Create CONTRIBUTOR_LADDER.md

Contributor ladder is an important tool for community participants who are loyal to project and would like to take more responsibility in project. Besides, it's needed for CNCF Incubated applications Signed-off-by: Timur Tukaev <90071493+tym83@users.noreply.github.com>
[tenant] Enable deleting extra applications from a tenant (#1162 )
2026-01-28 18:18:41 +00:00 · 2025-07-20 15:56:25 +05:00 · 2025-07-19 03:44:35 +02:00 · 2025-07-19 03:42:55 +02:00 · 2025-07-19 03:41:56 +02:00 · 2025-07-18 08:41:04 +02:00
228 changed files with 19808 additions and 51099 deletions
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -28,16 +28,7 @@ jobs:

      - name: Install generate
        run: |
-          sudo apt update
-          sudo apt install curl -y
-          sudo apt install nodejs -y
-          sudo apt install npm -y
-
-          git clone --branch 2.7.0 --depth 1 https://github.com/bitnami/readme-generator-for-helm.git
-          cd ./readme-generator-for-helm
-          npm install
-          npm install -g @yao-pkg/pkg
-          pkg . -o /usr/local/bin/readme-generator
+          curl -sSL https://github.com/cozystack/readme-generator-for-helm/releases/download/v1.0.0/readme-generator-for-helm-linux-amd64.tar.gz | tar -xzvf- -C /usr/local/bin/ readme-generator-for-helm

      - name: Run pre-commit hooks
        run: |
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -11,14 +11,14 @@ repos:
    - id: run-make-generate
      name: Run 'make generate' in all app directories
      entry: |
-        /bin/bash -c '
+        flock -x .git/pre-commit.lock sh -c '
          for dir in ./packages/apps/*/ ./packages/extra/*/ ./packages/system/cozystack-api/; do
            if [ -d "$dir" ]; then
              echo "Running make generate in $dir"
-              make generate -C "$dir"
+              make generate -C "$dir" || exit $?
            fi
          done
          git diff --color=always | cat
        '
-      language: script
+      language: system
      files: ^.*$
--- a/CONTRIBUTOR_LADDER.md
+++ b/CONTRIBUTOR_LADDER.md
@@ -0,0 +1,151 @@
+# Contributor Ladder Template
+
+* [Contributor Ladder](#contributor-ladder-template)
+    * [Community Participant](#community-participant)
+    * [Contributor](#contributor)
+    * [Reviewer](#reviewer)
+    * [Maintainer](#maintainer)
+* [Inactivity](#inactivity)
+* [Involuntary Removal](#involuntary-removal-or-demotion)
+* [Stepping Down/Emeritus Process](#stepping-downemeritus-process)
+* [Contact](#contact)
+
+
+## Contributor Ladder
+
+Hello! We are excited that you want to learn more about our project contributor ladder! This contributor ladder outlines the different contributor roles within the project, along with the responsibilities and privileges that come with them. Community members generally start at the first levels of the "ladder" and advance up it as their involvement in the project grows.  Our project members are happy to help you advance along the contributor ladder.
+
+Each of the contributor roles below is organized into lists of three types of things. "Responsibilities" are things that a contributor is expected to do. "Requirements" are qualifications a person needs to meet to be in that role, and "Privileges" are things contributors on that level are entitled to.
+
+
+### Community Participant
+Description: A Community Participant engages with the project and its community, contributing their time, thoughts, etc. Community participants are usually users who have stopped being anonymous and started being active in project discussions.
+
+* Responsibilities:
+    * Must follow the [CNCF CoC](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)
+* How users can get involved with the community:
+    * Participating in community discussions
+    * Helping other users
+    * Submitting bug reports
+    * Commenting on issues
+    * Trying out new releases
+    * Attending community events
+
+
+### Contributor
+Description: A Contributor contributes directly to the project and adds value to it. Contributions need not be code. People at the Contributor level may be new contributors, or they may only contribute occasionally.
+
+* Responsibilities include:
+    * Follow the [CNCF CoC](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)
+    * Follow the project [contributing guide] (https://github.com/cozystack/cozystack/blob/main/CONTRIBUTING.md)
+* Requirements (one or several of the below):
+    * Report and sometimes resolve issues
+    * Occasionally submit PRs
+    * Contribute to the documentation
+    * Show up at meetings, takes notes
+    * Answer questions from other community members
+    * Submit feedback on issues and PRs
+    * Test releases and patches and submit reviews
+    * Run or helps run events
+    * Promote the project in public
+    * Help run the project infrastructure
+* Privileges:
+    * Invitations to contributor events
+    * Eligible to become a Maintainer
+
+
+### Reviewer
+Description: A Reviewer has responsibility for specific code, documentation, test, or other project areas. They are collectively responsible, with other Reviewers, for reviewing all changes to those areas and indicating whether those changes are ready to merge. They have a track record of contribution and review in the project.
+
+Reviewers are responsible for a "specific area." This can be a specific code directory, driver, chapter of the docs, test job, event, or other clearly-defined project component that is smaller than an entire repository or subproject. Most often it is one or a set of directories in one or more Git repositories. The "specific area" below refers to this area of responsibility.
+
+Reviewers have all the rights and responsibilities of a Contributor, plus:
+
+* Responsibilities include:
+    * Continues to contribute regularly, as demonstrated by having at least 15 PRs a year, as demonstrated by [Cozystack devstats](https://cozystack.devstats.cncf.io).
+    * Following the reviewing guide
+    * Reviewing most Pull Requests against their specific areas of responsibility
+    * Reviewing at least 40 PRs per year
+    * Helping other contributors become reviewers
+* Requirements:
+    * Must have successful contributions to the project, including at least one of the following:
+        * 10 accepted PRs,
+        * Reviewed 20 PRs,
+        * Resolved and closed 20 Issues,
+        * Become responsible for a key project management area,
+        * Or some equivalent combination or contribution
+    * Must have been contributing for at least 6 months
+    * Must be actively contributing to at least one project area
+    * Must have two sponsors who are also Reviewers or Maintainers, at least one of whom does not work for the same employer
+    * Has reviewed, or helped review, at least 20 Pull Requests
+    * Has analyzed and resolved test failures in their specific area
+    * Has demonstrated an in-depth knowledge of the specific area
+    * Commits to being responsible for that specific area
+    * Is supportive of new and occasional contributors and helps get useful PRs in shape to commit
+* Additional privileges:
+    * Has GitHub or CI/CD rights to approve pull requests in specific directories
+    * Can recommend and review other contributors to become Reviewers
+    * May be assigned Issues and Reviews
+    * May give commands to CI/CD automation
+    * Can recommend other contributors to become Reviewers
+
+
+The process of becoming a Reviewer is:
+1. The contributor is nominated by opening a PR against the appropriate repository, which adds their GitHub username to the OWNERS file for one or more directories.
+2. At least two members of the team that owns that repository or main directory, who are already Approvers, approve the PR.
+
+
+### Maintainer
+Description: Maintainers are very established contributors who are responsible for the entire project. As such, they have the ability to approve PRs against any area of the project, and are expected to participate in making decisions about the strategy and priorities of the project.
+
+A Maintainer must meet the responsibilities and requirements of a Reviewer, plus:
+
+* Responsibilities include:
+    * Reviewing at least 40 PRs per year, especially PRs that involve multiple parts of the project
+    * Mentoring new Reviewers
+    * Writing refactoring PRs
+    * Participating in CNCF maintainer activities
+    * Determining strategy and policy for the project
+    * Participating in, and leading, community meetings
+* Requirements
+    * Experience as a Reviewer for at least 6 months
+    * Demonstrates a broad knowledge of the project across multiple areas
+    * Is able to exercise judgment for the good of the project, independent of their employer, friends, or team
+    * Mentors other contributors
+    * Can commit to spending at least 10 hours per month working on the project
+* Additional privileges:
+    * Approve PRs to any area of the project
+    * Represent the project in public as a Maintainer
+    * Communicate with the CNCF on behalf of the project
+    * Have a vote in Maintainer decision-making meetings
+    
+
+Process of becoming a maintainer:
+1. Any current Maintainer may nominate a current Reviewer to become a new Maintainer, by opening a PR against the root of the cozystack repository adding the nominee as an Approver in the [MAINTAINERS](https://github.com/cozystack/cozystack/blob/main/MAINTAINERS.md) file.
+2. The nominee will add a comment to the PR testifying that they agree to all requirements of becoming a Maintainer.
+3. A majority of the current Maintainers must then approve the PR.
+
+
+## Inactivity
+It is important for contributors to be and stay active to set an example and show commitment to the project. Inactivity is harmful to the project as it may lead to unexpected delays, contributor attrition, and a lost of trust in the project.
+
+* Inactivity is measured by:
+    * Periods of no contributions for longer than 6 months
+    * Periods of no communication for longer than 3 months
+* Consequences of being inactive include:
+    * Involuntary removal or demotion
+    * Being asked to move to Emeritus status
+
+## Involuntary Removal or Demotion
+
+Involuntary removal/demotion of a contributor happens when responsibilities and requirements aren't being met. This may include repeated patterns of inactivity, extended period of inactivity, a period of failing to meet the requirements of your role, and/or a violation of the Code of Conduct. This process is important because it protects the community and its deliverables while also opens up opportunities for new contributors to step in.
+
+Involuntary removal or demotion is handled through a vote by a majority of the current Maintainers.
+
+## Stepping Down/Emeritus Process
+If and when contributors' commitment levels change, contributors can consider stepping down (moving down the contributor ladder) vs moving to emeritus status (completely stepping away from the project).
+
+Contact the Maintainers about changing to Emeritus status, or reducing your contributor level.
+
+## Contact
+* For inquiries, please reach out to: @kvaps, @tym83
--- a/docs/changelogs/v0.33.0.md
+++ b/docs/changelogs/v0.33.0.md
@@ -0,0 +1,91 @@
+> [!WARNING]
+> A patch release [0.33.2](github.com/cozystack/cozystack/releases/tag/v0.33.2) fixing a regression in 0.33.0 has been released. 
+> It is recommended to skip this version and upgrade to [0.33.2](github.com/cozystack/cozystack/releases/tag/v0.33.2) instead.
+
+## Feature Highlights
+
+### Unified CPU and Memory Allocation Management
+
+Since version 0.31.0, Cozystack introduced a single-point-of-truth configuration variable `cpu-allocation-ratio`,
+making CPU resource requests and limits uniform in Virtual Machines managed by KubeVirt.
+The new release 0.33.0 introduces `memory-allocation-ratio` and expands both variables to all managed applications and tenant resource quotas.
+
+Resource presets also respect the allocation ratios and behave in the same way as explicit resource definitions.
+The new resource definition format is concise and simple for platform users.
+
+```yaml
+# resource definition in the configuration
+resources:
+  cpu: <defined cpu value>
+  memory: <defined memory value>
+```
+
+It results in Kubernetes resource requests and limits, based on defined values and the universal allocation ratios:
+
+```yaml
+# actual requests and limits, provided to the application
+resources:
+  limits:
+    cpu: <defined cpu value>
+    memory: <defined memory value>
+  requests:
+    cpu: <defined cpu value / cpu-allocation-ratio>
+    memory: <defined memory value / memory-allocation-ratio>
+```
+
+When updating from earlier Cozystack versions, resource configuration in managed applications will be automatically migrated to the new format.
+
+### Backing up and Restoring Data in Tenant Kubernetes
+
+One of the main features of the release is backup capability for PVCs in tenant Kubernetes clusters.
+It enables platform and tenant administrators to back up and restore data used by services in the tenant clusters.
+
+This new functionality in Cozystack is powered by [Velero](https://velero.io/) and needs an external S3-compatible storage.
+
+## Support for NFS Storage
+
+Cozystack now supports using NFS shared storage with a new optional system module.
+See the documentation: https://cozystack.io/docs/operations/storage/nfs/.
+
+## Features and Improvements
+
+* [kubernetes] Enable PVC backups in tenant Kubernetes clusters, powered by [Velero](https://velero.io/). (@klinch0 in https://github.com/cozystack/cozystack/pull/1132)
+* [nfs-driver] Enable NFS support by introducing a new optional system module `nfs-driver`.  (@kvaps in https://github.com/cozystack/cozystack/pull/1133)
+* [virtual-machine] Configure CPU sockets available to VMs with the `resources.cpu.sockets` configuration value. (@klinch0 in https://github.com/cozystack/cozystack/pull/1131)
+* [virtual-machine] Add support for using pre-imported "golden image" disks for virtual machines, enabling faster provisioning by referencing existing images instead of downloading via HTTP. (@gwynbleidd2106 in https://github.com/cozystack/cozystack/pull/1112)
+* [kubernetes] Add an option to expose the Ingress-NGINX controller in tenant Kubernetes cluster via LoadBalancer. New configuration value `exposeMethod` offers a choice of `Proxied` and `LoadBalancer`. (@kvaps in https://github.com/cozystack/cozystack/pull/1114)
+* [apps] When updating from earlier Cozystack versions, automatically migrate to the new resource definition format: from `resources.requests.[cpu,memory]` and `resources.limits.[cpu,memory]` to `resources.[cpu,memory]`. (@kvaps in https://github.com/cozystack/cozystack/pull/1127)
+* [apps] Give examples of new resource definitions in the managed app README's. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1120)
+* [tenant] Respect `cpu-allocation-ratio` in tenant's `resourceQuotas`.(@kvaps in https://github.com/cozystack/cozystack/pull/1119)
+* [cozy-lib] Introduce helper function to calculate Java heap params based on memory requests and limits. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1157)
+
+## Security
+
+* [monitoring] Disable sign up in Alerta. (@klinch0 in https://github.com/cozystack/cozystack/pull/1129)
+
+## Fixes
+
+* [platform] Always set resources for managed apps . (@lllamnyp in https://github.com/cozystack/cozystack/pull/1156)
+* [platform] Remove the memory limit for Keycloak deployment. (@klinch0 in https://github.com/cozystack/cozystack/pull/1122)
+* [kubernetes] Fix a condition in the ingress template for tenant Kubernetes. (@kvaps in https://github.com/cozystack/cozystack/pull/1143)
+* [kubernetes] Fix a deadlock on reattaching a KubeVirt-CSI volume. (@kvaps in https://github.com/cozystack/cozystack/pull/1135)
+* [mysql] MySQL applications with a single replica now correctly create a `LoadBalancer` service. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1113)
+* [etcd] Fix resources and headless services in the etcd application. (@kvaps in https://github.com/cozystack/cozystack/pull/1128)
+* [apps] Enable selecting `resourcePreset` from a drop-down list for all applications by adding enum of allowed values in the config scheme. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1117)
+* [apps] Refactor resource presets provided to managed apps by `cozy-lib`. (@kvaps in https://github.com/cozystack/cozystack/pull/1155)
+* [keycloak] Calculate and pass Java heap parameters explicitly to prevent OOM errors. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1157)
+
+
+## Development, Testing, and CI/CD
+
+* [dx] Introduce cozyreport tool and gather reports in CI. (@kvaps in https://github.com/cozystack/cozystack/pull/1139)
+* [ci] Use Nexus as a pull-through cache for CI. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1124)
+* [ci] Save a list of observed images after each workflow run. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1089)
+* [ci] Skip Cozystack tests on PRs that only change the docs. Don't restart CI when a PR is labeled. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1136)
+* [dx] Fix Makefile variables for `capi-providers`. (@kvaps in https://github.com/cozystack/cozystack/pull/1115)
+* [tests] Introduce self-destructing testing environments. (@kvaps in https://github.com/cozystack/cozystack/pull/1138, https://github.com/cozystack/cozystack/pull/1140, https://github.com/cozystack/cozystack/pull/1141, https://github.com/cozystack/cozystack/pull/1142)
+* [e2e] Retry flaky application tests to improve total test time. (@kvaps in https://github.com/cozystack/cozystack/pull/1123)
+* [maintenance] Add a PR template. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1121)
+
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.32.1...v0.33.0
--- a/docs/changelogs/v0.33.1.md
+++ b/docs/changelogs/v0.33.1.md
@@ -0,0 +1,3 @@
+## Fixes
+
+* [kubevirt-csi] Fix a regression by updating the role of the CSI controller. (@lllamnyp in https://github.com/cozystack/cozystack/pull/1165)
--- a/docs/changelogs/v0.33.2.md
+++ b/docs/changelogs/v0.33.2.md
@@ -0,0 +1,19 @@
+## Features and Improvements
+
+* [vm-instance] Enable running [Windows](https://cozystack.io/docs/operations/virtualization/windows/) and [MikroTik RouterOS](https://cozystack.io/docs/operations/virtualization/mikrotik/) in Cozystack. Add `bus` option and always specify `bootOrder` for all disks. (@kvaps in https://github.com/cozystack/cozystack/pull/1168)
+* [cozystack-api] Refactor OpenAPI Schema and support reading it from config. (@kvaps in https://github.com/cozystack/cozystack/pull/1173)
+* [cozystack-api] Enable using singular resource names in Cozystack API. For example, `kubectl get tenant` is now a valid command, in addition to `kubectl get tenants`. (@kvaps in https://github.com/cozystack/cozystack/pull/1169)
+* [postgres] Explain how to back up and restore PostgreSQL using Velero backups. (@klinch0 and @NickVolynkin in https://github.com/cozystack/cozystack/pull/1141)
+
+## Fixes
+
+* [virtual-machine,vm-instance] Adjusted RBAC role to let users read the service associated with the VMs they create. Consequently, users can now see details of the service in the dashboard and therefore read the IP address of the VM. (@klinch0 in https://github.com/cozystack/cozystack/pull/1161)
+* [cozystack-api] Fix an error with `resourceVersion` which resulted in message 'failed to update HelmRelease: helmreleases.helm.toolkit.fluxcd.io "xxx" is invalid...'. (@kvaps in https://github.com/cozystack/cozystack/pull/1170)
+* [cozystack-api] Fix an error in updating lists in Cozystack objects, which resulted in message "Warning: resource ... is missing the kubectl.kubernetes.io/last-applied-configuration annotation". (@kvaps in https://github.com/cozystack/cozystack/pull/1171)
+* [cozystack-api] Disable `startegic-json-patch` support. (@kvaps in https://github.com/cozystack/cozystack/pull/1179)
+* [dashboard] Fix the code for removing dashboard comments which used to mistakenly remove shebang from cloudInit scripts. (@kvaps in https://github.com/cozystack/cozystack/pull/1175).
+* [virtual-machine] Fix cloudInit and sshKeys processing. (@kvaps in https://github.com/cozystack/cozystack/pull/1175 and https://github.com/cozystack/cozystack/commit/da3ee5d0ea9e87529c8adc4fcccffabe8782292e)
+* [applications] Fix a typo in preset resource tables in the built-in documentation of managed applications. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/1172)
+* [kubernetes] Enable deleting Velero component from a tenant Kubernetes cluster. (@klinch0 in https://github.com/cozystack/cozystack/pull/1176)
+
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.33.1...v0.33.2
--- a/internal/controller/system_helm_reconciler.go
+++ b/internal/controller/system_helm_reconciler.go
@@ -54,6 +54,7 @@ func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Reques
 		if !isSystemApp && !isTenantRoot {
 			continue
 		}
+		patchTarget := hr.DeepCopy()

 		if hr.Annotations == nil {
 			hr.Annotations = map[string]string{}
@@ -62,13 +63,12 @@ func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Reques
 		if hr.Annotations[digestAnnotation] == digest {
 			continue
 		}
+		patchTarget.Annotations[digestAnnotation] = digest
+		patchTarget.Annotations[forceReconcileKey] = now
+		patchTarget.Annotations[requestedAt] = now

 		patch := client.MergeFrom(hr.DeepCopy())
-		hr.Annotations[digestAnnotation] = digest
-		hr.Annotations[forceReconcileKey] = now
-		hr.Annotations[requestedAt] = now
-
-		if err := r.Patch(ctx, &hr, patch); err != nil {
+		if err := r.Patch(ctx, patchTarget, patch); err != nil {
 			log.Error(err, "failed to patch HelmRelease", "name", hr.Name, "namespace", hr.Namespace)
 			continue
 		}
--- a/internal/controller/workload_controller.go
+++ b/internal/controller/workload_controller.go
@@ -3,6 +3,7 @@ package controller
 import (
 	"context"
 	"strings"
+	"time"

