Introduce bats testing framework

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-01-30 02:18:49 +00:00 · 2025-05-23 23:46:52 +02:00
69 changed files with 180 additions and 739 deletions
--- a/.github/workflows/pull-requests-release.yaml
+++ b/.github/workflows/pull-requests-release.yaml
@@ -80,7 +80,6 @@ jobs:
      - name: Ensure maintenance branch release-X.Y
        uses: actions/github-script@v7
        with:
-          github-token: ${{ secrets.GH_PAT }}
          script: |
            const tag = '${{ steps.get_tag.outputs.tag }}';  // e.g. v0.1.3 or v0.1.3-rc3
            const match = tag.match(/^v(\d+)\.(\d+)\.\d+(?:[-\w\.]+)?$/);
@@ -90,45 +89,21 @@ jobs:
            }
            const line = `${match[1]}.${match[2]}`;
            const branch = `release-${line}`;
-
-            // Get main branch commit for the tag
-            const ref = await github.rest.git.getRef({
-              owner: context.repo.owner,
-              repo:  context.repo.repo,
-              ref:   `tags/${tag}`
-            });
-
-            const commitSha = ref.data.object.sha;
-
            try {
              await github.rest.repos.getBranch({
                owner: context.repo.owner,
-                repo: context.repo.repo,
+                repo:  context.repo.repo,
                branch
              });
-           
-              await github.rest.git.updateRef({
+              console.log(`Branch '${branch}' already exists`);
+            } catch (_) {
+              await github.rest.git.createRef({
                owner: context.repo.owner,
-                repo: context.repo.repo,
-                ref: `heads/${branch}`,
-                sha: commitSha,
-                force: true
+                repo:  context.repo.repo,
+                ref:   `refs/heads/${branch}`,
+                sha:   context.sha
              });
-              console.log(`🔁 Force-updated '${branch}' to ${commitSha}`);
-            } catch (err) {
-              if (err.status === 404) {
-                await github.rest.git.createRef({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  ref: `refs/heads/${branch}`,
-                  sha: commitSha
-                });
-                console.log(`✅ Created branch '${branch}' at ${commitSha}`);
-              } else {
-                console.error('Unexpected error --', err);
-                core.setFailed(`Unexpected error creating/updating branch: ${err.message}`);
-                throw err;
-              }
+              console.log(`✅ Branch '${branch}' created at ${context.sha}`);
            }

      # Get the latest published release
@@ -162,12 +137,12 @@ jobs:
        with:
          script: |
            const tag = '${{ steps.get_tag.outputs.tag }}';              // v0.31.5-rc.1
-            const m = tag.match(/^v(\d+\.\d+\.\d+)(-(?:alpha|beta|rc)\.\d+)?$/);
+            const m = tag.match(/^v(\d+\.\d+\.\d+)(-rc\.\d+)?$/);
            if (!m) {
-              core.setFailed(`❌ tag '${tag}' must match 'vX.Y.Z' or 'vX.Y.Z-(alpha|beta|rc).N'`);
+              core.setFailed(`❌ tag '${tag}' must match 'vX.Y.Z' or 'vX.Y.Z-rc.N'`);
              return;
            }
-            const version = m[1] + (m[2] ?? '');                         // 0.31.5-rc.1
+            const version = m[1] + (m[2] ?? '');                         // 0.31.5‑rc.1
            const isRc    = Boolean(m[2]);
            core.setOutput('is_rc',      isRc);
            const outdated = '${{ steps.semver.outputs.comparison-result }}' === '<';
--- a/.github/workflows/tags.yaml
+++ b/.github/workflows/tags.yaml
@@ -3,10 +3,9 @@ name: Versioned Tag
 on:
  push:
    tags:
-      - 'v*.*.*'          # vX.Y.Z
-      - 'v*.*.*-rc.*'     # vX.Y.Z-rc.N
-      - 'v*.*.*-beta.*'   # vX.Y.Z-beta.N
-      - 'v*.*.*-alpha.*'  # vX.Y.Z-alpha.N
+      - 'v*.*.*' # vX.Y.Z
+      - 'v*.*.*-rc.*' # vX.Y.Z-rc.N
+

 concurrency:
  group: tags-${{ github.workflow }}-${{ github.ref }}
@@ -43,7 +42,7 @@ jobs:
        if: steps.check_release.outputs.skip == 'true'
        run: echo "Release already exists, skipping workflow."

-      # Parse tag meta-data (rc?, maintenance line, etc.)
+      # Parse tag meta‑data (rc?, maintenance line, etc.)
      - name: Parse tag
        if: steps.check_release.outputs.skip == 'false'
        id: tag
@@ -51,12 +50,12 @@ jobs:
        with:
          script: |
            const ref = context.ref.replace('refs/tags/', '');           // e.g. v0.31.5-rc.1
-            const m = ref.match(/^v(\d+\.\d+\.\d+)(-(?:alpha|beta|rc)\.\d+)?$/);        // ['0.31.5', '-rc.1' | '-beta.1' | …]
+            const m = ref.match(/^v(\d+\.\d+\.\d+)(-rc\.\d+)?$/);        // ['0.31.5', '-rc.1']
            if (!m) {
-              core.setFailed(`❌ tag '${ref}' must match 'vX.Y.Z' or 'vX.Y.Z-(alpha|beta|rc).N'`);
+              core.setFailed(`❌ tag '${ref}' must match 'vX.Y.Z' or 'vX.Y.Z-rc.N'`);
              return;
            }
-            const version = m[1] + (m[2] ?? '');                         // 0.31.5-rc.1
+            const version = m[1] + (m[2] ?? '');                         // 0.31.5‑rc.1
            const isRc    = Boolean(m[2]);
            const [maj, min] = m[1].split('.');
            core.setOutput('tag',     ref);                              // v0.31.5-rc.1
@@ -64,7 +63,7 @@ jobs:
            core.setOutput('is_rc',   isRc);                             // true
            core.setOutput('line',    `${maj}.${min}`);                  // 0.31

-      # Detect base branch (main or release-X.Y) the tag was pushed from
+      # Detect base branch (main or release‑X.Y) the tag was pushed from
      - name: Get base branch
        if: steps.check_release.outputs.skip == 'false'
        id: get_base
@@ -169,7 +168,7 @@ jobs:
              });
              console.log(`Draft release created for ${tag}`);
            } else {
-              console.log(`Re-using existing release ${tag}`);
+              console.log(`Re‑using existing release ${tag}`);
            }
            core.setOutput('upload_url', rel.upload_url);

@@ -182,7 +181,7 @@ jobs:
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

-      # Create release-X.Y.Z branch and push (force-update)
+      # Create release‑X.Y.Z branch and push (force‑update)
      - name: Create release branch
        if: steps.check_release.outputs.skip == 'false'
        run: |
--- a/docs/changelogs/v0.31.0.md
+++ b/docs/changelogs/v0.31.0.md
@@ -1,5 +1,5 @@
-This is the third release candidate for the upcoming Cozystack v0.31.0 release.
-The release notes show changes accumulated since the release of previous version, Cozystack v0.30.0.
+This is the second release candidate for the upcoming Cozystack v0.31.0 release.
+The release notes show changes accumulated since the release of Cozystack v0.30.0.

 Cozystack 0.31.0 further advances GPU support, monitoring, and all-around convenience features.

@@ -12,21 +12,18 @@ Cozystack 0.31.0 further advances GPU support, monitoring, and all-around conven
    * [platform] Cozystack etcd-operator (@klinch0 in https://github.com/cozystack/cozystack/pull/850)
 * Introduce support for cross-architecture builds and Cozystack on ARM:
    * [build] Refactor Makefiles introducing build variables. (@nbykov0 in https://github.com/cozystack/cozystack/pull/907)
-    * [build] Add support for multi-architecture and cross-platform image builds. (@nbykov0 in https://github.com/cozystack/cozystack/pull/932 and https://github.com/cozystack/cozystack/pull/970)
+    * [build] Add support for multi-architecture and cross-platform image builds. (@nbykov0 in https://github.com/cozystack/cozystack/pull/932)
 * [platform] Introduce a new controller to synchronize tenant HelmReleases and propagate configuration changes. (@klinch0 in https://github.com/cozystack/cozystack/pull/870)
 * [platform] Introduce options `expose-services`, `expose-ingress` and `expose-external-ips` to the ingress service. (@kvaps in https://github.com/cozystack/cozystack/pull/929)
 * [kubevirt] Enable exporting VMs. (@kvaps in https://github.com/cozystack/cozystack/pull/808)
 * [kubevirt] Make KubeVirt's CPU allocation ratio configurable. (@lllamnyp in https://github.com/cozystack/cozystack/pull/905)
-* [virtual-machine] Add support for various storages. (@kvaps in https://github.com/cozystack/cozystack/pull/974)
 * [cozystack-controller] Record the IP address pool and storage class in Workload objects. (@lllamnyp in https://github.com/cozystack/cozystack/pull/831)
 * [cilium] Enable Cilium Gateway API. (@zdenekjanda in https://github.com/cozystack/cozystack/pull/924)
 * [cilium] Enable user-added parameters in a tenant cluster Cilium. (@lllamnyp in https://github.com/cozystack/cozystack/pull/917)
-* [apps] Remove user-facing config of limits and requests. (@lllamnyp in https://github.com/cozystack/cozystack/pull/935)
 * Update the Cozystack release policy to include long-lived release branches and start with release candidates. Update CI workflows and docs accordingly.
    * Use release branches `release-X.Y` for gathering and releasing fixes after initial `vX.Y.0` release. (@kvaps in https://github.com/cozystack/cozystack/pull/816)
    * Automatically create release branches after initial `vX.Y.0` release is published. (@kvaps in https://github.com/cozystack/cozystack/pull/886)
    * Introduce Release Candidate versions. Automate patch backporting by applying patches from pull requests labeled `[backport]` to the current release branch. (@kvaps in https://github.com/cozystack/cozystack/pull/841 and https://github.com/cozystack/cozystack/pull/901, @nickvolynkin in https://github.com/cozystack/cozystack/pull/890)
-    * Support alpha and beta pre-releases. (@kvaps in https://github.com/cozystack/cozystack/pull/978)
    * Commit changes in release pipelines under `github-actions <github-actions@github.com>`. (@kvaps in https://github.com/cozystack/cozystack/pull/823)
    * Describe the Cozystack release workflow. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/817 and https://github.com/cozystack/cozystack/pull/897)

