdout --progress=dot:giga 2>/dev/null
 ARG KUBERNETES_VERSION
 RUN qemu-img resize image.img 5G \
 && eval "$(guestfish --listen --network)" \
 && guestfish --remote set-backend direct \
 && guestfish --remote set-memsize 2048 \
 && guestfish --remote set-smp 4 \
 && guestfish --remote add-drive image.img \
 && guestfish --remote run \
 && guestfish --remote mount /dev/sda1 / \
@@ -31,8 +29,8 @@ RUN qemu-img resize image.img 5G \
 && guestfish --remote sh "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" \
 && guestfish --remote sh 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list' \
 # kubernetes repo
- && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/${KUBERNETES_VERSION}/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
+ && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \
- && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/${KUBERNETES_VERSION}/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
+ && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \
 # install containerd
 && guestfish --remote command "apt-get update -y" \
 && guestfish --remote command "apt-get install -y containerd.io" \
@@ -42,6 +40,9 @@ RUN qemu-img resize image.img 5G \
 && guestfish --remote command "sed -i '/SystemdCgroup/ s/=.*/= true/' /etc/containerd/config.toml" \
 # install kubernetes
 && guestfish --remote command "apt-get install -y kubelet kubeadm" \
 # install nvidia driver
 && guestfish --remote command "apt-get install -y nvidia-dkms-570-server-open" \
 && guestfish --remote sh "printf 'blacklist %s\n' nvidia nvidia_uvm nvidia_drm nvidia_modeset > /etc/modprobe.d/blacklist-nvidia.conf" \
 # clean apt cache
 && guestfish --remote sh 'apt-get clean && rm -rf /var/lib/apt/lists/*' \
 # write system configuration
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -39,13 +39,6 @@ spec:
              sockets: 1
            {{- end }}
            devices:
              {{- if .group.gpus }}
              gpus:
              {{- range $i, $gpu := .group.gpus }}
              - name: gpu{{ add $i 1 }}
                deviceName: {{ $gpu.name }}
              {{- end }}
              {{- end }}
              disks:
              - name: system
                disk:
@@ -110,22 +103,22 @@ metadata:
    kamaji.clastix.io/kubeconfig-secret-key: "super-admin.svc"
 spec:
  apiServer:
-    {{- if .Values.controlPlane.apiServer.resources }}
+    {{- if .Values.kamajiControlPlane.apiServer.resources }}
-    resources: {{- toYaml .Values.controlPlane.apiServer.resources | nindent 6 }}
+    resources: {{- toYaml .Values.kamajiControlPlane.apiServer.resources | nindent 6 }}
-    {{- else if ne .Values.controlPlane.apiServer.resourcesPreset "none" }}
+    {{- else if ne .Values.kamajiControlPlane.apiServer.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.controlPlane.apiServer.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "resources.preset" (dict "type" .Values.kamajiControlPlane.apiServer.resourcesPreset "Release" .Release) | nindent 6 }}
    {{- end }}
  controllerManager:
-    {{- if .Values.controlPlane.controllerManager.resources }}
+    {{- if .Values.kamajiControlPlane.controllerManager.resources }}
-    resources: {{- toYaml .Values.controlPlane.controllerManager.resources | nindent 6 }}
+    resources: {{- toYaml .Values.kamajiControlPlane.controllerManager.resources | nindent 6 }}
-    {{- else if ne .Values.controlPlane.controllerManager.resourcesPreset "none" }}
+    {{- else if ne .Values.kamajiControlPlane.controllerManager.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.controlPlane.controllerManager.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "resources.preset" (dict "type" .Values.kamajiControlPlane.controllerManager.resourcesPreset "Release" .Release) | nindent 6 }}
    {{- end }}
  scheduler:
-    {{- if .Values.controlPlane.scheduler.resources }}
+    {{- if .Values.kamajiControlPlane.scheduler.resources }}
-    resources: {{- toYaml .Values.controlPlane.scheduler.resources | nindent 6 }}
+    resources: {{- toYaml .Values.kamajiControlPlane.scheduler.resources | nindent 6 }}
-    {{- else if ne .Values.controlPlane.scheduler.resourcesPreset "none" }}
+    {{- else if ne .Values.kamajiControlPlane.scheduler.resourcesPreset "none" }}
-    resources: {{- include "resources.preset" (dict "type" .Values.controlPlane.scheduler.resourcesPreset "Release" .Release) | nindent 6 }}
+    resources: {{- include "resources.preset" (dict "type" .Values.kamajiControlPlane.scheduler.resourcesPreset "Release" .Release) | nindent 6 }}
    {{- end }}
  dataStoreName: "{{ $etcd }}"
  addons:
@@ -135,10 +128,10 @@ spec:
    konnectivity:
      server:
        port: 8132
-        {{- if .Values.controlPlane.konnectivity.server.resources }}
+        {{- if .Values.kamajiControlPlane.addons.konnectivity.server.resources }}
-        resources: {{- toYaml .Values.controlPlane.konnectivity.server.resources | nindent 10 }}
+        resources: {{- toYaml .Values.kamajiControlPlane.addons.konnectivity.server.resources | nindent 10 }}
-        {{- else if ne .Values.controlPlane.konnectivity.server.resourcesPreset "none" }}
+        {{- else if ne .Values.kamajiControlPlane.addons.konnectivity.server.resourcesPreset "none" }}
-        resources: {{- include "resources.preset" (dict "type" .Values.controlPlane.konnectivity.server.resourcesPreset "Release" .Release) | nindent 10 }}
+        resources: {{- include "resources.preset" (dict "type" .Values.kamajiControlPlane.addons.konnectivity.server.resourcesPreset "Release" .Release) | nindent 10 }}
        {{- end }}
  kubelet:
    cgroupfs: systemd
@@ -283,7 +276,7 @@ spec:
        kind: KubevirtMachineTemplate
        name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }}
        namespace: {{ $.Release.Namespace }}
-      version: v1.32.3
+      version: v1.30.1
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineHealthCheck
--- a/packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml
@@ -4,7 +4,7 @@ metadata:
  name: {{ .Release.Name }}-cert-manager-crds
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: cert-manager-crds
--- a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml
@@ -5,7 +5,7 @@ metadata:
  name: {{ .Release.Name }}-cert-manager
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: cert-manager
@@ -30,9 +30,11 @@ spec:
  upgrade:
    remediation:
      retries: -1
-  {{- with .Values.addons.certManager.valuesOverride }}
+  {{- if .Values.addons.certManager.valuesOverride }}
-  values:
+  valuesFrom:
-    {{- toYaml . | nindent 4 }}
+  - kind: Secret
    name: {{ .Release.Name }}-cert-manager-values-override
    valuesKey: values
  {{- end }}
  dependsOn:
@@ -45,3 +47,13 @@ spec:
  - name: {{ .Release.Name }}-cert-manager-crds
    namespace: {{ .Release.Namespace }}
 {{- end }}
 {{- if .Values.addons.certManager.valuesOverride }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ .Release.Name }}-cert-manager-values-override
 stringData:
  values: |
    {{- toYaml .Values.addons.certManager.valuesOverride | nindent 4 }}
 {{- end }}
--- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
@@ -4,7 +4,7 @@ metadata:
  name: {{ .Release.Name }}-cilium
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: cilium
--- a/packages/apps/kubernetes/templates/helmreleases/csi.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/csi.yaml
@@ -4,7 +4,7 @@ metadata:
  name: {{ .Release.Name }}-csi
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: csi
--- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml
@@ -20,7 +20,7 @@ spec:
          effect: "NoSchedule"
      containers:
        - name: kubectl
-          image: docker.io/clastix/kubectl:v1.32
+          image: docker.io/clastix/kubectl:v1.30.1
          command:
            - /bin/sh
            - -c
@@ -38,7 +38,6 @@ spec:
                {{ .Release.Name }}-ingress-nginx
                {{ .Release.Name }}-fluxcd-operator
                {{ .Release.Name }}-fluxcd
                {{ .Release.Name }}-gpu-operator
                -p '{"spec": {"suspend": true}}'
                --type=merge --field-manager=flux-client-side-apply || true
 ---
@@ -77,7 +76,6 @@ rules:
      - {{ .Release.Name }}-ingress-nginx
      - {{ .Release.Name }}-fluxcd-operator
      - {{ .Release.Name }}-fluxcd
      - {{ .Release.Name }}-gpu-operator
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
--- a/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml
@@ -5,7 +5,7 @@ metadata:
  name: {{ .Release.Name }}-fluxcd-operator
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: fluxcd-operator
@@ -49,7 +49,7 @@ metadata:
  name: {{ .Release.Name }}-fluxcd
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: fluxcd
@@ -73,9 +73,11 @@ spec:
  upgrade:
    remediation:
      retries: -1
-  {{- with .Values.addons.fluxcd.valuesOverride }}
+  {{- if .Values.addons.fluxcd.valuesOverride }}
-  values:
+  valuesFrom:
-    {{- toYaml . | nindent 4 }}
+  - kind: Secret
    name: {{ .Release.Name }}-fluxcd-values-override
    valuesKey: values
  {{- end }}
  dependsOn:
  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
@@ -87,3 +89,14 @@ spec:
  - name: {{ .Release.Name }}-fluxcd-operator
    namespace: {{ .Release.Namespace }}
 {{- end }}
 {{- if .Values.addons.fluxcd.valuesOverride }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ .Release.Name }}-fluxcd-values-override
 stringData:
  values: |
    {{- toYaml .Values.addons.fluxcd.valuesOverride | nindent 4 }}
 {{- end }}
--- a/packages/apps/kubernetes/templates/helmreleases/gpu-operator.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/gpu-operator.yaml
@@ -1,45 +0,0 @@
 {{- if .Values.addons.gpuOperator.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: {{ .Release.Name }}-gpu-operator
  labels:
    cozystack.io/repository: system
    cozystack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: gpu-operator
  chart:
    spec:
      chart: cozy-gpu-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  kubeConfig:
    secretRef:
      name: {{ .Release.Name }}-admin-kubeconfig
      key: super-admin.svc
  targetNamespace: cozy-gpu-operator
  storageNamespace: cozy-gpu-operator
  install:
    createNamespace: true
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  {{- with .Values.addons.gpuOperator.valuesOverride }}
  values:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  dependsOn:
  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
  - name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
  {{- end }}
  - name: {{ .Release.Name }}-cilium
    namespace: {{ .Release.Namespace }}
 {{- end }}
--- a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml
@@ -1,15 +1,3 @@
 {{- define "cozystack.defaultIngressValues" -}}
 ingress-nginx:
  fullnameOverride: ingress-nginx
  controller:
    kind: DaemonSet
    hostNetwork: true
    service:
      enabled: false
  nodeSelector:
    node-role.kubernetes.io/ingress-nginx: ""
 {{- end }}
 {{- if .Values.addons.ingressNginx.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -17,7 +5,7 @@ metadata:
  name: {{ .Release.Name }}-ingress-nginx
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: ingress-nginx
@@ -43,7 +31,21 @@ spec:
    remediation:
      retries: -1
  values:
-    {{- toYaml (deepCopy .Values.addons.ingressNginx.valuesOverride | mergeOverwrite (fromYaml (include "cozystack.defaultIngressValues" .))) | nindent 4 }}
+    ingress-nginx:
      fullnameOverride: ingress-nginx
      controller:
        kind: DaemonSet
        hostNetwork: true
        service:
          enabled: false
      nodeSelector:
        node-role.kubernetes.io/ingress-nginx: ""
  {{- if .Values.addons.ingressNginx.valuesOverride }}
  valuesFrom:
  - kind: Secret
    name: {{ .Release.Name }}-ingress-nginx-values-override
    valuesKey: values
  {{- end }}
  dependsOn:
  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
  - name: {{ .Release.Name }}
@@ -52,3 +54,14 @@ spec:
  - name: {{ .Release.Name }}-cilium
    namespace: {{ .Release.Namespace }}
 {{- end }}
 {{- if .Values.addons.ingressNginx.valuesOverride }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ .Release.Name }}-ingress-nginx-values-override
 stringData:
  values: |
    {{- toYaml .Values.addons.ingressNginx.valuesOverride | nindent 4 }}
 {{- end }}
--- a/packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml
@@ -7,7 +7,7 @@ metadata:
  name: {{ .Release.Name }}-monitoring-agents
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: cozy-monitoring-agents
--- a/packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler-crds.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler-crds.yaml
@@ -5,7 +5,7 @@ metadata:
  name: {{ .Release.Name }}-vertical-pod-autoscaler-crds
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: vertical-pod-autoscaler-crds