 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -15,6 +16,10 @@ import (
 	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
 )

+const (
+	deletionRequeueDelay = 30 * time.Second
+)
+
 // WorkloadMonitorReconciler reconciles a WorkloadMonitor object
 type WorkloadReconciler struct {
 	client.Client
@@ -52,6 +57,9 @@ func (r *WorkloadReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c

 	// found object, nothing to do
 	if err == nil {
+		if !t.GetDeletionTimestamp().IsZero() {
+			return ctrl.Result{RequeueAfter: deletionRequeueDelay}, nil
+		}
 		return ctrl.Result{}, nil
 	}

--- a/packages/apps/bucket/Makefile
+++ b/packages/apps/bucket/Makefile
@@ -1,4 +1,4 @@
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
--- a/packages/apps/bucket/values.schema.json
+++ b/packages/apps/bucket/values.schema.json
@@ -1,5 +1,5 @@
 {
+    "properties": {},
    "title": "Chart Values",
-    "type": "object",
-    "properties": {}
+    "type": "object"
 }
--- a/packages/apps/clickhouse/Makefile
+++ b/packages/apps/clickhouse/Makefile
@@ -5,7 +5,7 @@ include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json

 image:
--- a/packages/apps/clickhouse/README.md
+++ b/packages/apps/clickhouse/README.md
@@ -23,35 +23,35 @@ For more details, read [Restic: Effective Backup from Stdin](https://blog.aenix.

 ### Common parameters

-| Name             | Description                                              | Value  |
-| ---------------- | -------------------------------------------------------- | ------ |
-| `size`           | Size of Persistent Volume for data                       | `10Gi` |
-| `logStorageSize` | Size of Persistent Volume for logs                       | `2Gi`  |
-| `shards`         | Number of Clickhouse shards                              | `1`    |
-| `replicas`       | Number of Clickhouse replicas                            | `2`    |
-| `storageClass`   | StorageClass used to store the data                      | `""`   |
-| `logTTL`         | TTL (expiration time) for query_log and query_thread_log | `15`   |
+| Name              | Description                                                                                                                             | Value   |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of Clickhouse replicas                                                                                                           | `2`     |
+| `shards`          | Number of Clickhouse shards                                                                                                             | `1`     |
+| `resources`       | Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.             | `small` |
+| `size`            | Persistent Volume Claim size, available for application data                                                                            | `10Gi`  |
+| `storageClass`    | StorageClass used to store the application data                                                                                         | `""`    |

-### Configuration parameters
+### Application-specific parameters

-| Name    | Description         | Value |
-| ------- | ------------------- | ----- |
-| `users` | Users configuration | `{}`  |
+| Name             | Description                                              | Value |
+| ---------------- | -------------------------------------------------------- | ----- |
+| `logStorageSize` | Size of Persistent Volume for logs                       | `2Gi` |
+| `logTTL`         | TTL (expiration time) for query_log and query_thread_log | `15`  |
+| `users`          | Users configuration                                      | `{}`  |

 ### Backup parameters

-| Name                     | Description                                                                                                                             | Value                                                  |
-| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable periodic backups                                                                                                                 | `false`                                                |
-| `backup.s3Region`        | AWS S3 region where backups are stored                                                                                                  | `us-east-1`                                            |
-| `backup.s3Bucket`        | S3 bucket used for storing backups                                                                                                      | `s3.example.org/clickhouse-backups`                    |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                     | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups                                                                                          | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | Access key for S3, used for authentication                                                                                              | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | Secret key for S3, used for authentication                                                                                              | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | Password for Restic backup encryption                                                                                                   | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`                                                   |
-| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.             | `small`                                                |
+| Name                     | Description                                    | Value                                                  |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable periodic backups                        | `false`                                                |
+| `backup.s3Region`        | AWS S3 region where backups are stored         | `us-east-1`                                            |
+| `backup.s3Bucket`        | S3 bucket used for storing backups             | `s3.example.org/clickhouse-backups`                    |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | Retention strategy for cleaning up old backups | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication     | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication     | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | Password for Restic backup encryption          | `ChaXoveekoh6eigh4siesheeda2quai0`                     |

 ## Parameter examples and reference

--- a/packages/apps/clickhouse/images/clickhouse-backup.tag
+++ b/packages/apps/clickhouse/images/clickhouse-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/clickhouse-backup:0.11.0@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
+ghcr.io/cozystack/cozystack/clickhouse-backup:0.11.1@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
--- a/packages/apps/clickhouse/values.schema.json
+++ b/packages/apps/clickhouse/values.schema.json
@@ -1,91 +1,74 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "size": {
-            "type": "string",
-            "description": "Size of Persistent Volume for data",
-            "default": "10Gi"
-        },
-        "logStorageSize": {
-            "type": "string",
-            "description": "Size of Persistent Volume for logs",
-            "default": "2Gi"
-        },
-        "shards": {
-            "type": "number",
-            "description": "Number of Clickhouse shards",
-            "default": 1
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of Clickhouse replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "logTTL": {
-            "type": "number",
-            "description": "TTL (expiration time) for query_log and query_thread_log",
-            "default": 15
-        },
        "backup": {
-            "type": "object",
            "properties": {
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable periodic backups",
-                    "default": false
-                },
-                "s3Region": {
-                    "type": "string",
-                    "description": "AWS S3 region where backups are stored",
-                    "default": "us-east-1"
-                },
-                "s3Bucket": {
-                    "type": "string",
-                    "description": "S3 bucket used for storing backups",
-                    "default": "s3.example.org/clickhouse-backups"
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
-                },
                "cleanupStrategy": {
-                    "type": "string",
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m",
                    "description": "Retention strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                    "type": "string"
                },
-                "s3AccessKey": {
-                    "type": "string",
-                    "description": "Access key for S3, used for authentication",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
-                },
-                "s3SecretKey": {
-                    "type": "string",
-                    "description": "Secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                "enabled": {
+                    "default": false,
+                    "description": "Enable periodic backups",
+                    "type": "boolean"
                },
                "resticPassword": {
-                    "type": "string",
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0",
                    "description": "Password for Restic backup encryption",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                    "type": "string"
+                },
+                "s3AccessKey": {
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
+                    "description": "Access key for S3, used for authentication",
+                    "type": "string"
+                },
+                "s3Bucket": {
+                    "default": "s3.example.org/clickhouse-backups",
+                    "description": "S3 bucket used for storing backups",
+                    "type": "string"
+                },
+                "s3Region": {
+                    "default": "us-east-1",
+                    "description": "AWS S3 region where backups are stored",
+                    "type": "string"
+                },
+                "s3SecretKey": {
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
+                    "description": "Secret key for S3, used for authentication",
+                    "type": "string"
+                },
+                "schedule": {
+                    "default": "0 2 * * *",
+                    "description": "Cron schedule for automated backups",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
+        },
+        "logStorageSize": {
+            "default": "2Gi",
+            "description": "Size of Persistent Volume for logs",
+            "type": "string"
+        },
+        "logTTL": {
+            "default": 15,
+            "description": "TTL (expiration time) for query_log and query_thread_log",
+            "type": "number"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of Clickhouse replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "small",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
                "nano",
                "micro",
@@ -95,6 +78,23 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "shards": {
+            "default": 1,
+            "description": "Number of Clickhouse shards",
+            "type": "number"
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume Claim size, available for application data",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the application data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/clickhouse/values.yaml
+++ b/packages/apps/clickhouse/values.yaml
@@ -1,21 +1,29 @@
 ## @section Common parameters
-
-## @param size Size of Persistent Volume for data
-## @param logStorageSize Size of Persistent Volume for logs
-## @param shards Number of Clickhouse shards
-## @param replicas Number of Clickhouse replicas
-## @param storageClass StorageClass used to store the data
-## @param logTTL TTL (expiration time) for query_log and query_thread_log
 ##
-size: 10Gi
-logStorageSize: 2Gi
-shards: 1
+## @param replicas Number of Clickhouse replicas
 replicas: 2
+## @param shards Number of Clickhouse shards
+shards: 1
+## @param resources Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+#  resources:
+#    cpu: 4000m
+#    memory: 4Gi
+
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "small"
+## @param size Persistent Volume Claim size, available for application data
+size: 10Gi
+## @param storageClass StorageClass used to store the application data
 storageClass: ""
+
+
+## @section Application-specific parameters
+##
+## @param logStorageSize Size of Persistent Volume for logs
+logStorageSize: 2Gi
+## @param logTTL TTL (expiration time) for query_log and query_thread_log
 logTTL: 15
-
-## @section Configuration parameters
-
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -27,6 +35,7 @@ logTTL: 15
 ##
 users: {}

+
 ## @section Backup parameters

 ## @param backup.enabled Enable periodic backups
@@ -47,11 +56,3 @@ backup:
  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

-## @param resources Explicit CPU and memory configuration for each ClickHouse replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
-
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "small"
--- a/packages/apps/ferretdb/Chart.yaml
+++ b/packages/apps/ferretdb/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.1
+version: 1.0.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.24.0"
+appVersion: 2.4.0
--- a/packages/apps/ferretdb/Makefile
+++ b/packages/apps/ferretdb/Makefile
@@ -2,5 +2,12 @@ include ../../../scripts/package.mk
 PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+
+update:
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/FerretDB/FerretDB | awk -F'[/^]' '{sub("^v", "", $$3)} END{print $$3}') && \
+	pgtag=$$(skopeo list-tags docker://ghcr.io/ferretdb/postgres-documentdb | jq -r --arg tag "$$tag" '.Tags[] | select(endswith("ferretdb-" + $$tag))' | sort -V | tail -n1) && \
+	sed -i "s|\(imageName: ghcr.io/ferretdb/postgres-documentdb:\).*|\1$$pgtag|" templates/postgres.yaml && \
+	sed -i "s|\(image: ghcr.io/ferretdb/ferretdb:\).*|\1$$tag|" templates/ferretdb.yaml && \
+	sed -i "s|\(appVersion: \).*|\1$$tag|" Chart.yaml
--- a/packages/apps/ferretdb/README.md
+++ b/packages/apps/ferretdb/README.md
@@ -8,37 +8,42 @@ Internally, FerretDB service is backed by Postgres.

 ### Common parameters

-| Name                     | Description                                                                                                                 | Value   |
-| ------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`               | Enable external access from outside the cluster                                                                             | `false` |
-| `size`                   | Persistent Volume size                                                                                                      | `10Gi`  |
-| `replicas`               | Number of replicas                                                                                                          | `2`     |
-| `storageClass`           | StorageClass used to store the data                                                                                         | `""`    |
-| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed                | `0`     |
-| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas) | `0`     |
+| Name              | Description                                                                                                                           | Value   |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of replicas                                                                                                                    | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.     | `micro` |
+| `size`            | Persistent Volume size                                                                                                                | `10Gi`  |
+| `storageClass`    | StorageClass used to store the data                                                                                                   | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                       | `false` |

-### Configuration parameters
+### Application-specific parameters

-| Name    | Description         | Value |
-| ------- | ------------------- | ----- |
-| `users` | Users configuration | `{}`  |
+| Name                     | Description                                                                                                                 | Value |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed                | `0`   |
+| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas) | `0`   |
+| `users`                  | Users configuration                                                                                                         | `{}`  |

 ### Backup parameters

-| Name                     | Description                                                                                                                           | Value                                                  |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable periodic backups                                                                                                               | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                            | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                   | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                              | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                        | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                        | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                             | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`                                                   |
-| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.           | `nano`                                                 |
+| Name                     | Description                                                | Value                               |
+| ------------------------ | ---------------------------------------------------------- | ----------------------------------- |
+| `backup.enabled`         | Enable regular backups                                     | `false`                             |
+| `backup.schedule`        | Cron schedule for automated backups                        | `0 2 * * * *`                       |
+| `backup.retentionPolicy` | Retention policy                                           | `30d`                               |
+| `backup.destinationPath` | Path to store the backup (i.e. s3://bucket/path/to/folder) | `s3://bucket/path/to/folder/`       |
+| `backup.endpointURL`     | S3 Endpoint used to upload data to the cloud               | `http://minio-gateway-service:9000` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                 | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                 | `ju3eum4dekeich9ahM1te8waeGai0oog`  |

+### Bootstrap (recovery) parameters

+| Name                     | Description                                                                                                          | Value   |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------- | ------- |
+| `bootstrap.enabled`      | Restore database cluster from a backup                                                                               | `false` |
+| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest | `""`    |
+| `bootstrap.oldName`      | Name of database cluster before deleting                                                                             | `""`    |