@@ -45,7 +42,6 @@ Cozystack 0.31.0 further advances GPU support, monitoring, and all-around conven
 * [kubernetes] Fix merging `valuesOverride` for tenant clusters. (@kvaps in https://github.com/cozystack/cozystack/pull/879)
 * [kubernetes] Fix `ubuntu-container-disk` tag. (@kvaps in https://github.com/cozystack/cozystack/pull/887)
 * [kubernetes] Refactor Helm manifests for tenant Kubernetes clusters. (@kvaps in https://github.com/cozystack/cozystack/pull/866)
-* [kubernetes] Fix Ingress-NGINX depends on Cert-Manager . (@kvaps in https://github.com/cozystack/cozystack/pull/976)
 * [tenant] Fix an issue with accessing external IPs of a cluster from the cluster itself. (@kvaps in https://github.com/cozystack/cozystack/pull/854)
 * [cluster-api] Remove the no longer necessary workaround for Kamaji. (@kvaps in https://github.com/cozystack/cozystack/pull/867, patched in https://github.com/cozystack/cozystack/pull/956) 
 * [monitoring] Remove legacy label "POD" from the exclude filter in metrics. (@xy2 in https://github.com/cozystack/cozystack/pull/826)
@@ -66,8 +62,6 @@ Cozystack 0.31.0 further advances GPU support, monitoring, and all-around conven
 * [ci] Fix release branch creation. (@kvaps in https://github.com/cozystack/cozystack/pull/884)
 * [ci, dx] Reduce noise in the test logs by suppressing the `wget` progress bar. (@lllamnyp in https://github.com/cozystack/cozystack/pull/865)
 * [ci] Revert "automatically trigger tests in releasing PR". (@kvaps in https://github.com/cozystack/cozystack/pull/900)
-* [ci] Force-update release branch on tagged main commits . (@kvaps in https://github.com/cozystack/cozystack/pull/977)
-* [docs] Explain that tenants cannot have dashes in the names. (@NickVolynkin in https://github.com/cozystack/cozystack/pull/980)

 ## Dependencies

@@ -80,8 +74,7 @@ Cozystack 0.31.0 further advances GPU support, monitoring, and all-around conven
 * Update tenant Kubernetes to v1.32. (@kvaps in https://github.com/cozystack/cozystack/pull/871)
 * Update flux-operator to 0.20.0. (@kingdonb in https://github.com/cozystack/cozystack/pull/880 and https://github.com/cozystack/cozystack/pull/934)
 * Update multiple Cluster API components. (@kvaps in https://github.com/cozystack/cozystack/pull/867 and https://github.com/cozystack/cozystack/pull/947)
-* Update KamajiControlPlane to edge-25.4.1. (@kvaps in https://github.com/cozystack/cozystack/pull/953, fixed by @nbykov0 in https://github.com/cozystack/cozystack/pull/983)
-* Update cert-manager to v1.17.2. (@kvaps in https://github.com/cozystack/cozystack/pull/975)
+* Update KamajiControlPlane to edge-25.4.1. (@kvaps in https://github.com/cozystack/cozystack/pull/953)

 ## Maintenance

@@ -94,4 +87,4 @@ Cozystack 0.31.0 further advances GPU support, monitoring, and all-around conven
 * @zdenekjanda made their first contribution in https://github.com/cozystack/cozystack/pull/924
 * @gwynbleidd2106 made their first contribution in https://github.com/cozystack/cozystack/pull/962

-**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.30.0...v0.31.0-rc.3
+**Full Changelog**: https://github.com/cozystack/cozystack/compare/v0.30.0...v0.31.0-rc.2
--- a/hack/cozytest.sh
+++ b/hack/cozytest.sh
@@ -1,117 +0,0 @@
-#!/bin/sh
-###############################################################################
-# cozytest.sh - Bats-compatible test runner with live trace and enhanced      #
-# output, written in pure shell                                               #
-###############################################################################
-set -eu
-
-TEST_FILE=${1:?Usage: ./cozytest.sh <file.bats> [pattern]}
-PATTERN=${2:-*}
-LINE='----------------------------------------------------------------'
-
-cols() { stty size 2>/dev/null | awk '{print $2}' || echo 80; }
-MAXW=$(( $(cols) - 12 )); [ "$MAXW" -lt 40 ] && MAXW=70
-BEGIN=$(date +%s)
-timestamp() { s=$(( $(date +%s) - BEGIN )); printf '[%02d:%02d]' $((s/60)) $((s%60)); }
-
-###############################################################################
-# run_one <fn> <title>                                                        #
-###############################################################################
-run_one() {
-  fn=$1 title=$2
-  tmp=$(mktemp -d) || { echo "Failed to create temp directory" >&2; exit 1; }
-  log="$tmp/log"
-
-  echo "╭ » Run test: $title"
-  START=$(date +%s)
-  skip_next="+ $fn"      # первую строку трассировки с именем функции пропустим
-
-  {
-    (
-      PS4='+ '           # prefix for set -x
-      set -eu -x         # strict + trace
-      "$fn"
-    )
-    printf '__RC__%s\n' "$?"
-  } 2>&1 | tee "$log" | while IFS= read -r line; do
-        case "$line" in
-          '__RC__'*) : ;;
-          '+ '*)   cmd=${line#'+ '}
-                    [ "$cmd" = "${skip_next#+ }" ] && continue
-                    case "$cmd" in
-                      'set -e'|'set -x'|'set -u'|'return 0') continue ;;
-                    esac
-                    out=$cmd ;;
-          *)       out=$line ;;
-        esac
-        now=$(( $(date +%s) - START ))
-        [ ${#out} -gt "$MAXW" ] && out="$(printf '%.*s…' "$MAXW" "$out")"
-        printf '┊[%02d:%02d] %s\n' $((now/60)) $((now%60)) "$out"
-  done
-
-  rc=$(awk '/^__RC__/ {print substr($0,7)}' "$log" | tail -n1)
-  [ -z "$rc" ] && rc=1
-  now=$(( $(date +%s) - START ))
-
-  if [ "$rc" -eq 0 ]; then
-    printf '╰[%02d:%02d] ✅ Test OK: %s\n' $((now/60)) $((now%60)) "$title"
-  else
-    printf '╰[%02d:%02d] ❌ Test failed: %s (exit %s)\n' \
-           $((now/60)) $((now%60)) "$title" "$rc"
-    echo "----- captured output -----------------------------------------"
-    grep -v '^__RC__' "$log"
-    echo "$LINE"
-    exit "$rc"
-  fi
-
-  rm -rf "$tmp"
-}
-
-###############################################################################
-# convert .bats -> shell-functions                                            #
-###############################################################################
-TMP_SH=$(mktemp) || { echo "Failed to create temp file" >&2; exit 1; }
-trap 'rm -f "$TMP_SH"' EXIT
-awk '
-  /^@test[[:space:]]+"/ {
-    line  = substr($0, index($0, "\"") + 1)
-    title = substr(line, 1, index(line, "\"") - 1)
-    fname = "test_"
-    for (i = 1; i <= length(title); i++) {
-      c = substr(title, i, 1)
-      fname = fname (c ~ /[A-Za-z0-9]/ ? c : "_")
-    }
-    printf("### %s\n", title)
-    printf("%s() {\n", fname)
-    print "  set -e"           # ошибка → падение теста
-    next
-  }
-  /^}$/ {
-    print "  return 0"         # если автор не сделал exit 1 — тест ОК
-    print "}"
-    next
-  }
-  { print }
-' "$TEST_FILE" > "$TMP_SH"
-
-[ -f "$TMP_SH" ] || { echo "Failed to generate test functions" >&2; exit 1; }
-# shellcheck disable=SC1090
-. "$TMP_SH"
-
-###############################################################################
-# run selected tests                                                          #
-###############################################################################
-awk -v pat="$PATTERN" '
-  /^### / {
-    title = substr($0, 5)
-    name = "test_"
-    for (i = 1; i <= length(title); i++) {
-      c = substr(title, i, 1)
-      name = name (c ~ /[A-Za-z0-9]/ ? c : "_")
-    }
-    if (pat == "*" || index(title, pat) > 0)
-      printf("%s %s\n", name, title)
-  }
-' "$TMP_SH" | while IFS=' ' read -r fn title; do
-  run_one "$fn" "$title"
-done
--- a/hack/e2e-apps.bats
+++ b/hack/e2e-apps.bats
@@ -1,94 +0,0 @@
-#!/usr/bin/env bats
-# -----------------------------------------------------------------------------
-# Cozystack end‑to‑end provisioning test (Bats)
-# -----------------------------------------------------------------------------
-
-@test "Create tenant with isolated mode enabled" {
-  kubectl create -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: Tenant
-metadata:
-  name: test
-  namespace: tenant-root
-spec:
-  etcd: false
-  host: ""
-  ingress: false
-  isolated: true
-  monitoring: false
-  resourceQuotas: {}
-  seaweedfs: false
-EOF
-  kubectl wait hr/tenant-test -n tenant-root --timeout=1m --for=condition=ready
-  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
-}
-
-@test "Create a tenant Kubernetes control plane" {
-  kubectl create -f - <<EOF
-apiVersion: apps.cozystack.io/v1alpha1
-kind: Kubernetes
-metadata:
-  name: test
-  namespace: tenant-test
-spec:
-  addons:
-    certManager:
-      enabled: false
-      valuesOverride: {}
-    cilium:
-      valuesOverride: {}
-    fluxcd:
-      enabled: false
-      valuesOverride: {}
-    gatewayAPI:
-      enabled: false
-    gpuOperator:
-      enabled: false
-      valuesOverride: {}
-    ingressNginx:
-      enabled: true
-      hosts: []
-      valuesOverride: {}
-    monitoringAgents:
-      enabled: false
-      valuesOverride: {}
-    verticalPodAutoscaler:
-      valuesOverride: {}
-  controlPlane:
-    apiServer:
-      resources: {}
-      resourcesPreset: small
-    controllerManager:
-      resources: {}
-      resourcesPreset: micro
-    konnectivity:
-      server:
-        resources: {}
-        resourcesPreset: micro
-    replicas: 2
-    scheduler:
-      resources: {}
-      resourcesPreset: micro
-  host: ""
-  nodeGroups:
-    md0:
-      ephemeralStorage: 20Gi
-      gpus: []
-      instanceType: u1.medium
-      maxReplicas: 10
-      minReplicas: 0
-      resources:
-        cpu: ""
-        memory: ""
-      roles:
-      - ingress-nginx
-  storageClass: replicated
-EOF
-  kubectl wait namespace tenant-test --timeout=20s --for=jsonpath='{.status.phase}'=Active
-  timeout 10 sh -ec 'until kubectl get kamajicontrolplane -n tenant-test kubernetes-test; do sleep 1; done'
-  kubectl wait --for=condition=TenantControlPlaneCreated kamajicontrolplane -n tenant-test kubernetes-test --timeout=4m
-  kubectl wait tcp -n tenant-test kubernetes-test --timeout=2m --for=jsonpath='{.status.kubernetesResources.version.status}'=Ready
-  kubectl wait deploy --timeout=4m --for=condition=available -n tenant-test kubernetes-test kubernetes-test-cluster-autoscaler kubernetes-test-kccm kubernetes-test-kcsi-controller
-  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=1m --for=jsonpath='{.status.replicas}'=2
-  kubectl wait machinedeployment kubernetes-test-md0 -n tenant-test --timeout=5m --for=jsonpath='{.status.v1beta2.readyReplicas}'=2
-}
--- a/hack/e2e-cluster.bats
+++ b/hack/e2e-cluster.bats
@@ -3,13 +3,25 @@
 # Cozystack end‑to‑end provisioning test (Bats)
 # -----------------------------------------------------------------------------