--- a/packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/vertical-pod-autoscaler.yaml
@@ -1,28 +1,5 @@
 {{- define "cozystack.defaultVPAValues" -}}
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $targetTenant := index $myNS.metadata.annotations "namespace.cozystack.io/monitoring" }}
 vertical-pod-autoscaler:
  recommender:
    extraArgs:
      container-name-label: container
      container-namespace-label: namespace
      container-pod-name-label: pod
      storage: prometheus
      memory-saver: true
      pod-label-prefix: label_
      metric-for-pod-labels: kube_pod_labels{job="kube-state-metrics", tenant="{{ .Release.Namespace }}", cluster="{{ .Release.Name }}"}[8d]
      pod-name-label: pod
      pod-namespace-label: namespace
      prometheus-address: http://vmselect-shortterm.{{ $targetTenant }}.svc.cozy.local:8481/select/0/prometheus/
      prometheus-cadvisor-job-name: cadvisor
    resources:
      limits:
        memory: 1600Mi
      requests:
        cpu: 100m
        memory: 1600Mi
 {{- end }}
 {{- if .Values.addons.monitoringAgents.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -30,7 +7,7 @@ metadata:
  name: {{ .Release.Name }}-vertical-pod-autoscaler
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: vertical-pod-autoscaler
@@ -56,7 +33,32 @@ spec:
    remediation:
      retries: -1
  values:
-    {{- toYaml (deepCopy .Values.addons.verticalPodAutoscaler.valuesOverride | mergeOverwrite (fromYaml (include "cozystack.defaultVPAValues" .))) | nindent 4 }}
+    vertical-pod-autoscaler:
      recommender:
        extraArgs:
          container-name-label: container
          container-namespace-label: namespace
          container-pod-name-label: pod
          storage: prometheus
          memory-saver: true
          pod-label-prefix: label_
          metric-for-pod-labels: kube_pod_labels{job="kube-state-metrics", tenant="{{ .Release.Namespace }}", cluster="{{ .Release.Name }}"}[8d]
          pod-name-label: pod
          pod-namespace-label: namespace
          prometheus-address: http://vmselect-shortterm.{{ $targetTenant }}.svc.cozy.local:8481/select/0/prometheus/
          prometheus-cadvisor-job-name: cadvisor
        resources:
          limits:
            memory: 1600Mi
          requests:
            cpu: 100m
            memory: 1600Mi
  {{- if .Values.addons.verticalPodAutoscaler.valuesOverride }}
  valuesFrom:
  - kind: Secret
    name: {{ .Release.Name }}-vertical-pod-autoscaler-values-override
    valuesKey: values
  {{- end }}
  dependsOn:
  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
  - name: {{ .Release.Name }}
--- a/packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml
@@ -5,7 +5,7 @@ metadata:
  name: {{ .Release.Name }}-cozy-victoria-metrics-operator
  labels:
    cozystack.io/repository: system
-    cozystack.io/target-cluster-name: {{ .Release.Name }}
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
 spec:
  interval: 5m
  releaseName: cozy-victoria-metrics-operator
--- a/packages/apps/kubernetes/values.schema.json
+++ b/packages/apps/kubernetes/values.schema.json
@@ -1,227 +1,97 @@
 {
-  "title": "Chart Values",
+    "title": "Chart Values",
-  "type": "object",
+    "type": "object",
-  "properties": {
+    "properties": {
-    "host": {
+        "host": {
-      "type": "string",
+            "type": "string",
-      "description": "The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host).",
+            "description": "The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host).",
-      "default": ""
+            "default": ""
    },
    "controlPlane": {
      "type": "object",
      "properties": {
        "replicas": {
          "type": "number",
          "description": "Number of replicas for Kubernetes control-plane components",
          "default": 2
        },
-        "apiServer": {
+        "controlPlane": {
-          "type": "object",
+            "type": "object",
-          "properties": {
+            "properties": {
-            "resourcesPreset": {
+                "replicas": {
-              "type": "string",
+                    "type": "number",
-              "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
+                    "description": "Number of replicas for Kubernetes contorl-plane components",
-              "default": "small",
+                    "default": 2
-              "enum": [
+                }
-                "none",
+            }
-                "nano",
+        },
-                "micro",
+        "storageClass": {
-                "small",
+            "type": "string",
-                "medium",
+            "description": "StorageClass used to store user data",
-                "large",
+            "default": "replicated"
-                "xlarge",
+        },
-                "2xlarge"
+        "addons": {
-              ]
+            "type": "object",
-            },
+            "properties": {
-            "resources": {
+                "certManager": {
-              "type": "object",
+                    "type": "object",
-              "description": "Resources",
+                    "properties": {
-              "default": {}
+                        "enabled": {
-            }
+                            "type": "boolean",
-          }
+                            "description": "Enables the cert-manager",
-        },
+                            "default": false
-        "controllerManager": {
+                        },
-          "type": "object",
+                        "valuesOverride": {
-          "properties": {
+                            "type": "object",
-            "resources": {
+                            "description": "Custom values to override",
-              "type": "object",
+                            "default": {}
-              "description": "Resources",
+                        }
-              "default": {}
+                    }
-            },
+                },
-            "resourcesPreset": {
+                "ingressNginx": {
-              "type": "string",
+                    "type": "object",
-              "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
+                    "properties": {
-              "default": "micro",
+                        "enabled": {
-              "enum": [
+                            "type": "boolean",
-                "none",
+                            "description": "Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)",
-                "nano",
+                            "default": false
-                "micro",
+                        },
-                "small",
+                        "valuesOverride": {
-                "medium",
+                            "type": "object",
-                "large",
+                            "description": "Custom values to override",
-                "xlarge",
+                            "default": {}
-                "2xlarge"
+                        },
-              ]
+                        "hosts": {
-            }
+                            "type": "array",
-          }
+                            "description": "List of domain names that should be passed through to the cluster by upper cluster",
-        },
+                            "default": [],
-        "scheduler": {
+                            "items": {}
-          "type": "object",
+                        }
-          "properties": {
+                    }
-            "resourcesPreset": {
+                },
-              "type": "string",
+                "fluxcd": {
-              "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
+                    "type": "object",
-              "default": "micro",
+                    "properties": {
-              "enum": [
+                        "enabled": {
-                "none",
+                            "type": "boolean",
-                "nano",
+                            "description": "Enables Flux CD",
-                "micro",
+                            "default": false
-                "small",
+                        },
-                "medium",
+                        "valuesOverride": {
-                "large",
+                            "type": "object",
-                "xlarge",
+                            "description": "Custom values to override",
-                "2xlarge"
+                            "default": {}
-              ]
+                        }
-            },
+                    }
-            "resources": {
+                },
-              "type": "object",
+                "monitoringAgents": {
-              "description": "Resources",
+                    "type": "object",
-              "default": {}
+                    "properties": {
-            }
+                        "enabled": {
-          }
+                            "type": "boolean",
-        },
+                            "description": "Enables MonitoringAgents (fluentbit, vmagents for sending logs and metrics to storage) if tenant monitoring enabled, send to tenant storage, else to root storage",
-        "konnectivity": {
+                            "default": false
-          "type": "object",
+                        },
-          "properties": {
+                        "valuesOverride": {
-            "server": {
+                            "type": "object",
-              "type": "object",
+                            "description": "Custom values to override",
-              "properties": {
+                            "default": {}
-                "resourcesPreset": {
+                        }
-                  "type": "string",
+                    }
                  "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).",
                  "default": "micro",
                  "enum": [
                    "none",
                    "nano",
                    "micro",
                    "small",
                    "medium",
                    "large",
                    "xlarge",
                    "2xlarge"
                  ]
                },
                "resources": {
                  "type": "object",
                  "description": "Resources",
                  "default": {}
                }
              }
            }
          }
        }
      }
    },
    "storageClass": {
      "type": "string",
      "description": "StorageClass used to store user data",
      "default": "replicated"
    },
    "addons": {
      "type": "object",
      "properties": {
        "certManager": {
          "type": "object",
          "properties": {
            "enabled": {
              "type": "boolean",
              "description": "Enables the cert-manager",
              "default": false
            },
            "valuesOverride": {
              "type": "object",
              "description": "Custom values to override",
              "default": {}
            }
          }
        },
        "ingressNginx": {
          "type": "object",
          "properties": {
            "enabled": {
              "type": "boolean",
              "description": "Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)",
              "default": false
            },
            "valuesOverride": {
              "type": "object",
              "description": "Custom values to override",
              "default": {}
            },
            "hosts": {
              "type": "array",
              "description": "List of domain names that should be passed through to the cluster by upper cluster",
              "default": [],
              "items": {}
            }
          }
        },
        "gpuOperator": {
          "type": "object",
          "properties": {
            "enabled": {
              "type": "boolean",
              "description": "Enables the gpu-operator",
              "default": false
            },
            "valuesOverride": {
              "type": "object",
              "description": "Custom values to override",
              "default": {}
            }
          }
        },
        "fluxcd": {
          "type": "object",
          "properties": {
            "enabled": {
              "type": "boolean",
              "description": "Enables Flux CD",
              "default": false
            },
            "valuesOverride": {
              "type": "object",
              "description": "Custom values to override",
              "default": {}
            }
          }
        },
        "monitoringAgents": {
          "type": "object",
          "properties": {
            "enabled": {
              "type": "boolean",
              "description": "Enables MonitoringAgents (fluentbit, vmagents for sending logs and metrics to storage) if tenant monitoring enabled, send to tenant storage, else to root storage",