 ## Parameter examples and reference

--- a/packages/apps/ferretdb/images/postgres-backup.tag
+++ b/packages/apps/ferretdb/images/postgres-backup.tag
@@ -1 +0,0 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f
--- a/packages/apps/ferretdb/templates/backup-cronjob.yaml
+++ b/packages/apps/ferretdb/templates/backup-cronjob.yaml
@@ -1,99 +0,0 @@
-{{- if .Values.backup.enabled }}
-{{ $image := .Files.Get "images/backup.json" | fromJson }}
-
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: {{ .Release.Name }}-backup
-spec:
-  schedule: "{{ .Values.backup.schedule }}"
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      backoffLimit: 2
-      template:
-        spec:
-          restartPolicy: OnFailure
-      template:
-        metadata:
-          annotations:
-            checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }}
-            checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }}
-        spec:
-          restartPolicy: Never
-          containers:
-          - name: pgdump
-            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
-            command:
-            - /bin/sh
-            - /scripts/backup.sh
-            env:
-            - name: REPO_PREFIX
-              value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }}
-            - name: CLEANUP_STRATEGY
-              value: {{ required "cleanupStrategy is not specified!" .Values.backup.cleanupStrategy | quote }}
-            - name: PGUSER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-postgres-superuser
-                  key: username
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-postgres-superuser
-                  key: password
-            - name: PGHOST
-              value: {{ .Release.Name }}-postgres-rw
-            - name: PGPORT
-              value: "5432"
-            - name: PGDATABASE
-              value: postgres
-            - name: AWS_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: s3AccessKey
-            - name: AWS_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: s3SecretKey
-            - name: AWS_DEFAULT_REGION
-              value: {{ .Values.backup.s3Region }}
-            - name: RESTIC_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: resticPassword
-            volumeMounts:
-            - mountPath: /scripts
-              name: scripts
-            - mountPath: /tmp
-              name: tmp
-            - mountPath: /.cache
-              name: cache
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                drop:
-                - ALL
-              privileged: false
-              readOnlyRootFilesystem: true
-              runAsNonRoot: true
-          volumes:
-          - name: scripts
-            secret:
-              secretName: {{ .Release.Name }}-backup-script
-          - name: tmp
-            emptyDir: {}
-          - name: cache
-            emptyDir: {}
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 9000
-            runAsGroup: 9000
-            seccompProfile:
-              type: RuntimeDefault
-{{- end }}
--- a/packages/apps/ferretdb/templates/backup-script.yaml
+++ b/packages/apps/ferretdb/templates/backup-script.yaml
@@ -1,50 +0,0 @@
-{{- if .Values.backup.enabled }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-backup-script
-stringData:
-  backup.sh: |
-    #!/bin/sh
-    set -e
-    set -o pipefail
-
-    JOB_ID="job-$(uuidgen|cut -f1 -d-)"
-    DB_LIST=$(psql -Atq -c 'SELECT datname FROM pg_catalog.pg_database;' | grep -v '^\(postgres\|app\|template.*\)$')
-    echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list
-    echo "Job ID: $JOB_ID"
-    echo "Target repo: $REPO_PREFIX"
-    echo "Cleanup strategy: $CLEANUP_STRATEGY"
-    echo "Start backup for:"
-    echo "$DB_LIST"
-    echo
-    echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`"
-    for db in $DB_LIST; do
-      (
-        set -x
-        restic -r "s3:${REPO_PREFIX}/$db" cat config >/dev/null 2>&1 || \
-          restic -r "s3:${REPO_PREFIX}/$db" init --repository-version 2
-        restic -r "s3:${REPO_PREFIX}/$db" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it
-        pg_dump -Z0 -Ft -d "$db" | \
-          restic -r "s3:${REPO_PREFIX}/$db" backup --tag "$JOB_ID" --stdin --stdin-filename dump.tar
-        restic -r "s3:${REPO_PREFIX}/$db" tag --tag "$JOB_ID" --set "completed"
-      )
-    done
-    echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`"
-
-    echo
-    echo "Run cleanup:"
-    echo
-
-    echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`"
-    for db in $DB_LIST; do
-      (
-        set -x
-        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" # keep completed snapshots only
-        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY
-        restic prune -r "s3:${REPO_PREFIX}/$db"
-      )
-    done
-    echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`"
-{{- end }}
--- a/packages/apps/ferretdb/templates/backup-secret.yaml
+++ b/packages/apps/ferretdb/templates/backup-secret.yaml
@@ -1,11 +0,0 @@
-{{- if .Values.backup.enabled }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-backup
-stringData:
-  s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
-  s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
-  resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
-{{- end }}
--- a/packages/apps/ferretdb/templates/backup.yaml
+++ b/packages/apps/ferretdb/templates/backup.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: {{ .Release.Name }}-postgres
+spec:
+  schedule: {{ .Values.backup.schedule | quote }}
+  backupOwnerReference: self
+  cluster:
+    name: {{ .Release.Name }}-postgres
+{{- end }}
--- a/packages/apps/ferretdb/templates/ferretdb.yaml
+++ b/packages/apps/ferretdb/templates/ferretdb.yaml
@@ -16,12 +16,14 @@ spec:
    spec:
      containers:
      - name: ferretdb
-        image: ghcr.io/ferretdb/ferretdb:1.24.0
+        image: ghcr.io/ferretdb/ferretdb:2.4.0
        ports:
        - containerPort: 27017
        env:
-          - name: FERRETDB_POSTGRESQL_URL
+          - name: POSTGRESQL_PASSWORD
            valueFrom:
              secretKeyRef:
-                name: {{ .Release.Name }}-postgres-app
-                key: uri
+                name: {{ .Release.Name }}-postgres-superuser
+                key: password
+          - name: FERRETDB_POSTGRESQL_URL
+            value: "postgresql://postgres:$(POSTGRESQL_PASSWORD)@{{ .Release.Name }}-postgres-rw:5432/postgres"
--- a/packages/apps/ferretdb/templates/init-job.yaml
+++ b/packages/apps/ferretdb/templates/init-job.yaml
@@ -1,66 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ .Release.Name }}-init-job
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": before-hook-creation
-spec:
-  template:
-    metadata:
-      name: {{ .Release.Name }}-init-job
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/init-script.yaml") . | sha256sum }}
-    spec:
-      restartPolicy: Never
-      containers:
-      - name: postgres
-        image: ghcr.io/cloudnative-pg/postgresql:15.3
-        command:
-        - bash
-        - /scripts/init.sh
-        env:
-        - name: PGUSER
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-postgres-superuser
-              key: username
-        - name: PGPASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-postgres-superuser
-              key: password
-        - name: PGHOST
-          value: {{ .Release.Name }}-postgres-rw
-        - name: PGPORT
-          value: "5432"
-        - name: PGDATABASE
-          value: postgres
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          privileged: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-        volumeMounts:
-        - mountPath: /etc/secret
-          name: secret
-        - mountPath: /scripts
-          name: scripts
-      securityContext:
-        fsGroup: 26
-        runAsGroup: 26
-        runAsNonRoot: true
-        runAsUser: 26
-        seccompProfile:
-          type: RuntimeDefault
-      volumes:
-      - name: secret
-        secret:
-          secretName: {{ .Release.Name }}-postgres-superuser
-      - name: scripts
-        secret:
-          secretName: {{ .Release.Name }}-init-script
--- a/packages/apps/ferretdb/templates/init-script.yaml
+++ b/packages/apps/ferretdb/templates/init-script.yaml
@@ -1,131 +0,0 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
-{{- $passwords := dict }}
-
-{{- with (index $existingSecret "data") }}
-  {{- range $k, $v := . }}
-    {{- $_ := set $passwords $k (b64dec $v) }}
-  {{- end }}
-{{- end }}
-
-{{- range $user, $u := .Values.users }}
-  {{- if $u.password }}
-    {{- $_ := set $passwords $user $u.password }}
-  {{- else if not (index $passwords $user) }}
-    {{- $_ := set $passwords $user (randAlphaNum 16) }}
-  {{- end }}
-{{- end }}
-
-{{- if .Values.users }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-credentials
-stringData:
-  {{- range $user, $u := .Values.users }}
-  {{ quote $user }}: {{ quote (index $passwords $user) }}
-  {{- end }}
-{{- end }}
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-init-script
-stringData:
-  init.sh: |
-    #!/bin/bash
-    set -e
-
-    until pg_isready ; do sleep 5; done
-
-    echo "== create users"
-    {{- if .Values.users }}
-    psql -v ON_ERROR_STOP=1 <<\EOT
-    {{- range $user, $u := .Values.users }}
-    SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
-    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
-    COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
-    {{- end }}
-    EOT
-    {{- end }}
-
-    echo "== delete users"
-    MANAGED_USERS=$(echo '\du+' | psql | awk -F'|' '$4 == " user managed by helm" {print $1}' | awk NF=NF RS= OFS=' ')
-    DEFINED_USERS="{{ join " " (keys .Values.users) }}"
-    DELETE_USERS=$(for user in $MANAGED_USERS; do case " $DEFINED_USERS " in *" $user "*) :;; *) echo $user;; esac; done)
-
-    echo "users to delete: $DELETE_USERS"
-    for user in $DELETE_USERS; do
-    # https://stackoverflow.com/a/51257346/2931267
-    psql -v ON_ERROR_STOP=1 --echo-all <<EOT
-    REASSIGN OWNED BY $user TO postgres;
-    DROP OWNED BY $user;
-    DROP USER $user;
-    EOT
-    done
-
-    echo "== create roles"
-    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
-    SELECT 'CREATE ROLE app_admin NOINHERIT;'
-    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'app_admin')\gexec
-    COMMENT ON ROLE app_admin IS 'role managed by helm';
-    EOT
-
-    echo "== grant privileges on databases to roles"
-    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
-    ALTER DATABASE app OWNER TO app_admin;
-
-    DO $$
-    DECLARE
-        schema_record record;
-    BEGIN
-        -- Loop over all schemas
-        FOR schema_record IN SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT IN ('pg_catalog', 'information_schema') LOOP
-            -- Changing Schema Ownership
-            EXECUTE format('ALTER SCHEMA %I OWNER TO %I', schema_record.schema_name, 'app_admin');
-
-            -- Add rights for the admin role
-            EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL SEQUENCES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL FUNCTIONS IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', schema_record.schema_name, 'app_admin');
-        END LOOP;
-    END$$;
-    EOT
-
-    echo "== setup event trigger for schema creation"
-    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
-    CREATE OR REPLACE FUNCTION auto_grant_schema_privileges()
-    RETURNS event_trigger LANGUAGE plpgsql AS $$
-    DECLARE
-      obj record;
-    BEGIN
-      FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE SCHEMA' LOOP
-        -- Set owner for schema
-        EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, 'app_admin');
-
-        -- Set privileges for admin role
-        EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', obj.object_identity, 'app_admin');
-      END LOOP;
-    END;
-    $$;
-
-    DROP EVENT TRIGGER IF EXISTS trigger_auto_grant;
-    CREATE EVENT TRIGGER trigger_auto_grant ON ddl_command_end
-    WHEN TAG IN ('CREATE SCHEMA')
-    EXECUTE PROCEDURE auto_grant_schema_privileges();
-    EOT
-
-    echo "== assign roles to users"
-    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
-    GRANT app_admin TO app;
-    {{- range $user, $u := $.Values.users }}
-    GRANT app_admin TO {{ $user }};
-    {{- end }}
-    EOT
--- a/packages/apps/ferretdb/templates/postgres.yaml
+++ b/packages/apps/ferretdb/templates/postgres.yaml
@@ -5,6 +5,50 @@ metadata:
  name: {{ .Release.Name }}-postgres
 spec:
  instances: {{ .Values.replicas }}
+  {{- if .Values.backup.enabled }}
+  backup:
+    barmanObjectStore:
+      destinationPath: {{ .Values.backup.destinationPath }}
+      endpointURL: {{ .Values.backup.endpointURL }}
+      s3Credentials:
+        accessKeyId:
+          name: {{ .Release.Name }}-s3-creds
+          key: AWS_ACCESS_KEY_ID
+        secretAccessKey:
+          name: {{ .Release.Name }}-s3-creds
+          key: AWS_SECRET_ACCESS_KEY
+    retentionPolicy: {{ .Values.backup.retentionPolicy }}
+  {{- end }}
+
+  bootstrap:
+    initdb:
+      postInitSQL:
+        - 'CREATE EXTENSION IF NOT EXISTS documentdb CASCADE;'
+    {{- if .Values.bootstrap.enabled }}
+    recovery:
+      source: {{ .Values.bootstrap.oldName }}
+      {{- if .Values.bootstrap.recoveryTime }}
+      recoveryTarget:
+        targetTime: {{ .Values.bootstrap.recoveryTime }}
+      {{- end }}
+    {{- end }}
+  {{- if .Values.bootstrap.enabled }}
+  externalClusters:
+    - name: {{ .Values.bootstrap.oldName }}
+      barmanObjectStore:
+        destinationPath: {{ .Values.backup.destinationPath }}
+        endpointURL: {{ .Values.backup.endpointURL }}
+        s3Credentials:
+          accessKeyId:
+            name: {{ .Release.Name }}-s3-creds
+            key: AWS_ACCESS_KEY_ID
+          secretAccessKey:
+            name: {{ .Release.Name }}-s3-creds
+            key: AWS_SECRET_ACCESS_KEY
+  {{- end }}
+  imageName: ghcr.io/ferretdb/postgres-documentdb:17-0.105.0-ferretdb-2.4.0
+  postgresUID: 999
+  postgresGID: 999
  enableSuperuserAccess: true
  {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
  {{- if $configMap }}
@@ -22,6 +66,17 @@ spec:
  monitoring:
    enablePodMonitor: true

+  postgresql:
+    shared_preload_libraries:
+      - pg_cron
+      - pg_documentdb_core
+      - pg_documentdb
+    parameters:
+      cron.database_name: 'postgres'
+    pg_hba:
+      - host postgres postgres 127.0.0.1/32 trust
+      - host postgres postgres ::1/128 trust
+
  storage:
    size: {{ required ".Values.size is required" .Values.size }}
    {{- with .Values.storageClass }}
@@ -42,8 +97,6 @@ spec:
      passwordSecret:
        name: {{ printf "%s-user-%s" $.Release.Name $user }}
      login: true
-      inRoles:
-      - app
    {{- end }}
  {{- end }}

--- a/packages/apps/ferretdb/values.schema.json
+++ b/packages/apps/ferretdb/values.schema.json
@@ -1,96 +1,99 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "quorum": {
-            "type": "object",
-            "properties": {
-                "minSyncReplicas": {
-                    "type": "number",
-                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed",
-                    "default": 0
-                },
-                "maxSyncReplicas": {
-                    "type": "number",
-                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)",
-                    "default": 0
-                }
-            }
-        },
        "backup": {
-            "type": "object",
            "properties": {
+                "destinationPath": {
+                    "default": "s3://bucket/path/to/folder/",
+                    "description": "Path to store the backup (i.e. s3://bucket/path/to/folder)",
+                    "type": "string"
+                },
                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable periodic backups",
-                    "default": false
+                    "default": false,
+                    "description": "Enable regular backups",
+                    "type": "boolean"
                },
-                "s3Region": {
-                    "type": "string",
-                    "description": "The AWS S3 region where backups are stored",
-                    "default": "us-east-1"
+                "endpointURL": {
+                    "default": "http://minio-gateway-service:9000",
+                    "description": "S3 Endpoint used to upload data to the cloud",
+                    "type": "string"
                },
-                "s3Bucket": {
-                    "type": "string",
-                    "description": "The S3 bucket used for storing backups",
-                    "default": "s3.example.org/postgres-backups"
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
-                },
-                "cleanupStrategy": {
-                    "type": "string",
-                    "description": "The strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                "retentionPolicy": {
+                    "default": "30d",
+                    "description": "Retention policy",
+                    "type": "string"
                },
                "s3AccessKey": {
-                    "type": "string",
-                    "description": "The access key for S3, used for authentication",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
+                    "description": "Access key for S3, used for authentication",
+                    "type": "string"
                },
                "s3SecretKey": {
-                    "type": "string",
-                    "description": "The secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
+                    "description": "Secret key for S3, used for authentication",
+                    "type": "string"
                },
-                "resticPassword": {
-                    "type": "string",
-                    "description": "The password for Restic backup encryption",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                "schedule": {
+                    "default": "0 2 * * * *",
+                    "description": "Cron schedule for automated backups",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
+        },
+        "bootstrap": {
+            "properties": {
+                "enabled": {
+                    "default": false,
+                    "description": "Restore database cluster from a backup",
+                    "type": "boolean"
+                },
+                "oldName": {
+                    "default": "",
+                    "description": "Name of database cluster before deleting",
+                    "type": "string"
+                },
+                "recoveryTime": {
+                    "default": "",
+                    "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest",
+                    "type": "string"
+                }
+            },
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "quorum": {
+            "properties": {
+                "maxSyncReplicas": {
+                    "default": 0,
+                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)",
+                    "type": "number"
+                },
+                "minSyncReplicas": {
+                    "default": 0,
+                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed",
+                    "type": "number"
+                }
+            },
+            "type": "object"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
+            "default": "micro",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
-            "default": "nano",
            "enum": [
                "nano",
                "micro",
@@ -100,6 +103,18 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/ferretdb/values.yaml
+++ b/packages/apps/ferretdb/values.yaml
@@ -1,24 +1,30 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of replicas
-## @param storageClass StorageClass used to store the data
 ##
-external: false
-size: 10Gi
+## @param replicas Number of replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+#  resources:
+#    cpu: 4000m
+#    memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "micro"
+## @param size Persistent Volume size
+size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
+## @param external Enable external access from outside the cluster
+external: false

+
+## @section Application-specific parameters
+##
 ## Configuration for the quorum-based synchronous replication
 ## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed
 ## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the total number of replicas)
 quorum:
  minSyncReplicas: 0
  maxSyncReplicas: 0
-
-## @section Configuration parameters
-
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -29,31 +35,36 @@ quorum:
 ##
 users: {}

-## @section Backup parameters

-## @param backup.enabled Enable periodic backups
-## @param backup.s3Region The AWS S3 region where backups are stored
-## @param backup.s3Bucket The S3 bucket used for storing backups
+## @section Backup parameters
+##
+## @param backup.enabled Enable regular backups
 ## @param backup.schedule Cron schedule for automated backups
-## @param backup.cleanupStrategy The strategy for cleaning up old backups
-## @param backup.s3AccessKey The access key for S3, used for authentication
-## @param backup.s3SecretKey The secret key for S3, used for authentication
-## @param backup.resticPassword The password for Restic backup encryption
+## @param backup.retentionPolicy Retention policy
+## @param backup.destinationPath Path to store the backup (i.e. s3://bucket/path/to/folder)
+## @param backup.endpointURL S3 Endpoint used to upload data to the cloud
+## @param backup.s3AccessKey Access key for S3, used for authentication
+## @param backup.s3SecretKey Secret key for S3, used for authentication
 backup:
  enabled: false
-  s3Region: us-east-1
-  s3Bucket: s3.example.org/postgres-backups
-  schedule: "0 2 * * *"
-  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  retentionPolicy: 30d
+  destinationPath: s3://bucket/path/to/folder/
+  endpointURL: http://minio-gateway-service:9000
+  schedule: "0 2 * * * *"
  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

-## @param resources Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi

-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "nano"
+## @section Bootstrap (recovery) parameters
+##
+## @param bootstrap.enabled Restore database cluster from a backup
+## @param bootstrap.recoveryTime Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest
+## @param bootstrap.oldName Name of database cluster before deleting
+##
+bootstrap:
+  enabled: false
+  # example: 2020-11-26 15:22:00.00000+00
+  recoveryTime: ""
+  oldName: ""
+
+
--- a/packages/apps/http-cache/Makefile
+++ b/packages/apps/http-cache/Makefile
@@ -23,7 +23,7 @@ image-nginx:
 	rm -f images/nginx-cache.json

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.haproxy.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
 	yq -i -o json --indent 4 '.properties.nginx.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json

--- a/packages/apps/http-cache/README.md
+++ b/packages/apps/http-cache/README.md
@@ -60,24 +60,34 @@ The deployment architecture is illustrated in the diagram below:

 ### Common parameters

-| Name                      | Description                                                                                                                          | Value   |
-| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------- |
-| `external`                | Enable external access from outside the cluster                                                                                      | `false` |
-| `size`                    | Persistent Volume size                                                                                                               | `10Gi`  |
-| `storageClass`            | StorageClass used to store the data                                                                                                  | `""`    |
-| `haproxy.replicas`        | Number of HAProxy replicas                                                                                                           | `2`     |
-| `nginx.replicas`          | Number of Nginx replicas                                                                                                             | `2`     |
-| `haproxy.resources`       | Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `haproxy.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.          | `nano`  |
-| `nginx.resources`         | Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.   | `{}`    |
-| `nginx.resourcesPreset`   | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.          | `nano`  |
+| Name           | Description                                     | Value   |
+| -------------- | ----------------------------------------------- | ------- |
+| `size`         | Persistent Volume size                          | `10Gi`  |
+| `storageClass` | StorageClass used to store the data             | `""`    |
+| `external`     | Enable external access from outside the cluster | `false` |

-### Configuration parameters
+### Application-specific parameters

 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
 | `endpoints` | Endpoints configuration | `[]`  |

+### HAProxy parameters
+
+| Name                      | Description                                                                                                                          | Value  |
+| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------ |
+| `haproxy.replicas`        | Number of HAProxy replicas                                                                                                           | `2`    |
+| `haproxy.resources`       | Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`   |
+| `haproxy.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.          | `nano` |
+
+### Nginx parameters
+
+| Name                    | Description                                                                                                                        | Value  |
+| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `nginx.replicas`        | Number of Nginx replicas                                                                                                           | `2`    |
+| `nginx.resources`       | Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`   |
+| `nginx.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.        | `nano` |
+
 ## Parameter examples and reference