+export TALOSCONFIG=$PWD/talosconfig
+export KUBECONFIG=$PWD/kubeconfig
+
+# Runs before each @test
+setup() {
+  [ ! -f ${BATS_RUN_TMPDIR}/.skip ] || skip "skip remaining tests" ]
+}
+
+# Runs after each @test
+teardown() {
+  [ -n "$BATS_TEST_COMPLETED" ] || touch ${BATS_RUN_TMPDIR}/.skip
+}
+
@test "Environment variable COZYSTACK_INSTALLER_YAML is defined" {
  if [ -z "${COZYSTACK_INSTALLER_YAML:-}" ]; then
    echo 'COZYSTACK_INSTALLER_YAML environment variable is not set!' >&2
    echo >&2
    echo 'Please export it with the following command:' >&2
    echo '  export COZYSTACK_INSTALLER_YAML=$(helm template -n cozy-system installer packages/core/installer)' >&2
-    exit 1
  fi
 }

@@ -19,7 +31,6 @@
    echo >&2
    echo "Enable it with:" >&2
    echo "  echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
-    exit 1
  fi
 }

@@ -112,7 +123,7 @@ EOF
 }

@test "Wait until Talos API port 50000 is reachable on all machines" {
-  timeout 60 sh -ec 'until nc -nz 192.168.123.11 50000 && nc -nz 192.168.123.12 50000 && nc -nz 192.168.123.13 50000; do sleep 1; done'
+  timeout 60 bash -c 'until nc -nz 192.168.123.11 50000 && nc -nz 192.168.123.12 50000 && nc -nz 192.168.123.13 50000; do sleep 1; done'
 }

@test "Generate Talos cluster configuration" {
@@ -211,23 +222,23 @@ EOF
  done

  # Wait for Talos services to come up again
-  timeout 60 sh -ec 'until nc -nz 192.168.123.11 50000 && nc -nz 192.168.123.12 50000 && nc -nz 192.168.123.13 50000; do sleep 1; done'
+  timeout 60 bash -c 'until nc -nz 192.168.123.11 50000 && nc -nz 192.168.123.12 50000 && nc -nz 192.168.123.13 50000; do sleep 1; done'
 }

@test "Bootstrap Talos cluster" {
  # Bootstrap etcd on the first node
-  timeout 10 sh -ec 'until talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11; do sleep 1; done'
+  timeout 10 bash -c 'until talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11; do sleep 1; done'

  # Wait until etcd is healthy
-  timeout 180 sh -ec 'until talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 >/dev/null 2>&1; do sleep 1; done'
-  timeout 60 sh -ec 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep -q "rpc error"; do sleep 1; done'
+  timeout 180 bash -c 'until talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 >/dev/null 2>&1; do sleep 1; done'
+  timeout 60 bash -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep -q "rpc error"; do sleep 1; done'

  # Retrieve kubeconfig
  rm -f kubeconfig
  talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10

  # Wait until all three nodes register in Kubernetes
-  timeout 60 sh -ec 'until [ $(kubectl get node --no-headers | wc -l) -eq 3 ]; do sleep 1; done'
+  timeout 60 bash -c 'until [ $(kubectl get node --no-headers | wc -l) -eq 3 ]; do sleep 1; done'
 }

@test "Install Cozystack" {
@@ -250,9 +261,9 @@ EOF
  kubectl wait deployment/cozystack -n cozy-system --timeout=1m --for=condition=Available

  # Wait until HelmReleases appear & reconcile them
-  timeout 60 sh -ec 'until kubectl get hr -A | grep -q cozys; do sleep 1; done'
+  timeout 60 bash -c 'until kubectl get hr -A | grep -q cozys; do sleep 1; done'
  sleep 5
-  kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n "$1" hr/"$2" &"} END {print "wait"}' | sh -ex
+  kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n "$1" hr/"$2" &"} END {print "wait"}' | bash -x

  # Fail the test if any HelmRelease is not Ready
  if kubectl get hr -A | grep -v " True " | grep -v NAME; then
@@ -263,14 +274,14 @@ EOF

@test "Wait for Cluster‑API provider deployments" {
  # Wait for Cluster‑API provider deployments
-  timeout 60 sh -ec 'until kubectl get deploy -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager >/dev/null 2>&1; do sleep 1; done'
+  timeout 60 bash -c 'until kubectl get deploy -n cozy-cluster-api capi-controller-manager capi-kamaji-controller-manager capi-kubeadm-bootstrap-controller-manager capi-operator-cluster-api-operator capk-controller-manager >/dev/null 2>&1; do sleep 1; done'
  kubectl wait deployment/capi-controller-manager deployment/capi-kamaji-controller-manager deployment/capi-kubeadm-bootstrap-controller-manager deployment/capi-operator-cluster-api-operator deployment/capk-controller-manager -n cozy-cluster-api --timeout=1m --for=condition=available
 }

@test "Wait for LINSTOR and configure storage" {
  # Linstor controller and nodes
  kubectl wait deployment/linstor-controller -n cozy-linstor --timeout=5m --for=condition=available
-  timeout 60 sh -ec 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) -eq 3 ]; do sleep 1; done'
+  timeout 60 bash -c 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) -eq 3 ]; do sleep 1; done'

  for node in srv1 srv2 srv3; do
    kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs ${node} /dev/vdc --pool-name data --storage-pool data
@@ -344,7 +355,7 @@ EOF
  # Patch root tenant and wait for its releases
  kubectl patch tenants/root -n tenant-root --type merge -p '{"spec":{"host":"example.org","ingress":true,"monitoring":true,"etcd":true,"isolated":true}}'

-  timeout 60 sh -ec 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root >/dev/null 2>&1; do sleep 1; done'
+  timeout 60 bash -c 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root >/dev/null 2>&1; do sleep 1; done'
  kubectl wait hr/etcd hr/ingress hr/tenant-root -n tenant-root --timeout=2m --for=condition=ready

  if ! kubectl wait hr/monitoring -n tenant-root --timeout=2m --for=condition=ready; then
@@ -356,7 +367,7 @@ EOF
  kubectl patch configmap/cozystack -n cozy-system --type merge -p '{"data":{"expose-services":"api,dashboard,cdi-uploadproxy,vm-exportproxy,keycloak"}}'

  # NGINX ingress controller
-  timeout 60 sh -ec 'until kubectl get deploy root-ingress-controller -n tenant-root >/dev/null 2>&1; do sleep 1; done'
+  timeout 60 bash -c 'until kubectl get deploy root-ingress-controller -n tenant-root >/dev/null 2>&1; do sleep 1; done'
  kubectl wait deploy/root-ingress-controller -n tenant-root --timeout=5m --for=condition=available

  # etcd statefulset
@@ -373,15 +384,12 @@ EOF

  # Verify Grafana via ingress
  ingress_ip=$(kubectl get svc root-ingress-controller -n tenant-root -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-  if ! curl -sS -k "https://${ingress_ip}" -H 'Host: grafana.example.org' --max-time 30 | grep -q Found; then
-    echo "Failed to access Grafana via ingress at ${ingress_ip}" >&2
-    exit 1
-  fi
+  curl -sS -k "https://${ingress_ip}" -H 'Host: grafana.example.org' | grep -q Found
 }

@test "Keycloak OIDC stack is healthy" {
  kubectl patch configmap/cozystack -n cozy-system --type merge -p '{"data":{"oidc-enabled":"true"}}'

-  timeout 120 sh -ec 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator >/dev/null 2>&1; do sleep 1; done'
+  timeout 120 bash -c 'until kubectl get hr -n cozy-keycloak keycloak keycloak-configure keycloak-operator >/dev/null 2>&1; do sleep 1; done'
  kubectl wait hr/keycloak hr/keycloak-configure hr/keycloak-operator -n cozy-keycloak --timeout=10m --for=condition=ready
 }
--- a/hack/gen_versions_map.sh
+++ b/hack/gen_versions_map.sh
@@ -16,15 +16,13 @@ if [ ! -f "$file" ] || [ ! -s "$file" ]; then
  exit 0
 fi

-miss_map=$(mktemp)
-trap 'rm -f "$miss_map"' EXIT
-echo -n "$new_map" | awk 'NR==FNR { nm[$1 " " $2] = $3; next } { if (!($1 " " $2 in nm)) print $1, $2, $3}' - "$file" > $miss_map
+miss_map=$(echo "$new_map" | awk 'NR==FNR { nm[$1 " " $2] = $3; next } { if (!($1 " " $2 in nm)) print $1, $2, $3}' - "$file")

 # search accross all tags sorted by version
 search_commits=$(git ls-remote --tags origin | awk -F/ '$3 ~ /v[0-9]+.[0-9]+.[0-9]+/ {print}' | sort -k2,2 -rV | awk '{print $1}')

 resolved_miss_map=$(
-  while read -r chart version commit; do
+  echo "$miss_map" | while read -r chart version commit; do
    # if version is found in HEAD, it's HEAD
    if [ "$(awk '$1 == "version:" {print $2}' ./${chart}/Chart.yaml)" = "${version}" ]; then
      echo "$chart $version HEAD"
@@ -58,7 +56,7 @@ resolved_miss_map=$(
    fi
    
    echo "$chart $version $found_tag"
-  done < $miss_map
+  done
 )