              "default": false
            },
            "valuesOverride": {
              "type": "object",
              "description": "Custom values to override",
              "default": {}
            }
          }
        },
        "verticalPodAutoscaler": {
          "type": "object",
          "properties": {
            "valuesOverride": {
              "type": "object",
              "description": "Custom values to override",
              "default": {}
            }
          }
        }
      }
    }
  }
 }
--- a/packages/apps/kubernetes/values.yaml
+++ b/packages/apps/kubernetes/values.yaml
@@ -1,10 +1,12 @@
 ## @section Common parameters
 ## @param host The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host).
-## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components
+## @param controlPlane.replicas Number of replicas for Kubernetes contorl-plane components
 ## @param storageClass StorageClass used to store user data
 ##
 host: ""
 controlPlane:
  replicas: 2
 storageClass: replicated
 ## @param nodeGroups [object] nodeGroups configuration
@@ -22,14 +24,6 @@ nodeGroups:
      cpu: ""
      memory: ""
    ## List of GPUs to attach (WARN: NVIDIA driver requires at least 4 GiB of RAM)
    ## e.g:
    ## instanceType: "u1.xlarge"
    ## gpus:
    ## - name: nvidia.com/AD102GL_L40S
    gpus: []
 ## @section Cluster Addons
 ##
 addons:
@@ -58,14 +52,6 @@ addons:
    hosts: []
    valuesOverride: {}
  ## GPU-operator: NVIDIA GPU Operator
  ##
  gpuOperator:
    ## @param addons.gpuOperator.enabled Enables the gpu-operator
    ## @param addons.gpuOperator.valuesOverride Custom values to override
    enabled: false
    valuesOverride: {}
  ## Flux CD
  ##
  fluxcd:
@@ -91,42 +77,62 @@ addons:
    ##
    valuesOverride: {}
-## @section Kubernetes control plane configuration
+## @section Kamaji control plane
 ##
-
+kamajiControlPlane:
 controlPlane:
  replicas: 2
  apiServer:
-    ## @param controlPlane.apiServer.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+    ## @param kamajiControlPlane.apiServer.resources Resources
    ## @param controlPlane.apiServer.resources Resources
    ## e.g:
    ## resources:
    ##   limits:
    ##     cpu: 4000m
    ##     memory: 4Gi
    ##   requests:
    ##     cpu: 100m
    ##     memory: 512Mi
    ##
    resourcesPreset: "small"
    resources: {}
    # resources:
    #   limits:
    #     cpu: 4000m
    #     memory: 4Gi
    #   requests:
    #     cpu: 100m
    #     memory: 512Mi
    ## @param kamajiControlPlane.apiServer.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
    resourcesPreset: "small"
  controllerManager:
-    ## @param controlPlane.controllerManager.resources Resources
+    ## @param kamajiControlPlane.controllerManager.resources Resources
    ## @param controlPlane.controllerManager.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
    resourcesPreset: "micro"
    resources: {}
-
+    # resources:
    #   limits:
    #     cpu: 4000m
    #     memory: 4Gi
    #   requests:
    #     cpu: 100m
    #     memory: 512Mi
    ## @param kamajiControlPlane.controllerManager.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
    resourcesPreset: "micro"
  scheduler:
-    ## @param controlPlane.scheduler.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+    ## @param kamajiControlPlane.scheduler.resources Resources
    ## @param controlPlane.scheduler.resources Resources
    resourcesPreset: "micro"
    resources: {}
-
+    # resources:
-  konnectivity:
+    #   limits:
-    server:
+    #     cpu: 4000m
-      ## @param controlPlane.konnectivity.server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+    #     memory: 4Gi
-      ## @param controlPlane.konnectivity.server.resources Resources
+    #   requests:
-      resourcesPreset: "micro"
+    #     cpu: 100m
-      resources: {}
+    #     memory: 512Mi
    ## @param kamajiControlPlane.scheduler.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
    resourcesPreset: "micro"
  addons:
    konnectivity:
      server:
        ## @param kamajiControlPlane.addons.konnectivity.server.resources Resources
        resources: {}
        # resources:
        #   limits:
        #     cpu: 4000m
        #     memory: 4Gi
        #   requests:
        #     cpu: 100m
        #     memory: 512Mi
        ## @param kamajiControlPlane.addons.konnectivity.server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
        resourcesPreset: "micro"
--- a/packages/apps/postgres/Chart.yaml
+++ b/packages/apps/postgres/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.1
+version: 0.10.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/postgres/templates/backup-cronjob.yaml
+++ b/packages/apps/postgres/templates/backup-cronjob.yaml
@@ -13,6 +13,9 @@ spec:
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          restartPolicy: OnFailure
      template:
        metadata:
          annotations:
@@ -21,7 +24,7 @@ spec:
        spec:
          imagePullSecrets:
          - name: {{ .Release.Name }}-regsecret
-          restartPolicy: OnFailure
+          restartPolicy: Never
          containers:
          - name: pgdump
            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 type: application
-version: 1.9.2
+version: 1.9.1
--- a/packages/apps/tenant/templates/configuration-hash.yaml
+++ b/packages/apps/tenant/templates/configuration-hash.yaml
@@ -0,0 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: cozy-tenant-configuration-hash
  namespace: {{ include "tenant.name" . }}
 data:
  cozyTenantConfigurationHash: {{ sha256sum (toJson .Values) | quote }}
--- a/packages/apps/tenant/templates/networkpolicy.yaml
+++ b/packages/apps/tenant/templates/networkpolicy.yaml
@@ -24,7 +24,6 @@ spec:
  ingress:
  - fromEntities:
      - world
      - cluster
  egress:
  - toEntities:
      - world
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -59,7 +59,7 @@ kubernetes 0.16.0 077045b0
 kubernetes 0.17.0 1fbbfcd0
 kubernetes 0.17.1 fd240701
 kubernetes 0.18.0 721c12a7
-kubernetes 0.19.0 HEAD
+kubernetes 0.18.1 HEAD
 mysql 0.1.0 263e47be
 mysql 0.2.0 c24a103f
 mysql 0.3.0 53f2365e
@@ -89,8 +89,7 @@ postgres 0.7.0 4b90bf5a
 postgres 0.7.1 1ec10165
 postgres 0.8.0 4e68e65c
 postgres 0.9.0 8267072d
-postgres 0.10.0 721c12a7
+postgres 0.10.0 HEAD
 postgres 0.10.1 HEAD
 rabbitmq 0.1.0 263e47be
 rabbitmq 0.2.0 53f2365e
 rabbitmq 0.3.0 6c5cf5bf
@@ -131,8 +130,7 @@ tenant 1.6.8 bc95159a
 tenant 1.7.0 24fa7222
 tenant 1.8.0 160e4e2a
 tenant 1.9.0 728743db
-tenant 1.9.1 721c12a7
+tenant 1.9.1 HEAD
 tenant 1.9.2 HEAD
 virtual-machine 0.1.4 f2015d65
 virtual-machine 0.1.5 263e47be
 virtual-machine 0.2.0 c0685f43
@@ -145,8 +143,7 @@ virtual-machine 0.7.1 0ab39f20
 virtual-machine 0.8.0 3fa4dd3a
 virtual-machine 0.8.1 93c46161
 virtual-machine 0.8.2 de19450f
-virtual-machine 0.9.0 721c12a7
+virtual-machine 0.9.0 HEAD
 virtual-machine 0.9.1 HEAD
 vm-disk 0.1.0 d971f2ff
 vm-disk 0.1.1 HEAD
 vm-instance 0.1.0 1ec10165
@@ -156,8 +153,7 @@ vm-instance 0.4.0 e23286a3
 vm-instance 0.4.1 0ab39f20
 vm-instance 0.5.0 3fa4dd3a
 vm-instance 0.5.1 de19450f
-vm-instance 0.6.0 721c12a7
+vm-instance 0.6.0 HEAD
 vm-instance 0.6.1 HEAD
 vpn 0.1.0 263e47be
 vpn 0.2.0 53f2365e
 vpn 0.3.0 6c5cf5bf
--- a/packages/apps/virtual-machine/Chart.yaml
+++ b/packages/apps/virtual-machine/Chart.yaml
@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.1
+version: 0.9.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/virtual-machine/templates/vm.yaml
+++ b/packages/apps/virtual-machine/templates/vm.yaml
@@ -74,8 +74,7 @@ spec:
          {{- if .Values.gpus }}
          gpus:
          {{- range $i, $gpu := .Values.gpus }}
-          - name: gpu{{ add $i 1 }}
+          - deviceName: {{ $gpu.name }}
            deviceName: {{ $gpu.name }}
          {{- end }}
          {{- end }}
          disks:
--- a/packages/apps/vm-instance/Chart.yaml
+++ b/packages/apps/vm-instance/Chart.yaml
@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.1
+version: 0.6.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/vm-instance/templates/vm.yaml
+++ b/packages/apps/vm-instance/templates/vm.yaml
@@ -46,8 +46,7 @@ spec:
          {{- if .Values.gpus }}
          gpus:
          {{- range $i, $gpu := .Values.gpus }}
-          - name: gpu{{ add $i 1 }}
+          - deviceName: {{ $gpu.name }}
            deviceName: {{ $gpu.name }}
          {{- end }}
          {{- end }}
          disks:
--- a/packages/core/platform/templates/apps.yaml
+++ b/packages/core/platform/templates/apps.yaml
@@ -54,6 +54,12 @@ spec:
        namespace: cozy-public
  values:
    host: "{{ $host }}"
  valuesFrom:
  - kind: ConfigMap
    name: "cozy-system-configuration-hash"
    valuesKey: "cozyTenantConfigurationHash"
    targetPath: "cozyTenantConfigurationHash"
    optional: true
  dependsOn:
  {{- range $x := $bundle.releases }}
  {{- if has $x.name (list "cilium" "kubeovn") }}
--- a/packages/core/platform/templates/configuration-hash.yaml
+++ b/packages/core/platform/templates/configuration-hash.yaml
@@ -0,0 +1,14 @@
 {{- $rootTenantConfiguration := dict "values" .Values }}
 {{- $cozyConfig     := index (lookup "v1" "ConfigMap" "cozy-system" "cozystack"           ) "data" }}
 {{- $cozyScheduling := index (lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling") "data" }}
 {{- $cozyBranding   := index (lookup "v1" "ConfigMap" "cozy-system" "cozystack-branding"  ) "data" }}
 {{- $_ := set $rootTenantConfiguration "config" $cozyConfig }}
 {{- $_ := set $rootTenantConfiguration "scheduling" $cozyScheduling }}
 {{- $_ := set $rootTenantConfiguration "branding" $cozyBranding }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: cozy-system-configuration-hash
  namespace: tenant-root
 data:
  cozyTenantConfigurationHash: {{ sha256sum (toJson $rootTenantConfiguration) | quote }}
--- a/packages/extra/ingress/Chart.yaml
+++ b/packages/extra/ingress/Chart.yaml
@@ -3,4 +3,4 @@ name: ingress
 description: NGINX Ingress Controller
 icon: /logos/ingress-nginx.svg
 type: application
-version: 1.5.0
+version: 1.4.0
--- a/packages/extra/ingress/README.md
+++ b/packages/extra/ingress/README.md
@@ -4,13 +4,12 @@
 ### Common parameters
-| Name              | Description                                                       | Value   |
+| Name             | Description                                                       | Value   |
-| ----------------- | ----------------------------------------------------------------- | ------- |
+| ---------------- | ----------------------------------------------------------------- | ------- |
-| `replicas`        | Number of ingress-nginx replicas                                  | `2`     |
+| `replicas`       | Number of ingress-nginx replicas                                  | `2`     |
-| `externalIPs`     | List of externalIPs for service.                                  | `[]`    |
+| `externalIPs`    | List of externalIPs for service.                                  | `[]`    |
-| `whitelist`       | List of client networks                                           | `[]`    |
+| `whitelist`      | List of client networks                                           | `[]`    |
-| `clouflareProxy`  | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` |
+| `clouflareProxy` | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` |
-| `dashboard`       | Should ingress serve Cozystack service dashboard                  | `false` |
+| `dashboard`      | Should ingress serve Cozystack service dashboard                  | `false` |
-| `cdiUploadProxy`  | Should ingress serve CDI upload proxy                             | `false` |
+| `cdiUploadProxy` | Should ingress serve CDI upload proxy                             | `false` |
 | `virtExportProxy` | Should ingress serve KubeVirt export proxy                        | `false` |
--- a/packages/extra/ingress/values.schema.json
+++ b/packages/extra/ingress/values.schema.json
@@ -35,11 +35,6 @@
            "type": "boolean",
            "description": "Should ingress serve CDI upload proxy",
            "default": false
        },
        "virtExportProxy": {
            "type": "boolean",
            "description": "Should ingress serve KubeVirt export proxy",
            "default": false
        }
    }
 }
--- a/packages/extra/ingress/values.yaml
+++ b/packages/extra/ingress/values.yaml
@@ -30,6 +30,3 @@ dashboard: false
 ## @param cdiUploadProxy Should ingress serve CDI upload proxy
 cdiUploadProxy: false
 ## @param virtExportProxy Should ingress serve KubeVirt export proxy
 virtExportProxy: false
--- a/packages/extra/ingress/vm-exportproxy.yaml
+++ b/packages/extra/ingress/vm-exportproxy.yaml
@@ -1,37 +0,0 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
 {{- if .Values.virtExportProxy }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    cert-manager.io/cluster-issuer: letsencrypt-prod
    {{- if eq $issuerType "cloudflare" }} 
    {{- else }}
    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}
    {{- end }}
  name: virt-exportproxy-{{ .Release.Namespace }}
  namespace: cozy-kubevirt
 spec:
  ingressClassName: {{ .Release.Namespace }}
  rules:
  - host: virt-exportproxy.{{ $host }}
    http:
      paths:
      - backend:
          service:
            name: virt-exportproxy
            port:
              number: 443
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    virt-exportproxy.{{ $host }}
    secretName: virt-exportproxy-{{ .Release.Namespace }}-tls
 {{- end }}
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -16,8 +16,7 @@ ingress 1.0.0 d7cfa53c
 ingress 1.1.0 5bbc488e
 ingress 1.2.0 28fca4ef
 ingress 1.3.0 fde4bcfa
-ingress 1.4.0 fd240701
+ingress 1.4.0 HEAD
 ingress 1.5.0 HEAD
 monitoring 1.0.0 d7cfa53c
 monitoring 1.1.0 25221fdc