 ### resources and resourcesPreset
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.6.0@sha256:50ac1581e3100bd6c477a71161cb455a341ffaf9e5e2f6086802e4e25271e8af
+ghcr.io/cozystack/cozystack/nginx-cache:0.6.1@sha256:e0a07082bb6fc6aeaae2315f335386f1705a646c72f9e0af512aebbca5cb2b15
--- a/packages/apps/http-cache/values.schema.json
+++ b/packages/apps/http-cache/values.schema.json
@@ -1,39 +1,32 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
+        "endpoints": {
+            "default": [],
+            "description": "Endpoints configuration",
+            "items": {},
+            "type": "array"
+        },
        "external": {
-            "type": "boolean",
+            "default": false,
            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
+            "type": "boolean"
        },
        "haproxy": {
-            "type": "object",
            "properties": {
                "replicas": {
-                    "type": "number",
+                    "default": 2,
                    "description": "Number of HAProxy replicas",
-                    "default": 2
+                    "type": "number"
                },
                "resources": {
-                    "type": "object",
+                    "default": {},
                    "description": "Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
+                    "type": "object"
                },
                "resourcesPreset": {
-                    "type": "string",
-                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
                    "default": "nano",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
                    "enum": [
                        "nano",
                        "micro",
@@ -44,25 +37,25 @@
                        "2xlarge"
                    ]
                }
-            }
+            },
+            "type": "object"
        },
        "nginx": {
-            "type": "object",
            "properties": {
                "replicas": {
-                    "type": "number",
+                    "default": 2,
                    "description": "Number of Nginx replicas",
-                    "default": 2
+                    "type": "number"
                },
                "resources": {
-                    "type": "object",
+                    "default": {},
                    "description": "Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
+                    "type": "object"
                },
                "resourcesPreset": {
-                    "type": "string",
-                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
                    "default": "nano",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
                    "enum": [
                        "nano",
                        "micro",
@@ -73,13 +66,20 @@
                        "2xlarge"
                    ]
                }
-            }
+            },
+            "type": "object"
        },
-        "endpoints": {
-            "type": "array",
-            "description": "Endpoints configuration",
-            "default": [],
-            "items": {}
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/http-cache/values.yaml
+++ b/packages/apps/http-cache/values.yaml
@@ -1,37 +1,12 @@
-
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param storageClass StorageClass used to store the data
-## @param haproxy.replicas Number of HAProxy replicas
-## @param nginx.replicas Number of Nginx replicas
 ##
-external: false
+## @param size Persistent Volume size
 size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
-haproxy:
-  replicas: 2
-  ## @param haproxy.resources Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied.
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-
-  ## @param haproxy.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-  resourcesPreset: "nano"
-nginx:
-  replicas: 2
-  ## @param nginx.resources Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-
-  ## @param nginx.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-  resourcesPreset: "nano"
-
-## @section Configuration parameters
+## @param external Enable external access from outside the cluster
+external: false
+## @section Application-specific parameters

 ## @param endpoints Endpoints configuration
 ## Example:
@@ -44,3 +19,29 @@ nginx:
 ##   - 10.100.3.13:80
 ##
 endpoints: []
+
+## @section HAProxy parameters
+haproxy:
+  ## @param haproxy.replicas Number of HAProxy replicas
+  replicas: 2
+  ## @param haproxy.resources Explicit CPU and memory configuration for each HAProxy replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+
+  ## @param haproxy.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "nano"
+
+## @section Nginx parameters
+nginx:
+  ## @param nginx.replicas Number of Nginx replicas
+  replicas: 2
+  ## @param nginx.resources Explicit CPU and memory configuration for each nginx replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+
+  ## @param nginx.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "nano"
--- a/packages/apps/kafka/Makefile
+++ b/packages/apps/kafka/Makefile
@@ -2,6 +2,6 @@ include ../../../scripts/package.mk
 PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.kafka.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
 	yq -i -o json --indent 4 '.properties.zookeeper.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
--- a/packages/apps/kafka/README.md
+++ b/packages/apps/kafka/README.md
@@ -4,25 +4,35 @@

 ### Common parameters

+| Name       | Description                                     | Value   |
+| ---------- | ----------------------------------------------- | ------- |
+| `external` | Enable external access from outside the cluster | `false` |
+
+### Application-specific parameters
+
+| Name     | Description                        | Value |
+| -------- | ---------------------------------- | ----- |
+| `topics` | Topics configuration (see example) | `[]`  |
+
+### Kafka configuration
+
+| Name                    | Description                                                                                                                        | Value   |
+| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `kafka.replicas`        | Number of Kafka replicas                                                                                                           | `3`     |
+| `kafka.resources`       | Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `kafka.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.        | `small` |
+| `kafka.size`            | Persistent Volume size for Kafka                                                                                                   | `10Gi`  |
+| `kafka.storageClass`    | StorageClass used to store the Kafka data                                                                                          | `""`    |
+
+### Zookeeper configuration
+
 | Name                        | Description                                                                                                                            | Value   |
 | --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`                  | Enable external access from outside the cluster                                                                                        | `false` |
-| `kafka.size`                | Persistent Volume size for Kafka                                                                                                       | `10Gi`  |
-| `kafka.replicas`            | Number of Kafka replicas                                                                                                               | `3`     |
-| `kafka.storageClass`        | StorageClass used to store the Kafka data                                                                                              | `""`    |
-| `zookeeper.size`            | Persistent Volume size for ZooKeeper                                                                                                   | `5Gi`   |
 | `zookeeper.replicas`        | Number of ZooKeeper replicas                                                                                                           | `3`     |
-| `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                          | `""`    |
-| `kafka.resources`           | Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.     | `{}`    |
-| `kafka.resourcesPreset`     | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `small` |
 | `zookeeper.resources`       | Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
 | `zookeeper.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `small` |
-
-### Configuration parameters
-
-| Name     | Description          | Value |
-| -------- | -------------------- | ----- |
-| `topics` | Topics configuration | `[]`  |
+| `zookeeper.size`            | Persistent Volume size for ZooKeeper                                                                                                   | `5Gi`   |
+| `zookeeper.storageClass`    | StorageClass used to store the ZooKeeper data                                                                                          | `""`    |

 ## Parameter examples and reference

--- a/packages/apps/kafka/values.schema.json
+++ b/packages/apps/kafka/values.schema.json
@@ -1,39 +1,26 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
        "external": {
-            "type": "boolean",
+            "default": false,
            "description": "Enable external access from outside the cluster",
-            "default": false
+            "type": "boolean"
        },
        "kafka": {
-            "type": "object",
            "properties": {
-                "size": {
-                    "type": "string",
-                    "description": "Persistent Volume size for Kafka",
-                    "default": "10Gi"
-                },
                "replicas": {
-                    "type": "number",
+                    "default": 3,
                    "description": "Number of Kafka replicas",
-                    "default": 3
-                },
-                "storageClass": {
-                    "type": "string",
-                    "description": "StorageClass used to store the Kafka data",
-                    "default": ""
+                    "type": "number"
                },
                "resources": {
-                    "type": "object",
+                    "default": {},
                    "description": "Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
+                    "type": "object"
                },
                "resourcesPreset": {
-                    "type": "string",
-                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
                    "default": "small",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
                    "enum": [
                        "nano",
                        "micro",
@@ -43,53 +30,66 @@
                        "xlarge",
                        "2xlarge"
                    ]
-                }
-            }
-        },
-        "zookeeper": {
-            "type": "object",
-            "properties": {
-                "size": {
-                    "type": "string",
-                    "description": "Persistent Volume size for ZooKeeper",
-                    "default": "5Gi"
                },
-                "replicas": {
-                    "type": "number",
-                    "description": "Number of ZooKeeper replicas",
-                    "default": 3
+                "size": {
+                    "default": "10Gi",
+                    "description": "Persistent Volume size for Kafka",
+                    "type": "string"
                },
                "storageClass": {
-                    "type": "string",
-                    "description": "StorageClass used to store the ZooKeeper data",
-                    "default": ""
-                },
-                "resources": {
-                    "type": "object",
-                    "description": "Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-                    "default": {}
-                },
-                "resourcesPreset": {
-                    "type": "string",
-                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
-                    "default": "small",
-                    "enum": [
-                        "nano",
-                        "micro",
-                        "small",
-                        "medium",
-                        "large",
-                        "xlarge",
-                        "2xlarge"
-                    ]
+                    "default": "",
+                    "description": "StorageClass used to store the Kafka data",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
        },
        "topics": {
-            "type": "array",
-            "description": "Topics configuration",
            "default": [],
-            "items": {}
+            "description": "Topics configuration (see example)",
+            "items": {},
+            "type": "array"
+        },
+        "zookeeper": {
+            "properties": {
+                "replicas": {
+                    "default": 3,
+                    "description": "Number of ZooKeeper replicas",
+                    "type": "number"
+                },
+                "resources": {
+                    "default": {},
+                    "description": "Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.",
+                    "type": "object"
+                },
+                "resourcesPreset": {
+                    "default": "small",
+                    "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                    "type": "string",
+                    "enum": [
+                        "nano",
+                        "micro",
+                        "small",
+                        "medium",
+                        "large",
+                        "xlarge",
+                        "2xlarge"
+                    ]
+                },
+                "size": {
+                    "default": "5Gi",
+                    "description": "Persistent Volume size for ZooKeeper",
+                    "type": "string"
+                },
+                "storageClass": {
+                    "default": "",
+                    "description": "StorageClass used to store the ZooKeeper data",
+                    "type": "string"
+                }
+            },
+            "type": "object"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/kafka/values.yaml
+++ b/packages/apps/kafka/values.yaml
@@ -1,42 +1,12 @@
-
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param kafka.size Persistent Volume size for Kafka
-## @param kafka.replicas Number of Kafka replicas
-## @param kafka.storageClass StorageClass used to store the Kafka data
-## @param zookeeper.size Persistent Volume size for ZooKeeper
-## @param zookeeper.replicas Number of ZooKeeper replicas
-## @param zookeeper.storageClass StorageClass used to store the ZooKeeper data
 ##
+## @param external Enable external access from outside the cluster
 external: false
-kafka:
-  size: 10Gi
-  replicas: 3
-  storageClass: ""
-  ## @param kafka.resources Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-  ## @param kafka.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-  resourcesPreset: "small"

-zookeeper:
-  size: 5Gi
-  replicas: 3
-  storageClass: ""
-  ## @param zookeeper.resources Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.
-  resources: {}
-  # resources:
-  #   cpu: 4000m
-  #   memory: 4Gi
-  ## @param zookeeper.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-  resourcesPreset: "small"

-## @section Configuration parameters
-
-## @param topics Topics configuration
+## @section Application-specific parameters
+##
+## @param topics Topics configuration (see example)
 ## Example:
 ## topics:
 ##   - name: Results
@@ -54,3 +24,41 @@ zookeeper:
 ##     replicas: 3
 ##
 topics: []
+
+## @section Kafka configuration
+##
+kafka:
+  ## @param kafka.replicas Number of Kafka replicas
+  replicas: 3
+  ## @param kafka.resources Explicit CPU and memory configuration for each Kafka replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+  ## @param kafka.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "small"
+  ## @param kafka.size Persistent Volume size for Kafka
+  size: 10Gi
+  ## @param kafka.storageClass StorageClass used to store the Kafka data
+  storageClass: ""
+
+
+## @section Zookeeper configuration
+##
+zookeeper:
+  ## @param zookeeper.replicas Number of ZooKeeper replicas
+  replicas: 3
+  ## @param zookeeper.resources Explicit CPU and memory configuration for each Zookeeper replica. When left empty, the preset defined in `resourcesPreset` is applied.
+  resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+  ## @param zookeeper.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+  resourcesPreset: "small"
+  ## @param zookeeper.size Persistent Volume size for ZooKeeper
+  size: 5Gi
+  ## @param zookeeper.storageClass StorageClass used to store the ZooKeeper data
+  storageClass: ""
+
+
+
--- a/packages/apps/kubernetes/Makefile
+++ b/packages/apps/kubernetes/Makefile
@@ -6,7 +6,7 @@ include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -o=json -i '.properties.version.enum = (load("files/versions.yaml") | keys)' values.schema.json
 	yq -o json -i '.properties.addons.properties.ingressNginx.properties.exposeMethod.enum = ["Proxied","LoadBalancer"]' values.schema.json
 	yq -o json -i '.properties.controlPlane.properties.apiServer.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
--- a/packages/apps/kubernetes/README.md
+++ b/packages/apps/kubernetes/README.md
@@ -11,6 +11,9 @@ Tenant clusters are fully separated from the management cluster and are intended
 Within a tenant cluster, users can take advantage of LoadBalancer services and easily provision physical volumes as needed.                               
 The control-plane operates within containers, while the worker nodes are deployed as virtual machines, all seamlessly managed by the application.

+Kubernetes version in tenant clusters is independent of Kubernetes in the management cluster.
+Users can select the latest patch versions from 1.28 to 1.33.
+
 ## Why Use a Managed Kubernetes Cluster?

 Kubernetes has emerged as the industry standard, providing a unified and accessible API, primarily utilizing YAML for configuration.
@@ -81,13 +84,17 @@ See the reference for components utilized in this service:

 ### Common Parameters

-| Name                    | Description                                                                                                       | Value        |
-| ----------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
-| `host`                  | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
-| `controlPlane.replicas` | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
-| `storageClass`          | StorageClass used to store user data.                                                                             | `replicated` |
-| `version`               | Kubernetes version given as vMAJOR.MINOR                                                                          | `v1.32`      |
-| `nodeGroups`            | nodeGroups configuration                                                                                          | `{}`         |
+| Name           | Description                           | Value        |
+| -------------- | ------------------------------------- | ------------ |
+| `storageClass` | StorageClass used to store user data. | `replicated` |
+
+### Application-specific parameters
+
+| Name         | Description                                                                                                       | Value   |
+| ------------ | ----------------------------------------------------------------------------------------------------------------- | ------- |
+| `version`    | Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.                               | `v1.32` |
+| `host`       | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`    |
+| `nodeGroups` | Worker nodes configuration (see example)                                                                          | `{}`    |

 ### Cluster Addons

@@ -98,9 +105,9 @@ See the reference for components utilized in this service:
 | `addons.cilium.valuesOverride`                | Custom values to override                                                                                                                                                         | `{}`      |
 | `addons.gatewayAPI.enabled`                   | Enable the Gateway API                                                                                                                                                            | `false`   |
 | `addons.ingressNginx.enabled`                 | Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).                                                                                       | `false`   |
-| `addons.ingressNginx.valuesOverride`          | Custom values to override                                                                                                                                                         | `{}`      |
 | `addons.ingressNginx.exposeMethod`            | Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)                                                                                            | `Proxied` |
 | `addons.ingressNginx.hosts`                   | List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.                                | `[]`      |
+| `addons.ingressNginx.valuesOverride`          | Custom values to override                                                                                                                                                         | `{}`      |
 | `addons.gpuOperator.enabled`                  | Enable the GPU-operator                                                                                                                                                           | `false`   |
 | `addons.gpuOperator.valuesOverride`           | Custom values to override                                                                                                                                                         | `{}`      |
 | `addons.fluxcd.enabled`                       | Enable FluxCD                                                                                                                                                                     | `false`   |
@@ -115,6 +122,7 @@ See the reference for components utilized in this service:

 | Name                                               | Description                                                                                                                            | Value    |
 | -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | -------- |
+| `controlPlane.replicas`                            | Number of replicas for Kubernetes control-plane components.                                                                            | `2`      |
 | `controlPlane.apiServer.resources`                 | Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.         | `{}`     |
 | `controlPlane.apiServer.resourcesPreset`           | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `medium` |
 | `controlPlane.controllerManager.resources`         | Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`     |
@@ -124,7 +132,6 @@ See the reference for components utilized in this service:
 | `controlPlane.konnectivity.server.resources`       | Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.           | `{}`     |
 | `controlPlane.konnectivity.server.resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.            | `micro`  |