-printf "%s\n" "$new_map" "$resolved_miss_map" | sort -k1,1 -k2,2 -V | awk '!seen[$1, $2]++' > "$file"
+printf "%s\n" "$new_map" "$resolved_miss_map" | sort -k1,1 -k2,2 -V | awk '$1' > "$file"
--- a/hack/package_chart.sh
+++ b/hack/package_chart.sh
@@ -1,65 +0,0 @@
-#!/bin/sh
-
-set -e
-
-usage() {
-        printf "%s\n" "Usage:" >&2 ;
-        printf -- "%s\n" '---' >&2 ;
-        printf "%s %s\n" "$0" "INPUT_DIR OUTPUT_DIR TMP_DIR [DEPENDENCY_DIR]" >&2 ;
-        printf -- "%s\n" '---' >&2 ;
-        printf "%s\n" "Takes a helm repository from INPUT_DIR, with an optional library repository in" >&2 ;
-        printf "%s\n" "DEPENDENCY_DIR, prepares a view of the git archive at select points in history" >&2 ;
-        printf "%s\n" "in TMP_DIR and packages helm charts, outputting the tarballs to OUTPUT_DIR" >&2 ;
-}
-
-if [ "x$(basename $PWD)" != "xpackages" ]
-then
-        echo "Error: This script must run from the ./packages/ directory" >&2
-        echo >&2
-        usage
-        exit 1
-fi
-
-if [ "x$#" != "x3" ] && [ "x$#" != "x4" ]
-then
-        echo "Error: This script takes 3 or 4 arguments" >&2
-        echo "Got $# arguments:" "$@" >&2
-        echo >&2
-        usage
-        exit 1
-fi
-
-input_dir=$1
-output_dir=$2
-tmp_dir=$3
-
-if [ "x$#" = "x4" ]
-then
-        dependency_dir=$4
-fi
-
-rm -rf "${output_dir:?}"
-mkdir -p "${output_dir}"
-while read package _ commit
-do
-        # this lets devs build the packages from a dirty repo for quick local testing
-        if [ "x$commit" = "xHEAD" ]
-        then
-                helm package "${input_dir}/${package}" -d "${output_dir}"
-                continue
-        fi
-        git archive --format tar "${commit}" "${input_dir}/${package}" | tar -xf- -C "${tmp_dir}/"
-
-        # the library chart is not present in older commits and git archive doesn't fail gracefully if the path is not found
-        if [ "x${dependency_dir}" != "x" ] && git ls-tree --name-only "${commit}" "${dependency_dir}" | grep -qx "${dependency_dir}"
-        then
-                git archive --format tar "${commit}" "${dependency_dir}" | tar -xf- -C "${tmp_dir}/"
-        fi
-        helm package "${tmp_dir}/${input_dir}/${package}" -d "${output_dir}"
-        rm -rf "${tmp_dir:?}/${input_dir:?}/${package:?}"
-        if [ "x${dependency_dir}" != "x" ]
-        then
-                rm -rf "${tmp_dir:?}/${dependency_dir:?}"
-        fi
-done < "${input_dir}/versions_map"
-helm repo index "${output_dir}"
--- a/packages/apps/Makefile
+++ b/packages/apps/Makefile
@@ -1,8 +1,14 @@
-OUT=../_out/repos/apps
-TMP := $(shell mktemp -d)
+OUT=../../_out/repos/apps
+TMP=../../_out/repos/apps/historical

 repo:
-	cd .. && ../hack/package_chart.sh apps $(OUT) $(TMP) library
+	rm -rf "$(OUT)"
+	mkdir -p "$(OUT)"
+	awk '$$3 != "HEAD" {print "mkdir -p $(TMP)/" $$1 "-" $$2}' versions_map | sh -ex
+	awk '$$3 != "HEAD" {print "git archive " $$3 " " $$1 " | tar -xf- --strip-components=1 -C $(TMP)/" $$1 "-" $$2 }' versions_map | sh -ex
+	helm package -d "$(OUT)" $$(find . $(TMP) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")' | sort -V)
+	cd "$(OUT)" && helm repo index . --url http://cozystack.cozy-system.svc/repos/apps
+	rm -rf "$(TMP)"

 fix-chartnames:
 	find . -maxdepth 2 -name Chart.yaml  | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
--- a/packages/apps/clickhouse/Chart.yaml
+++ b/packages/apps/clickhouse/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.8.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/clickhouse/charts/cozy-lib
+++ b/packages/apps/clickhouse/charts/cozy-lib
@@ -1 +0,0 @@
-../../../library/cozy-lib
--- a/packages/apps/clickhouse/images/clickhouse-backup.tag
+++ b/packages/apps/clickhouse/images/clickhouse-backup.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/clickhouse-backup:0.9.0@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
+ghcr.io/cozystack/cozystack/clickhouse-backup:0.8.0@sha256:3faf7a4cebf390b9053763107482de175aa0fdb88c1e77424fd81100b1c3a205
--- a/packages/apps/clickhouse/templates/clickhouse.yaml
+++ b/packages/apps/clickhouse/templates/clickhouse.yaml
@@ -122,9 +122,9 @@ spec:
            - name: clickhouse
              image: clickhouse/clickhouse-server:24.9.2.42
              {{- if .Values.resources }}
-              resources: {{- include "cozy-lib.resources.sanitize" .Values.resources | nindent 16 }}
+              resources: {{- toYaml .Values.resources | nindent 16 }}
              {{- else if ne .Values.resourcesPreset "none" }}
-              resources: {{- include "cozy-lib.resources.preset" .Values.resourcesPreset | nindent 16 }}
+              resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 16 }}
              {{- end }}
              volumeMounts:
                - name: data-volume-template
--- a/packages/apps/http-cache/images/nginx-cache.tag
+++ b/packages/apps/http-cache/images/nginx-cache.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/nginx-cache:0.5.0@sha256:158c35dd6a512bd14e86a423be5c8c7ca91ac71999c73cce2714e4db60a2db43
+ghcr.io/cozystack/cozystack/nginx-cache:0.5.0@sha256:785bd69cb593dc1509875d1e3128dac1a013b099fbb02f39330298d798706a0e
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.20.1
+version: 0.20.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/packages/apps/kubernetes/images/cluster-autoscaler.tag
+++ b/packages/apps/kubernetes/images/cluster-autoscaler.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/cluster-autoscaler:0.20.1@sha256:720148128917fa10f860a8b7e74f9428de72481c466c880c5ad894e1f0026d43
+ghcr.io/cozystack/cozystack/cluster-autoscaler:0.20.0@sha256:8dbbe95fe8b933a1d1a3c638120f386fec0c4950092d3be5ddd592375bb8a760
--- a/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
+++ b/packages/apps/kubernetes/images/kubevirt-cloud-provider.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.20.1@sha256:1b48a4725a33ccb48604bb2e1be3171271e7daac2726d3119228212d8a9da5bb
+ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.20.0@sha256:41fcdbd2f667f68bf554dd184ce362e65b88f350dc7b938c86079b719f5e5099
--- a/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
+++ b/packages/apps/kubernetes/images/kubevirt-csi-driver.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.20.1@sha256:fb6d3ce9d6d948285a6d399c852e15259d6922162ec7c44177d2274243f59d1f
+ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.20.0@sha256:61580fea56b745580989d85e3ef2563e9bb1accc9c4185f8e636bacd02551319
--- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag
+++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.32@sha256:184b81529ae72684279799b12f436cc7a511d8ff5bd1e9a30478799c7707c625
+ghcr.io/cozystack/cozystack/ubuntu-container-disk:v1.32@sha256:186af6f71891bfc6d6948454802c08922baa508c30e7f79e330b7d26ffceff03
--- a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml
@@ -6,11 +6,6 @@ ingress-nginx:
    hostNetwork: true
    service:
      enabled: false
-    {{- if not .Values.addons.certManager.enabled }}
-    admissionWebhooks:
-      certManager:
-        enabled: false
-    {{- end }}
  nodeSelector:
    node-role.kubernetes.io/ingress-nginx: ""
 {{- end }}
--- a/packages/apps/tenant/README.md
+++ b/packages/apps/tenant/README.md
@@ -4,55 +4,36 @@ A tenant is the main unit of security on the platform. The closest analogy would

 Tenants can be created recursively and are subject to the following rules:

-### Tenant naming
+### Higher-level tenants can access lower-level ones.

-Tenant names must be alphanumeric.
-Using dashes (`-`) in tenant names is not allowed, unlike with other services.
-This limitation exists to keep consistent naming in tenants, nested tenants, and services deployed in them.
+Higher-level tenants can view and manage the applications of all their children.

-For example:
+### Each tenant has its own domain

-   The root tenant is named `root`, but internally it's referenced as `tenant-root`.
-   A nested tenant could be named `foo`, which would result in `tenant-foo` in service names and URLs.
-   However, a tenant can not be named `foo-bar`, because parsing names such as `tenant-foo-bar` would be ambiguous.
-
-### Unique domains
-
-Each tenant has its own domain.
-By default, (unless otherwise specified), it inherits the domain of its parent with a prefix of its name.
-For example, if the parent had the domain `example.org`, then `tenant-foo` would get the domain `foo.example.org` by default.
+By default (unless otherwise specified), it inherits the domain of its parent with a prefix of its name, for example, if the parent had the domain `example.org`, then `tenant-foo` would get the domain `foo.example.org` by default.