 monitoring 1.2.0 f81be075
--- a/packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 0.19.0
+appVersion: 0.18.1
 description: Cluster API Operator
 name: cluster-api-operator
 type: application
-version: 0.19.0
+version: 0.18.1
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml
@@ -1,8 +1,26 @@
 # Addon provider
-{{- range $name, $addon := $.Values.addon }}
+{{- if .Values.addon }}
-  {{- $addonNamespace := default ( printf "%s-%s" $name "addon-system" ) (get $addon "namespace") }}
+{{- $addons := split ";" .Values.addon }}
-  {{- $addonName := $name }}
+{{- $addonNamespace := "" }}
-  {{- $addonVersion := get $addon "version" }}
+{{- $addonName := "" }}
 {{- $addonVersion := "" }}
 {{- range $addon := $addons }}
 {{- $addonArgs := split ":" $addon }}
 {{- $addonArgsLen :=  len $addonArgs }}
 {{-  if eq $addonArgsLen 3 }}
  {{- $addonNamespace = $addonArgs._0 }}
  {{- $addonName = $addonArgs._1 }}
  {{- $addonVersion = $addonArgs._2 }}
 {{-  else if eq $addonArgsLen 2 }}
  {{- $addonNamespace = print $addonArgs._0 "-addon-system" }}
  {{- $addonName = $addonArgs._0 }}
  {{- $addonVersion = $addonArgs._1 }}
 {{-  else if eq $addonArgsLen 1 }}
  {{- $addonNamespace = print $addonArgs._0 "-addon-system" }}
  {{- $addonName = $addonArgs._0 }}
 {{- else }}
  {{- fail "addon provider argument should have the following format helm:v1.0.0 or mynamespace:helm:v1.0.0" }}
 {{- end }}
 ---
 apiVersion: v1
 kind: Namespace
@@ -38,24 +56,5 @@ spec:
 {{- if $.Values.secretNamespace }}
  secretNamespace: {{ $.Values.secretNamespace }}
 {{- end }}
 {{- if $addon.manifestPatches }}
  manifestPatches: {{ toYaml $addon.manifestPatches | nindent 4 }}
 {{- end }}
 {{- if $addon.additionalManifests }}
  additionalManifests:
    name: {{ $addon.additionalManifests.name }}
    {{- if $addon.additionalManifests.namespace }}
    namespace: {{ $addon.additionalManifests.namespace }}
    {{- end }} {{/* if $addon.additionalManifests.namespace */}}
 {{- end }}
 {{- if $addon.additionalManifests }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ $addon.additionalManifests.name }}
  namespace: {{ default $addonNamespace $addon.additionalManifests.namespace }}
 data:
  manifests: {{- toYaml $addon.additionalManifests.manifests | nindent 4 }}
 {{- end }}
 {{- end }} {{/* range $name, $addon := .Values.addon */}}
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/bootstrap.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/bootstrap.yaml
@@ -1,8 +1,26 @@
 # Bootstrap provider
-{{- range $name, $bootstrap := $.Values.bootstrap }}
+{{- if .Values.bootstrap }}
-  {{- $bootstrapNamespace := default ( printf "%s-%s" $name "bootstrap-system" ) (get $bootstrap "namespace") }}
+{{- $bootstraps := split ";" .Values.bootstrap }}
-  {{- $bootstrapName := $name }}
+{{- $bootstrapNamespace := "" }}
-  {{- $bootstrapVersion := get $bootstrap "version" }}
+{{- $bootstrapName := "" }}
 {{- $bootstrapVersion := "" }}
 {{- range $bootstrap := $bootstraps }}
 {{- $bootstrapArgs := split ":" $bootstrap }}
 {{- $bootstrapArgsLen :=  len $bootstrapArgs }}
 {{-  if eq $bootstrapArgsLen 3 }}
  {{- $bootstrapNamespace = $bootstrapArgs._0 }}
  {{- $bootstrapName = $bootstrapArgs._1 }}
  {{- $bootstrapVersion = $bootstrapArgs._2 }}
 {{-  else if eq $bootstrapArgsLen 2 }}
  {{- $bootstrapNamespace = print $bootstrapArgs._0 "-bootstrap-system" }}
  {{- $bootstrapName = $bootstrapArgs._0 }}
  {{- $bootstrapVersion = $bootstrapArgs._1 }}
 {{-  else if eq $bootstrapArgsLen 1 }}
  {{- $bootstrapNamespace = print $bootstrapArgs._0 "-bootstrap-system" }}
  {{- $bootstrapName = $bootstrapArgs._0 }}
 {{- else }}
  {{- fail "bootstrap provider argument should have the following format kubeadm:v1.0.0 or mynamespace:kubeadm:v1.0.0" }}
 {{- end }}
 ---
 apiVersion: v1
 kind: Namespace
@@ -39,24 +57,5 @@ spec:
    namespace: {{ $.Values.configSecret.namespace }}
    {{- end }}
 {{- end }}
 {{- if $bootstrap.manifestPatches }}
  manifestPatches: {{ toYaml $bootstrap.manifestPatches | nindent 4 }}
 {{- end }}
 {{- if $bootstrap.additionalManifests }}
  additionalManifests:
    name: {{ $bootstrap.additionalManifests.name }}
    {{- if $bootstrap.additionalManifests.namespace }}
    namespace: {{ $bootstrap.additionalManifests.namespace }}
    {{- end }} {{/* if $bootstrap.additionalManifests.namespace */}}
 {{- end }}
 {{- if $bootstrap.additionalManifests }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ $bootstrap.additionalManifests.name }}
  namespace: {{ default $bootstrapNamespace $bootstrap.additionalManifests.namespace }}
 data:
  manifests: {{- toYaml $bootstrap.additionalManifests.manifests | nindent 4 }}
 {{- end }}
 {{- end }} {{/* range $name, $bootstrap := .Values.bootstrap */}}
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/control-plane.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/control-plane.yaml
@@ -1,8 +1,26 @@
 # Control plane provider
-{{- range $name, $controlPlane := $.Values.controlPlane }}
+{{- if .Values.controlPlane }}
-  {{- $controlPlaneNamespace := default ( printf "%s-%s" $name "control-plane-system" ) (get $controlPlane "namespace") }}
+{{- $controlPlanes := split ";" .Values.controlPlane }}
-  {{- $controlPlaneName := $name }}
+{{- $controlPlaneNamespace := "" }}
-  {{- $controlPlaneVersion := get $controlPlane "version" }}
+{{- $controlPlaneName := "" }}
 {{- $controlPlaneVersion := "" }}
 {{- range $controlPlane := $controlPlanes }}
 {{- $controlPlaneArgs := split ":" $controlPlane }}
 {{- $controlPlaneArgsLen :=  len $controlPlaneArgs }}
 {{-  if eq $controlPlaneArgsLen 3 }}
  {{- $controlPlaneNamespace = $controlPlaneArgs._0 }}
  {{- $controlPlaneName = $controlPlaneArgs._1 }}
  {{- $controlPlaneVersion = $controlPlaneArgs._2 }}
 {{-  else if eq $controlPlaneArgsLen 2 }}
  {{- $controlPlaneNamespace = print $controlPlaneArgs._0 "-control-plane-system" }}
  {{- $controlPlaneName = $controlPlaneArgs._0 }}
  {{- $controlPlaneVersion = $controlPlaneArgs._1 }}
 {{-  else if eq $controlPlaneArgsLen 1 }}
  {{- $controlPlaneNamespace = print $controlPlaneArgs._0 "-control-plane-system" }}
  {{- $controlPlaneName = $controlPlaneArgs._0 }}
 {{- else }}
  {{- fail "controlplane provider argument should have the following format kubeadm:v1.0.0 or mynamespace:kubeadm:v1.0.0" }}
 {{-  end }}
 ---
 apiVersion: v1
 kind: Namespace
@@ -52,24 +70,5 @@ spec:
    namespace: {{ $.Values.configSecret.namespace }}
    {{- end }}
 {{- end }}
 {{- if $controlPlane.manifestPatches }}
  manifestPatches: {{ toYaml $controlPlane.manifestPatches | nindent 4 }}
 {{- end }}
 {{- if $controlPlane.additionalManifests }}
  additionalManifests:
    name: {{ $controlPlane.additionalManifests.name }}
    {{- if $controlPlane.additionalManifests.namespace }}
    namespace: {{ $controlPlane.additionalManifests.namespace }}
    {{- end }} {{/* if $controlPlane.additionalManifests.namespace */}}
 {{- end }}
 {{- if $controlPlane.additionalManifests }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ $controlPlane.additionalManifests.name }}
  namespace: {{ default $controlPlaneNamespace $controlPlane.additionalManifests.namespace }}
 data:
  manifests: {{- toYaml $controlPlane.additionalManifests.manifests | nindent 4 }}
 {{- end }}
 {{- end }} {{/* range $name, $controlPlane := .Values.controlPlane */}}
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml
@@ -1,8 +1,25 @@
 # Core provider
-{{- range $name, $core := $.Values.core }}
+{{- if .Values.core }}
-  {{- $coreNamespace := default "capi-system" (get $core "namespace") }}
+{{- $coreArgs := split ":" .Values.core }}
-  {{- $coreName := $name }}
+{{- $coreArgsLen :=  len $coreArgs }}
-  {{- $coreVersion := get $core "version" }}
+{{- $coreVersion := "" }}
 {{- $coreNamespace := "" }}
 {{- $coreName := "" }}
 {{- $coreVersion := "" }}
 {{-  if eq $coreArgsLen 3 }}
  {{- $coreNamespace = $coreArgs._0 }}
  {{- $coreName = $coreArgs._1 }}
  {{- $coreVersion = $coreArgs._2 }}
 {{-  else if eq $coreArgsLen 2 }}
  {{- $coreNamespace = "capi-system" }}
  {{- $coreName = $coreArgs._0 }}
  {{- $coreVersion = $coreArgs._1 }}
 {{-  else if eq $coreArgsLen 1 }}
  {{- $coreNamespace = "capi-system" }}
  {{- $coreName = $coreArgs._0 }}
 {{- else }}
  {{- fail "core provider argument should have the following format cluster-api:v1.0.0 or mynamespace:cluster-api:v1.0.0" }}
 {{-  end }}
 ---
 apiVersion: v1
 kind: Namespace
@@ -48,24 +65,4 @@ spec:
    namespace: {{ $.Values.configSecret.namespace }}
    {{- end }}
 {{- end }}
 {{- if $core.manifestPatches }}
  manifestPatches: {{ toYaml $core.manifestPatches | nindent 4 }}
 {{- end }}
 {{- if $core.additionalManifests }}
  additionalManifests:
    name: {{ $core.additionalManifests.name }}
    {{- if $core.additionalManifests.namespace }}
    namespace: {{ $core.additionalManifests.namespace }}
    {{- end }}
 {{- end }}
 {{- if $core.additionalManifests }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ $core.additionalManifests.name }}
  namespace: {{ default $coreNamespace $core.additionalManifests.namespace }}
 data:
  manifests: {{- toYaml $core.additionalManifests.manifests | nindent 4 }}
 {{- end }}
 {{- end }} {{/* range $name, $core := .Values.core */}}
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml
@@ -1,8 +1,26 @@
 # Infrastructure providers
-{{- range $name, $infra := $.Values.infrastructure }}
+{{- if .Values.infrastructure }}
-  {{- $infrastructureNamespace := default ( printf "%s-%s" $name "infrastructure-system" ) (get $infra "namespace") }}
+{{- $infrastructures := split ";" .Values.infrastructure }}
-  {{- $infrastructureName := $name }}
+{{- $infrastructureNamespace := "" }}
-  {{- $infrastructureVersion := get $infra "version" }}
+{{- $infrastructureName := "" }}
 {{- $infrastructureVersion := "" }}
 {{- range $infrastructure := $infrastructures }}
 {{- $infrastructureArgs := split ":" $infrastructure }}
 {{- $infrastructureArgsLen := len $infrastructureArgs }}
 {{-  if eq $infrastructureArgsLen 3 }}
  {{- $infrastructureNamespace = $infrastructureArgs._0 }}
  {{- $infrastructureName = $infrastructureArgs._1 }}
  {{- $infrastructureVersion = $infrastructureArgs._2 }}
 {{-  else if eq $infrastructureArgsLen 2 }}
  {{- $infrastructureNamespace = print $infrastructureArgs._0 "-infrastructure-system" }}
  {{- $infrastructureName = $infrastructureArgs._0 }}
  {{- $infrastructureVersion = $infrastructureArgs._1 }}
 {{-  else if eq $infrastructureArgsLen 1 }}
  {{- $infrastructureNamespace = print $infrastructureArgs._0 "-infrastructure-system" }}
  {{- $infrastructureName = $infrastructureArgs._0 }}
 {{- else }}
  {{- fail "infrastructure provider argument should have the following format aws:v1.0.0 or mynamespace:aws:v1.0.0" }}
 {{- end }}
 ---
 apiVersion: v1
 kind: Namespace
@@ -65,24 +83,5 @@ spec:
 {{- if $.Values.additionalDeployments }}
  additionalDeployments: {{ toYaml $.Values.additionalDeployments | nindent 4 }}
 {{- end }}
 {{- if $infra.manifestPatches }}
  manifestPatches: {{- toYaml $infra.manifestPatches | nindent 4 }}
 {{- end }} {{/* if $infra.manifestPatches */}}
 {{- if $infra.additionalManifests }}
  additionalManifests:
    name: {{ $infra.additionalManifests.name }}
    {{- if $infra.additionalManifests.namespace }}
    namespace: {{ $infra.additionalManifests.namespace }}
    {{- end }} {{/* if $infra.additionalManifests.namespace */}}
 {{- end }} {{/* if $infra.additionalManifests */}}
 {{- if $infra.additionalManifests }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ $infra.additionalManifests.name }}
  namespace: {{ default $infrastructureNamespace $infra.additionalManifests.namespace }}
 data:
  manifests: {{- toYaml $infra.additionalManifests.manifests | nindent 4 }}
 {{- end }}
-{{- end }} {{/* range $name, $infra := .Values.infrastructure */}}
+{{- end }}
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/ipam.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/ipam.yaml
@@ -1,8 +1,26 @@
 # IPAM providers
-{{- range $name, $ipam := $.Values.ipam }}
+{{- if .Values.ipam }}
-  {{- $ipamNamespace := default ( printf "%s-%s" $name "ipam-system" ) (get $ipam "namespace") }}
+{{- $ipams := split ";" .Values.ipam }}
-  {{- $ipamName := $name }}
+{{- $ipamNamespace := "" }}
-  {{- $ipamVersion := get $ipam "version" }}
+{{- $ipamName := "" }}
 {{- $ipamVersion := "" }}
 {{- range $ipam := $ipams }}
 {{- $ipamArgs := split ":" $ipam }}
 {{- $ipamArgsLen := len $ipamArgs }}
 {{-  if eq $ipamArgsLen 3 }}
  {{- $ipamNamespace = $ipamArgs._0 }}
  {{- $ipamName = $ipamArgs._1 }}
  {{- $ipamVersion = $ipamArgs._2 }}
 {{-  else if eq $ipamArgsLen 2 }}
  {{- $ipamNamespace = print $ipamArgs._0 "-ipam-system" }}
  {{- $ipamName = $ipamArgs._0 }}
  {{- $ipamVersion = $ipamArgs._1 }}
 {{-  else if eq $ipamArgsLen 1 }}
  {{- $ipamNamespace = print $ipamArgs._0 "-ipam-system" }}
  {{- $ipamName = $ipamArgs._0 }}
 {{- else }}
  {{- fail "ipam provider argument should have the following format in-cluster:v1.0.0 or mynamespace:in-cluster:v1.0.0" }}
 {{- end }}
 ---
 apiVersion: v1
 kind: Namespace
@@ -52,27 +70,8 @@ spec:
    namespace: {{ $.Values.configSecret.namespace }}
    {{- end }}
 {{- end }}
 {{- if $ipam.manifestPatches }}
  manifestPatches: {{ toYaml $ipam.manifestPatches | nindent 4 }}
 {{- end }}
 {{- if $.Values.additionalDeployments }}
  additionalDeployments: {{ toYaml $.Values.additionalDeployments | nindent 4 }}
 {{- end }}
 {{- if $ipam.additionalManifests }}
  additionalManifests:
    name: {{ $ipam.additionalManifests.name }}
    {{- if $ipam.additionalManifests.namespace }}
    namespace: {{ $ipam.additionalManifests.namespace }}
    {{- end }} {{/* if $ipam.additionalManifests.namespace */}}
 {{- end }}
 {{- if $ipam.additionalManifests }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ $ipam.additionalManifests.name }}