-
 ## Parameter examples and reference

 ### resources and resourcesPreset
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.25.2@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.26.0@sha256:3a8170433e1632e5cc2b6d9db34d0605e8e6c63c158282c38450415e700e932e
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.25.2@sha256:e522960064290747a67502d4e8927c591bdb290bad1f0bae88a02758ebfd380f
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.26.0@sha256:71f9afa218693a890f827cb5cda98ba327302bd9f58afde767740557538e07d9
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.25.2@sha256:761e7235ff9cb7f6f223f00954943e6a5af32ed6624ee592a8610122f96febb0
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.26.0@sha256:445c2727b04ac68595b43c988ff17b3d69a7b22b0644fde3b10c65b47a7bc036
--- a/packages/apps/kubernetes/templates/_versions.tpl
+++ b/packages/apps/kubernetes/templates/_versions.tpl
@@ -1,16 +1,7 @@
 {{- define "kubernetes.versionMap" }}
-{{- $ := . }}
-
-{{- if not (hasKey $ "cachedVersionMap") }}
-    {{- $versionMap := $.Files.Get "files/versions.yaml" | fromYaml }}
-    {{- $_ := set $ "cachedVersionMap" $versionMap }}
-{{- end }}
-
-{{- $versionMap := $.cachedVersionMap }}
-
-{{- if not (hasKey $versionMap $.Values.version) }}
+{{- $versionMap := .Files.Get "files/versions.yaml" | fromYaml }}
+{{- if not (hasKey $versionMap .Values.version) }}
    {{- printf `Kubernetes version %s is not supported, allowed versions are %s` $.Values.version (keys $versionMap) | fail }}
 {{- end }}
-
-{{- index $versionMap $.Values.version }}
+{{- index $versionMap .Values.version }}
 {{- end }}
--- a/packages/apps/kubernetes/templates/csi/deploy.yaml
+++ b/packages/apps/kubernetes/templates/csi/deploy.yaml
@@ -69,6 +69,11 @@ spec:
            requests:
              cpu: 125m
              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
        - name: csi-provisioner
          image: quay.io/openshift/origin-csi-external-provisioner:latest
          resources:
@@ -78,6 +83,11 @@ spec:
            requests:
              cpu: 125m
              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
          args:
            - "--csi-address=$(ADDRESS)"
            - "--default-fstype=ext4"
@@ -118,6 +128,11 @@ spec:
            requests:
              cpu: 125m
              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
        - name: csi-liveness-probe
          image: quay.io/openshift/origin-csi-livenessprobe:latest
          args:
@@ -134,6 +149,62 @@ spec:
            requests:
              cpu: 125m
              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+        - name: csi-snapshotter
+          args:
+          - --timeout=1m
+          - --csi-address=$(ADDRESS)
+          - --worker-threads=10
+          - --kubeconfig=/etc/kubernetes/kubeconfig/super-admin.svc
+          env:
+          - name: ADDRESS
+            value: /csi/csi.sock
+          image: registry.k8s.io/sig-storage/csi-snapshotter:v8.3.0
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 512m
+              memory: 512Mi
+            requests:
+              cpu: 125m
+              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+          - mountPath: /csi
+            name: socket-dir
+          - mountPath: /etc/kubernetes/kubeconfig
+            name: kubeconfig
+            readOnly: true
+        - name: snapshot-controller
+          image: registry.k8s.io/sig-storage/snapshot-controller:v8.3.0
+          args:
+            - --worker-threads=10
+            - --kubeconfig=/etc/kubernetes/kubeconfig/super-admin.svc
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 512m
+              memory: 512Mi
+            requests:
+              cpu: 125m
+              memory: 128Mi
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+          - mountPath: /etc/kubernetes/kubeconfig
+            name: kubeconfig
+            readOnly: true
      volumes:
        - name: socket-dir
          emptyDir: {}
--- a/packages/apps/kubernetes/templates/helmreleases/volumesnapshot_crd.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/volumesnapshot_crd.yaml
@@ -0,0 +1,39 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-volumesnapshot-crd-for-tenant-k8s
+  labels:
+    cozystack.io/repository: system
+    cozystack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 5m
+  releaseName: volumesnapshot-crd-for-tenant-k8s
+  chart:
+    spec:
+      chart: cozy-volumesnapshot-crd-for-tenant-k8s
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+      version: '>= 0.0.0-0'
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-admin-kubeconfig
+      key: super-admin.svc
+  targetNamespace: cozy-volumesnapshot-crd-for-tenant-k8s
+  storageNamespace: cozy-volumesnapshot-crd-for-tenant-k8s
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
--- a/packages/apps/kubernetes/values.schema.json
+++ b/packages/apps/kubernetes/values.schema.json
@@ -1,32 +1,158 @@
 {
-  "title": "Chart Values",
-  "type": "object",
  "properties": {
-    "host": {
-      "type": "string",
-      "description": "Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.",
-      "default": ""
+    "addons": {
+      "properties": {
+        "certManager": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable cert-manager, which automatically creates and manages SSL/TLS certificates.",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "cilium": {
+          "properties": {
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "fluxcd": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable FluxCD",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "gatewayAPI": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable the Gateway API",
+              "type": "boolean"
+            }
+          },
+          "type": "object"
+        },
+        "gpuOperator": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable the GPU-operator",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "ingressNginx": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).",
+              "type": "boolean"
+            },
+            "exposeMethod": {
+              "default": "Proxied",
+              "description": "Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)",
+              "type": "string",
+              "enum": [
+                "Proxied",
+                "LoadBalancer"
+              ]
+            },
+            "hosts": {
+              "default": [],
+              "description": "List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.",
+              "items": {},
+              "type": "array"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "monitoringAgents": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage.",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "velero": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "description": "Enable velero for backup and restore k8s cluster.",
+              "type": "boolean"
+            },
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        },
+        "verticalPodAutoscaler": {
+          "properties": {
+            "valuesOverride": {
+              "default": {},
+              "description": "Custom values to override",
+              "type": "object"
+            }
+          },
+          "type": "object"
+        }
+      },
+      "type": "object"
    },
    "controlPlane": {
-      "type": "object",
      "properties": {
-        "replicas": {
-          "type": "number",
-          "description": "Number of replicas for Kubernetes control-plane components.",
-          "default": 2
-        },
        "apiServer": {
-          "type": "object",
          "properties": {
            "resources": {
-              "type": "object",
+              "default": {},
              "description": "Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.",
-              "default": {}
+              "type": "object"
            },
            "resourcesPreset": {
-              "type": "string",
-              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
              "default": "medium",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+              "type": "string",
              "enum": [
                "nano",
                "micro",
@@ -37,20 +163,20 @@
                "2xlarge"
              ]
            }
-          }
+          },
+          "type": "object"
        },
        "controllerManager": {
-          "type": "object",
          "properties": {
            "resources": {
-              "type": "object",
+              "default": {},
              "description": "Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.",
-              "default": {}
+              "type": "object"
            },
            "resourcesPreset": {
-              "type": "string",
-              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
              "default": "micro",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+              "type": "string",
              "enum": [
                "nano",
                "micro",
@@ -61,47 +187,22 @@
                "2xlarge"
              ]
            }
-          }
-        },
-        "scheduler": {
-          "type": "object",
-          "properties": {
-            "resources": {
-              "type": "object",
-              "description": "Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.",
-              "default": {}
-            },
-            "resourcesPreset": {
-              "type": "string",
-              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
-              "default": "micro",
-              "enum": [
-                "nano",
-                "micro",
-                "small",
-                "medium",
-                "large",
-                "xlarge",
-                "2xlarge"
-              ]
-            }
-          }
+          },
+          "type": "object"
        },
        "konnectivity": {
-          "type": "object",
          "properties": {
            "server": {
-              "type": "object",
              "properties": {
                "resources": {
-                  "type": "object",
+                  "default": {},
                  "description": "Explicit CPU and memory configuration for Konnectivity. When left empty, the preset defined in `resourcesPreset` is applied.",
-                  "default": {}
+                  "type": "object"
                },
                "resourcesPreset": {
-                  "type": "string",
-                  "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
                  "default": "micro",
+                  "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+                  "type": "string",
                  "enum": [
                    "nano",
                    "micro",
@@ -112,21 +213,58 @@
                    "2xlarge"
                  ]
                }
-              }
+              },
+              "type": "object"
            }
-          }
+          },
+          "type": "object"
+        },
+        "replicas": {
+          "default": 2,
+          "description": "Number of replicas for Kubernetes control-plane components.",
+          "type": "number"
+        },
+        "scheduler": {
+          "properties": {
+            "resources": {
+              "default": {},
+              "description": "Explicit CPU and memory configuration for the Scheduler. When left empty, the preset defined in `resourcesPreset` is applied.",
+              "type": "object"
+            },
+            "resourcesPreset": {
+              "default": "micro",
+              "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+              "type": "string",
+              "enum": [
+                "nano",
+                "micro",
+                "small",
+                "medium",
+                "large",
+                "xlarge",
+                "2xlarge"
+              ]
+            }
+          },
+          "type": "object"
        }
-      }
+      },
+      "type": "object"
+    },
+    "host": {
+      "default": "",
+      "description": "Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.",
+      "type": "string"
    },
    "storageClass": {
-      "type": "string",
+      "default": "replicated",
      "description": "StorageClass used to store user data.",
-      "default": "replicated"
+      "type": "string"
    },
    "version": {
-      "type": "string",
-      "description": "Kubernetes version given as vMAJOR.MINOR",
      "default": "v1.32",
+      "description": "Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.",
+      "type": "string",
      "enum": [
        "v1.28",
        "v1.29",
@@ -135,146 +273,8 @@
        "v1.32",
        "v1.33"
      ]
-    },
-    "addons": {
-      "type": "object",
-      "properties": {
-        "certManager": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable cert-manager, which automatically creates and manages SSL/TLS certificates.",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "cilium": {
-          "type": "object",
-          "properties": {
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "gatewayAPI": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable the Gateway API",
-              "default": false
-            }
-          }
-        },
-        "ingressNginx": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            },
-            "exposeMethod": {
-              "type": "string",
-              "description": "Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)",
-              "default": "Proxied",
-              "enum": [
-                "Proxied",
-                "LoadBalancer"
-              ]
-            },
-            "hosts": {
-              "type": "array",
-              "description": "List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.",
-              "default": [],
-              "items": {}
-            }
-          }
-        },
-        "gpuOperator": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable the GPU-operator",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "fluxcd": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable FluxCD",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "monitoringAgents": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable monitoring agents (Fluent Bit and VMAgents) to send logs and metrics. If tenant monitoring is enabled, data is sent to tenant storage; otherwise, it goes to root storage.",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "verticalPodAutoscaler": {
-          "type": "object",
-          "properties": {
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        },
-        "velero": {
-          "type": "object",
-          "properties": {
-            "enabled": {
-              "type": "boolean",
-              "description": "Enable velero for backup and restore k8s cluster.",
-              "default": false
-            },
-            "valuesOverride": {
-              "type": "object",
-              "description": "Custom values to override",
-              "default": {}
-            }
-          }
-        }
-      }
    }
-  }
+  },
+  "title": "Chart Values",
+  "type": "object"
 }
--- a/packages/apps/kubernetes/values.yaml
+++ b/packages/apps/kubernetes/values.yaml
@@ -1,14 +1,14 @@
 ## @section Common Parameters

-## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
-## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
 ## @param storageClass StorageClass used to store user data.
-## @param version Kubernetes version given as vMAJOR.MINOR
-##
-host: ""
 storageClass: replicated
+
+## @section Application-specific parameters
+## @param version Kubernetes version given as vMAJOR.MINOR. Available are versions from 1.28 to 1.33.
 version: "v1.32"
-## @param nodeGroups [object] nodeGroups configuration
+## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
+host: ""
+## @param nodeGroups [object] Worker nodes configuration (see example)
 ##
 nodeGroups:
  md0:
@@ -34,13 +34,12 @@ nodeGroups:
 ## @section Cluster Addons
 ##
 addons:
-
  ## Cert-manager: automatically creates and manages SSL/TLS certificate
  ##
  certManager:
    ## @param addons.certManager.enabled Enable cert-manager, which automatically creates and manages SSL/TLS certificates.
-    ## @param addons.certManager.valuesOverride Custom values to override
    enabled: false
+    ## @param addons.certManager.valuesOverride Custom values to override
    valuesOverride: {}

  ## Cilium CNI plugin
@@ -59,18 +58,17 @@ addons:
  ##
  ingressNginx:
    ## @param addons.ingressNginx.enabled Enable the Ingress-NGINX controller (requires nodes labeled with the 'ingress-nginx' role).
-    ## @param addons.ingressNginx.valuesOverride Custom values to override
-    ##
    enabled: false
    ## @param addons.ingressNginx.exposeMethod Method to expose the Ingress-NGINX controller. (allowed values: Proxied, LoadBalancer)
+    exposeMethod: Proxied
    ## @param addons.ingressNginx.hosts List of domain names that the parent cluster should route to this tenant cluster. Taken into account only when `exposeMethod` is set to `Proxied`.
    ## e.g:
    ## hosts:
    ## - example.org
    ## - foo.example.net
    ##
-    exposeMethod: Proxied
    hosts: []
+    ## @param addons.ingressNginx.valuesOverride Custom values to override
    valuesOverride: {}

  ## GPU-operator: NVIDIA GPU Operator
@@ -117,12 +115,12 @@ addons:

 ## @section Kubernetes Control Plane Configuration
 ##
-
 controlPlane:
+  ## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
  replicas: 2
-
  apiServer:
    ## @param controlPlane.apiServer.resources Explicit CPU and memory configuration for the API Server. When left empty, the preset defined in `resourcesPreset` is applied.
+    resources: {}
    ## @param controlPlane.apiServer.resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
    ## e.g:
    ## resources:
@@ -130,7 +128,6 @@ controlPlane:
    ##   memory: 4Gi
    ##
    resourcesPreset: "medium"
-    resources: {}

  controllerManager:
    ## @param controlPlane.controllerManager.resources Explicit CPU and memory configuration for the Controller Manager. When left empty, the preset defined in `resourcesPreset` is applied.
--- a/packages/apps/mysql/Makefile
+++ b/packages/apps/mysql/Makefile
@@ -5,7 +5,7 @@ include ../../../scripts/common-envs.mk
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json

 image:
--- a/packages/apps/mysql/README.md
+++ b/packages/apps/mysql/README.md
@@ -68,14 +68,16 @@ more details:

 ### Common parameters

-| Name           | Description                                     | Value   |
-| -------------- | ----------------------------------------------- | ------- |
-| `external`     | Enable external access from outside the cluster | `false` |
-| `size`         | Persistent Volume size                          | `10Gi`  |
-| `replicas`     | Number of MariaDB replicas                      | `2`     |
-| `storageClass` | StorageClass used to store the data             | `""`    |
+| Name              | Description                                                                                                                          | Value   |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------- |
+| `replicas`        | Number of MariaDB replicas                                                                                                           | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.          | `nano`  |
+| `size`            | Persistent Volume size                                                                                                               | `10Gi`  |
+| `storageClass`    | StorageClass used to store the data                                                                                                  | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                      | `false` |

-### Configuration parameters
+### Application-specific parameters

 | Name        | Description             | Value |
 | ----------- | ----------------------- | ----- |
@@ -84,18 +86,16 @@ more details:

 ### Backup parameters

-| Name                     | Description                                                                                                                          | Value                                                  |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ |
-| `backup.enabled`         | Enable periodic backups                                                                                                              | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                           | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                               | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                  | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                             | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                       | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                       | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                            | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`                                                   |
-| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.          | `nano`                                                 |
+| Name                     | Description                                    | Value                                                  |
+| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ |
+| `backup.enabled`         | Enable periodic backups                        | `false`                                                |
+| `backup.s3Region`        | The AWS S3 region where backups are stored     | `us-east-1`                                            |
+| `backup.s3Bucket`        | The S3 bucket used for storing backups         | `s3.example.org/postgres-backups`                      |
+| `backup.schedule`        | Cron schedule for automated backups            | `0 2 * * *`                                            |
+| `backup.cleanupStrategy` | The strategy for cleaning up old backups       | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
+| `backup.s3AccessKey`     | The access key for S3, used for authentication | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
+| `backup.s3SecretKey`     | The secret key for S3, used for authentication | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
+| `backup.resticPassword`  | The password for Restic backup encryption      | `ChaXoveekoh6eigh4siesheeda2quai0`                     |

 ## Parameter examples and reference

--- a/packages/apps/mysql/images/mariadb-backup.tag
+++ b/packages/apps/mysql/images/mariadb-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/mariadb-backup:0.9.0@sha256:cfd1c37d8ad24e10681d82d6e6ce8a641b4602c1b0ffa8516ae15b4958bb12d4
+ghcr.io/cozystack/cozystack/mariadb-backup:0.9.1@sha256:a3789db9e9e065ff60cbac70771b4a8aa1460db3194307cf5ca5d4fe1b412b6b
--- a/packages/apps/mysql/values.schema.json
+++ b/packages/apps/mysql/values.schema.json
@@ -1,81 +1,69 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of MariaDB replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
        "backup": {
-            "type": "object",
            "properties": {
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable periodic backups",
-                    "default": false
-                },
-                "s3Region": {
-                    "type": "string",
-                    "description": "The AWS S3 region where backups are stored",
-                    "default": "us-east-1"
-                },
-                "s3Bucket": {
-                    "type": "string",
-                    "description": "The S3 bucket used for storing backups",
-                    "default": "s3.example.org/postgres-backups"
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
-                },
                "cleanupStrategy": {
-                    "type": "string",
+                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m",
                    "description": "The strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                    "type": "string"
                },
-                "s3AccessKey": {
-                    "type": "string",
-                    "description": "The access key for S3, used for authentication",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
-                },
-                "s3SecretKey": {
-                    "type": "string",
-                    "description": "The secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                "enabled": {
+                    "default": false,
+                    "description": "Enable periodic backups",
+                    "type": "boolean"
                },
                "resticPassword": {
-                    "type": "string",
+                    "default": "ChaXoveekoh6eigh4siesheeda2quai0",
                    "description": "The password for Restic backup encryption",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                    "type": "string"
+                },
+                "s3AccessKey": {
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
+                    "description": "The access key for S3, used for authentication",
+                    "type": "string"
+                },
+                "s3Bucket": {
+                    "default": "s3.example.org/postgres-backups",
+                    "description": "The S3 bucket used for storing backups",
+                    "type": "string"
+                },
+                "s3Region": {
+                    "default": "us-east-1",
+                    "description": "The AWS S3 region where backups are stored",
+                    "type": "string"
+                },
+                "s3SecretKey": {
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
+                    "description": "The secret key for S3, used for authentication",
+                    "type": "string"
+                },
+                "schedule": {
+                    "default": "0 2 * * *",
+                    "description": "Cron schedule for automated backups",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of MariaDB replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "nano",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
                "nano",
                "micro",
@@ -85,6 +73,18 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/mysql/values.yaml
+++ b/packages/apps/mysql/values.yaml
@@ -1,17 +1,23 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of MariaDB replicas
-## @param storageClass StorageClass used to store the data
 ##
-external: false
-size: 10Gi
+## @param replicas Number of MariaDB replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "nano"
+## @param size Persistent Volume size
+size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
+## @param external Enable external access from outside the cluster
+external: false

-## @section Configuration parameters
-
+## @section Application-specific parameters
+##
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -36,7 +42,7 @@ users: {}
 databases: {}

 ## @section Backup parameters
-
+##
 ## @param backup.enabled Enable periodic backups
 ## @param backup.s3Region The AWS S3 region where backups are stored
 ## @param backup.s3Bucket The S3 bucket used for storing backups
@@ -55,11 +61,3 @@ backup:
  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0

-## @param resources Explicit CPU and memory configuration for each MariaDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
- 
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "nano"
--- a/packages/apps/nats/Makefile
+++ b/packages/apps/nats/Makefile
@@ -2,5 +2,5 @@ include ../../../scripts/package.mk
 PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
--- a/packages/apps/nats/README.md
+++ b/packages/apps/nats/README.md
@@ -7,18 +7,23 @@ It provides a data layer for cloud native applications, IoT messaging, and micro

 ### Common parameters

-| Name                | Description                                                                                                                       | Value   |
-| ------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`          | Enable external access from outside the cluster                                                                                   | `false` |
-| `replicas`          | Persistent Volume size for NATS                                                                                                   | `2`     |
-| `storageClass`      | StorageClass used to store the data                                                                                               | `""`    |
-| `users`             | Users configuration                                                                                                               | `{}`    |
-| `jetstream.size`    | Jetstream persistent storage size                                                                                                 | `10Gi`  |
-| `jetstream.enabled` | Enable or disable Jetstream                                                                                                       | `true`  |
-| `config.merge`      | Additional configuration to merge into NATS config                                                                                | `{}`    |
-| `config.resolver`   | Additional configuration to merge into NATS config                                                                                | `{}`    |
-| `resources`         | Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `resourcesPreset`   | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.       | `nano`  |
+| Name              | Description                                                                                                                       | Value   |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of replicas                                                                                                                | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.       | `nano`  |
+| `storageClass`    | StorageClass used to store the data                                                                                               | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                   | `false` |
+
+### Application-specific parameters
+
+| Name                | Description                                                               | Value  |
+| ------------------- | ------------------------------------------------------------------------- | ------ |
+| `users`             | Users configuration (see example)                                         | `{}`   |
+| `jetstream.enabled` | Enable or disable Jetstream                                               | `true` |
+| `jetstream.size`    | Jetstream persistent storage size                                         | `10Gi` |
+| `config.merge`      | Additional configuration to merge into NATS config (see example)          | `{}`   |
+| `config.resolver`   | Additional resolver configuration to merge into NATS config (see example) | `{}`   |