 Kubernetes clusters created in this tenant namespace would get domains like: `kubernetes-cluster.foo.example.org`

 Example:
-```text       
+```
 tenant-root (example.org)
 └── tenant-foo (foo.example.org)
    └── kubernetes-cluster1 (kubernetes-cluster1.foo.example.org)
 ```

-### Nesting tenants and reusing parent services
+### Lower-level tenants can access the cluster services of their parent (provided they do not run their own)

-Tenants can be nested.
-A tenant administrator can create nested tenants using the "Tenant" application from the catalogue.
-
-Higher-level tenants can view and manage the applications of all their children tenants.
-If a tenant does not run their own cluster services, it can access ones of its parent.
-
-For example, you create:
-   Tenant `tenant-u1` with a set of services like `etcd`, `ingress`, `monitoring`.
-   Tenant `tenant-u2` nested in `tenant-u1`.
+Thus, you can create `tenant-u1` with a set of services like `etcd`, `ingress`, `monitoring`. And create another tenant namespace `tenant-u2` inside of `tenant-u1`.

 Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namespace.

-Since `tenant-u2` does not have its own cluster services like `etcd`, `ingress`, and `monitoring`,
-the applications running in `tenant-u2` will use the cluster services of the parent tenant.
-
+Since `tenant-u2` does not have its own cluster services like `etcd`, `ingress`, and `monitoring`, the applications will use the cluster services of the parent tenant.  
 This in turn means:

-    The Kubernetes cluster data will be stored in `etcd` for `tenant-u1`.
-    Access to the cluster will be through the common `ingress` of `tenant-u1`.
-    Essentially, all metrics will be collected in the `monitoring` from `tenant-u1`, and only that tenant will have access to them.
+- The Kubernetes cluster data will be stored in etcd for `tenant-u1`.
+- Access to the cluster will be through the common ingress of `tenant-u1`.
+- Essentially, all metrics will be collected in the monitoring from `tenant-u1`, and only it will have access to them.
+

 Example:
 ```
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -9,7 +9,7 @@ clickhouse 0.6.0 1ec10165
 clickhouse 0.6.1 c62a83a7
 clickhouse 0.6.2 8267072d
 clickhouse 0.7.0 93bdf411
-clickhouse 0.9.0 HEAD
+clickhouse 0.8.0 HEAD
 ferretdb 0.1.0 e9716091
 ferretdb 0.1.1 91b0499a
 ferretdb 0.2.0 6c5cf5bf
@@ -64,8 +64,7 @@ kubernetes 0.17.0 1fbbfcd0
 kubernetes 0.17.1 fd240701
 kubernetes 0.18.0 721c12a7
 kubernetes 0.19.0 93bdf411
-kubernetes 0.20.0 609e7ede
-kubernetes 0.20.1 HEAD
+kubernetes 0.20.0 HEAD
 mysql 0.1.0 263e47be
 mysql 0.2.0 c24a103f
 mysql 0.3.0 53f2365e
@@ -158,8 +157,7 @@ virtual-machine 0.8.0 3fa4dd3a
 virtual-machine 0.8.1 93c46161
 virtual-machine 0.8.2 de19450f
 virtual-machine 0.9.0 721c12a7
-virtual-machine 0.9.1 93bdf411
-virtual-machine 0.10.0 HEAD
+virtual-machine 0.9.1 HEAD
 vm-disk 0.1.0 d971f2ff
 vm-disk 0.1.1 HEAD
 vm-instance 0.1.0 1ec10165
@@ -170,7 +168,7 @@ vm-instance 0.4.1 0ab39f20
 vm-instance 0.5.0 3fa4dd3a
 vm-instance 0.5.1 de19450f
 vm-instance 0.6.0 721c12a7
-vm-instance 0.7.0 HEAD
+vm-instance 0.6.1 HEAD
 vpn 0.1.0 263e47be
 vpn 0.2.0 53f2365e
 vpn 0.3.0 6c5cf5bf
--- a/packages/apps/virtual-machine/Chart.yaml
+++ b/packages/apps/virtual-machine/Chart.yaml
@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.0
+version: 0.9.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.10.0
+appVersion: 0.9.0
--- a/packages/apps/virtual-machine/Makefile
+++ b/packages/apps/virtual-machine/Makefile
@@ -9,4 +9,4 @@ generate:
 	  && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
 	yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json
 	yq -i -o json '.properties.systemDisk.properties.image.enum = ["ubuntu", "cirros", "alpine", "fedora", "talos"]' values.schema.json
-	yq -i -o json '.properties.externalMethod.enum = ["PortList", "WholeIP"]' values.schema.json
+	yq -i -o json '.properties.externalMethod.enum = ["WholeIP", "PortList"]' values.schema.json
--- a/packages/apps/virtual-machine/README.md
+++ b/packages/apps/virtual-machine/README.md
@@ -39,7 +39,7 @@ virtctl ssh <user>@<vm>
 | Name                      | Description                                                                                                | Value        |
 | ------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------ |
 | `external`                | Enable external access from outside the cluster                                                            | `false`      |
-| `externalMethod`          | specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList` | `PortList`   |
+| `externalMethod`          | specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList` | `WholeIP`    |
 | `externalPorts`           | Specify ports to forward from outside the cluster                                                          | `[]`         |
 | `running`                 | Determines if the virtual machine should be running                                                        | `true`       |
 | `instanceType`            | Virtual Machine instance type                                                                              | `u1.medium`  |
--- a/packages/apps/virtual-machine/templates/vm.yaml
+++ b/packages/apps/virtual-machine/templates/vm.yaml
@@ -27,7 +27,10 @@ spec:
  - metadata:
      name: {{ include "virtual-machine.fullname" . }}
    spec:
-      storage:
+      pvc:
+        volumeMode: Block
+        accessModes:
+        - ReadWriteMany
        resources:
          requests:
            storage: {{ .Values.systemDisk.storage | quote }}
--- a/packages/apps/virtual-machine/values.schema.json
+++ b/packages/apps/virtual-machine/values.schema.json
@@ -10,10 +10,10 @@
    "externalMethod": {
      "type": "string",
      "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`",
-      "default": "PortList",
+      "default": "WholeIP",
      "enum": [
-        "PortList",
-        "WholeIP"
+        "WholeIP",
+        "PortList"
      ]
    },
    "externalPorts": {
--- a/packages/apps/virtual-machine/values.yaml
+++ b/packages/apps/virtual-machine/values.yaml
@@ -4,7 +4,7 @@
 ## @param externalMethod specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`
 ## @param externalPorts [array] Specify ports to forward from outside the cluster
 external: false
-externalMethod: PortList
+externalMethod: WholeIP
 externalPorts:
 - 22

--- a/packages/apps/vm-instance/Chart.yaml
+++ b/packages/apps/vm-instance/Chart.yaml
@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.6.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.7.0
+appVersion: 0.6.0
--- a/packages/apps/vm-instance/Makefile
+++ b/packages/apps/vm-instance/Makefile
@@ -9,4 +9,4 @@ generate:
 	PREFERENCES=$$(yq e '.metadata.name' -o=json -r ../../system/kubevirt-instancetypes/templates/preferences.yaml | yq 'split(" ") | . + [""]' -o json) \
 	  && yq -i -o json ".properties.instanceProfile.optional=true | .properties.instanceProfile.enum = $${PREFERENCES}" values.schema.json
 	yq -i -o json '.properties.externalPorts.items.type = "integer"' values.schema.json
-	yq -i -o json '.properties.externalMethod.enum = ["PortList", "WholeIP"]' values.schema.json
+	yq -i -o json '.properties.externalMethod.enum = ["WholeIP", "PortList"]' values.schema.json
--- a/packages/apps/vm-instance/README.md
+++ b/packages/apps/vm-instance/README.md
@@ -39,7 +39,7 @@ virtctl ssh <user>@<vm>
 | Name               | Description                                                                                                | Value       |
 | ------------------ | ---------------------------------------------------------------------------------------------------------- | ----------- |
 | `external`         | Enable external access from outside the cluster                                                            | `false`     |
-| `externalMethod`   | specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList` | `PortList`  |
+| `externalMethod`   | specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList` | `WholeIP`   |
 | `externalPorts`    | Specify ports to forward from outside the cluster                                                          | `[]`        |
 | `running`          | Determines if the virtual machine should be running                                                        | `true`      |
 | `instanceType`     | Virtual Machine instance type                                                                              | `u1.medium` |
--- a/packages/apps/vm-instance/values.schema.json
+++ b/packages/apps/vm-instance/values.schema.json
@@ -10,10 +10,10 @@
    "externalMethod": {
      "type": "string",
      "description": "specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`",
-      "default": "PortList",
+      "default": "WholeIP",
      "enum": [
-        "PortList",
-        "WholeIP"
+        "WholeIP",
+        "PortList"
      ]
    },
    "externalPorts": {
--- a/packages/apps/vm-instance/values.yaml
+++ b/packages/apps/vm-instance/values.yaml
@@ -4,7 +4,7 @@
 ## @param externalMethod specify method to passthrough the traffic to the virtual machine. Allowed values: `WholeIP` and `PortList`
 ## @param externalPorts [array] Specify ports to forward from outside the cluster
 external: false
-externalMethod: PortList
+externalMethod: WholeIP
 externalPorts:
 - 22

--- a/packages/core/installer/values.yaml
+++ b/packages/core/installer/values.yaml
@@ -1,2 +1,2 @@
 cozystack:
-  image: ghcr.io/cozystack/cozystack/installer:v0.31.0-rc.3@sha256:5fc6b88de670878b66f2b5bf381b89b68253ab3e69ff1cb7359470bc65beb3fa
+  image: ghcr.io/cozystack/cozystack/installer:v0.31.0-rc.2@sha256:05d812a6ac1df86c614b528e8d171af05c0080545ceee383d6cb043f415a4372
--- a/packages/core/testing/Makefile
+++ b/packages/core/testing/Makefile
@@ -30,13 +30,8 @@ image-e2e-sandbox:
 		yq -i '.e2e.image = strenv(IMAGE)' values.yaml
 	rm -f images/e2e-sandbox.json

-test: test-cluster test-apps ## Run the end-to-end tests in existing sandbox
-
-test-cluster: ## Run the end-to-end for creating a cluster
-	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && export COZYSTACK_INSTALLER_YAML=$$(helm template -n cozy-system installer ./packages/core/installer) && hack/cozytest.sh hack/e2e-cluster.bats'
-
-test-apps: ## Run the end-to-end tests for apps
-	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && hack/cozytest.sh hack/e2e-apps.bats'
+test: ## Run the end-to-end tests in existing sandbox.
+	docker exec "${SANDBOX_NAME}" sh -c 'cd /workspace && export COZYSTACK_INSTALLER_YAML=$$(helm template -n cozy-system installer ./packages/core/installer) && hack/e2e.bats'

 delete: ## Remove sandbox from existing Kubernetes cluster.
 	docker rm -f "${SANDBOX_NAME}" || true
@@ -45,10 +40,5 @@ exec:  ## Opens an interactive shell in the sandbox container.
 	docker exec -ti "${SANDBOX_NAME}" bash

 apply: delete
-	docker run \
-		-d --rm --name "${SANDBOX_NAME}" --privileged \
-		-e TALOSCONFIG=/workspace/talosconfig \
-		-e KUBECONFIG=/workspace/kubeconfig \
-		"$$(yq .e2e.image values.yaml)" \
-		sleep infinity
+	docker run -d --rm --name "${SANDBOX_NAME}" --privileged "$$(yq .e2e.image values.yaml)" sleep infinity
 	docker cp "${ROOT_DIR}" "${SANDBOX_NAME}":/workspace
--- a/packages/core/testing/images/e2e-sandbox/Dockerfile
+++ b/packages/core/testing/images/e2e-sandbox/Dockerfile
@@ -8,7 +8,7 @@ ARG TARGETOS
 ARG TARGETARCH