  namespace: {{ default $ipamNamespace $ipam.additionalManifests.namespace }}
 data:
  manifests: {{- toYaml $ipam.additionalManifests.manifests | nindent 4 }}
 {{- end }}
 {{- end }} {{/* range $name, $ipam := .Values.ipam */}}
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/operator-components.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/operator-components.yaml
@@ -1305,13 +1305,6 @@ spec:
                      description: Manager defines the properties that can be enabled
                        on the controller manager for the additional provider deployment.
                      properties:
                        additionalArgs:
                          additionalProperties:
                            type: string
                          description: |-
                            AdditionalArgs is a map of additional options that will be passed
                            in as container args to the provider's controller manager.
                          type: object
                        cacheNamespace:
                          description: |-
                            CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -2843,13 +2836,6 @@ spec:
                description: Manager defines the properties that can be enabled on
                  the controller manager for the provider.
                properties:
                  additionalArgs:
                    additionalProperties:
                      type: string
                    description: |-
                      AdditionalArgs is a map of additional options that will be passed
                      in as container args to the provider's controller manager.
                    type: object
                  cacheNamespace:
                    description: |-
                      CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -3062,32 +3048,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -3097,8 +3078,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
@@ -4732,32 +4711,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -4767,8 +4741,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
@@ -6071,13 +6043,6 @@ spec:
                      description: Manager defines the properties that can be enabled
                        on the controller manager for the additional provider deployment.
                      properties:
                        additionalArgs:
                          additionalProperties:
                            type: string
                          description: |-
                            AdditionalArgs is a map of additional options that will be passed
                            in as container args to the provider's controller manager.
                          type: object
                        cacheNamespace:
                          description: |-
                            CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -7609,13 +7574,6 @@ spec:
                description: Manager defines the properties that can be enabled on
                  the controller manager for the provider.
                properties:
                  additionalArgs:
                    additionalProperties:
                      type: string
                    description: |-
                      AdditionalArgs is a map of additional options that will be passed
                      in as container args to the provider's controller manager.
                    type: object
                  cacheNamespace:
                    description: |-
                      CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -7828,32 +7786,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -7863,8 +7816,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
@@ -9499,32 +9450,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -9534,8 +9480,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
@@ -10839,13 +10783,6 @@ spec:
                      description: Manager defines the properties that can be enabled
                        on the controller manager for the additional provider deployment.
                      properties:
                        additionalArgs:
                          additionalProperties:
                            type: string
                          description: |-
                            AdditionalArgs is a map of additional options that will be passed
                            in as container args to the provider's controller manager.
                          type: object
                        cacheNamespace:
                          description: |-
                            CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -12377,13 +12314,6 @@ spec:
                description: Manager defines the properties that can be enabled on
                  the controller manager for the provider.
                properties:
                  additionalArgs:
                    additionalProperties:
                      type: string
                    description: |-
                      AdditionalArgs is a map of additional options that will be passed
                      in as container args to the provider's controller manager.
                    type: object
                  cacheNamespace:
                    description: |-
                      CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -12597,32 +12527,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -12632,8 +12557,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
@@ -14267,32 +14190,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -14302,8 +14220,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
@@ -15606,13 +15522,6 @@ spec:
                      description: Manager defines the properties that can be enabled
                        on the controller manager for the additional provider deployment.
                      properties:
                        additionalArgs:
                          additionalProperties:
                            type: string
                          description: |-
                            AdditionalArgs is a map of additional options that will be passed
                            in as container args to the provider's controller manager.
                          type: object
                        cacheNamespace:
                          description: |-
                            CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -17144,13 +17053,6 @@ spec:
                description: Manager defines the properties that can be enabled on
                  the controller manager for the provider.
                properties:
                  additionalArgs:
                    additionalProperties:
                      type: string
                    description: |-
                      AdditionalArgs is a map of additional options that will be passed
                      in as container args to the provider's controller manager.
                    type: object
                  cacheNamespace:
                    description: |-
                      CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -17363,32 +17265,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -17398,8 +17295,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
@@ -19034,32 +18929,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -19069,8 +18959,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
@@ -20374,13 +20262,6 @@ spec:
                      description: Manager defines the properties that can be enabled
                        on the controller manager for the additional provider deployment.
                      properties:
                        additionalArgs:
                          additionalProperties:
                            type: string
                          description: |-
                            AdditionalArgs is a map of additional options that will be passed
                            in as container args to the provider's controller manager.
                          type: object
                        cacheNamespace:
                          description: |-
                            CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -21912,13 +21793,6 @@ spec:
                description: Manager defines the properties that can be enabled on
                  the controller manager for the provider.
                properties:
                  additionalArgs:
                    additionalProperties:
                      type: string
                    description: |-
                      AdditionalArgs is a map of additional options that will be passed
                      in as container args to the provider's controller manager.
                    type: object
                  cacheNamespace:
                    description: |-
                      CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -22132,32 +22006,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -22167,8 +22036,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
@@ -23504,13 +23371,6 @@ spec:
                      description: Manager defines the properties that can be enabled
                        on the controller manager for the additional provider deployment.
                      properties:
                        additionalArgs:
                          additionalProperties:
                            type: string
                          description: |-
                            AdditionalArgs is a map of additional options that will be passed
                            in as container args to the provider's controller manager.
                          type: object
                        cacheNamespace:
                          description: |-
                            CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -25042,13 +24902,6 @@ spec:
                description: Manager defines the properties that can be enabled on
                  the controller manager for the provider.
                properties:
                  additionalArgs:
                    additionalProperties:
                      type: string
                    description: |-
                      AdditionalArgs is a map of additional options that will be passed
                      in as container args to the provider's controller manager.
                    type: object
                  cacheNamespace:
                    description: |-
                      CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -25261,32 +25114,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -25296,8 +25144,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
@@ -26635,13 +26481,6 @@ spec:
                      description: Manager defines the properties that can be enabled
                        on the controller manager for the additional provider deployment.
                      properties:
                        additionalArgs:
                          additionalProperties:
                            type: string
                          description: |-
                            AdditionalArgs is a map of additional options that will be passed
                            in as container args to the provider's controller manager.
                          type: object
                        cacheNamespace:
                          description: |-
                            CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -28173,13 +28012,6 @@ spec:
                description: Manager defines the properties that can be enabled on
                  the controller manager for the provider.
                properties:
                  additionalArgs:
                    additionalProperties:
                      type: string
                    description: |-
                      AdditionalArgs is a map of additional options that will be passed
                      in as container args to the provider's controller manager.
                    type: object
                  cacheNamespace:
                    description: |-
                      CacheNamespace if specified restricts the manager's cache to watch objects in
@@ -28393,32 +28225,27 @@ spec:
                  properties:
                    lastTransitionTime:
                      description: |-
-                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        Last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when
                        the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
-                        message is a human readable message indicating details about the transition.
+                        A human readable message indicating details about the transition.
                        This field may be empty.
                      maxLength: 10240
                      minLength: 1
                      type: string
                    reason:
                      description: |-
-                        reason is the reason for the condition's last transition in CamelCase.
+                        The reason for the condition's last transition in CamelCase.
                        The specific API may choose whether or not this field is considered a guaranteed API.
                        This field may be empty.
                      maxLength: 256
                      minLength: 1
                      type: string
                    severity:
                      description: |-
                        severity provides an explicit classification of Reason code, so the users or machines can immediately
                        understand the current situation and act accordingly.