 ## Parameter examples and reference

--- a/packages/apps/nats/values.schema.json
+++ b/packages/apps/nats/values.schema.json
@@ -1,61 +1,54 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Persistent Volume size for NATS",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "jetstream": {
-            "type": "object",
-            "properties": {
-                "size": {
-                    "type": "string",
-                    "description": "Jetstream persistent storage size",
-                    "default": "10Gi"
-                },
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable or disable Jetstream",
-                    "default": true
-                }
-            }
-        },
        "config": {
-            "type": "object",
            "properties": {
                "merge": {
-                    "type": "object",
-                    "description": "Additional configuration to merge into NATS config",
-                    "default": {}
+                    "default": {},
+                    "description": "Additional configuration to merge into NATS config (see example)",
+                    "type": "object"
                },
                "resolver": {
-                    "type": "object",
-                    "description": "Additional configuration to merge into NATS config",
-                    "default": {}
+                    "default": {},
+                    "description": "Additional resolver configuration to merge into NATS config (see example)",
+                    "type": "object"
                }
-            }
+            },
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "jetstream": {
+            "properties": {
+                "enabled": {
+                    "default": true,
+                    "description": "Enable or disable Jetstream",
+                    "type": "boolean"
+                },
+                "size": {
+                    "default": "10Gi",
+                    "description": "Jetstream persistent storage size",
+                    "type": "string"
+                }
+            },
+            "type": "object"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "nano",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
                "nano",
                "micro",
@@ -65,6 +58,13 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/nats/values.yaml
+++ b/packages/apps/nats/values.yaml
@@ -1,14 +1,22 @@
-
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param replicas Persistent Volume size for NATS
-## @param storageClass StorageClass used to store the data
 ##
-external: false
+## @param replicas Number of replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "nano"
+## @param storageClass StorageClass used to store the data
 storageClass: ""
-## @param users [object] Users configuration
+## @param external Enable external access from outside the cluster
+external: false
+
+## @section Application-specific parameters
+##
+## @param users [object] Users configuration (see example)
 ## Example:
 ## users:
 ##   user1:
@@ -17,18 +25,17 @@ storageClass: ""
 users: {}

 jetstream:
+  ## @param jetstream.enabled Enable or disable Jetstream
+  ## Set to true to enable Jetstream for persistent messaging in NATS.
+  ## Default: true
+  enabled: true
  ## @param jetstream.size Jetstream persistent storage size
  ## Specifies the size of the persistent storage for Jetstream (message store).
  ## Default: 10Gi
  size: 10Gi

-  ## @param jetstream.enabled Enable or disable Jetstream
-  ## Set to true to enable Jetstream for persistent messaging in NATS.
-  ## Default: true
-  enabled: true
-
 config:
-  ## @param config.merge Additional configuration to merge into NATS config
+  ## @param config.merge Additional configuration to merge into NATS config (see example)
  ## Allows you to customize NATS server settings by merging additional configurations.
  ## For example, you can add extra parameters, configure authentication, or set custom settings.
  ## Default: {}
@@ -56,17 +63,9 @@ config:
  ##   include ./my-config-last.conf;
  ## }
  merge: {}
-  ## @param config.resolver Additional configuration to merge into NATS config
+  ## @param config.resolver Additional resolver configuration to merge into NATS config (see example)
  ## Allows you to customize NATS server settings by merging resolver configurations.
  ## Default: {}
-  ## Example see: https://github.com/nats-io/k8s/blob/main/helm/charts/nats/values.yaml#L247
+  ## Example: https://github.com/nats-io/k8s/blob/94414664c254b0bbac3a07fc9693f6c4f8f88709/helm/charts/nats/values.yaml#L248-L270
  resolver: {}

-## @param resources Explicit CPU and memory configuration for each NATS replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
- 
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "nano"
--- a/packages/apps/postgres/Chart.yaml
+++ b/packages/apps/postgres/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.17.2
+version: 0.17.3

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/postgres/Makefile
+++ b/packages/apps/postgres/Makefile
@@ -2,5 +2,5 @@ include ../../../scripts/package.mk
 PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
--- a/packages/apps/postgres/README.md
+++ b/packages/apps/postgres/README.md
@@ -66,22 +66,24 @@ See:

 ### Common parameters

-| Name                                    | Description                                                                                                              | Value   |
-| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------- |
-| `external`                              | Enable external access from outside the cluster                                                                          | `false` |
-| `size`                                  | Persistent Volume size                                                                                                   | `10Gi`  |
-| `replicas`                              | Number of Postgres replicas                                                                                              | `2`     |
-| `storageClass`                          | StorageClass used to store the data                                                                                      | `""`    |
-| `postgresql.parameters.max_connections` | Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections | `100`   |
-| `quorum.minSyncReplicas`                | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.            | `0`     |
-| `quorum.maxSyncReplicas`                | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).  | `0`     |
+| Name              | Description                                                                                                                             | Value   |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of Postgres replicas                                                                                                             | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.             | `micro` |
+| `size`            | Persistent Volume size                                                                                                                  | `10Gi`  |
+| `storageClass`    | StorageClass used to store the data                                                                                                     | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                         | `false` |

-### Configuration parameters
+### Application-specific parameters

-| Name        | Description             | Value |
-| ----------- | ----------------------- | ----- |
-| `users`     | Users configuration     | `{}`  |
-| `databases` | Databases configuration | `{}`  |
+| Name                                    | Description                                                                                                              | Value |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ----- |
+| `postgresql.parameters.max_connections` | Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections | `100` |
+| `quorum.minSyncReplicas`                | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.            | `0`   |
+| `quorum.maxSyncReplicas`                | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).  | `0`   |
+| `users`                                 | Users configuration                                                                                                      | `{}`  |
+| `databases`                             | Databases configuration                                                                                                  | `{}`  |

 ### Backup parameters

@@ -95,16 +97,13 @@ See:
 | `backup.s3AccessKey`     | Access key for S3, used for authentication                 | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
 | `backup.s3SecretKey`     | Secret key for S3, used for authentication                 | `ju3eum4dekeich9ahM1te8waeGai0oog`  |

-### Bootstrap parameters
-
-| Name                     | Description                                                                                                                             | Value   |
-| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `bootstrap.enabled`      | Restore database cluster from a backup                                                                                                  | `false` |
-| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest                    | `""`    |
-| `bootstrap.oldName`      | Name of database cluster before deleting                                                                                                | `""`    |
-| `resources`              | Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.             | `micro` |
+### Bootstrap (recovery) parameters

+| Name                     | Description                                                                                                          | Value   |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------- | ------- |
+| `bootstrap.enabled`      | Restore database cluster from a backup                                                                               | `false` |
+| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest | `""`    |
+| `bootstrap.oldName`      | Name of database cluster before deleting                                                                             | `""`    |

 ## Parameter examples and reference

--- a/packages/apps/postgres/templates/dashboard-resourcemap.yaml
+++ b/packages/apps/postgres/templates/dashboard-resourcemap.yaml
@@ -11,6 +11,7 @@ rules:
  - {{ .Release.Name }}-r
  - {{ .Release.Name }}-ro
  - {{ .Release.Name }}-rw
+  - {{ .Release.Name }}-external-write
  verbs: ["get", "list", "watch"]
 - apiGroups:
  - ""
--- a/packages/apps/postgres/values.schema.json
+++ b/packages/apps/postgres/values.schema.json
@@ -1,131 +1,119 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of Postgres replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "postgresql": {
-            "type": "object",
-            "properties": {
-                "parameters": {
-                    "type": "object",
-                    "properties": {
-                        "max_connections": {
-                            "type": "number",
-                            "description": "Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections",
-                            "default": 100
-                        }
-                    }
-                }
-            }
-        },
-        "quorum": {
-            "type": "object",
-            "properties": {
-                "minSyncReplicas": {
-                    "type": "number",
-                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
-                    "default": 0
-                },
-                "maxSyncReplicas": {
-                    "type": "number",
-                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
-                    "default": 0
-                }
-            }
-        },
-        "databases": {
-            "type": "object",
-            "description": "Databases configuration",
-            "default": {}
-        },
        "backup": {
-            "type": "object",
            "properties": {
-                "enabled": {
-                    "type": "boolean",
-                    "description": "Enable regular backups",
-                    "default": false
-                },
-                "schedule": {
-                    "type": "string",
-                    "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * * *"
-                },
-                "retentionPolicy": {
-                    "type": "string",
-                    "description": "Retention policy",
-                    "default": "30d"
-                },
                "destinationPath": {
-                    "type": "string",
+                    "default": "s3://bucket/path/to/folder/",
                    "description": "Path to store the backup (i.e. s3://bucket/path/to/folder)",
-                    "default": "s3://bucket/path/to/folder/"
+                    "type": "string"
+                },
+                "enabled": {
+                    "default": false,
+                    "description": "Enable regular backups",
+                    "type": "boolean"
                },
                "endpointURL": {
-                    "type": "string",
+                    "default": "http://minio-gateway-service:9000",
                    "description": "S3 Endpoint used to upload data to the cloud",
-                    "default": "http://minio-gateway-service:9000"
+                    "type": "string"
+                },
+                "retentionPolicy": {
+                    "default": "30d",
+                    "description": "Retention policy",
+                    "type": "string"
                },
                "s3AccessKey": {
-                    "type": "string",
+                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu",
                    "description": "Access key for S3, used for authentication",
-                    "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
+                    "type": "string"
                },
                "s3SecretKey": {
-                    "type": "string",
+                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog",
                    "description": "Secret key for S3, used for authentication",
-                    "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                    "type": "string"
+                },
+                "schedule": {
+                    "default": "0 2 * * * *",
+                    "description": "Cron schedule for automated backups",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
        },
        "bootstrap": {
-            "type": "object",
            "properties": {
                "enabled": {
-                    "type": "boolean",
+                    "default": false,
                    "description": "Restore database cluster from a backup",
-                    "default": false
-                },
-                "recoveryTime": {
-                    "type": "string",
-                    "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest",
-                    "default": ""
+                    "type": "boolean"
                },
                "oldName": {
-                    "type": "string",
+                    "default": "",
                    "description": "Name of database cluster before deleting",
-                    "default": ""
+                    "type": "string"
+                },
+                "recoveryTime": {
+                    "default": "",
+                    "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest",
+                    "type": "string"
                }
-            }
+            },
+            "type": "object"
+        },
+        "databases": {
+            "default": {},
+            "description": "Databases configuration",
+            "type": "object"
+        },
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
+        },
+        "postgresql": {
+            "properties": {
+                "parameters": {
+                    "properties": {
+                        "max_connections": {
+                            "default": 100,
+                            "description": "Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections",
+                            "type": "number"
+                        }
+                    },
+                    "type": "object"
+                }
+            },
+            "type": "object"
+        },
+        "quorum": {
+            "properties": {
+                "maxSyncReplicas": {
+                    "default": 0,
+                    "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).",
+                    "type": "number"
+                },
+                "minSyncReplicas": {
+                    "default": 0,
+                    "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.",
+                    "type": "number"
+                }
+            },
+            "type": "object"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of Postgres replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "micro",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
                "nano",
                "micro",
@@ -135,6 +123,18 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/postgres/values.yaml
+++ b/packages/apps/postgres/values.yaml
@@ -1,30 +1,35 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of Postgres replicas
-## @param storageClass StorageClass used to store the data
 ##
-external: false
-size: 10Gi
+## @param replicas Number of Postgres replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "micro"
+## @param size Persistent Volume size
+size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
+## @param external Enable external access from outside the cluster
+external: false

-## Server Configuration
+
+## @section Application-specific parameters
+##
 ## @param postgresql.parameters.max_connections Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections
 postgresql:
  parameters:
    max_connections: 100

-## Configuration for the quorum-based synchronous replication
 ## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
 ## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
 quorum:
  minSyncReplicas: 0
  maxSyncReplicas: 0

-## @section Configuration parameters
-
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -75,7 +80,7 @@ backup:
  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog

-## @section Bootstrap parameters
+## @section Bootstrap (recovery) parameters

 ## @param bootstrap.enabled Restore database cluster from a backup
 ## @param bootstrap.recoveryTime Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest
@@ -87,11 +92,3 @@ bootstrap:
  recoveryTime: ""
  oldName: ""

-## @param resources Explicit CPU and memory configuration for each PostgreSQL replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
- 
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "micro"
--- a/packages/apps/rabbitmq/Makefile
+++ b/packages/apps/rabbitmq/Makefile
@@ -2,5 +2,5 @@ include ../../../scripts/package.mk
 PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
--- a/packages/apps/rabbitmq/README.md
+++ b/packages/apps/rabbitmq/README.md
@@ -13,21 +13,21 @@ The service utilizes official RabbitMQ operator. This ensures the reliability an

 ### Common parameters

-| Name           | Description                                     | Value   |
-| -------------- | ----------------------------------------------- | ------- |
-| `external`     | Enable external access from outside the cluster | `false` |
-| `size`         | Persistent Volume size                          | `10Gi`  |
-| `replicas`     | Number of RabbitMQ replicas                     | `3`     |
-| `storageClass` | StorageClass used to store the data             | `""`    |
+| Name              | Description                                                                                                                           | Value   |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of RabbitMQ replicas                                                                                                           | `3`     |
+| `resources`       | Explicit CPU and memory configuration for each RabbitMQ replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.           | `nano`  |
+| `size`            | Persistent Volume size                                                                                                                | `10Gi`  |
+| `storageClass`    | StorageClass used to store the data                                                                                                   | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                       | `false` |

-### Configuration parameters
+### Application-specific parameters

-| Name              | Description                                                                                                                           | Value  |
-| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| `users`           | Users configuration                                                                                                                   | `{}`   |
-| `vhosts`          | Virtual Hosts configuration                                                                                                           | `{}`   |
-| `resources`       | Explicit CPU and memory configuration for each RabbitMQ replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`   |
-| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.           | `nano` |
+| Name     | Description                 | Value |
+| -------- | --------------------------- | ----- |
+| `users`  | Users configuration         | `{}`  |
+| `vhosts` | Virtual Hosts configuration | `{}`  |

 ## Parameter examples and reference

--- a/packages/apps/rabbitmq/values.schema.json
+++ b/packages/apps/rabbitmq/values.schema.json
@@ -1,41 +1,24 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
        "external": {
-            "type": "boolean",
+            "default": false,
            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "10Gi"
+            "type": "boolean"
        },
        "replicas": {
-            "type": "number",
+            "default": 3,
            "description": "Number of RabbitMQ replicas",
-            "default": 3
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "vhosts": {
-            "type": "object",
-            "description": "Virtual Hosts configuration",
-            "default": {}
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each RabbitMQ replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "nano",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
                "nano",
                "micro",
@@ -45,6 +28,23 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "size": {
+            "default": "10Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
+        },
+        "vhosts": {
+            "default": {},
+            "description": "Virtual Hosts configuration",
+            "type": "object"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/rabbitmq/values.yaml
+++ b/packages/apps/rabbitmq/values.yaml
@@ -1,17 +1,24 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of RabbitMQ replicas
-## @param storageClass StorageClass used to store the data
 ##
-external: false
-size: 10Gi
+## @param replicas Number of RabbitMQ replicas
 replicas: 3
+## @param resources Explicit CPU and memory configuration for each RabbitMQ replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "nano"
+## @param size Persistent Volume size
+size: 10Gi
+## @param storageClass StorageClass used to store the data
 storageClass: ""
+## @param external Enable external access from outside the cluster
+external: false

-## @section Configuration parameters

+## @section Application-specific parameters
+##
 ## @param users [object] Users configuration
 ## Example:
 ## users:
@@ -40,11 +47,3 @@ users: {}
 ##       - user3
 vhosts: {}

-## @param resources Explicit CPU and memory configuration for each RabbitMQ replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
- 
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "nano"
--- a/packages/apps/redis/Makefile
+++ b/packages/apps/redis/Makefile
@@ -2,5 +2,5 @@ include ../../../scripts/package.mk
 PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
--- a/packages/apps/redis/README.md
+++ b/packages/apps/redis/README.md
@@ -15,13 +15,18 @@ Service utilizes the Spotahome Redis Operator for efficient management and orche

 | Name              | Description                                                                                                                        | Value   |
 | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `external`        | Enable external access from outside the cluster                                                                                    | `false` |
-| `size`            | Persistent Volume size                                                                                                             | `1Gi`   |
 | `replicas`        | Number of Redis replicas                                                                                                           | `2`     |
-| `storageClass`    | StorageClass used to store the data                                                                                                | `""`    |
-| `authEnabled`     | Enable password generation                                                                                                         | `true`  |
 | `resources`       | Explicit CPU and memory configuration for each Redis replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
 | `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.        | `nano`  |
+| `size`            | Persistent Volume size                                                                                                             | `1Gi`   |
+| `storageClass`    | StorageClass used to store the data                                                                                                | `""`    |
+| `external`        | Enable external access from outside the cluster                                                                                    | `false` |
+
+### Application-specific parameters
+
+| Name          | Description                | Value  |
+| ------------- | -------------------------- | ------ |
+| `authEnabled` | Enable password generation | `true` |

 ## Parameter examples and reference

--- a/packages/apps/redis/values.schema.json
+++ b/packages/apps/redis/values.schema.json
@@ -1,41 +1,29 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "external": {
-            "type": "boolean",
-            "description": "Enable external access from outside the cluster",
-            "default": false
+        "authEnabled": {
+            "default": true,
+            "description": "Enable password generation",
+            "type": "boolean"
        },
-        "size": {
-            "type": "string",
-            "description": "Persistent Volume size",
-            "default": "1Gi"
+        "external": {
+            "default": false,
+            "description": "Enable external access from outside the cluster",
+            "type": "boolean"
        },
        "replicas": {
-            "type": "number",
+            "default": 2,
            "description": "Number of Redis replicas",
-            "default": 2
-        },
-        "storageClass": {
-            "type": "string",
-            "description": "StorageClass used to store the data",
-            "default": ""
-        },
-        "authEnabled": {
-            "type": "boolean",
-            "description": "Enable password generation",
-            "default": true
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each Redis replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "nano",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
                "nano",
                "micro",
@@ -45,6 +33,18 @@
                "xlarge",
                "2xlarge"
            ]
+        },
+        "size": {
+            "default": "1Gi",
+            "description": "Persistent Volume size",
+            "type": "string"
+        },
+        "storageClass": {
+            "default": "",
+            "description": "StorageClass used to store the data",
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/redis/values.yaml
+++ b/packages/apps/redis/values.yaml
@@ -1,22 +1,23 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param size Persistent Volume size
-## @param replicas Number of Redis replicas
-## @param storageClass StorageClass used to store the data
-## @param authEnabled Enable password generation
 ##
-external: false
-size: 1Gi
+## @param replicas Number of Redis replicas
 replicas: 2
-storageClass: ""
-authEnabled: true
-
 ## @param resources Explicit CPU and memory configuration for each Redis replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}
- # resources:
- #   cpu: 4000m
- #   memory: 4Gi
- 
+  # resources:
+  #   cpu: 4000m
+  #   memory: 4Gi
 ## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
 resourcesPreset: "nano"
+## @param size Persistent Volume size
+size: 1Gi
+## @param storageClass StorageClass used to store the data
+storageClass: ""
+## @param external Enable external access from outside the cluster
+external: false
+
+
+## @section Application-specific parameters
+##
+## @param authEnabled Enable password generation
+authEnabled: true
--- a/packages/apps/tcp-balancer/Makefile
+++ b/packages/apps/tcp-balancer/Makefile
@@ -2,7 +2,7 @@ include ../../../scripts/package.mk
 PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 2 '.properties.httpAndHttps.properties.mode.enum = ["tcp","tcp-with-proxy"]' values.schema.json
 	yq -i -o json --indent 2 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
 	rm -f values.schema.json.tmp
--- a/packages/apps/tcp-balancer/README.md
+++ b/packages/apps/tcp-balancer/README.md
@@ -12,23 +12,23 @@ Managed TCP Load Balancer Service efficiently utilizes HAProxy for load balancin