 RUN apt update -q
-RUN apt install -yq --no-install-recommends genisoimage ca-certificates qemu-kvm qemu-utils iproute2 iptables wget xz-utils netcat curl jq make git
+RUN apt install -yq --no-install-recommends genisoimage ca-certificates qemu-kvm qemu-utils iproute2 iptables wget xz-utils netcat curl jq make git bats
 RUN curl -sSL "https://github.com/siderolabs/talos/releases/download/v${TALOSCTL_VERSION}/talosctl-${TARGETOS}-${TARGETARCH}" -o /usr/local/bin/talosctl \
 && chmod +x /usr/local/bin/talosctl
 RUN curl -sSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl" -o /usr/local/bin/kubectl \
--- a/packages/core/testing/values.yaml
+++ b/packages/core/testing/values.yaml
@@ -1,2 +1,2 @@
 e2e:
-  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.31.0-rc.3@sha256:8de0a8900994cb55f74ba25d265eeecac9958b07cdb8f86b9284b9f23668d2bb
+  image: ghcr.io/cozystack/cozystack/e2e-sandbox:v0.31.0-rc.2@sha256:2d35b2cce2f093c5c3145a08d9981e2bf28cf45a6804117d50bd6345a15ecd1a
--- a/packages/extra/Makefile
+++ b/packages/extra/Makefile
@@ -1,8 +1,14 @@
-OUT=../_out/repos/extra
-TMP := $(shell mktemp -d)
+OUT=../../_out/repos/extra
+TMP=../../_out/repos/extra/historical

 repo:
-	cd .. && ../hack/package_chart.sh extra $(OUT) $(TMP) library
+	rm -rf "$(OUT)"
+	mkdir -p "$(OUT)"
+	awk '$$3 != "HEAD" {print "mkdir -p $(TMP)/" $$1 "-" $$2}' versions_map | sh -ex
+	awk '$$3 != "HEAD" {print "git archive " $$3 " " $$1 " | tar -xf- --strip-components=1 -C $(TMP)/" $$1 "-" $$2 }' versions_map | sh -ex
+	helm package -d "$(OUT)" $$(find . $(TMP) -mindepth 2 -maxdepth 2 -name Chart.yaml | awk 'sub("/Chart.yaml", "")' | sort -V)
+	cd "$(OUT)" && helm repo index . --url http://cozystack.cozy-system.svc/repos/extra
+	rm -rf "$(TMP)"

 fix-chartnames:
 	find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
--- a/packages/extra/bootbox/images/matchbox.tag
+++ b/packages/extra/bootbox/images/matchbox.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/matchbox:v0.31.0-rc.3@sha256:8b65a160333830bf4711246ae78f26095e3b33667440bf1bbdd36db60a7f92e2
+ghcr.io/cozystack/cozystack/matchbox:v0.31.0-rc.2@sha256:78e5a28badd3c804e55e5c1376f12dad77e04b9f6f80637596939ba348f7104b
--- a/packages/extra/monitoring/images/grafana.tag
+++ b/packages/extra/monitoring/images/grafana.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/grafana:1.9.2@sha256:24382d445bf7a39ed988ef4dc7a0d9f084db891fcb5f42fd2e64622710b9457e
+ghcr.io/cozystack/cozystack/grafana:1.9.2@sha256:c63978e1ed0304e8518b31ddee56c4e8115541b997d8efbe1c0a74da57140399
--- a/packages/library/Makefile
+++ b/packages/library/Makefile
@@ -1,8 +0,0 @@
-OUT=../_out/repos/library
-TMP := $(shell mktemp -d)
-
-repo:
-	cd .. && ../hack/package_chart.sh library $(OUT) $(TMP)
-
-fix-chartnames:
-	find . -maxdepth 2 -name Chart.yaml  | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done
--- a/packages/library/cozy-lib/.helmignore
+++ b/packages/library/cozy-lib/.helmignore
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
--- a/packages/library/cozy-lib/Chart.yaml
+++ b/packages/library/cozy-lib/Chart.yaml
@@ -1,18 +0,0 @@
-apiVersion: v2
-name: cozy-lib
-description: Common Cozystack templates
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: library
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
--- a/packages/library/cozy-lib/Makefile
+++ b/packages/library/cozy-lib/Makefile
@@ -1,6 +0,0 @@
-include ../../../scripts/common-envs.mk
-include ../../../scripts/package.mk
-
-generate:
-	readme-generator -v values.yaml -s values.schema.json -r README.md
-
--- a/packages/library/cozy-lib/README.md
+++ b/packages/library/cozy-lib/README.md
@@ -1 +0,0 @@
-## Parameters
--- a/packages/library/cozy-lib/templates/_resourcepresets.tpl
+++ b/packages/library/cozy-lib/templates/_resourcepresets.tpl
@@ -1,49 +0,0 @@
-{{/*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{/* vim: set filetype=mustache: */}}
-
-{{/*
-Return a resource request/limit object based on a given preset.
-These presets are for basic testing and not meant to be used in production
-{{ include "cozy-lib.resources.preset" "nano" -}}
-*/}}
-{{- define "cozy-lib.resources.preset" -}}
-{{- $presets := dict 
-  "nano" (dict 
-      "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
-      "limits" (dict "memory" "128Mi" "ephemeral-storage" "2Gi")
-   )
-  "micro" (dict 
-      "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
-      "limits" (dict "memory" "256Mi" "ephemeral-storage" "2Gi")
-   )
-  "small" (dict 
-      "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
-      "limits" (dict "memory" "512Mi" "ephemeral-storage" "2Gi")
-   )
-  "medium" (dict 
-      "requests" (dict "cpu" "500m" "memory" "1Gi" "ephemeral-storage" "50Mi")
-      "limits" (dict "memory" "1Gi" "ephemeral-storage" "2Gi")
-   )
-  "large" (dict 
-      "requests" (dict "cpu" "1" "memory" "2Gi" "ephemeral-storage" "50Mi")
-      "limits" (dict "memory" "2Gi" "ephemeral-storage" "2Gi")
-   )
-  "xlarge" (dict 
-      "requests" (dict "cpu" "2" "memory" "4Gi" "ephemeral-storage" "50Mi")
-      "limits" (dict "memory" "4Gi" "ephemeral-storage" "2Gi")
-   )
-  "2xlarge" (dict 
-      "requests" (dict "cpu" "4" "memory" "8Gi" "ephemeral-storage" "50Mi")
-      "limits" (dict "memory" "8Gi" "ephemeral-storage" "2Gi")
-   )
- }}
-{{- if hasKey $presets . -}}
-{{- index $presets . | toYaml -}}
-{{- else -}}
-{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" . (join "," (keys $presets)) | fail -}}
-{{- end -}}
-{{- end -}}
--- a/packages/library/cozy-lib/templates/_resources.tpl
+++ b/packages/library/cozy-lib/templates/_resources.tpl
@@ -1,53 +0,0 @@
-{{- /*
-  A sanitized resource map is a dict with resource-name => resource-quantity.
-  If not in such a form, requests are used, then limits. All resources are set
-  to have equal requests and limits, except CPU, that has only requests. The
-  template expects to receive a dict {"requests":{...}, "limits":{...}} as
-  input, e.g. {{ include "cozy-lib.resources.sanitize" .Values.resources }}.
-  Example input:
-  ==============
-  limits:
-    cpu: 100m
-    memory: 1024Mi
-  requests:
-    cpu: 200m
-    memory: 512Mi
-  memory: 256Mi
-  devices.com/nvidia: "1"
-
-  Example output:
-  ===============
-  limits:
-    devices.com/nvidia: "1"
-    memory: 256Mi
-  requests:
-    cpu: 200m
-    devices.com/nvidia: "1"
-    memory: 256Mi
-*/}}
-{{- define "cozy-lib.resources.sanitize" }}
-{{-   $sanitizedMap := dict }}
-{{-   if hasKey . "limits" }}
-{{-     range $k, $v := .limits }}
-{{-       $_ := set $sanitizedMap $k $v }}
-{{-     end }}
-{{-   end }}
-{{-   if hasKey . "requests" }}
-{{-     range $k, $v := .requests }}
-{{-       $_ := set $sanitizedMap $k $v }}
-{{-     end }}
-{{-   end }}
-{{-   range $k, $v := . }}
-{{-     if not (or (eq $k "requests") (eq $k "limits")) }}
-{{-       $_ := set $sanitizedMap $k $v }}
-{{-     end }}
-{{-   end }}
-{{-   $output := dict "requests" dict "limits" dict }}
-{{-   range $k, $v := $sanitizedMap }}
-{{-     $_ := set $output.requests $k $v }}
-{{-     if not (eq $k "cpu") }}
-{{-       $_ := set $output.limits $k $v }}
-{{-     end }}
-{{-   end }}
-{{-   $output | toYaml }}
-{{- end  }}
--- a/packages/library/cozy-lib/values.schema.json
+++ b/packages/library/cozy-lib/values.schema.json
@@ -1,5 +0,0 @@
-{
-    "title": "Chart Values",
-    "type": "object",
-    "properties": {}
-}
--- a/packages/library/cozy-lib/values.yaml
+++ b/packages/library/cozy-lib/values.yaml
@@ -1 +0,0 @@
-{}
--- a/packages/library/testfile
+++ b/packages/library/testfile
--- a/packages/system/bucket/images/s3manager.tag
+++ b/packages/system/bucket/images/s3manager.tag
@@ -1 +1 @@
-ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:4399c240ce1f99660d5d1be9d6d7b3e8157c50e4aba58345d51a1d9ac25779a3
+ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:a219040fed290492f047818e5c5a864a30112ff418ad4b12b24de9709302427a
--- a/packages/system/cert-manager/charts/cert-manager/Chart.yaml
+++ b/packages/system/cert-manager/charts/cert-manager/Chart.yaml
@@ -6,7 +6,7 @@ annotations:
    fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
    url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v2
-appVersion: v1.17.2
+appVersion: v1.16.3
 description: A Helm chart for cert-manager
 home: https://cert-manager.io
 icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
@@ -23,4 +23,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.17.2
+version: v1.16.3
--- a/packages/system/cert-manager/charts/cert-manager/README.md
+++ b/packages/system/cert-manager/charts/cert-manager/README.md
@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou
 This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.

 ```bash
-$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.crds.yaml
+$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
 ```