                        The Severity field MUST be set only when Status=False.
                      maxLength: 32
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
@@ -28428,8 +28255,6 @@ spec:
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
                        can be useful (see .node.status.conditions), the ability to deconflict is important.
                      maxLength: 256
                      minLength: 1
                      type: string
                  required:
                  - lastTransitionTime
--- a/packages/system/capi-operator/charts/cluster-api-operator/values.schema.json
+++ b/packages/system/capi-operator/charts/cluster-api-operator/values.schema.json
@@ -1,47 +0,0 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "core": {
      "oneOf": [
        { "type": "object" },
        { "type": "null" }
      ]
    },
    "bootstrap": {
      "type": "object",
      "oneOf": [
        { "type": "object" },
        { "type": "null" }
      ]
    },
    "controlPlane": {
      "type": "object",
      "oneOf": [
        { "type": "object" },
        { "type": "null" }
      ]
    },
    "infrastructure": {
      "type": "object",
      "oneOf": [
        { "type": "object" },
        { "type": "null" }
      ]
    },
    "addon": {
      "type": "object",
      "oneOf": [
        { "type": "object" },
        { "type": "null" }
      ]
    },
    "ipam": {
      "type": "object",
      "oneOf": [
        { "type": "object" },
        { "type": "null" }
      ]
    }
  }
 }
--- a/packages/system/capi-operator/charts/cluster-api-operator/values.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/values.yaml
@@ -1,30 +1,12 @@
 ---
 # ---
 # Cluster API provider options
-core: {}
+core: ""
-# cluster-api: {}  # Name, required
+bootstrap: ""
-#   namespace: ""  # Optional
+controlPlane: ""
-#   version: ""    # Optional
+infrastructure: ""
-bootstrap: {}
+ipam: ""
-# kubeadm: {}      # Name, required
+addon: ""
 #   namespace: ""  # Optional
 #   version: ""    # Optional
 controlPlane: {}
 # kubeadm: {}      # Name, required
 #   namespace: ""  # Optional
 #   version: ""    # Optional
 infrastructure: {}
 # docker: {}  # Name, required
 #   namespace: ""  # Optional
 #   version: ""    # Optional
 addon: {}
 # helm: {}         # Name, required
 #   namespace: ""  # Optional
 #   version: ""    # Optional
 ipam: {}
 # in-cluster: {}   # Name, required
 #   namespace: ""  # Optional
 #   version: ""    # Optional
 manager.featureGates: {}
 fetchConfig: {}
 # ---
@@ -39,7 +21,7 @@ leaderElection:
 image:
  manager:
    repository: registry.k8s.io/capi-operator/cluster-api-operator
-    tag: v0.19.0
+    tag: v0.18.1
    pullPolicy: IfNotPresent
 env:
  manager: []
--- a/packages/system/capi-providers/templates/providers.yaml
+++ b/packages/system/capi-providers/templates/providers.yaml
@@ -5,7 +5,7 @@ metadata:
  name: cluster-api
 spec:
  # https://github.com/kubernetes-sigs/cluster-api
-  version: v1.10.0
+  version: v1.9.5
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: ControlPlaneProvider
@@ -13,7 +13,7 @@ metadata:
  name: kamaji
 spec:
  # https://github.com/clastix/cluster-api-control-plane-provider-kamaji
-  version: v0.14.2
+  version: v0.14.1
  deployment:
    containers:
    - name: manager
@@ -31,7 +31,7 @@ metadata:
  name: kubeadm
 spec:
  # https://github.com/kubernetes-sigs/cluster-api
-  version: v1.10.0
+  version: v1.9.5
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: InfrastructureProvider
@@ -39,4 +39,4 @@ metadata:
  name: kubevirt
 spec:
  # https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt
-  version: v0.1.10
+  version: v0.1.9
--- a/packages/system/cilium/charts/cilium/Chart.yaml
+++ b/packages/system/cilium/charts/cilium/Chart.yaml
@@ -79,7 +79,7 @@ annotations:
    Pod IP Pool\n  description: |\n    CiliumPodIPPool defines an IP pool that can
    be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.17.3
+appVersion: 1.17.2
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.17.3
+version: 1.17.2
--- a/packages/system/cilium/charts/cilium/README.md
+++ b/packages/system/cilium/charts/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
-![Version: 1.17.3](https://img.shields.io/badge/Version-1.17.3-informational?style=flat-square) ![AppVersion: 1.17.3](https://img.shields.io/badge/AppVersion-1.17.3-informational?style=flat-square)
+![Version: 1.17.2](https://img.shields.io/badge/Version-1.17.2-informational?style=flat-square) ![AppVersion: 1.17.2](https://img.shields.io/badge/AppVersion-1.17.2-informational?style=flat-square)
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -85,7 +85,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
 | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. |
-| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:37f7b378a29ceb4c551b1b5582e27747b855bbfaa73fa11914fe0df028dc581f","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.37.0","useDigest":true}` | init container image of SPIRE agent and server |
+| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:498a000f370d8c37927118ed80afe8adc38d1edcbfc071627d17b25c88efcab0","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.37.0","useDigest":true}` | init container image of SPIRE agent and server |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
 | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
@@ -197,7 +197,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
 | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:98d5feaf67dd9b5d8d219ff5990de10539566eedc5412bcf52df75920896ad42","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.17.3","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.17.2","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -377,7 +377,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.httpRetryCount | int | `3` | Maximum number of retries for each HTTP request |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:a01cadf7974409b5c5c92ace3d6afa298408468ca24cab1cb413c04f89d3d1f9","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.32.5-1744305768-f9ddca7dcd91f7ca25a505560e655c47d3dec2cf","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:377c78c13d2731f3720f931721ee309159e782d882251709cb0fac3b42c03f4b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211","useDigest":true}` | Envoy container image. |
 | envoy.initialFetchTimeoutSeconds | int | `30` | Time in seconds after which the initial fetch on an xDS stream is considered timed out |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
@@ -518,7 +518,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:f8674b5139111ac828a8818da7f2d344b4a5bfbaeb122c5dc9abed3e74000c55","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.17.3","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.17.2","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -625,7 +625,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd`, `kvstore` or `doublewrite-readkvstore` / `doublewrite-readcrd` for migrating between identity backends). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.3","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.2","useDigest":true}` | Agent container image. |
 | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -762,7 +762,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.hostNetwork | bool | `true` | HostNetwork setting |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:e9a9ab227c6e833985bde6537b4d1540b0907f21a84319de4b7d62c5302eed5c","awsDigest":"sha256:40f235111fb2bca209ee65b12f81742596e881a0a3ee4d159776d78e3091ba7f","azureDigest":"sha256:6a3294ec8a2107048254179c3ac5121866f90d20fccf12f1d70960e61f304713","genericDigest":"sha256:8bd38d0e97a955b2d725929d60df09d712fb62b60b930551a29abac2dd92e597","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.17.3","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe","awsDigest":"sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c","azureDigest":"sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0","genericDigest":"sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.17.2","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -812,7 +812,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.3","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.2","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
--- a/packages/system/cilium/charts/cilium/values.yaml
+++ b/packages/system/cilium/charts/cilium/values.yaml
@@ -191,10 +191,10 @@ image:
  # @schema
  override: ~
  repository: "quay.io/cilium/cilium"
-  tag: "v1.17.3"
+  tag: "v1.17.2"
  pullPolicy: "IfNotPresent"
  # cilium-digest
-  digest: "sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873"
+  digest: "sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1"
  useDigest: true
 # -- Scheduling configurations for cilium pods
 scheduling:
@@ -1440,9 +1440,9 @@ hubble:
      # @schema
      override: ~
      repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.17.3"
+      tag: "v1.17.2"
      # hubble-relay-digest
-      digest: "sha256:f8674b5139111ac828a8818da7f2d344b4a5bfbaeb122c5dc9abed3e74000c55"
+      digest: "sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc"
      useDigest: true
      pullPolicy: "IfNotPresent"
    # -- Specifies the resources for the hubble-relay pods
@@ -2351,9 +2351,9 @@ envoy:
    # @schema
    override: ~
    repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.32.5-1744305768-f9ddca7dcd91f7ca25a505560e655c47d3dec2cf"
+    tag: "v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211"
    pullPolicy: "IfNotPresent"
-    digest: "sha256:a01cadf7974409b5c5c92ace3d6afa298408468ca24cab1cb413c04f89d3d1f9"
+    digest: "sha256:377c78c13d2731f3720f931721ee309159e782d882251709cb0fac3b42c03f4b"
    useDigest: true
  # -- Additional containers added to the cilium Envoy DaemonSet.
  extraContainers: []
@@ -2708,15 +2708,15 @@ operator:
    # @schema
    override: ~
    repository: "quay.io/cilium/operator"
-    tag: "v1.17.3"
+    tag: "v1.17.2"
    # operator-generic-digest
-    genericDigest: "sha256:8bd38d0e97a955b2d725929d60df09d712fb62b60b930551a29abac2dd92e597"
+    genericDigest: "sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249"
    # operator-azure-digest
-    azureDigest: "sha256:6a3294ec8a2107048254179c3ac5121866f90d20fccf12f1d70960e61f304713"
+    azureDigest: "sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0"
    # operator-aws-digest
-    awsDigest: "sha256:40f235111fb2bca209ee65b12f81742596e881a0a3ee4d159776d78e3091ba7f"
+    awsDigest: "sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c"
    # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:e9a9ab227c6e833985bde6537b4d1540b0907f21a84319de4b7d62c5302eed5c"
+    alibabacloudDigest: "sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe"
    useDigest: true
    pullPolicy: "IfNotPresent"
    suffix: ""
@@ -2991,9 +2991,9 @@ preflight:
    # @schema
    override: ~
    repository: "quay.io/cilium/cilium"
-    tag: "v1.17.3"
+    tag: "v1.17.2"
    # cilium-digest
-    digest: "sha256:1782794aeac951af139315c10eff34050aa7579c12827ee9ec376bb719b82873"
+    digest: "sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1"
    useDigest: true
    pullPolicy: "IfNotPresent"
  # -- The priority class to use for the preflight pod.
@@ -3140,9 +3140,9 @@ clustermesh:
      # @schema
      override: ~
      repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.17.3"
+      tag: "v1.17.2"
      # clustermesh-apiserver-digest
-      digest: "sha256:98d5feaf67dd9b5d8d219ff5990de10539566eedc5412bcf52df75920896ad42"
+      digest: "sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398"
      useDigest: true
      pullPolicy: "IfNotPresent"