 ### Common parameters

-| Name       | Description                                     | Value   |
-| ---------- | ----------------------------------------------- | ------- |
-| `external` | Enable external access from outside the cluster | `false` |
-| `replicas` | Number of HAProxy replicas                      | `2`     |
+| Name              | Description                                                                                                                               | Value   |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of HAProxy replicas                                                                                                                | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each TCP Balancer replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.               | `nano`  |
+| `external`        | Enable external access from outside the cluster                                                                                           | `false` |

-### Configuration parameters
+### Application-specific parameters

-| Name                             | Description                                                                                                                               | Value   |
-| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `httpAndHttps.mode`              | Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`                                                                             | `tcp`   |
-| `httpAndHttps.targetPorts.http`  | HTTP port number.                                                                                                                         | `80`    |
-| `httpAndHttps.targetPorts.https` | HTTPS port number.                                                                                                                        | `443`   |
-| `httpAndHttps.endpoints`         | Endpoint addresses list                                                                                                                   | `[]`    |
-| `whitelistHTTP`                  | Secure HTTP by enabling  client networks whitelisting                                                                                     | `false` |
-| `whitelist`                      | List of client networks                                                                                                                   | `[]`    |
-| `resources`                      | Explicit CPU and memory configuration for each TCP Balancer replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
-| `resourcesPreset`                | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.               | `nano`  |
+| Name                             | Description                                                   | Value   |
+| -------------------------------- | ------------------------------------------------------------- | ------- |
+| `httpAndHttps.mode`              | Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy` | `tcp`   |
+| `httpAndHttps.targetPorts.http`  | HTTP port number.                                             | `80`    |
+| `httpAndHttps.targetPorts.https` | HTTPS port number.                                            | `443`   |
+| `httpAndHttps.endpoints`         | Endpoint addresses list                                       | `[]`    |
+| `whitelistHTTP`                  | Secure HTTP by whitelisting client networks                   | `false` |
+| `whitelist`                      | List of client networks                                       | `[]`    |

 ## Parameter examples and reference

--- a/packages/apps/tcp-balancer/values.schema.json
+++ b/packages/apps/tcp-balancer/values.schema.json
@@ -1,72 +1,59 @@
 {
-  "title": "Chart Values",
-  "type": "object",
  "properties": {
    "external": {
-      "type": "boolean",
+      "default": false,
      "description": "Enable external access from outside the cluster",
-      "default": false
-    },
-    "replicas": {
-      "type": "number",
-      "description": "Number of HAProxy replicas",
-      "default": 2
+      "type": "boolean"
    },
    "httpAndHttps": {
-      "type": "object",
      "properties": {
+        "endpoints": {
+          "default": [],
+          "description": "Endpoint addresses list",
+          "items": {},
+          "type": "array"
+        },
        "mode": {
-          "type": "string",
-          "description": "Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`",
          "default": "tcp",
+          "description": "Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`",
+          "type": "string",
          "enum": [
            "tcp",
            "tcp-with-proxy"
          ]
        },
        "targetPorts": {
-          "type": "object",
          "properties": {
            "http": {
-              "type": "number",
+              "default": 80,
              "description": "HTTP port number.",
-              "default": 80
+              "type": "number"
            },
            "https": {
-              "type": "number",
+              "default": 443,
              "description": "HTTPS port number.",
-              "default": 443
+              "type": "number"
            }
-          }
-        },
-        "endpoints": {
-          "type": "array",
-          "description": "Endpoint addresses list",
-          "default": [],
-          "items": {}
+          },
+          "type": "object"
        }
-      }
+      },
+      "type": "object"
    },
-    "whitelistHTTP": {
-      "type": "boolean",
-      "description": "Secure HTTP by enabling  client networks whitelisting",
-      "default": false
-    },
-    "whitelist": {
-      "type": "array",
-      "description": "List of client networks",
-      "default": [],
-      "items": {}
+    "replicas": {
+      "default": 2,
+      "description": "Number of HAProxy replicas",
+      "type": "number"
    },
    "resources": {
-      "type": "object",
+      "default": {},
      "description": "Explicit CPU and memory configuration for each TCP Balancer replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-      "default": {}
+      "type": "object"
    },
    "resourcesPreset": {
-      "type": "string",
-      "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
      "default": "nano",
+      "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+      "type": "string",
      "enum": [
        "nano",
        "micro",
@@ -76,6 +63,19 @@
        "xlarge",
        "2xlarge"
      ]
+    },
+    "whitelist": {
+      "default": [],
+      "description": "List of client networks",
+      "items": {},
+      "type": "array"
+    },
+    "whitelistHTTP": {
+      "default": false,
+      "description": "Secure HTTP by whitelisting client networks",
+      "type": "boolean"
    }
-  }
+  },
+  "title": "Chart Values",
+  "type": "object"
 }
--- a/packages/apps/tcp-balancer/values.yaml
+++ b/packages/apps/tcp-balancer/values.yaml
@@ -1,18 +1,27 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param replicas Number of HAProxy replicas
 ##
-external: false
+## @param replicas Number of HAProxy replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each TCP Balancer replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+# resources:
+#   cpu: 4000m
+#   memory: 4Gi
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "nano"
+##
+## @param external Enable external access from outside the cluster
+external: false

-## @section Configuration parameters

+## @section Application-specific parameters
+##
 ## @param httpAndHttps.mode Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`
 ## @param httpAndHttps.targetPorts.http HTTP port number.
 ## @param httpAndHttps.targetPorts.https HTTPS port number.
 ## @param httpAndHttps.endpoints Endpoint addresses list
 ## Example:
+##
 ## httpAndHttps:
 ##   mode: tcp
 ##   targetPorts:
@@ -33,7 +42,7 @@ httpAndHttps:
    https: 443
  endpoints: []

-## @param whitelistHTTP Secure HTTP by enabling  client networks whitelisting
+## @param whitelistHTTP Secure HTTP by whitelisting client networks
 ## @param whitelist List of client networks
 ## Example:
 ## whitelistHTTP: true
@@ -44,11 +53,3 @@ httpAndHttps:
 whitelistHTTP: false
 whitelist: []

-## @param resources Explicit CPU and memory configuration for each TCP Balancer replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
-# resources:
-#   cpu: 4000m
-#   memory: 4Gi
-
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "nano"
--- a/packages/apps/tenant/Makefile
+++ b/packages/apps/tenant/Makefile
@@ -1,4 +1,4 @@
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
--- a/packages/apps/tenant/templates/etcd.yaml
+++ b/packages/apps/tenant/templates/etcd.yaml
@@ -4,8 +4,6 @@ kind: HelmRelease
 metadata:
  name: etcd
  namespace: {{ include "tenant.name" . }}
-  annotations:
-    helm.sh/resource-policy: keep
  labels:
    cozystack.io/ui: "true"
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -19,7 +17,6 @@ spec:
        kind: HelmRepository
        name: cozystack-extra
        namespace: cozy-public
-      version: "*"
  interval: 1m0s
  timeout: 5m0s
 {{- end }}
--- a/packages/apps/tenant/templates/info.yaml
+++ b/packages/apps/tenant/templates/info.yaml
@@ -6,8 +6,6 @@ kind: HelmRelease
 metadata:
  name: info
  namespace: {{ include "tenant.name" . }}
-  annotations:
-    helm.sh/resource-policy: keep
  labels:
    cozystack.io/ui: "true"
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -21,7 +19,6 @@ spec:
        kind: HelmRepository
        name: cozystack-extra
        namespace: cozy-public
-      version: "*"
  interval: 1m0s
  timeout: 5m0s
 {{- end }}
--- a/packages/apps/tenant/templates/ingress.yaml
+++ b/packages/apps/tenant/templates/ingress.yaml
@@ -4,8 +4,6 @@ kind: HelmRelease
 metadata:
  name: ingress
  namespace: {{ include "tenant.name" . }}
-  annotations:
-    helm.sh/resource-policy: keep
  labels:
    cozystack.io/ui: "true"
    app.kubernetes.io/instance: {{ .Release.Name }}
--- a/packages/apps/tenant/templates/monitoring.yaml
+++ b/packages/apps/tenant/templates/monitoring.yaml
@@ -4,8 +4,6 @@ kind: HelmRelease
 metadata:
  name: monitoring
  namespace: {{ include "tenant.name" . }}
-  annotations:
-    helm.sh/resource-policy: keep
  labels:
    cozystack.io/ui: "true"
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -19,31 +17,6 @@ spec:
        kind: HelmRepository
        name: cozystack-extra
        namespace: cozy-public
-      version: "*"
  interval: 1m0s
  timeout: 5m0s
-  values:
-    metricsStorages:
-    - name: shortterm
-      retentionPeriod: "3d"
-      deduplicationInterval: "15s"
-      storage: 10Gi
-      vminsert:
-        resources: {}
-      vmselect:
-        resources: {}
-      vmstorage:
-        resources: {}
-    - name: longterm
-      retentionPeriod: "14d"
-      deduplicationInterval: "5m"
-      storage: 10Gi
-      vminsert:
-        resources: {}
-      vmselect:
-        resources: {}
-      vmstorage:
-        resources: {}
-    oncall:
-      enabled: false
 {{- end }}
--- a/packages/apps/tenant/templates/seaweedfs.yaml
+++ b/packages/apps/tenant/templates/seaweedfs.yaml
@@ -4,8 +4,6 @@ kind: HelmRelease
 metadata:
  name: seaweedfs
  namespace: {{ include "tenant.name" . }}
-  annotations:
-    helm.sh/resource-policy: keep
  labels:
    cozystack.io/ui: "true"
    app.kubernetes.io/instance: {{ .Release.Name }}
@@ -19,7 +17,6 @@ spec:
        kind: HelmRepository
        name: cozystack-extra
        namespace: cozy-public
-      version: "*"
  interval: 1m0s
  timeout: 5m0s
 {{- end }}
--- a/packages/apps/tenant/values.schema.json
+++ b/packages/apps/tenant/values.schema.json
@@ -1,41 +1,41 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "host": {
-            "type": "string",
-            "description": "The hostname used to access tenant services (defaults to using the tenant name as a subdomain for it's parent tenant host).",
-            "default": ""
-        },
        "etcd": {
-            "type": "boolean",
+            "default": false,
            "description": "Deploy own Etcd cluster",
-            "default": false
+            "type": "boolean"
        },
-        "monitoring": {
-            "type": "boolean",
-            "description": "Deploy own Monitoring Stack",
-            "default": false
+        "host": {
+            "default": "",
+            "description": "The hostname used to access tenant services (defaults to using the tenant name as a subdomain for it's parent tenant host).",
+            "type": "string"
        },
        "ingress": {
-            "type": "boolean",
+            "default": false,
            "description": "Deploy own Ingress Controller",
-            "default": false
-        },
-        "seaweedfs": {
-            "type": "boolean",
-            "description": "Deploy own SeaweedFS",
-            "default": false
+            "type": "boolean"
        },
        "isolated": {
-            "type": "boolean",
+            "default": true,
            "description": "Enforce tenant namespace with network policies",
-            "default": true
+            "type": "boolean"
+        },
+        "monitoring": {
+            "default": false,
+            "description": "Deploy own Monitoring Stack",
+            "type": "boolean"
        },
        "resourceQuotas": {
-            "type": "object",
+            "default": {},
            "description": "Define resource quotas for the tenant",
-            "default": {}
+            "type": "object"
+        },
+        "seaweedfs": {
+            "default": false,
+            "description": "Deploy own SeaweedFS",
+            "type": "boolean"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -29,7 +29,7 @@ ferretdb 0.6.1 632224a3
 ferretdb 0.7.0 62cb694d
 ferretdb 0.7.1 4369b031
 ferretdb 0.8.0 08cb7c0f
-ferretdb 0.8.1 HEAD
+ferretdb 1.0.0 HEAD
 http-cache 0.1.0 263e47be
 http-cache 0.2.0 53f2365e
 http-cache 0.3.0 6c5cf5bf
@@ -113,7 +113,7 @@ postgres 0.15.1 4369b031
 postgres 0.16.0 70f82667
 postgres 0.17.0 acd4663a
 postgres 0.17.1 08cb7c0f
-postgres 0.17.2 HEAD
+postgres 0.17.3 HEAD
 rabbitmq 0.1.0 263e47be
 rabbitmq 0.2.0 53f2365e
 rabbitmq 0.3.0 6c5cf5bf
@@ -170,7 +170,8 @@ virtual-machine 0.10.0 6130f43d
 virtual-machine 0.10.2 632224a3
 virtual-machine 0.11.0 4369b031
 virtual-machine 0.12.0 acd4663a
-virtual-machine 0.12.1 HEAD
+virtual-machine 0.12.1 909208ba
+virtual-machine 0.12.2 HEAD
 vm-disk 0.1.0 d971f2ff
 vm-disk 0.1.1 6130f43d
 vm-disk 0.1.2 632224a3
@@ -188,7 +189,8 @@ vm-instance 0.7.0 6130f43d
 vm-instance 0.7.2 632224a3
 vm-instance 0.8.0 4369b031
 vm-instance 0.9.0 acd4663a
-vm-instance 0.10.0 HEAD
+vm-instance 0.10.0 909208ba
+vm-instance 0.10.1 HEAD
 vpn 0.1.0 263e47be
 vpn 0.2.0 53f2365e
 vpn 0.3.0 6c5cf5bf
--- a/packages/apps/virtual-machine/Chart.yaml
+++ b/packages/apps/virtual-machine/Chart.yaml
@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.12.1
+version: 0.12.2