 To install the chart with the release name `cert-manager`:
@@ -29,7 +29,7 @@ To install the chart with the release name `cert-manager`:
 $ helm repo add jetstack https://charts.jetstack.io --force-update

 ## Install the cert-manager helm chart
-$ helm install cert-manager --namespace cert-manager --version v1.17.2 jetstack/cert-manager
+$ helm install cert-manager --namespace cert-manager --version v1.16.3 jetstack/cert-manager
 ```

 In order to begin issuing certificates, you will need to set up a ClusterIssuer
@@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als
 delete the previously installed CustomResourceDefinition resources:

 ```console
-$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.crds.yaml
+$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.3/cert-manager.crds.yaml
 ```

 ## Configuration
@@ -316,13 +316,7 @@ If not set and create is true, a name is generated using the fullname template.

 #### **serviceAccount.annotations** ~ `object`

-Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values.  
-Example using templating:
-
-```yaml
-annotations:
-  "{{ .Chart.Name }}-helm-chart/version": "{{ .Chart.Version }}"
-```
+Optional additional annotations to add to the controller's Service Account.

 #### **serviceAccount.labels** ~ `object`

@@ -370,24 +364,17 @@ config:
  kubernetesAPIQPS: 9000
  kubernetesAPIBurst: 9000
  numberOfConcurrentWorkers: 200
-  enableGatewayAPI: true
-  # Feature gates as of v1.17.0. Listed with their default values.
-  # See https://cert-manager.io/docs/cli/controller/
  featureGates:
-    AdditionalCertificateOutputFormats: true # BETA - default=true
-    AllAlpha: false # ALPHA - default=false
-    AllBeta: false # BETA - default=false
-    ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
-    ExperimentalGatewayAPISupport: true # BETA - default=true
-    LiteralCertificateSubject: true # BETA - default=true
-    NameConstraints: true # BETA - default=true
-    OtherNames: false # ALPHA - default=false
-    SecretsFilteredCaching: true # BETA - default=true
-    ServerSideApply: false # ALPHA - default=false
-    StableCertificateRequestName: true # BETA - default=true
-    UseCertificateRequestBasicConstraints: false # ALPHA - default=false
-    UseDomainQualifiedFinalizer: true # BETA - default=false
-    ValidateCAA: false # ALPHA - default=false
+    AdditionalCertificateOutputFormats: true
+    DisallowInsecureCSRUsageDefinition: true
+    ExperimentalCertificateSigningRequestControllers: true
+    ExperimentalGatewayAPISupport: true
+    LiteralCertificateSubject: true
+    SecretsFilteredCaching: true
+    ServerSideApply: true
+    StableCertificateRequestName: true
+    UseCertificateRequestBasicConstraints: true
+    ValidateCAA: true
  # Configure the metrics server for TLS
  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
  metricsTLSConfig:
--- a/packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml
+++ b/packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml
@@ -53,12 +53,6 @@ spec:
        prometheus.io/port: '9402'
      {{- end }}
    spec:
-      {{- if not .Values.cainjector.serviceAccount.create }}
-      {{- with .Values.global.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- end }}
      serviceAccountName: {{ template "cainjector.serviceAccountName" . }}
      {{- if hasKey .Values.cainjector "automountServiceAccountToken" }}
      automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }}
--- a/packages/system/cert-manager/charts/cert-manager/templates/cainjector-service.yaml
+++ b/packages/system/cert-manager/charts/cert-manager/templates/cainjector-service.yaml
@@ -1,4 +1,3 @@
-{{- if .Values.cainjector.enabled }}
 {{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }}
 apiVersion: v1
 kind: Service
@@ -29,4 +28,3 @@ spec:
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
 {{- end }}
-{{- end }}
--- a/packages/system/cert-manager/charts/cert-manager/templates/crds.yaml
+++ b/packages/system/cert-manager/charts/cert-manager/templates/crds.yaml
@@ -514,6 +514,7 @@ spec:
                      type: object
                      required:
                        - create
+                        - passwordSecretRef
                      properties:
                        alias:
                          description: |-
@@ -525,25 +526,17 @@ spec:
                            Create enables JKS keystore creation for the Certificate.
                            If true, a file named `keystore.jks` will be created in the target
                            Secret resource, encrypted using the password stored in
-                            `passwordSecretRef` or `password`.
+                            `passwordSecretRef`.
                            The keystore file will be updated immediately.
                            If the issuer provided a CA certificate, a file named `truststore.jks`
                            will also be created in the target Secret resource, encrypted using the
                            password stored in `passwordSecretRef`
                            containing the issuing Certificate Authority
                          type: boolean
-                        password:
-                          description: |-
-                            Password provides a literal password used to encrypt the JKS keystore.
-                            Mutually exclusive with passwordSecretRef.
-                            One of password or passwordSecretRef must provide a password with a non-zero length.
-                          type: string
                        passwordSecretRef:
                          description: |-
-                            PasswordSecretRef is a reference to a non-empty key in a Secret resource
+                            PasswordSecretRef is a reference to a key in a Secret resource
                            containing the password used to encrypt the JKS keystore.
-                            Mutually exclusive with password.
-                            One of password or passwordSecretRef must provide a password with a non-zero length.
                          type: object
                          required:
                            - name
@@ -566,31 +559,24 @@ spec:
                      type: object
                      required:
                        - create
+                        - passwordSecretRef
                      properties:
                        create:
                          description: |-
                            Create enables PKCS12 keystore creation for the Certificate.
                            If true, a file named `keystore.p12` will be created in the target
                            Secret resource, encrypted using the password stored in
-                            `passwordSecretRef` or in `password`.
+                            `passwordSecretRef`.
                            The keystore file will be updated immediately.
                            If the issuer provided a CA certificate, a file named `truststore.p12` will
                            also be created in the target Secret resource, encrypted using the
                            password stored in `passwordSecretRef` containing the issuing Certificate
                            Authority
                          type: boolean
-                        password:
-                          description: |-
-                            Password provides a literal password used to encrypt the PKCS#12 keystore.
-                            Mutually exclusive with passwordSecretRef.
-                            One of password or passwordSecretRef must provide a password with a non-zero length.
-                          type: string
                        passwordSecretRef:
                          description: |-
-                            PasswordSecretRef is a reference to a non-empty key in a Secret resource
-                            containing the password used to encrypt the PKCS#12 keystore.
-                            Mutually exclusive with password.
-                            One of password or passwordSecretRef must provide a password with a non-zero length.
+                            PasswordSecretRef is a reference to a key in a Secret resource
+                            containing the password used to encrypt the PKCS12 keystore.
                          type: object
                          required:
                            - name
@@ -1390,9 +1376,6 @@ spec:
                                    resource ID of the managed identity, can not be used at the same time as clientID
                                    Cannot be used for Azure Managed Service Identity
                                  type: string
-                                tenantID:
-                                  description: tenant ID of the managed identity, can not be used at the same time as resourceID
-                                  type: string
                            resourceGroupName:
                              description: resource group the DNS zone is located in
                              type: string
@@ -4706,9 +4689,6 @@ spec:
                                          resource ID of the managed identity, can not be used at the same time as clientID
                                          Cannot be used for Azure Managed Service Identity
                                        type: string
-                                      tenantID:
-                                        description: tenant ID of the managed identity, can not be used at the same time as resourceID
-                                        type: string
                                  resourceGroupName:
                                    description: resource group the DNS zone is located in
                                    type: string
@@ -8435,9 +8415,6 @@ spec:
                                          resource ID of the managed identity, can not be used at the same time as clientID
                                          Cannot be used for Azure Managed Service Identity
                                        type: string
-                                      tenantID:
-                                        description: tenant ID of the managed identity, can not be used at the same time as resourceID
-                                        type: string
                                  resourceGroupName:
                                    description: resource group the DNS zone is located in
                                    type: string
--- a/packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml
+++ b/packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml
@@ -52,12 +52,6 @@ spec:
        prometheus.io/port: '9402'
      {{- end }}
    spec:
-      {{- if not .Values.serviceAccount.create }}
-      {{- with .Values.global.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- end }}
      serviceAccountName: {{ template "cert-manager.serviceAccountName" . }}
      {{- if hasKey .Values "automountServiceAccountToken" }}
      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