    # -- TCP port for the clustermesh-apiserver health API.
@@ -3649,7 +3649,7 @@ authentication:
          override: ~
          repository: "docker.io/library/busybox"
          tag: "1.37.0"
-          digest: "sha256:37f7b378a29ceb4c551b1b5582e27747b855bbfaa73fa11914fe0df028dc581f"
+          digest: "sha256:498a000f370d8c37927118ed80afe8adc38d1edcbfc071627d17b25c88efcab0"
          useDigest: true
          pullPolicy: "IfNotPresent"
        # SPIRE agent configuration
--- a/packages/system/cilium/images/cilium/Dockerfile
+++ b/packages/system/cilium/images/cilium/Dockerfile
@@ -1,2 +1,2 @@
-ARG VERSION=v1.17.3
+ARG VERSION=v1.17.2
 FROM quay.io/cilium/cilium:${VERSION}
--- a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
+++ b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.4.2
+appVersion: v0.4.1
 name: etcd-operator
 type: application
-version: 0.4.2
+version: 0.4.1
--- a/packages/system/etcd-operator/charts/etcd-operator/README.md
+++ b/packages/system/etcd-operator/charts/etcd-operator/README.md
@@ -26,11 +26,6 @@
 | etcdOperator.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
 | etcdOperator.service.port | int | `9443` | Service port |
 | etcdOperator.service.type | string | `"ClusterIP"` | Service type |
 | etcdOperator.vpa.enabled | bool | `true` |  |
 | etcdOperator.vpa.maxAllowed.cpu | string | `"1000m"` |  |
 | etcdOperator.vpa.maxAllowed.memory | string | `"1Gi"` |  |
 | etcdOperator.vpa.minAllowed.cpu | string | `"100m"` |  |
 | etcdOperator.vpa.minAllowed.memory | string | `"128Mi"` |  |
 | fullnameOverride | string | `""` | Override a full name of helm release |
 | imagePullSecrets | list | `[]` |  |
 | kubeRbacProxy.args[0] | string | `"--secure-listen-address=0.0.0.0:8443"` |  |
@@ -46,11 +41,6 @@
 | kubeRbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
 | kubeRbacProxy.service.port | int | `8443` | Service port |
 | kubeRbacProxy.service.type | string | `"ClusterIP"` | Service type |
 | kubeRbacProxy.vpa.enabled | bool | `true` |  |
 | kubeRbacProxy.vpa.maxAllowed.cpu | string | `"500m"` |  |
 | kubeRbacProxy.vpa.maxAllowed.memory | string | `"256Mi"` |  |
 | kubeRbacProxy.vpa.minAllowed.cpu | string | `"50m"` |  |
 | kubeRbacProxy.vpa.minAllowed.memory | string | `"64Mi"` |  |
 | kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes cluster domain prefix |
 | nameOverride | string | `""` | Override a name of helm release |
 | nodeSelector | object | `{}` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ |
@@ -61,5 +51,4 @@
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | tolerations | list | `[]` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | vpa.updatePolicy | string | `"Auto"` |  |
--- a/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml
+++ b/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml
@@ -45,12 +45,10 @@ spec:
          readinessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- if not .Values.etcdOperator.vpa.enabled }}
          {{- with .Values.etcdOperator.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- end }}
          {{- with .Values.etcdOperator.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
@@ -89,12 +87,10 @@ spec:
          readinessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- if not .Values.kubeRbacProxy.vpa.enabled }}
          {{- with .Values.kubeRbacProxy.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- end }}
          {{- with .Values.kubeRbacProxy.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
--- a/packages/system/etcd-operator/charts/etcd-operator/templates/workload/vpa.yml
+++ b/packages/system/etcd-operator/charts/etcd-operator/templates/workload/vpa.yml
@@ -1,41 +0,0 @@
 {{- if or .Values.etcdOperator.vpa.enabled .Values.kubeRbacProxy.vpa.enabled }}
 apiVersion: autoscaling.k8s.io/v1
 kind: VerticalPodAutoscaler
 metadata:
  name: {{ include "etcd-operator.fullname" . }}-controller-manager
  labels:
    {{- include "etcd-operator.labels" . | nindent 4 }}
 spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: Deployment
    name: {{ include "etcd-operator.fullname" . }}-controller-manager
  updatePolicy:
    updateMode: {{ .Values.vpa.updatePolicy | default "Auto" | quote }}
  resourcePolicy:
    containerPolicies:
    {{- if .Values.etcdOperator.vpa.enabled }}
      - containerName: etcd-operator
        {{- with .Values.etcdOperator.vpa.minAllowed }}
        minAllowed:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- with .Values.etcdOperator.vpa.maxAllowed }}
        maxAllowed:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        controlledResources: ["cpu", "memory"]
    {{- end }}
    {{- if .Values.kubeRbacProxy.vpa.enabled }}
      - containerName: kube-rbac-proxy
        {{- with .Values.kubeRbacProxy.vpa.minAllowed }}
        minAllowed:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- with .Values.kubeRbacProxy.vpa.maxAllowed }}
        maxAllowed:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        controlledResources: ["cpu", "memory"]
    {{- end }}
 {{- end }}
--- a/packages/system/etcd-operator/charts/etcd-operator/values.schema.json
+++ b/packages/system/etcd-operator/charts/etcd-operator/values.schema.json
@@ -131,36 +131,6 @@
                        }
                    },
                    "type": "object"
                },
                "vpa": {
                    "properties": {
                        "enabled": {
                            "type": "boolean"
                        },
                        "maxAllowed": {
                            "properties": {
                                "cpu": {
                                    "type": "string"
                                },
                                "memory": {
                                    "type": "string"
                                }
                            },
                            "type": "object"
                        },
                        "minAllowed": {
                            "properties": {
                                "cpu": {
                                    "type": "string"
                                },
                                "memory": {
                                    "type": "string"
                                }
                            },
                            "type": "object"
                        }
                    },
                    "type": "object"
                }
            },
            "type": "object"
@@ -257,36 +227,6 @@
                        }
                    },
                    "type": "object"
                },
                "vpa": {
                    "properties": {
                        "enabled": {
                            "type": "boolean"
                        },
                        "maxAllowed": {
                            "properties": {
                                "cpu": {
                                    "type": "string"
                                },
                                "memory": {
                                    "type": "string"
                                }
                            },
                            "type": "object"
                        },
                        "minAllowed": {
                            "properties": {
                                "cpu": {
                                    "type": "string"
                                },
                                "memory": {
                                    "type": "string"
                                }
                            },
                            "type": "object"
                        }
                    },
                    "type": "object"
                }
            },
            "type": "object"
@@ -330,14 +270,6 @@
        },
        "tolerations": {
            "type": "array"
        },
        "vpa": {
            "properties": {
                "updatePolicy": {
                    "type": "string"
                }
            },
            "type": "object"
        }
    },
    "type": "object"
--- a/packages/system/etcd-operator/charts/etcd-operator/values.yaml
+++ b/packages/system/etcd-operator/charts/etcd-operator/values.yaml
@@ -84,15 +84,6 @@ etcdOperator:
      drop:
        - ALL
  vpa:
    enabled: true
    minAllowed:
      cpu: 100m
      memory: 128Mi
    maxAllowed:
      cpu: 1000m
      memory: 1Gi
 kubeRbacProxy:
  image:
@@ -151,15 +142,6 @@ kubeRbacProxy:
      drop:
          - ALL
  vpa:
    enabled: true
    minAllowed:
      cpu: 50m
      memory: 64Mi
    maxAllowed:
      cpu: 500m
      memory: 256Mi
 # -- Kubernetes cluster domain prefix
 kubernetesClusterDomain: cluster.local
@@ -200,6 +182,3 @@ tolerations: []
 # -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
 affinity: {}
 vpa:
  updatePolicy: "Auto"
--- a/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml
+++ b/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml
@@ -8,7 +8,7 @@ annotations:
    - name: Upstream Project
      url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.19.0
+appVersion: v0.18.0
 description: 'A Helm chart for deploying the Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.19.0
+version: 0.18.0
--- a/packages/system/fluxcd-operator/charts/flux-operator/README.md
+++ b/packages/system/fluxcd-operator/charts/flux-operator/README.md
@@ -1,6 +1,6 @@
 # flux-operator
-![Version: 0.19.0](https://img.shields.io/badge/Version-0.19.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.19.0](https://img.shields.io/badge/AppVersion-v0.19.0-informational?style=flat-square)
+![Version: 0.18.0](https://img.shields.io/badge/Version-0.18.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.18.0](https://img.shields.io/badge/AppVersion-v0.18.0-informational?style=flat-square)
 The [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator) provides a
 declarative API for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the
@@ -33,7 +33,6 @@ see the Flux Operator [documentation](https://fluxcd.control-plane.io/operator/)
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}}` | Pod affinity and anti-affinity settings. |
 | apiPriority | object | `{"enabled":false,"extraServiceAccounts":[],"level":"workload-high"}` | Kubernetes [API priority and fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/) settings. |
 | commonAnnotations | object | `{}` | Common annotations to add to all deployed objects including pods. |
 | commonLabels | object | `{}` | Common labels to add to all deployed objects including pods. |
 | extraArgs | list | `[]` | Container extra arguments. |
--- a/packages/system/fluxcd-operator/charts/flux-operator/templates/admin-clusterrole.yaml
+++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/admin-clusterrole.yaml
@@ -18,6 +18,6 @@ roleRef:
  name: cluster-admin
 subjects:
  - kind: ServiceAccount
-    name: {{ include "flux-operator.serviceAccountName" . }}
+    name: {{ include "flux-operator.fullname" . }}
    namespace: {{ .Release.Namespace }}
 {{- end }}
--- a/packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml
+++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml
@@ -878,18 +878,6 @@ spec:
                required:
                - name
                type: object
              skip:
                description: Skip defines whether we need to skip input provider response
                  updates.
                properties:
                  labels:
                    description: |-
                      Labels specifies list of labels to skip input provider response when any of the label conditions matched.
                      When prefixed with !, input provider response will be skipped if it does not have this label.
                    items:
                      type: string
                    type: array
                type: object
              type:
                description: Type specifies the type of the input provider.
                enum:
--- a/packages/system/fluxcd-operator/charts/flux-operator/templates/flowschema.yaml
+++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/flowschema.yaml
@@ -1,41 +0,0 @@
 {{- if .Values.apiPriority.enabled }}
 apiVersion: flowcontrol.apiserver.k8s.io/v1
 kind: FlowSchema
 metadata:
  name: {{ include "flux-operator.fullname" . }}
  annotations:
    apf.kubernetes.io/autoupdate-spec: "false"
 spec:
  distinguisherMethod:
    type: ByUser
  matchingPrecedence: 950
  priorityLevelConfiguration:
    name: {{ .Values.apiPriority.level }}
  rules:
    - nonResourceRules:
        - nonResourceURLs:
            - '*'
          verbs:
            - '*'
      resourceRules:
        - apiGroups:
            - '*'
          clusterScope: true
          namespaces:
            - '*'
          resources:
            - '*'
          verbs:
            - '*'
      subjects:
        - kind: ServiceAccount
          serviceAccount:
            name: {{ include "flux-operator.serviceAccountName" . }}
            namespace: {{ .Release.Namespace }}
        {{- range .Values.apiPriority.extraServiceAccounts }}
        - kind: ServiceAccount
          serviceAccount:
            name: {{ .name }}
            namespace: {{ .namespace }}
        {{- end }}
 {{- end }}
--- a/packages/system/fluxcd-operator/charts/flux-operator/values.schema.json
+++ b/packages/system/fluxcd-operator/charts/flux-operator/values.schema.json
@@ -63,25 +63,6 @@
            },
            "type": "object"
        },
        "apiPriority": {
            "default": {
                "enabled": false,
                "extraServiceAccounts": [],
                "level": "workload-high"
            },
            "properties": {
                "enabled": {
                    "type": "boolean"
                },
                "extraServiceAccounts": {
                    "type": "array"
                },
                "level": {
                    "type": "string"
                }
            },
            "type": "object"
        },
        "commonAnnotations": {
            "properties": {},
            "type": "object"
--- a/packages/system/fluxcd-operator/charts/flux-operator/values.yaml
+++ b/packages/system/fluxcd-operator/charts/flux-operator/values.yaml
@@ -33,16 +33,6 @@ image:
 # Recommended value is system-cluster-critical.
 priorityClassName: "" # @schema default: "system-cluster-critical"
 # -- Kubernetes [API priority and fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/) settings.
 apiPriority: # @schema default: {"enabled":false,"level":"workload-high","extraServiceAccounts":[]}
  enabled: false
  level: workload-high
  extraServiceAccounts: []