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/virtual-machine/Makefile
+++ b/packages/apps/virtual-machine/Makefile
@@ -1,7 +1,7 @@
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -o json -i '.properties.gpus.items.type = "object" | .properties.gpus.default = []' values.schema.json
 	INSTANCE_TYPES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/instancetypes.yaml | yq 'split(" ") | . + [""]' -o json) \
 	  && yq -i -o json ".properties.instanceType.optional=true | .properties.instanceType.enum = $${INSTANCE_TYPES}" values.schema.json
--- a/packages/apps/virtual-machine/templates/vm-update-hook.yaml
+++ b/packages/apps/virtual-machine/templates/vm-update-hook.yaml
@@ -52,6 +52,13 @@ spec:
      containers:
        - name: update-resources
          image: bitnami/kubectl:latest
+          resources:
+            requests:
+              memory: "16Mi"
+              cpu: "10m"
+            limits:
+              memory: "128Mi"
+              cpu: "100m"
          command: ["sh", "-exc"]
          args:
            - |
--- a/packages/apps/virtual-machine/values.schema.json
+++ b/packages/apps/virtual-machine/values.schema.json
@@ -1,38 +1,100 @@
 {
-  "title": "Chart Values",
-  "type": "object",
  "properties": {
+    "cloudInit": {
+      "default": "",
+      "description": "cloud-init user data config. See cloud-init documentation for more details.",
+      "type": "string"
+    },
+    "cloudInitSeed": {
+      "default": "",
+      "description": "A seed string to generate an SMBIOS UUID for the VM.",
+      "type": "string"
+    },
    "external": {
-      "type": "boolean",
+      "default": false,
      "description": "Enable external access from outside the cluster",
-      "default": false
+      "type": "boolean"
    },
    "externalMethod": {
-      "type": "string",
-      "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`",
      "default": "PortList",
+      "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`",
+      "type": "string",
      "enum": [
        "PortList",
        "WholeIP"
      ]
    },
    "externalPorts": {
-      "type": "array",
+      "default": [],
      "description": "Specify ports to forward from outside the cluster",
-      "default": "[]",
      "items": {
        "type": "integer"
-      }
+      },
+      "type": "array"
    },
-    "running": {
-      "type": "boolean",
-      "description": "Determines if the virtual machine should be running",
-      "default": true
+    "gpus": {
+      "default": [],
+      "description": "List of GPUs to attach",
+      "items": {
+        "type": "object"
+      },
+      "type": "array"
+    },
+    "instanceProfile": {
+      "default": "ubuntu",
+      "description": "Virtual Machine preferences profile",
+      "type": "string",
+      "optional": true,
+      "enum": [
+        "alpine",
+        "centos.7",
+        "centos.7.desktop",
+        "centos.stream10",
+        "centos.stream10.desktop",
+        "centos.stream8",
+        "centos.stream8.desktop",
+        "centos.stream8.dpdk",
+        "centos.stream9",
+        "centos.stream9.desktop",
+        "centos.stream9.dpdk",
+        "cirros",
+        "fedora",
+        "fedora.arm64",
+        "opensuse.leap",
+        "opensuse.tumbleweed",
+        "rhel.10",
+        "rhel.10.arm64",
+        "rhel.7",
+        "rhel.7.desktop",
+        "rhel.8",
+        "rhel.8.desktop",
+        "rhel.8.dpdk",
+        "rhel.9",
+        "rhel.9.arm64",
+        "rhel.9.desktop",
+        "rhel.9.dpdk",
+        "rhel.9.realtime",
+        "sles",
+        "ubuntu",
+        "windows.10",
+        "windows.10.virtio",
+        "windows.11",
+        "windows.11.virtio",
+        "windows.2k16",
+        "windows.2k16.virtio",
+        "windows.2k19",
+        "windows.2k19.virtio",
+        "windows.2k22",
+        "windows.2k22.virtio",
+        "windows.2k25",
+        "windows.2k25.virtio",
+        ""
+      ]
    },
    "instanceType": {
-      "type": "string",
-      "description": "Virtual Machine instance type",
      "default": "u1.medium",
+      "description": "Virtual Machine instance type",
+      "type": "string",
      "optional": true,
      "enum": [
        "cx1.2xlarge",
@@ -86,64 +148,43 @@
        ""
      ]
    },
-    "instanceProfile": {
-      "type": "string",
-      "description": "Virtual Machine preferences profile",
-      "default": "ubuntu",
-      "optional": true,
-      "enum": [
-        "alpine",
-        "centos.7",
-        "centos.7.desktop",
-        "centos.stream10",
-        "centos.stream10.desktop",
-        "centos.stream8",
-        "centos.stream8.desktop",
-        "centos.stream8.dpdk",
-        "centos.stream9",
-        "centos.stream9.desktop",
-        "centos.stream9.dpdk",
-        "cirros",
-        "fedora",
-        "fedora.arm64",
-        "opensuse.leap",
-        "opensuse.tumbleweed",
-        "rhel.10",
-        "rhel.10.arm64",
-        "rhel.7",
-        "rhel.7.desktop",
-        "rhel.8",
-        "rhel.8.desktop",
-        "rhel.8.dpdk",
-        "rhel.9",
-        "rhel.9.arm64",
-        "rhel.9.desktop",
-        "rhel.9.dpdk",
-        "rhel.9.realtime",
-        "sles",
-        "ubuntu",
-        "windows.10",
-        "windows.10.virtio",
-        "windows.11",
-        "windows.11.virtio",
-        "windows.2k16",
-        "windows.2k16.virtio",
-        "windows.2k19",
-        "windows.2k19.virtio",
-        "windows.2k22",
-        "windows.2k22.virtio",
-        "windows.2k25",
-        "windows.2k25.virtio",
-        ""
-      ]
+    "resources": {
+      "properties": {
+        "cpu": {
+          "default": "",
+          "description": "The number of CPU cores allocated to the virtual machine",
+          "type": "string"
+        },
+        "memory": {
+          "default": "",
+          "description": "The amount of memory allocated to the virtual machine",
+          "type": "string"
+        },
+        "sockets": {
+          "default": "",
+          "description": "The number of CPU sockets allocated to the virtual machine (used to define vCPU topology)",
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
+    "running": {
+      "default": true,
+      "description": "Determines if the virtual machine should be running",
+      "type": "boolean"
+    },
+    "sshKeys": {
+      "default": [],
+      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys.",
+      "items": {},
+      "type": "array"
    },
    "systemDisk": {
-      "type": "object",
      "properties": {
        "image": {
-          "type": "string",
-          "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`",
          "default": "ubuntu",
+          "description": "The base image for the virtual machine. Allowed values: `ubuntu`, `cirros`, `alpine`, `fedora` and `talos`",
+          "type": "string",
          "enum": [
            "ubuntu",
            "cirros",
@@ -153,62 +194,19 @@
          ]
        },
        "storage": {
-          "type": "string",
+          "default": "5Gi",
          "description": "The size of the disk allocated for the virtual machine",
-          "default": "5Gi"
+          "type": "string"
        },
        "storageClass": {
-          "type": "string",
+          "default": "replicated",
          "description": "StorageClass used to store the data",
-          "default": "replicated"
+          "type": "string"
        }
-      }
-    },
-    "gpus": {
-      "type": "array",
-      "description": "List of GPUs to attach",
-      "default": [],
-      "items": {
-        "type": "object"
-      }
-    },
-    "resources": {
-      "type": "object",
-      "properties": {
-        "cpu": {
-          "type": "string",
-          "description": "The number of CPU cores allocated to the virtual machine",
-          "default": ""
-        },
-        "memory": {
-          "type": "string",
-          "description": "The amount of memory allocated to the virtual machine",
-          "default": ""
-        },
-        "sockets": {
-          "type": "string",
-          "description": "The number of CPU sockets allocated to the virtual machine (used to define vCPU topology)",
-          "default": ""
-        }
-      }
-    },
-    "sshKeys": {
-      "type": "array",
-      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys.",
-      "default": "[]",
-      "items": {
-        "type": "string"
-      }
-    },
-    "cloudInit": {
-      "type": "string",
-      "description": "cloud-init user data config. See cloud-init documentation for more details.",
-      "default": ""
-    },
-    "cloudInitSeed": {
-      "type": "string",
-      "description": "A seed string to generate an SMBIOS UUID for the VM.",
-      "default": ""
+      },
+      "type": "object"
    }
-  }
+  },
+  "title": "Chart Values",
+  "type": "object"
 }
--- a/packages/apps/vm-disk/Makefile
+++ b/packages/apps/vm-disk/Makefile
@@ -1,4 +1,4 @@
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
--- a/packages/apps/vm-disk/values.schema.json
+++ b/packages/apps/vm-disk/values.schema.json
@@ -1,26 +1,26 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
-        "source": {
-            "type": "object",
-            "description": "The source image location used to create a disk",
-            "default": {}
-        },
        "optical": {
-            "type": "boolean",
+            "default": false,
            "description": "Defines is disk should be considered as optical",
-            "default": false
+            "type": "boolean"
+        },
+        "source": {
+            "default": {},
+            "description": "The source image location used to create a disk",
+            "type": "object"
        },
        "storage": {
-            "type": "string",
+            "default": "5Gi",
            "description": "The size of the disk allocated for the virtual machine",
-            "default": "5Gi"
+            "type": "string"
        },
        "storageClass": {
-            "type": "string",
+            "default": "replicated",
            "description": "StorageClass used to store the data",
-            "default": "replicated"
+            "type": "string"
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/vm-instance/Chart.yaml
+++ b/packages/apps/vm-instance/Chart.yaml
@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.0
+version: 0.10.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/vm-instance/Makefile
+++ b/packages/apps/vm-instance/Makefile
@@ -1,7 +1,7 @@
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -o json -i '.properties.disks.items.type = "object" | .properties.disks.default = []' values.schema.json
 	yq -o json -i '.properties.gpus.items.type = "object" | .properties.gpus.default = []' values.schema.json
 	INSTANCE_TYPES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/instancetypes.yaml | yq 'split(" ") | . + [""]' -o json) \
--- a/packages/apps/vm-instance/templates/vm-update-hook.yaml
+++ b/packages/apps/vm-instance/templates/vm-update-hook.yaml
@@ -42,6 +42,13 @@ spec:
      containers:
        - name: update-resources
          image: bitnami/kubectl:latest
+          resources:
+            requests:
+              memory: "16Mi"
+              cpu: "10m"
+            limits:
+              memory: "128Mi"
+              cpu: "100m"
          command: ["sh", "-exc"]
          args:
            - |
--- a/packages/apps/vm-instance/values.schema.json
+++ b/packages/apps/vm-instance/values.schema.json
@@ -1,38 +1,108 @@
 {
-  "title": "Chart Values",
-  "type": "object",
  "properties": {
+    "cloudInit": {
+      "default": "",
+      "description": "cloud-init user data config. See cloud-init documentation for more details.",
+      "type": "string"
+    },
+    "cloudInitSeed": {
+      "default": "",
+      "description": "A seed string to generate an SMBIOS UUID for the VM.",
+      "type": "string"
+    },
+    "disks": {
+      "default": [],
+      "description": "List of disks to attach",
+      "items": {
+        "type": "object"
+      },
+      "type": "array"
+    },
    "external": {
-      "type": "boolean",
+      "default": false,
      "description": "Enable external access from outside the cluster",
-      "default": false
+      "type": "boolean"
    },
    "externalMethod": {
-      "type": "string",
-      "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`",
      "default": "PortList",
+      "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`",
+      "type": "string",
      "enum": [
        "PortList",
        "WholeIP"
      ]
    },
    "externalPorts": {
-      "type": "array",
+      "default": [],
      "description": "Specify ports to forward from outside the cluster",
-      "default": "[]",
      "items": {
        "type": "integer"
-      }
+      },
+      "type": "array"
    },
-    "running": {
-      "type": "boolean",
-      "description": "Determines if the virtual machine should be running",
-      "default": true
+    "gpus": {
+      "default": [],
+      "description": "List of GPUs to attach",
+      "items": {
+        "type": "object"
+      },
+      "type": "array"
+    },
+    "instanceProfile": {
+      "default": "ubuntu",
+      "description": "Virtual Machine preferences profile",
+      "type": "string",
+      "optional": true,
+      "enum": [
+        "alpine",
+        "centos.7",
+        "centos.7.desktop",
+        "centos.stream10",
+        "centos.stream10.desktop",
+        "centos.stream8",
+        "centos.stream8.desktop",
+        "centos.stream8.dpdk",
+        "centos.stream9",
+        "centos.stream9.desktop",
+        "centos.stream9.dpdk",
+        "cirros",
+        "fedora",
+        "fedora.arm64",
+        "opensuse.leap",
+        "opensuse.tumbleweed",
+        "rhel.10",
+        "rhel.10.arm64",
+        "rhel.7",
+        "rhel.7.desktop",
+        "rhel.8",
+        "rhel.8.desktop",
+        "rhel.8.dpdk",
+        "rhel.9",
+        "rhel.9.arm64",
+        "rhel.9.desktop",
+        "rhel.9.dpdk",
+        "rhel.9.realtime",
+        "sles",
+        "ubuntu",
+        "windows.10",
+        "windows.10.virtio",
+        "windows.11",
+        "windows.11.virtio",
+        "windows.2k16",
+        "windows.2k16.virtio",
+        "windows.2k19",
+        "windows.2k19.virtio",
+        "windows.2k22",
+        "windows.2k22.virtio",
+        "windows.2k25",
+        "windows.2k25.virtio",
+        ""
+      ]
    },
    "instanceType": {
-      "type": "string",
-      "description": "Virtual Machine instance type",
      "default": "u1.medium",
+      "description": "Virtual Machine instance type",
+      "type": "string",
      "optional": true,
      "enum": [
        "cx1.2xlarge",
@@ -86,110 +156,38 @@
        ""
      ]
    },
-    "instanceProfile": {
-      "type": "string",
-      "description": "Virtual Machine preferences profile",
-      "default": "ubuntu",
-      "optional": true,
-      "enum": [
-        "alpine",
-        "centos.7",
-        "centos.7.desktop",
-        "centos.stream10",
-        "centos.stream10.desktop",
-        "centos.stream8",
-        "centos.stream8.desktop",
-        "centos.stream8.dpdk",
-        "centos.stream9",
-        "centos.stream9.desktop",
-        "centos.stream9.dpdk",
-        "cirros",
-        "fedora",
-        "fedora.arm64",
-        "opensuse.leap",
-        "opensuse.tumbleweed",
-        "rhel.10",
-        "rhel.10.arm64",
-        "rhel.7",
-        "rhel.7.desktop",
-        "rhel.8",
-        "rhel.8.desktop",
-        "rhel.8.dpdk",
-        "rhel.9",
-        "rhel.9.arm64",
-        "rhel.9.desktop",
-        "rhel.9.dpdk",
-        "rhel.9.realtime",
-        "sles",
-        "ubuntu",
-        "windows.10",
-        "windows.10.virtio",
-        "windows.11",
-        "windows.11.virtio",
-        "windows.2k16",
-        "windows.2k16.virtio",
-        "windows.2k19",
-        "windows.2k19.virtio",
-        "windows.2k22",
-        "windows.2k22.virtio",
-        "windows.2k25",
-        "windows.2k25.virtio",
-        ""
-      ]
-    },
-    "disks": {
-      "type": "array",
-      "description": "List of disks to attach",
-      "default": [],
-      "items": {
-        "type": "object"
-      }
-    },
-    "gpus": {
-      "type": "array",
-      "description": "List of GPUs to attach",
-      "default": [],
-      "items": {
-        "type": "object"
-      }
-    },
    "resources": {
-      "type": "object",
      "properties": {
        "cpu": {
-          "type": "string",
+          "default": "",
          "description": "The number of CPU cores allocated to the virtual machine",
-          "default": ""
+          "type": "string"
        },
        "memory": {
-          "type": "string",
+          "default": "",
          "description": "The amount of memory allocated to the virtual machine",
-          "default": ""
+          "type": "string"
        },
        "sockets": {
-          "type": "string",
+          "default": "",
          "description": "The number of CPU sockets allocated to the virtual machine (used to define vCPU topology)",
-          "default": ""
+          "type": "string"
        }
-      }
+      },
+      "type": "object"
+    },
+    "running": {
+      "default": true,
+      "description": "Determines if the virtual machine should be running",
+      "type": "boolean"
    },
    "sshKeys": {
-      "type": "array",
+      "default": [],
      "description": "List of SSH public keys for authentication. Can be a single key or a list of keys.",
-      "default": "[]",
-      "items": {
-        "type": "string"
-      }
-    },
-    "cloudInit": {
-      "type": "string",
-      "description": "cloud-init user data config. See cloud-init documentation for more details.",
-      "default": ""
-    },
-    "cloudInitSeed": {
-      "type": "string",
-      "description": "A seed string to generate an SMBIOS UUID for the VM.",
-      "default": ""
+      "items": {},
+      "type": "array"
    }
-  }
+  },
+  "title": "Chart Values",
+  "type": "object"
 }
--- a/packages/apps/vpn/Makefile
+++ b/packages/apps/vpn/Makefile
@@ -2,5 +2,5 @@ include ../../../scripts/package.mk
 PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]

 generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
--- a/packages/apps/vpn/README.md
+++ b/packages/apps/vpn/README.md
@@ -19,20 +19,20 @@ Furthermore, Shadowbox is compatible with standard Shadowsocks clients, providin

 ### Common parameters

-| Name       | Description                                     | Value   |
-| ---------- | ----------------------------------------------- | ------- |
-| `external` | Enable external access from outside the cluster | `false` |
-| `replicas` | Number of VPN server replicas                   | `2`     |
+| Name              | Description                                                                                                                             | Value   |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `replicas`        | Number of VPN server replicas                                                                                                           | `2`     |
+| `resources`       | Explicit CPU and memory configuration for each VPN server replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.             | `nano`  |
+| `external`        | Enable external access from outside the cluster                                                                                         | `false` |

-### Configuration parameters
+### Application-specific parameters

-| Name              | Description                                                                                                                             | Value  |
-| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------ |
-| `host`            | Host used to substitute into generated URLs                                                                                             | `""`   |
-| `users`           | Users configuration                                                                                                                     | `{}`   |
-| `externalIPs`     | List of externalIPs for service. Optional. If not specified will use LoadBalancer service by default.                                   | `[]`   |
-| `resources`       | Explicit CPU and memory configuration for each VPN server replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`   |
-| `resourcesPreset` | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.             | `nano` |
+| Name          | Description                                                                                           | Value |
+| ------------- | ----------------------------------------------------------------------------------------------------- | ----- |
+| `host`        | Host used to substitute into generated URLs                                                           | `""`  |
+| `users`       | Users configuration (see example)                                                                     | `{}`  |
+| `externalIPs` | List of externalIPs for service. Optional. If not specified will use LoadBalancer service by default. | `[]`  |

 ## Parameter examples and reference

--- a/packages/apps/vpn/values.schema.json
+++ b/packages/apps/vpn/values.schema.json
@@ -1,39 +1,35 @@
 {
-    "title": "Chart Values",
-    "type": "object",
    "properties": {
        "external": {
-            "type": "boolean",
+            "default": false,
            "description": "Enable external access from outside the cluster",
-            "default": false
-        },
-        "replicas": {
-            "type": "number",
-            "description": "Number of VPN server replicas",
-            "default": 2
-        },
-        "host": {
-            "type": "string",
-            "description": "Host used to substitute into generated URLs",
-            "default": ""
+            "type": "boolean"
        },
        "externalIPs": {
-            "type": "array",
+            "default": [],
            "description": "List of externalIPs for service. Optional. If not specified will use LoadBalancer service by default.",
-            "default": "[]",
-            "items": {
-                "type": "string"
-            }
+            "items": {},
+            "type": "array"
+        },
+        "host": {
+            "default": "",
+            "description": "Host used to substitute into generated URLs",
+            "type": "string"
+        },
+        "replicas": {
+            "default": 2,
+            "description": "Number of VPN server replicas",
+            "type": "number"
        },
        "resources": {
-            "type": "object",
+            "default": {},
            "description": "Explicit CPU and memory configuration for each VPN server replica. When left empty, the preset defined in `resourcesPreset` is applied.",
-            "default": {}
+            "type": "object"
        },
        "resourcesPreset": {
-            "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
            "default": "nano",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "type": "string",
            "enum": [
                "nano",
                "micro",
@@ -44,5 +40,7 @@
                "2xlarge"
            ]
        }
-    }
+    },
+    "title": "Chart Values",
+    "type": "object"
 }
--- a/packages/apps/vpn/values.yaml
+++ b/packages/apps/vpn/values.yaml
@@ -1,17 +1,25 @@
 ## @section Common parameters
-
-## @param external Enable external access from outside the cluster
-## @param replicas Number of VPN server replicas
 ##
-external: false
+## @param replicas Number of VPN server replicas
 replicas: 2
+## @param resources Explicit CPU and memory configuration for each VPN server replica. When left empty, the preset defined in `resourcesPreset` is applied.
+resources: {}
+# resources:
+#   cpu: 4000m
+#   memory: 4Gi
+##
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "nano"
+## @param external Enable external access from outside the cluster
+external: false

-## @section Configuration parameters

+## @section Application-specific parameters
+##
 ## @param host Host used to substitute into generated URLs
 host: ""

-## @param users [object] Users configuration
+## @param users [object] Users configuration (see example)
 ## Example:
 ## users:
 ##   user1:
@@ -29,11 +37,3 @@ users: {}
 ##
 externalIPs: []

-## @param resources Explicit CPU and memory configuration for each VPN server replica. When left empty, the preset defined in `resourcesPreset` is applied.
-resources: {}
-# resources:
-#   cpu: 4000m
-#   memory: 4Gi
-
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "nano"
--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.34.0-beta.1@sha256:6f29c93e52d686ae6144d64bbcd92c138cbd1b432b06a74273c5dc35b11fe048
+  image: ghcr.io/cozystack/cozystack/installer:v0.34.0-beta.2@sha256:92639050dc388167c0a7047edc3288423963ecb36954e5cd1f472841bf380713
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.34.0-beta.1@sha256:f0a7a45218122b57022e51d41c0e6b18d31621c8ec504651d2347f47e5e5f256
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.34.0-beta.2@sha256:09078954d19c712d34f10b3ff7df30464fad4f492548b79cf0852aa10c7e1e03
--- a/packages/extra/bootbox/Makefile
+++ b/packages/extra/bootbox/Makefile
@@ -4,7 +4,7 @@ NAMESPACE=tenant-root
 include ../../../scripts/package.mk

 generate:
-	readme-generator -v values.yaml -s values.schema.json.tmp -r README.md
+	readme-generator-for-helm -v values.yaml -s values.schema.json.tmp -r README.md
 	cat values.schema.json.tmp | \
 		jq '.properties.machines.items.type = "object"' \
 		> values.schema.json
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f`