--- a/packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml
+++ b/packages/system/cert-manager/charts/cert-manager/templates/serviceaccount.yaml
@@ -11,9 +11,7 @@ metadata:
  namespace: {{ include "cert-manager.namespace" . }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
-    {{- range $k, $v := . }}
-      {{- printf "%s: %s" (tpl $k $) (tpl $v $) | nindent 4 }}
-    {{- end }} 
+    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app: {{ include "cert-manager.name" . }}
--- a/packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml
+++ b/packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml
@@ -52,12 +52,6 @@ spec:
        prometheus.io/port: '9402'
      {{- end }}
    spec:
-      {{- if not .Values.webhook.serviceAccount.create }}
-      {{- with .Values.global.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- end }}
      serviceAccountName: {{ template "webhook.serviceAccountName" . }}
      {{- if hasKey .Values.webhook "automountServiceAccountToken" }}
      automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
--- a/packages/system/cert-manager/charts/cert-manager/values.schema.json
+++ b/packages/system/cert-manager/charts/cert-manager/values.schema.json
@@ -579,7 +579,7 @@
    },
    "helm-values.config": {
      "default": {},
-      "description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n  apiVersion: controller.config.cert-manager.io/v1alpha1\n  kind: ControllerConfiguration\n  logging:\n    verbosity: 2\n    format: text\n  leaderElectionConfig:\n    namespace: kube-system\n  kubernetesAPIQPS: 9000\n  kubernetesAPIBurst: 9000\n  numberOfConcurrentWorkers: 200\n  enableGatewayAPI: true\n  # Feature gates as of v1.17.0. Listed with their default values.\n  # See https://cert-manager.io/docs/cli/controller/\n  featureGates:\n    AdditionalCertificateOutputFormats: true # BETA - default=true\n    AllAlpha: false # ALPHA - default=false\n    AllBeta: false # BETA - default=false\n    ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false\n    ExperimentalGatewayAPISupport: true # BETA - default=true\n    LiteralCertificateSubject: true # BETA - default=true\n    NameConstraints: true # BETA - default=true\n    OtherNames: false # ALPHA - default=false\n    SecretsFilteredCaching: true # BETA - default=true\n    ServerSideApply: false # ALPHA - default=false\n    StableCertificateRequestName: true # BETA - default=true\n    UseCertificateRequestBasicConstraints: false # ALPHA - default=false\n    UseDomainQualifiedFinalizer: true # BETA - default=false\n    ValidateCAA: false # ALPHA - default=false\n  # Configure the metrics server for TLS\n  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n  metricsTLSConfig:\n    dynamic:\n      secretNamespace: \"cert-manager\"\n      secretName: \"cert-manager-metrics-ca\"\n      dnsNames:\n      - cert-manager-metrics",
+      "description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n  apiVersion: controller.config.cert-manager.io/v1alpha1\n  kind: ControllerConfiguration\n  logging:\n    verbosity: 2\n    format: text\n  leaderElectionConfig:\n    namespace: kube-system\n  kubernetesAPIQPS: 9000\n  kubernetesAPIBurst: 9000\n  numberOfConcurrentWorkers: 200\n  featureGates:\n    AdditionalCertificateOutputFormats: true\n    DisallowInsecureCSRUsageDefinition: true\n    ExperimentalCertificateSigningRequestControllers: true\n    ExperimentalGatewayAPISupport: true\n    LiteralCertificateSubject: true\n    SecretsFilteredCaching: true\n    ServerSideApply: true\n    StableCertificateRequestName: true\n    UseCertificateRequestBasicConstraints: true\n    ValidateCAA: true\n  # Configure the metrics server for TLS\n  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n  metricsTLSConfig:\n    dynamic:\n      secretNamespace: \"cert-manager\"\n      secretName: \"cert-manager-metrics-ca\"\n      dnsNames:\n      - cert-manager-metrics",
      "type": "object"
    },
    "helm-values.containerSecurityContext": {
@@ -1223,7 +1223,7 @@
      "type": "object"
    },
    "helm-values.serviceAccount.annotations": {
-      "description": "Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values.\nExample using templating:\nannotations:\n  \"{{ .Chart.Name }}-helm-chart/version\": \"{{ .Chart.Version }}\"",
+      "description": "Optional additional annotations to add to the controller's Service Account.",
      "type": "object"
    },
    "helm-values.serviceAccount.automountServiceAccountToken": {
--- a/packages/system/cert-manager/charts/cert-manager/values.yaml
+++ b/packages/system/cert-manager/charts/cert-manager/values.yaml
@@ -190,10 +190,7 @@ serviceAccount:
  # +docs:property
  # name: ""

-  # Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values.
-  # Example using templating:
-  # annotations:
-  #   "{{ .Chart.Name }}-helm-chart/version": "{{ .Chart.Version }}"
+  # Optional additional annotations to add to the controller's Service Account.
  # +docs:property
  # annotations: {}

@@ -230,24 +227,17 @@ enableCertificateOwnerRef: false
 #    kubernetesAPIQPS: 9000
 #    kubernetesAPIBurst: 9000
 #    numberOfConcurrentWorkers: 200
-#    enableGatewayAPI: true
-#    # Feature gates as of v1.17.0. Listed with their default values.
-#    # See https://cert-manager.io/docs/cli/controller/
 #    featureGates:
-#      AdditionalCertificateOutputFormats: true # BETA - default=true
-#      AllAlpha: false # ALPHA - default=false
-#      AllBeta: false # BETA - default=false
-#      ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
-#      ExperimentalGatewayAPISupport: true # BETA - default=true
-#      LiteralCertificateSubject: true # BETA - default=true
-#      NameConstraints: true # BETA - default=true
-#      OtherNames: false # ALPHA - default=false
-#      SecretsFilteredCaching: true # BETA - default=true
-#      ServerSideApply: false # ALPHA - default=false
-#      StableCertificateRequestName: true # BETA - default=true
-#      UseCertificateRequestBasicConstraints: false # ALPHA - default=false
-#      UseDomainQualifiedFinalizer: true # BETA - default=false
-#      ValidateCAA: false # ALPHA - default=false
+#      AdditionalCertificateOutputFormats: true
+#      DisallowInsecureCSRUsageDefinition: true
+#      ExperimentalCertificateSigningRequestControllers: true
+#      ExperimentalGatewayAPISupport: true
+#      LiteralCertificateSubject: true
+#      SecretsFilteredCaching: true
+#      ServerSideApply: true
+#      StableCertificateRequestName: true
+#      UseCertificateRequestBasicConstraints: true
+#      ValidateCAA: true
 #    # Configure the metrics server for TLS
 #    # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
 #    metricsTLSConfig:
--- a/packages/system/cozystack-api/values.yaml
+++ b/packages/system/cozystack-api/values.yaml
@@ -1,2 +1,2 @@
 cozystackAPI:
-  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.31.0-rc.3@sha256:9940cffabedb510397e3c330887aee724c4d232c011df60f4c16891fcfe1d9bf
+  image: ghcr.io/cozystack/cozystack/cozystack-api:v0.31.0-rc.2@sha256:d3794a5ebd49ee28ef7108213d3bb5053f5247ef62855f4731c7cafb8059a635
--- a/packages/system/cozystack-controller/values.yaml
+++ b/packages/system/cozystack-controller/values.yaml
@@ -1,5 +1,5 @@
 cozystackController:
-  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.31.0-rc.3@sha256:b2f0de3ae2d7f15956eb7cdec78d2267aeba7e56a7781c70473757df4989a05a
+  image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.31.0-rc.2@sha256:fb7cfdf62a128103954f0cb711b2d21650c0d2f7ff639d41a56f68d454a1e4ea
  debug: false
  disableTelemetry: false
-  cozystackVersion: "v0.31.0-rc.3"
+  cozystackVersion: "v0.31.0-rc.2"
--- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
@@ -76,7 +76,7 @@ data:
      "kubeappsNamespace": {{ .Release.Namespace | quote }},
      "helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
      "carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
-      "appVersion": "v0.31.0-rc.3",
+      "appVersion": "v0.31.0-rc.2",
      "authProxyEnabled": {{ .Values.authProxy.enabled }},
      "oauthLoginURI": {{ .Values.authProxy.oauthLoginURI | quote }},
      "oauthLogoutURI": {{ .Values.authProxy.oauthLogoutURI | quote }},
--- a/packages/system/dashboard/values.yaml
+++ b/packages/system/dashboard/values.yaml
@@ -19,7 +19,7 @@ kubeapps:
    image:
      registry: ghcr.io/cozystack/cozystack
      repository: dashboard
-      tag: v0.31.0-rc.3
+      tag: v0.31.0-rc.2
      digest: "sha256:a83fe4654f547469cfa469a02bda1273c54bca103a41eb007fdb2e18a7a91e93"
  redis:
    master:
@@ -35,8 +35,8 @@ kubeapps:
    image:
      registry: ghcr.io/cozystack/cozystack
      repository: kubeapps-apis
-      tag: v0.31.0-rc.3
-      digest: "sha256:1447c10fcc9a8de426ec381bce565aa56267d0c9f3bab8fe26ac502d433283c5"
+      tag: v0.31.0-rc.2
+      digest: "sha256:db4f33e9ca6969459c9baf0131c2c342cb6c366df16df7361e7cbdeb4a854cea"
    pluginConfig:
      flux:
        packages:
--- a/packages/system/kamaji/images/kamaji/Dockerfile
+++ b/packages/system/kamaji/images/kamaji/Dockerfile
@@ -1,7 +1,7 @@
 # Build the manager binary
 FROM golang:1.24 as builder

-ARG VERSION=edge-25.4.1
+ARG VERSION=edge-25.3.2
 ARG TARGETOS
 ARG TARGETARCH

@@ -23,4 +23,4 @@ WORKDIR /
 COPY --from=builder /workspace/kamaji .
 USER 65532:65532

-ENTRYPOINT ["/kamaji"]
+ENTRYPOINT ["/kamaji"]
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -3,7 +3,7 @@ kamaji:
    deploy: false
  image:
    pullPolicy: IfNotPresent
-    tag: v0.31.0-rc.3@sha256:5f828637ebd1717a5c2b828352fff7fc14c218c7bbfc2cb2ce55737f9b5bf500
+    tag: v0.31.0-rc.2@sha256:beb066f5c45cda520e5028222ec26a5e39c2c3c63bc9016e8a6ec49a2379e00c
    repository: ghcr.io/cozystack/cozystack/kamaji
  resources:
    limits:
--- a/packages/system/kubeovn-webhook/values.yaml
+++ b/packages/system/kubeovn-webhook/values.yaml
@@ -1,3 +1,3 @@
 portSecurity: true
 routes: ""
-image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.31.0-rc.3@sha256:f3acc1c6dd87cebd76be5afe1789c19780cb24f9518c8bdafa46f823ae4ba46e
+image: ghcr.io/cozystack/cozystack/kubeovn-webhook:v0.31.0-rc.2@sha256:f9b464a94bd1a1fa116bbf77c4bbece3931d03dac1489eb820f94d98176ed5c9
--- a/packages/system/metallb/Makefile
+++ b/packages/system/metallb/Makefile
@@ -16,8 +16,6 @@ image-controller image-speaker:
 	$(eval VERSION := $(shell yq '.appVersion' charts/metallb/Chart.yaml))
 	docker buildx build images/metallb \
 		--provenance false \
-		--builder=$(BUILDER) \
-		--platform=$(PLATFORM) \
 		--target $(TARGET) \
 		--build-arg VERSION=$(VERSION) \
 		--tag $(REGISTRY)/metallb-$(TARGET):$(VERSION) \
@@ -25,8 +23,8 @@ image-controller image-speaker:
 		--cache-to type=inline \
 		--metadata-file images/$(TARGET).json \
 		--push=$(PUSH) \
-		--label "org.opencontainers.image.source=https://github.com/cozystack/cozystack" \
-		--load=$(LOAD)
+		--label "org.opencontainers.image.source=https://github.com/cozystack/cozystack"
+		--load=1
 	REPOSITORY="$(REGISTRY)/metallb-$(TARGET)" \
 		yq -i '.metallb.$(TARGET).image.repository = strenv(REPOSITORY)' values.yaml
 	TAG=$(VERSION)@$$(yq e '."containerimage.digest"' images/$(TARGET).json -o json -r) \