 #    - name: kustomize-controller
 #      namespace: flux-system
 #    - name: helm-controller
 #      namespace: flux-system
 # -- Container resources requests and limits settings.
 resources: # @schema required: true
  limits:
--- a/packages/system/fluxcd/charts/flux-instance/Chart.yaml
+++ b/packages/system/fluxcd/charts/flux-instance/Chart.yaml
@@ -8,7 +8,7 @@ annotations:
    - name: Upstream Project
      url: https://github.com/controlplaneio-fluxcd/flux-operator
 apiVersion: v2
-appVersion: v0.19.0
+appVersion: v0.18.0
 description: 'A Helm chart for deploying a Flux instance managed by Flux Operator. '
 home: https://github.com/controlplaneio-fluxcd
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png
@@ -25,4 +25,4 @@ sources:
 - https://github.com/controlplaneio-fluxcd/flux-operator
 - https://github.com/controlplaneio-fluxcd/charts
 type: application
-version: 0.19.0
+version: 0.18.0
--- a/packages/system/fluxcd/charts/flux-instance/README.md
+++ b/packages/system/fluxcd/charts/flux-instance/README.md
@@ -1,6 +1,6 @@
 # flux-instance
-![Version: 0.19.0](https://img.shields.io/badge/Version-0.19.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.19.0](https://img.shields.io/badge/AppVersion-v0.19.0-informational?style=flat-square)
+![Version: 0.18.0](https://img.shields.io/badge/Version-0.18.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.18.0](https://img.shields.io/badge/AppVersion-v0.18.0-informational?style=flat-square)
 This chart is a thin wrapper around the `FluxInstance` custom resource, which is
 used by the [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator)
--- a/packages/system/kamaji/images/kamaji/patches/hardcode-port.diff
+++ b/packages/system/kamaji/images/kamaji/patches/hardcode-port.diff
@@ -0,0 +1,13 @@
 diff --git a/internal/resources/kubeadm_config.go b/internal/resources/kubeadm_config.go
 index ae4cfc0..ec7a7da 100644
 --- a/internal/resources/kubeadm_config.go
 +++ b/internal/resources/kubeadm_config.go
@@ -96,7 +96,7 @@ func (r *KubeadmConfigResource) mutate(ctx context.Context, tenantControlPlane *
 			TenantControlPlanePort:          port,
 			TenantControlPlaneName:          tenantControlPlane.GetName(),
 			TenantControlPlaneNamespace:     tenantControlPlane.GetNamespace(),
 -			TenantControlPlaneEndpoint:      r.getControlPlaneEndpoint(tenantControlPlane.Spec.ControlPlane.Ingress, address, port),
 +			TenantControlPlaneEndpoint:      r.getControlPlaneEndpoint(tenantControlPlane.Spec.ControlPlane.Ingress, address, 443),
 			TenantControlPlaneCertSANs:      tenantControlPlane.Spec.NetworkProfile.CertSANs,
 			TenantControlPlaneClusterDomain: tenantControlPlane.Spec.NetworkProfile.ClusterDomain,
 			TenantControlPlanePodCIDR:       tenantControlPlane.Spec.NetworkProfile.PodCIDR,
--- a/packages/system/kubeovn/Makefile
+++ b/packages/system/kubeovn/Makefile
@@ -1,4 +1,4 @@
-KUBEOVN_TAG=$(shell awk '$$1 == "version:" {print $$2}' charts/kube-ovn/Chart.yaml)
+KUBEOVN_TAG = v1.13.8
 export NAME=kubeovn
 export NAMESPACE=cozy-$(NAME)
@@ -13,8 +13,6 @@ update:
 	tar xzvf - --strip 1 kube-ovn-$${tag#*v}/charts
 	patch --no-backup-if-mismatch -p4 < patches/cozyconfig.diff
 	patch --no-backup-if-mismatch -p4 < patches/mtu.diff
 	version=$$(awk '$$1 == "version:" {print $$2}' charts/kube-ovn/Chart.yaml) && \
 	sed -i "s/ARG VERSION=.*/ARG VERSION=$${version}/" images/kubeovn/Dockerfile
 image:
 	docker buildx build images/kubeovn \
--- a/packages/system/kubeovn/charts/kube-ovn/Chart.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/Chart.yaml
@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v1.13.10
+version: v1.13.8
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.13.10"
+appVersion: "1.13.8"
 kubeVersion: ">= 1.23.0-0"
--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml
@@ -271,10 +271,10 @@ spec:
        {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
        - name: local-bin
          hostPath:
-            path: {{ .Values.cni_conf.LOCAL_BIN_DIR }}
+            path: {{ .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }}
        {{- end }}
        {{- if .Values.func.ENABLE_OVN_IPSEC }}
        - name: ovs-ipsec-keys
          hostPath:
-            path: {{ .Values.OPENVSWITCH_DIR }}
+            path: /etc/origin/ovs_ipsec_keys
        {{- end }}
--- a/packages/system/kubeovn/charts/kube-ovn/values.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/values.yaml
@@ -10,7 +10,7 @@ global:
      repository: kube-ovn
      dpdkRepository: kube-ovn-dpdk
      vpcRepository: vpc-nat-gateway
-      tag: v1.13.10
+      tag: v1.13.8
      support_arm: true
      thirdparty: true
--- a/packages/system/kubeovn/images/kubeovn/Dockerfile
+++ b/packages/system/kubeovn/images/kubeovn/Dockerfile
@@ -1,5 +1,50 @@
-ARG VERSION=v1.13.10
+# syntax = docker/dockerfile:experimental
-FROM kubeovn/kube-ovn:${VERSION}
+ARG VERSION=v1.13.8
 ARG BASE_TAG=$VERSION
 FROM golang:1.23-bookworm as builder
 ARG TAG=v1.13.8
 RUN git clone --branch ${TAG} --depth 1 https://github.com/kubeovn/kube-ovn /source
 WORKDIR /source
 COPY patches /patches
 RUN git apply /patches/*.diff
 RUN make build-go
 WORKDIR /source/dist/images
 # imported from https://github.com/kubeovn/kube-ovn/blob/master/dist/images/Dockerfile
 FROM kubeovn/kube-ovn-base:$BASE_TAG AS setcap
 COPY --from=builder /source/dist/images/*.sh /kube-ovn/
 COPY --from=builder /source/dist/images/kubectl-ko /kube-ovn/kubectl-ko
 COPY --from=builder /source/dist/images/01-kube-ovn.conflist /kube-ovn/01-kube-ovn.conflist
 COPY --from=builder /source/dist/images/kube-ovn /kube-ovn/kube-ovn
 COPY --from=builder /source/dist/images/kube-ovn-cmd /kube-ovn/kube-ovn-cmd
 COPY --from=builder /source/dist/images/kube-ovn-daemon /kube-ovn/kube-ovn-daemon
 COPY --from=builder /source/dist/images/kube-ovn-controller /kube-ovn/kube-ovn-controller
 RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \
    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-speaker && \
    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-webhook && \
    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-leader-checker && \
    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-ic-controller && \
    ln -s /kube-ovn/kube-ovn-controller /kube-ovn/kube-ovn-pinger && \
    setcap CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-cmd && \
    setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-controller && \
    setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /kube-ovn/kube-ovn-daemon
 FROM kubeovn/kube-ovn-base:$BASE_TAG
 COPY --chmod=0644 --from=builder /source/dist/images/logrotate/* /etc/logrotate.d/
 COPY --from=builder /source/dist/images/grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
 COPY --from=setcap /kube-ovn /kube-ovn
 RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
 WORKDIR /kube-ovn
 # Fix https://github.com/kubeovn/kube-ovn/issues/4526
 RUN setcap CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /usr/lib/openvswitch-switch/ovs-vswitchd \
--- a/packages/system/kubeovn/images/kubeovn/patches/disable-nm-syncer.diff
+++ b/packages/system/kubeovn/images/kubeovn/patches/disable-nm-syncer.diff
@@ -0,0 +1,14 @@
 diff --git a/pkg/daemon/controller_linux.go b/pkg/daemon/controller_linux.go
 index 07014d11..7ff19ae0 100644
 --- a/pkg/daemon/controller_linux.go
 +++ b/pkg/daemon/controller_linux.go
@@ -118,9 +118,6 @@ func (c *Controller) initRuntime() error {
 		c.k8siptables[kubeovnv1.ProtocolIPv6] = k8siptables.New(c.k8sExec, k8siptables.ProtocolIPv6)
 	}
 -	c.nmSyncer = newNetworkManagerSyncer()
 -	c.nmSyncer.Run(c.transferAddrsAndRoutes)
 -
 	return nil
 }
--- a/packages/system/kubevirt/templates/kubevirt-cr.yaml
+++ b/packages/system/kubevirt/templates/kubevirt-cr.yaml
@@ -17,7 +17,6 @@ spec:
      - AutoResourceLimitsGate
      - CPUManager
      - GPU
      - VMExport
    evictionStrategy: LiveMigrate
  customizeComponents: {}
  imagePullPolicy: IfNotPresent
--- a/packages/system/piraeus-operator/charts/piraeus/Chart.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/Chart.yaml
@@ -3,8 +3,8 @@ name: piraeus
 description: |
  The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
 type: application
-version: 2.8.1
+version: 2.7.1
-appVersion: "v2.8.1"
+appVersion: "v2.7.1"
 maintainers:
  - name: Piraeus Datastore
    url: https://piraeus.io
--- a/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml
+++ b/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml
@@ -17,19 +17,20 @@ data:
    #   quay.io/piraeusdatastore/piraeus-server:v1.24.2
    components:
      linstor-controller:
-        tag: v1.31.0
+        tag: v1.29.2
        image: piraeus-server
      linstor-satellite:
-        tag: v1.31.0
+        # Pin with digest to ensure we pull the version with downgraded thin-send-recv
        tag: v1.29.2
        image: piraeus-server
      linstor-csi:
-        tag: v1.7.1
+        tag: v1.6.4
        image: piraeus-csi
      drbd-reactor:
-        tag: v1.8.0
+        tag: v1.6.0
        image: drbd-reactor
      ha-controller:
-        tag: v1.3.0
+        tag: v1.2.3
        image: piraeus-ha-controller
      drbd-shutdown-guard:
        tag: v1.0.0
@@ -38,7 +39,7 @@ data:
        tag: v0.11
        image: ktls-utils
      drbd-module-loader:
-        tag: v9.2.13
+        tag: v9.2.12
        # The special "match" attribute is used to select an image based on the node's reported OS.
        # The operator will first check the k8s node's ".status.nodeInfo.osImage" field, and compare it against the list
        # here. If one matches, that specific image name will be used instead of the fallback image.
@@ -89,25 +90,25 @@ data:
    base: registry.k8s.io/sig-storage
    components:
      csi-attacher:
-        tag: v4.8.1
+        tag: v4.7.0
        image: csi-attacher
      csi-livenessprobe:
-        tag: v2.15.0
+        tag: v2.14.0
        image: livenessprobe
      csi-provisioner:
-        tag: v5.2.0
+        tag: v5.1.0
        image: csi-provisioner
      csi-snapshotter:
-        tag: v8.2.1
+        tag: v8.1.0
        image: csi-snapshotter
      csi-resizer:
-        tag: v1.13.2
+        tag: v1.12.0
        image: csi-resizer
      csi-external-health-monitor-controller:
-        tag: v0.14.0
+        tag: v0.13.0
        image: csi-external-health-monitor-controller
      csi-node-driver-registrar:
-        tag: v2.13.0
+        tag: v2.12.0
        image: csi-node-driver-registrar
  {{- range $idx, $value := .Values.imageConfigOverride }}
  {{ add $idx 1 }}_helm_override.yaml: |
--- a/pkg/apis/apps/v1alpha1/types.go
+++ b/pkg/apis/apps/v1alpha1/types.go
@@ -21,6 +21,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 const (
 	CozySystemConfigurationHashConfigMapName = "cozy-system-configuration-hash"
 	CozyTenantConfigurationHashConfigMapName = "cozy-tenant-configuration-hash"
 	CozyTenantConfigurationHashKey           = "cozyTenantConfigurationHash"
 )
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // ApplicationList is a list of Application objects.
--- a/pkg/registry/apps/application/rest.go
+++ b/pkg/registry/apps/application/rest.go
@@ -988,6 +988,18 @@ func (r *REST) convertApplicationToHelmRelease(app *appsv1alpha1.Application) (*
 		},
 	}
 	valuesFromConfigMap := appsv1alpha1.CozyTenantConfigurationHashConfigMapName
 	if helmRelease.Name == "tenant-root" && helmRelease.Namespace == "tenant-root" {
 		valuesFromConfigMap = appsv1alpha1.CozySystemConfigurationHashConfigMapName
 	}
 	helmRelease.Spec.ValuesFrom = []helmv2.ValuesReference{{
 		Kind:       "ConfigMap",
 		Name:       valuesFromConfigMap,
 		ValuesKey:  appsv1alpha1.CozyTenantConfigurationHashKey,
 		TargetPath: appsv1alpha1.CozyTenantConfigurationHashKey,
 		Optional:   true,
 	}}
 	return helmRelease, nil
 }
`@@ -1,2 +1,2 @@`
	`ARG VERSION=v1.17.3`	`ARG VERSION=v1.17.2`
	`FROM quay.io/cilium/cilium:${VERSION}`	`FROM quay.io/cilium/cilium:${VERSION}`